Explorer doesn'twork - need advice fast

Primrose · Jun 29, 2007

So, my friend gave me his laptop to clean up. He has already told me that he does not want to reformat so please don't tell me to reformat because I know this is fixable.

His computer was so loaded with stuff, it took at least 30 minutes to start up and get running, not to mention his Norton Antivirus was always popping up with stuff and it took at least 2 minutes to be able to click the "ok" button and for it to register. It was so slow he said that he was using it in safemode most of the time.

The first thing I did was uninstall Norton so that the computer would function proper. I used Registry Mechanic, Ad Aware 2007, and housecall.trendmicro.com to initially clean it as well as uninstalling useless stuff like google toolbar and other toolbar addons.

I also did a defrag and c cleanup.

NOW, explorer won't work. I'm not talking about Internet Explorer, I mean the explorer that we all need and use every day, the one that keeps the icons and start menu and everything around. I can run explorer through task manager but it just pops everything up and then it all goes away in less than a second again. It is even worse when I try it in safe mode.

I also have registryfix v6.2 and it found a whole bunch of stuff that registry mechanic didn't find.

Right now explorer is running fine since I started it through task manager, and I have no idea why. When I restart/Shut Down the computer explorer doesn't run on startup. Is there any advice? Anything? I really need some help here. Any help or advice is greatly appreciated. I am supposed to give him back his computer today and I don't want it to be worse off than when he gave it to me =S

Jenna

TimW · Jun 29, 2007

If you are concerned that it is a malware issue....
Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy

AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

You may have to keep it for another day....

Primrose · Jun 29, 2007

Okay, I am attempting to do everything in the Sticky Thread, but it is very difficult. I am starting up in Normal Mode, but like I said, explorer isn't working. I cannot view folders or files. I got to the point of downloading C Cleaner but I literally cannot install it because I can't get to the location that it downloaded to. Without explorer this is very difficult...

TimW · Jun 29, 2007

If you go to start / run / and type in " explorer" without the qoutes, does it come up?

Primrose · Jun 29, 2007

It comes up for less than half a second then goes away again. I am slowly getting through the Sticky though and I will be able to post some logs soon. Explorer is definitely trying to run though, after I type it in task manager it keeps on popping up several times then going away again (and by popping up I mean the taskbar and start menu and icons etc).

There isn't any explorer error messages, but sometimes there is one about a bad image file, next time it comes up I will post it.

It came up, it is qvghvody.dll that seems to be the error message

TimW · Jun 29, 2007

And there will be plenty of other bad .dll's.....try to get thru as much as you can ...esp. the shownew/getrun/HJT and the virus scans!!

Primrose · Jun 29, 2007

I am at the BitDefender scan now, I would have gone further but an internet explorer error came up right at the end of the scan and it all had to close down!

*sigh* this is soooooo boring. I was wondering if replacing the explorer.exe file with another one off of a usb drive would work?

By the way, I cannot do the scans in safe mode becuase explorer gives me 2x the trouble when in safe mode, but if I get explorer fixed then I can do the scans again in safemode

Primrose · Jun 30, 2007

Scan results 1

Primrose · Jun 30, 2007

Scan Results 2

Primrose · Jun 30, 2007

Can anyone help? I've kept the computer an extra day. Now that I've tried so hard with it I don't know what to do. *shrug*

~Jenna

TimW · Jun 30, 2007

This computer has alot of problems ..it will take a little time.
1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {00261803-4094-4B8C-8235-91B1B3D22B12} - (no file)
O2 - BHO: (no name) - {23229741-25EA-426D-A729-6102A5D56FB1} - (no file)
O2 - BHO: (no name) - {3E71DC86-4A5C-4C71-A185-EBE9AC2EB607} - C:\WINDOWS\system32\fccyxvw.dll
O2 - BHO: (no name) - {BF312B7B-D2E3-407F-8926-98F23DDA2D52} - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: ddccb - C:\WINDOWS\system32\ddccb.dll
O20 - Winlogon Notify: fccyxvw - C:\WINDOWS\SYSTEM32\fccyxvw.dll
O20 - Winlogon Notify: nnnmlmj - C:\WINDOWS\SYSTEM32\nnnmlmj.dll
O20 - Winlogon Notify: ssqroon - C:\WINDOWS\SYSTEM32\ssqroon.dll
O20 - Winlogon Notify: sstqq - C:\WINDOWS\
O20 - Winlogon Notify: tuvwxyv - tuvwxyv.dll (file missing)
O20 - Winlogon Notify: wvuusts - C:\WINDOWS\SYSTEM32\wvuusts.dll
O20 - Winlogon Notify: xxyvurp - C:\WINDOWS\SYSTEM32\xxyvurp.dll
O20 - Winlogon Notify: yayaxur - C:\WINDOWS\SYSTEM32\yayaxur.dll
O20 - Winlogon Notify: yayvvtu - C:\WINDOWS\SYSTEM32\yayvvtu.dll
Click to expand...

