Re: Explorer.exe fails to load at startup
- From: screwedblue <screwedblue.3mpyns@xxxxxxxxxxxxx>
- Date: Tue, 27 Jan 2009 22:16:42 +0530
OK, after exhaustive searches for a remedy I have found this easy,
simple step: download Malwarebytes and run it. For the past 3 days my
Explorer would not load, only a blank desktop. Running Task Manager, I
was able to get Explorer to load infrequently; it would flash on, then go
away, then come back. I tried to re-install Windows XP Home (to no avail)
and tried different virus scans (I use AVG Free, and also use the Kaspersky
online scan and Trend HouseCall; only Kaspersky found 2 trojans).
After downloading Malwarebytes and running a scan I found an additional
27 errors. Ran cleaner and then ran CCleaner to remove the rest of the wrong
reg entries.
Upon reboot, everything is back to as it should be.
I will now try to add the log from the Malwarebytes scan.
Malwarebytes' Anti-Malware 1.33
Database version: 1698
Windows 5.1.2600 Service Pack 2
1/27/2009 8:19:30 AM
mbam-log-2009-01-27 (08-19-30).txt
Scan type: Quick Scan
Objects scanned: 67697
Time elapsed: 6 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 31
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 16
Files Infected: 31
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iifGyVPF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfCULbY.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{90cc9550-c8c0-4588-b995-1de68652df4d} (Trojan.Vundo.H)
-> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{90cc9550-c8c0-4588-b995-1de68652df4d}
(Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
(Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
(Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) ->
Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify\khfculby (Trojan.Vundo) -> Delete on
reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90cc9550-c8c0-4588-b995-1de68652df4d}
(Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet
Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution
Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da}
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pgqttuek
(Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka
(Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and
deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) ->
Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c}
(Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification
Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifgyvpf ->
Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication
Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iifgyvpf ->
Delete on reboot.
Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and
deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined
and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and
deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) ->
Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch)
-> Quarantined and deleted successfully.
C:\WINDOWS\system32\778670 (Trojan.BHO) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dad\Application Data\FunWebProducts
(Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\FunWebProducts\Data
(Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\FunWebProducts\Data\Dad
(Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot
(Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Log
(Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Quarantine
(Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Registry
Backups (Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Settings
(Rogue.MalwareBot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\iifGyVPF.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\FPVyGfii.ini (Trojan.Vundo.H) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\FPVyGfii.ini2 (Trojan.Vundo.H) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\khfCULbY.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvUnOgfg.dll (Trojan.Vundo) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\Drivers\nddbhpou.sys (Rootkit.Agent) -> Delete on
reboot.
C:\Documents and Settings\Dad\Local Settings\Temp\winvsnet.tmp
(Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Local Settings\Temp\canmsewrox.tmp
(Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch)
-> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch)
-> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm.bak
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat.bak
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\00EDFDE7.urr
(Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\FunWebProducts\Data\Dad\wffavs.dat (Adware.MyWay) -> Quarantined
and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\rs.dat
(Rogue.MalwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Log\2007 Dec
09 - 06_14_38 PM_896.log (Rogue.MalwareBot) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dad\Application Data\MalwareBot\Log\2007 Dec
09 - 06_14_42 PM_381.log (Rogue.MalwareBot) -> Quarantined and deleted
successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\CustomScan.stg (Rogue.MalwareBot) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\IgnoreList.stg (Rogue.MalwareBot) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\ScanInfo.stg (Rogue.MalwareBot) -> Quarantined
and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\ScanResults.stg (Rogue.MalwareBot) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\SelectedFolders.stg (Rogue.MalwareBot) ->
Quarantined and deleted successfully.
C:\Documents and Settings\Dad\Application
Data\MalwareBot\Settings\Settings.stg (Rogue.MalwareBot) -> Quarantined
and deleted successfully.
C:\WINDOWS\Tasks\MalwareBot Scheduled Scan.job (Rogue.MalwareBot) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaiwulbdmd.sys (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekarmowrndt.sys (Trojan.Agent) ->
Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMdAQhI.dll (Trojan.Vundo) -> Quarantined and
deleted successfully.
C:\WINDOWS\system32\qoMeBqRl.dll (Trojan.Vundo) -> Quarantined and
deleted successfully.
If someone would be so kind as to copy this and place it where it is best
used, thank you.
--
screwedblue
------------------------------------------------------------------------
screwedblue's Profile: http://forums.techarena.in/members/screwedblue.htm
View this thread: http://forums.techarena.in/windows-xp-support/902979.htm