• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 837
  • Last Modified:

Virus - Explorer.exe not found

A clients computer has been infected with a virus and when booting into Windows, has no desktop. One sees the background and after a while the screensaver. (This was only after fixing a log off issue caused by the virus, were the computer logged into a Windows profile and then immediately logged out. This needed a clean wininit file and registry edit to resolve.)

CTRL-ALT-DELETE for Task Manager (henceforth TM) --> Run --> Explorer.exe got an error (paraphrase) "Exlorer.exe can't be found". Trying regedit got a (para) "Registry editing has been turned off. Need admistrator privileges." UBCD4Win and the included Adware took care of that regedit issue. Google said, that to solve the explorer.exe issue, one needs to edit the Registry key as follows: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution.options
 
Under this key there will be subkeys named explorer.exe and iexplorer.exe. Delete the explorer and iexplorer keys entirely. They should not be listed under the Image File Execution.Options key."

The problem is that Registry key doesn't exist on this system! I've seen other people say the same thing, that they can't find the offending key, on various forums and as yet, have seen no solution suggested. (I saw a TechNet forum post that suggested a winlogon registry key to be checked for a bad Shell value, but the value is correct on this system.)

What is causing the lack of desktop (no shell) and how do I fix it? Failing that, short of removing the HD and attaching to another computer, is there a way to connect to the internet and download other antivirus programs on this system? (iexplorer.exe does not work from TM --> Run, but is there some cmd window that can?)

Thanks!


 
0
ssvarc
Asked:
ssvarc
  • 9
  • 8
  • 5
  • +2
1 Solution
 
IntegrityOfficeCommented:
try running combofix ( possibly in safe mode although not recommended sounds like you do not have too much to loose )
0
 
Sudeep SharmaTechnical DesignerCommented:
It could be just the files and folders are hidden, so try running this in Normal mode and if you are unabel to run it in Normal mode then try running it in safe mode

http://download.bleepingcomputer.com/grinler/unhide.exe

Sudeep
0
 
ssvarcAuthor Commented:
IntegrityOffice:

How do I get Combofix onto the computer to run it, without infecting a USB key (iow: without downloading onto another system and then transferring via USB key, infecting said USB key in the process and any other computer where the USB key is next inserted, creating triple the amount of work)?

Is there a way to download via a cmd window?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
ssvarcAuthor Commented:
SSharma:

How do I get to that program to run it? Remember I have no shell, no start button, no explorer, no takbar, etc
0
 
IntegrityOfficeCommented:
You could pop combofix onto CD, does the system start in safe mode with netowrking you could download it that way?

also can you do a system restore and roll system back to a good date?
0
 
IntegrityOfficeCommented:
This is also really cool and go tme out of a few holes.
http://support.microsoft.com/kb/307545
0
 
Sudeep SharmaTechnical DesignerCommented:
You could use BartPE to boot, add the executable to the boot CD and then run the executable:

http://www.nu2.nu/pebuilder/

I hope that would help

Sudeep
0
 
willcompCommented:
I just finished with one that may have had the same malware along with a bunch of others. I was able to run iexplore (Internet Explorer) using Task Manager and then install MBAM and update it manually -- once again using iexplore and a make-do file manager. Had to rename MBAM for it to run. MBAM found over 300 infected items with most related to MyWebSearch but there were at least 2 fake AVs and several trojan downloaders as well.

After running MBAM, copied explorer.exe to the Windows folder but it did not run properly and was deleted after running. At that point, decided to use restore partition and do a clean install of XP. PC was an older Compaq that saves user files when it does a re-install so was rather painless. I was looking at a repair install at a minimum to replace missing/corrupt files.

I did not run ComboFix but it should run without any problems using iexplore. Be sure to rename ComboFix while downloading. It can be run from a flash drive. The flash drive I used was not infected but you can reformat your flash drive if you have concerns.

Let me know if you have any questions.
0
 
willcompCommented:
Typo:

"using iexplore and a make-do" should be "using iexplore as a make-do"
0
 
younghvCommented:
If the suggestion from 'willcomp' allows you to run executables (TM with iexplore as a make-do file manager), you should be able to run the tools you need.

Using a clean computer, download the following applications and use the IE "Save As" function to rename all of them before the save:
Download one of the "Rogue Killer" applications, Malwarebytes, and ComboFix - then burn them to CD (preferred) or USB stick.

The first preference is to then copy the executables over to the infected computer, but you may have to try to run the installation for them from the CD/USB.