After clicking fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddccb]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccyxvw]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmlmj]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqroon]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sstqq]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvwxyv]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvuusts]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyvurp]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayaxur]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvvtu]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DDC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\GPLv3]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00261803-4094-4B8C-8235-91B1B3D22B12}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{23229741-25EA-426D-A729-6102A5D56FB1}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF312B7B-D2E3-407F-8926-98F23DDA2D52}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{3E71DC86-4A5C-4C71-A185-EBE9AC2EB607}"=-
Click to expand...

Now attach new logs for:
ShowNew
GetRun
HJT

Primrose · Jun 30, 2007

your link to combofix is broken. Is there any particular version of it that I should get/find?

TimW · Jun 30, 2007

I am so sorry for the bad link.

. Download this file - Combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Attach this log to your next reply

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Primrose · Jul 2, 2007

new logs

Primrose · Jul 2, 2007

combofix log

TimW · Jul 2, 2007

Your friend needs to uninstall all the poker crap (use add/remove to uninstall Pacific Poker and Ultimate Bet).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
Click to expand...

After clicking fix, exit HJT

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT 4

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=-
Click to expand...

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\WINDOWS\system32\lhoqknyd.dll
C:\WINDOWS\system32\qvghvody.dll
C:\WINDOWS\system32\qqtss.tmp"
C:\WINDOWS\system32\dynkqohl.ini
C:\WINDOWS\system32\jdbjqexp.ini
C:\WINDOWS\system32\qqtss~1.ini
C:\WINDOWS\system32\qutjkdmu.ini
C:\WINDOWS\system32\sdsrtrlj.ini
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Attach new logs for:
ShowNew
GetRun
HJT
Avenger

Tell me how things are running ....

Primrose · Jul 3, 2007

logs again, post to follow

Primrose · Jul 3, 2007

I want to thank you so much for the help. Explorer is finally running now, but I haven't switched away from normal bootup yet, so I have yet to see. Sorry for the few and far between replies, I have been working the night shift the last few nights until 2/3am and have had limited time, just mostly working on the computer in between other things.

I want to express my appreciation for all of the help. I'm sure there is still more to fix, but I am just so glad that explorer is working now. It makes things a lot easier =p.

The forums don't want to load my avenger log just yet for some reason, says upload error, so I will wait a few minutes and try again.

TimW · Jul 3, 2007

Not a problem!!

Please uninstall:
Counterspy ---> as we are finished with it.
RegistryFix v6.2 ---appears to be warezx ....

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {B255D5A9-6FC9-4664-AFEA-681FE15D199b} - C:\WINDOWS\system32\qvghvody.dll (file missing)
Click to expand...

After clicking fix, exit HJT.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT 4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B255D5A9-6FC9-4664-AFEA-681FE15D199b}]

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=-
Click to expand...

Now attach logs for:
HJT
GetRun

Primrose · Jul 4, 2007

New logs

TimW · Jul 4, 2007

Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

Primrose · Jul 15, 2007

Okay, sorry to bump up this thread again, but explorer quit working again a couple of days later on this computer. Should I try a system restore to the point we made before? What could have gone wrong? The computer was restarted and it had maybe 2 internet sessions just to check the emails and explorer quit working again on the next restart.

Now, given that this computer hasn't had any service pack downloads from windows, could it be possible that this is a vulnerability in windows? Thanks again.

TimW · Jul 16, 2007

Primrose said: ↑

Now, given that this computer hasn't had any service pack downloads from windows, could it be possible that this is a vulnerability in windows? Thanks again.
Click to expand...

Yes..I would do a system restore to the "clean state" and then you definitely need to get SP2 .... xp sp2

You may wish to run these scans before you apply the service pack, after you do the system restore:
ShowNew
GetRun
HJT

Explorer doesn'twork - need advice fast

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

Primrose Private E-2

Attached Files:

Primrose Private E-2

Attached Files:

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

Attached Files:

Primrose Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

Attached Files:

Primrose Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

Attached Files:

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Primrose Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member