Problem with IE6

Printable View

January 24th, 2006, 09:49 PM
tarpi

Problem with IE6

My windows update fails to install new updates on my XP dell laptop. I have SP2 and IE6 on inspiron 4150. I also noticed for about 6 months or so that opening internet explorer actually shows up as explorer.exe in a porcess listing using sysinternals, or task manager. Opening additional IE windows only adds memory to explorer process. I guess I am running IE that is embedded in windows explorer? I don't remember what I did to get to this but the bottom line is that ever since then windows updates is not functional.

I cannot reinstall SP2 nor IE6. I tinkered with services making sure nothing is disabled, and also making sure that update service is automatic, along with other XP services required.
I do run hijackthis regularly and didn't notice anything unusual, didn't find any ADS, also run systinternals tcpviewer often while working and nothing unusual. No rootkits have been found(using the sysinternals stuff). Cain&Abel's sniffer is also running from time to time to see if something unusuall is happening. But nothing in the form of rootkits or logon attempts is seen. At least nothing on the network level.

Any ideas what I could have done to create this. I like the fact that everything runs from explorer process but I'd like to update the laptop as well.
January 24th, 2006, 09:56 PM
rapier57

OK, don't panic, but you may have a trojan, malware or redirector running. You probably can't see it unless you boot to Safe Mode. Here's what I recommend:

1. boot to Safe Mode with networking.
2. update your AV
3. download and run HijackThis (http://www.spywareinfo.com/~merijn/)
4. post the results here for us to look over
5. in the meantime, run a full scan of the hard drive with your AV and get SpyBot, or one of the other free spyware scanners and run it. Don't leave Safe Mode until you have completed the scans.
January 24th, 2006, 10:48 PM
tarpi

I run the scans regularly. In safe mode I ran at least 3 times since i noticed that IEexplore.exe does not show in the process listing. Spybot and Ad-aware.
Also sysinternals rootkit revealer does not find anything in safe mode.
attached is the hijackthis listing. Didn't ignore anything.
January 24th, 2006, 11:10 PM
Relyt

Since I don't have Auto-update on, within the last six months, I had to manually install a new windows update manager. Have you installed the new one? The old one won't work any longer.

Cheers
January 24th, 2006, 11:21 PM
rapier57

I didn't see what I thought would be there, in the HijackThis log. So, Relyt is correct, you probably don't have the updated updater. The update site should try to automatically fix you updater, but if not, try this link:

http://update.microsoft.com/microsof....aspx?ln=en-us
January 24th, 2006, 11:56 PM
Relyt

Just another thought (darn two in one day!!!), make sure your firewall isn't blocking the updating program as well. Some folks forget about that. And especially if they have told their firewall not display a window everytime that program wants to access the Internet.

cheers
January 25th, 2006, 12:04 AM
tarpi

Failed fixing the updater. Automatic update service is running. Should i stop it first?

Now that I am looking into stuff, I have the side-by-side dlls in the Winsxs directory and comctl32.dll (user experience controlls) is loaded from WinSxS folder in addition to system32.
I remember that at one point I needed the debug and release version of mfc runtime libraries to avoid some linker errors. I think that ever since installing the debug version of mfc runtime libraries, I have the side-by-side stuff and the strange behavior of my IE running within the explorer process. Maybe i am off but if anyone is more familiar with the use of side-by-side dlls in XP, let me know.
January 25th, 2006, 12:19 AM
Nokia

Why not go to the Windows Update Troubleshooter Page and see if your problem is listed there.

I has 90% of the most common faults there so you may get lucky!

gl
January 25th, 2006, 01:06 AM
dalek

Another thing you can try is downloading Spybot S & D and run a scan and see if you may have some HOST file "redirects", some spyware/malware will trick your HOST file to see the autoupdate URL for either the Windows or even your AV updaters and stop it from calling Home....just a thought....
January 25th, 2006, 01:15 AM
rapier57

Do you have Process Explorer? I think it might help to download and run that so see where things are coming from and if you should have those DLL's and processes running. Might help, can't hurt.

http://www.sysinternals.com/Processe...Utilities.html
January 25th, 2006, 01:27 AM
a*user

Sounds like some malware if you restart in safe-mode and scan you should catch it. Why is reinstalling not an option? No disk?

I would also check folder c:\I386 for file labeled HOSTS open in notepad and see if there are any entries in their besides the localhost example microsoft gives you. This could have been altered with malware. Always make sure you know what you are doing before changing anything or at least make a backup. Also your IE could be corrupt, reinstall, i don't see the problem but here is the link to the IE homepage you should be able to get more information on updates for the browser at IE home page. Let me know.
January 25th, 2006, 01:32 AM
kcore

lmhosts file.

Look at your lmhosts file as well..

it's like.. in \Windows\drivers\etc\

or something like that. (can't remember the directory, I haven't used Windows in several years.
January 25th, 2006, 01:44 AM
a*user

There are two lmhosts files one is in the same folder as the HOSTS file C:\I386 and the other lmhosts is located in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC.
January 25th, 2006, 02:20 AM
rapier57

The second LMHOSTS is the one that is used. The one in the I386 folder is just a backup or install version.

Also, I looked through your HijackThis log again and two things popped out that seem odd:

O23 - Service: EC2007 Service 1.35 - Unknown - C:\WINDOWS\System32\ec27ser.exe
...
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\wltrysvc.exe

Find those two files and right-click on them. Check the Version tab and make sure they are known to you. If the version tab is blank, these are suspect.

Do the same for your explorer.EXE file as listed in the header. Something funny about this. Right-click and check the version information. If it isn't a Microsoft product, delete it.
January 25th, 2006, 05:44 AM
tarpi

Ok the ec27ser.exe is the ENC chart viewer, for marine charts. That is definately not it.

wltrysvc.exe is the wireless tray for dell true mobile wireless cards.

I update the hosts file about once a year, and no there are no redirects nor bad entries in the hosts file.

I believe that failed updates definately has to do with iexplore.exe process not running, or perhaps running within explorer.exe. Attached is the listing for all the modules loaded by explorer.exe. Like I said earlier, the more IE windows I open, the larger the memory consumed by the explorer.exe process.