Search crashes Explorer - XP

By CaptBilly1Eye ·
This is happening on a laptop with XP Pro SP3.

Running a Search (Files & Folders) causes Explorer to crash. The crash happens at the end of the search on the first attempt and then immediately when text is typed in the search field on subsequent attempts until the machine is rebooted.

explorer.exe - Application Error
The instruction at "0x7342611a" referenced memory at "0x7342611a". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program

Things I have tried:
1. Re-registered wshom.ocx, jscript.dll, & urlmon.dll
2. Ran a .bat file to re-register all DLLs in System32.
3. Reinstalled Windows Search using srchasst.inf.
4. Performed a full Chkdsk - no errors found.
5. Scanned with Ad-Aware, McAfee A/V, CWShredder, MalwareBytes, VundoFix, and performed a registry cleaning with Fix My Registry and RegCleaner.
6. Reinstalled MDAC 2.6
7. Cleanly uninstalled all versions of .NET and then reinstalled 1.1, 2.0, 3.0 & 3.5 up to SP1. (with reboots between each step).
8. Performed a RAM memory check using Memtest86.
So far, no problems found or corrections that have worked.

The same error occurs when I attempt to check File Types in Tools > Options > File Types. Although I have used ShellExView and find no unassociated or strange types.

Any other ideas would be greatly appreciated.

Unfortunately, a System Restore is not an option since it is turned off due to group policy.

Thanks in advance.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Update - Problem Solved - CoreFlood Trojan

by CaptBilly1Eye In reply to Search crashes Explorer - ...

After running FileMon and searching EventViewer to no avail, I decided to perform a test on the actual file Explorer.exe by checking a particular Registry key that I have seen to house the CoreFlood Trojan.

The particular registry key is found under HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers.
Typically, the only folder under that key should be Offline Files.
Surprise! - there was also another one named 'MSVCP70U' and in it was a reference to a CLSID value.

Here is how I got rid of it:
1. Copied a known good copy of Explorer.exe (verified it was the same version number) from another workstation and saved it to the infected machine's C drive.
2. Opened Task Manager and ended task on Explorer.
3. Still in Task Manager, Went to File and then New Task.
4. Selected the good copy of Explorer on the C drive.
5. Opened to C:\Windows\System32, found Msvcp70u.ocx and Msvcp70u.dat, and moved those to a new folder (for deletion later). Those were the only files that began with 'Msvcp70u'.
6. In the Registry, (after exporting them first for safety) deleted the Msvcp70u folder found earlier and deleted the CLSID value that it referred to (HKEY_Classes_Root\CLSID\{4597A33D-A3A3-893D-40A4-B207DEA418CB}.
7. Deleted Explorer.exe from the System32 folder and replaced it with a copy of the known good version.
8. Rebooted.

All fixed! No more crashes when searching.

I suspect that a good rootkit detector may have caught it, but I believe the trojan generates different names for itself. I found nothing on the web in reference to CoreFlood by the file name or CLSID I had. So instead of Msvcp70u, it may hide under some other name.

I just hope I got all of it and that this helps anyone else that runs into this little PITA.

[edited for better search results]

Collapse -

Nice work

by NexS In reply to Update - Problem Solved - ...

If only you could give thumbs to yourself!

Viruses can be quite sneaky, and I can't imagine what would possess someone to write a virus that simple crashes explorer. There's no gain for the coder who spent (probably) hours writing it!

People are stupid.

Collapse -

Yea, but....

by CaptBilly1Eye In reply to Nice work

... I think the symptom of Explorer crashing when searching was an unintended side-effect.
But, thanks to that, I was alerted that CoreFlood was present. Who knows how long it would have gone undetected otherwise. The door may have been open for a long time inviting much more dangerous exploits.

Nope, no self-thumbing allowed. But that doesn't mean I can't give 'em out to everyone else.

Collapse -


by seanferd In reply to Update - Problem Solved - ...

Don't you hate it when the scans show nothing?

Don't you love it when your well-cultivated intuition tells you to go look yourself?

I wonder what that evil little thing does.

Collapse -

Who knows?

by CaptBilly1Eye In reply to Nicework!

This article sheds a little light on CoreFlood's background:

Collapse -


by seanferd In reply to Who knows?


Edit: Well, Coreflood sure is bloody well evil. I bet M. Kassner would be interested in the one.

Collapse -

Oh, and Question of the Week, no less.

by seanferd In reply to Update - Problem Solved - ...
Collapse -


by santeewelding In reply to Search crashes Explorer - ...

CaptBilly1Eye, where had you been going, and what had you been doing, in order to attract such a vile thing?

Only so that I won't, lest I have to call on you if I did.

Collapse -


by CaptBilly1Eye In reply to Erm

Even though this wasn't my laptop, most of what I've learned about viruses and how to clean them out has come from infections I've had on my own personal system over the many years.

No matter what, I can't break the addiction with P2P. :-)
♪♫ ...yes, I am a pirate... 200 years too late. The cannons don't thunder and there's nothin' to plunder. I'm an over 40 victim of fate. ♪♫

But only boobs do that crap at work.


Collapse -


by santeewelding In reply to Actually....

More than sufficient. Thank you, sir.

I'll know who to ask.

Related Discussions

Related Forums