Search crashes Explorer - XP

By CaptBilly1Eye
This is happening on a laptop with XP Pro SP3.

Running a Search (Files & Folders) causes Explorer to crash. The crash happens at the end of the search on the first attempt and then immediately when text is typed in the search field on subsequent attempts until the machine is rebooted.

explorer.exe - Application Error
The instruction at "0x7342611a" referenced memory at "0x7342611a". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program

Things I have tried:
1. Re-registered wshom.ocx, jscript.dll, & urlmon.dll
2. Ran a .bat file to re-register all DLLs in System32.
3. Reinstalled Windows Search using srchasst.inf.
4. Performed a full Chkdsk - no errors found.
5. Scanned with Ad-Aware, McAfee A/V, CWShredder, MalwareBytes, VundoFix, and performed a registry cleaning with Fix My Registry and RegCleaner.
6. Reinstalled MDAC 2.6
7. Cleanly uninstalled all versions of .NET and then reinstalled 1.1, 2.0, 3.0 & 3.5 up to SP1. (with reboots between each step).
8. Performed a RAM memory check using Memtest86.
So far, no problems found or corrections that have worked.

The same error occurs when I attempt to check File Types in Tools > Options > File Types, although I have used ShellExView and find no unassociated or strange types.

Any other ideas would be greatly appreciated.

Unfortunately, a System Restore is not an option since it is turned off due to group policy.

Thanks in advance.

All Answers

Further Update & Thanks

by CaptBilly1Eye In reply to Search crashes Explorer - ...

Since CoreFlood is a network transmittable trojan, I wasn't surprised to find it on 70% of the other workstations I've checked so far.
So much for firewalls, McAfee, and following standard MS security protocol. I guess there's no such thing as being 'Secure.'

As I suspected, it had a different name in every instance.
In every case, the name of the key under ShellIconOverlayIdentifiers matched the two corresponding .OCX and .DAT files in System32.

I cleaned those workstations by just following these steps:

1. Exported and then deleted the registry key involved under HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
2. Exported and then deleted the corresponding CLSID key under HKEY_Classes_Root\CLSID.
3. Copied and then deleted the .OCX and .DAT files with the same name from the System32 directory.
Replacing Explorer.exe or going into Safe Mode was evidently not necessary.
So far, it has not returned.

I had the chance to try Sophos Anti-Rootkit and Spybot Search & Destroy but they found nothing. A full scan with McAfee and the latest signature update returned a positive in every case except the first machine. It tagged explorer.exe as being infected with CoreFlood!MEM. After I removed the Registry keys along with the .OCX and .DAT files, nothing came up at all. I'm still surprised McAfee didn't do a better job of keeping it out to begin with. I think I'll stick with Avast on my home system. ;-)

Here is the most current article on CoreFlood I could find. It should be updated since the trojan no longer uses .DLL files and no mention is made of the random name thing. http://www.pc1news.com/news/0360/the-evolution-of-coreflood-trojan-and-how-to-remove-coreflood.html. CoreFlood is an evolving little bugger.

...now it's time to get on to things more productive.

Thanks for the good words, everyone! The acknowledgment is appreciated.
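An added example, not the script from this thread or anything its author posted: a read-only PowerShell audit of the ShellIconOverlayIdentifiers keys that applies the trait described above (a key name matching a same-named .OCX/.DAT pair in System32) and shows which module each CLSID loads and whether it is signed. It assumes an elevated PowerShell session on the Windows host being checked and only reports; nothing is deleted, so the output can be reviewed before any keys are exported and removed by hand.

```powershell
# Added example, not the script from this thread. Read-only audit of Explorer
# icon-overlay handlers: lists each key under ShellIconOverlayIdentifiers, resolves
# its CLSID to the loaded module, and flags keys whose name matches a .OCX/.DAT pair
# in System32 (the trait described in the thread). Nothing is modified.
# Assumption: run from an elevated PowerShell session on the Windows host being checked.

if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$overlayRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
$system32    = Join-Path $env:SystemRoot 'System32'

function Get-OverlayHandlerReport {
    Get-ChildItem -Path $overlayRoot | ForEach-Object {
        $keyName   = $_.PSChildName
        # The (default) value of each overlay key is the CLSID of the handler COM object.
        $clsid     = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $module    = $null
        $sigStatus = $null
        if ($clsid -and (Test-Path "HKCR:\CLSID\$clsid\InprocServer32")) {
            $raw = (Get-ItemProperty -Path "HKCR:\CLSID\$clsid\InprocServer32").'(default)'
            if ($raw) {
                $module = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                if (Test-Path $module) {
                    # Legitimate overlay handlers are normally signed by a known vendor.
                    $sigStatus = (Get-AuthenticodeSignature -FilePath $module).Status
                }
            }
        }
        # Same-named .OCX and .DAT files in System32: the pattern reported in the thread.
        $ocxPath = Join-Path $system32 "$keyName.ocx"
        $datPath = Join-Path $system32 "$keyName.dat"
        $pairPresent = (Test-Path $ocxPath) -and (Test-Path $datPath)
        [pscustomobject]@{
            OverlayKey = $keyName
            CLSID      = $clsid
            Module     = $module
            Signature  = $sigStatus
            OcxDatPair = $pairPresent
        }
    }
}

# Suspect entries first; keep the full list so key names and paths can be exported later.
Get-OverlayHandlerReport | Sort-Object OcxDatPair -Descending | Format-Table -AutoSize
```

An overlay key with OcxDatPair set to True, an unsigned module, or a module under System32 that no installed product accounts for is the entry to export and examine before removal.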


by NexS In reply to Further Update & Thanks

I think that the webpage is fine. I remain vigilant to say that trojan viruses look like black/white dressed prisoners carrying my 6 year old monitor out of my door.

Even though McAfee didn't prevent it from getting in, at least it found it at all!
It's good to know that the big names are still above the smaller dogs.

yea, but....

by CaptBilly1Eye In reply to Definately

Although McAfee did identify Explorer.exe as being infected, that is all it was able to do.
It said that the infected file was "deleted" when in reality nothing was removed. Additionally, the Registry keys were not caught. Without getting rid of those, CoreFlood, like most trojans, will just recreate itself.

by NexS In reply to yea, but....

It'd be interesting to see a comparison of top line antivirus software on nasty bugs like these.
Would really pull the blinds away and show people how much manual removal is needed.

This thread is a keeper.

by seanferd In reply to Further Update & Thanks

One Last Additional Note

by CaptBilly1Eye In reply to Search crashes Explorer - ...

I neglected to include some all-important steps when removing CoreFlood in a network environment where PCs share directories.

Since it is a network transmitted trojan, in order to avoid immediate re-infection, here is the simplest way to get rid of it completely:

1. Disconnect all workstations from the network.
2. Clean it from your servers.
3. Clean it from the workstations.
4. Reconnect the workstations to the network.

...take it from someone who learned the hard way. ;-) Another example of where haste makes waste.

The next and final step is to determine how to keep it out of the network in the future. That may be the hardest step of all. ... still working on that one.

That's rough

by NexS In reply to One Last Additional Note

You have to take <b>everything</b> off the network?
Ouch. Management wouldn't be happy. Though I'm sure they'd be even less happy with a 100% infection ratio!

Keep track? Running weekly/bi-weekly full scans?
Would it be worth putting something on a proxy that scans everything as it passes through (in addition to ISP filtering)?

Script to remove CoreFlood!Mem

by CaptBilly1Eye In reply to Search crashes Explorer - ...

Here is a script to remove the CoreFlood!Mem trojan virus.

I have tested this thoroughly in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 both 32 and 64-bit. But use it at your own risk as I take no responsibility other than offering it for testing.

Click on the link below to access the download page on MediaFire. Download and Save the file "CleanCoreflood.vb_" to the Desktop. After the download is complete, rename the file extension from ".VB_" to ".VBS". Close Regedit if it is open. Then double click "CleanCoreflood.vbs" to run the script.

I ran this on all workstations and servers to resolve the issue. It will not make any changes to a system that does not have the CoreFlood registry keys or .OCX and .DAT files.

I hope this helps.


I apologize for the ad pop-ups at MediaFire, but... hey... it's free.

What is this?

by NexS In reply to Script to remove CoreFloo ...

by seanferd In reply to What is this?

Yup. A preview of things to come. Just a bit more definite that it is coming than a Wikipedia "RFC".