*************
RogueKiller: http://www.geekstogo.com/forum/files/file/413-roguekiller/ 
or
TheKiller
•Download TheKiller to your Desktop
http://www.osvemu.com/thekiller/explorer.exe

•Note that TheKiller is renamed as explorer.exe
•Run it by double click
•Press OK button after program finish
•Do not restart your system after this step, but immediately run the next scan:
MalwareBytes, TDSSKiller, ComboFix
************
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
The instructions are included right in that link.

If you need to manually download the latest update, use this link:
http://data.mbamupdates.com/tools/mbam-rules.exe
*****************
ComboFix by sUBs:(and attach the resulting log) http://download.bleepingcomputer.com/sUBs/ComboFix.exe
If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
*****************

We have several articles published here on EE for fighting malware, so take a read through some. You may find some techniques that will help you work through this.

http://www.experts-exchange.com/A_1995.html (IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:)
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)
0
 
ssvarcAuthor Commented:
I made a CD with TheKiller, MBAM, Superantispyware, and ComboFix. Some of them don't run, i.e. ComboFix doesn't, even after running TheKiller. MBAM and Superanti, on their first run fount stacks of issues, and on subsequent passes those are gone, but there is still no desktop (shell, file explorer, etc.).

This must be caused by a registry key somewhere, no? Can someone help me track it down?

Thanks!
0
 
ssvarcAuthor Commented:
IntegrityOffice:

Restoring the registry pulls it out of System Restore, which is a prime canditate for infection. Chances are that I'll be putting back in the same registry I'm getting rid of. Further, in the different scans that I've run up to this point, I've seen explicit references to System Restore locations being deleted by the scans, so A) this reinforces the above, B) I'm worried that I'll be putting in a corrupted registry (iow, a registry that won't work).

Your thoughts?
0
 
ssvarcAuthor Commented:
One last point...

On the CD taht I made, I placed both regular and renamed copies of ComboFix and TheKiller. The renamed ComboFix didn't run as well.
0
 
ssvarcAuthor Commented:
willcomp:

You wrote "using iexplore as a make-do file manager". What syntax did you use for iexplore? (iexplore, iexplore.exe, iexplorer, iexplorer.exe in the Run dialog didn't work for me.)
0
 
willcompCommented:
iexplore in Task Manager (New Task --> Open)

Note that explorer.exe was missing in my case. Registry won't fix a missing file. Try copying explorer.exe from a PC with same SP installed. It is located in the c:\windows folder.
0
 
willcompCommented:
I had to be in safe mode to use IE.
0
 
ssvarcAuthor Commented:
And the syntax was, in TM --> Run --> iexplore, no .exe? That seems to be what your saying but you're not being explicit. I gave four options above that I have tried, the one your telling me about is the first, and it did not work for me.

I will try to get a copy of explorer.exe, we'll see where that goes. However, you write, "Try copying explorer.exe from a PC with same SP installed". You're still not explicit enough with the followup steps. Do I attempt to run it from the CD? Do I copy it to the virus infected computer? If the latter, how do I go about this? Remember, at this point I don't have explorer, that is why I'm copying it. No shell, no file manager, etc.

About ready to pull HD and scan from another computer (which I don't like to do because of the possibility the virus will infect the other computer as well - this has happened and then there is a larger mess to cleanup).
0
 
willcompCommented:
I think iexplore is specific enough. You can also enter iexplore.exe. Either one will work.
0
 
willcompCommented:
You can copy explorer.exe using a flash drive and a boot CD such as Bart PE or UBCD4Win (my preference). If the malware is still active, it will disable or delete explorer again. I've seen quite a bit of malware but this was a new one and difficult to remove. Wish now that I had spent more time trying to clean the PC rather than re-installing the factory image.
0
 
willcompCommented:
One other thing that may work is to use a file manager other than explorer that does not require installation. a43 should work. You'll need to extract and copy to a flash drive then run it using Task Manager. http://www.alterion.us/a43/
0
 
IntegrityOfficeCommented:
Yes sys restore is often corrupted too, however there maywell be a backup in the folder mentioned in the article that will get you going again. Also it sounds like you are fairly stuffed and that you are going to have to stick the drive in another PC so, maybe it is worth giving the reg restore a quick go, it does not take too long.

0
 
willcompCommented:
I'm leaving in the morning for a little R&R and won't be readily available. Will check in from time to time and see how things are progressing.
0
 
IntegrityOfficeCommented:
by the way have you run regedt32.exe instead of reg edit you get different level of access to the reg by using the menu across the top.
0
 
ssvarcAuthor Commented:
Well, I finally bit the bullet and went for a data transfer an reformat/reinstall. The steps mentioned above (specifically, copying over files from other windows installations) got me back a working shell, so some knowledge was gained in this excerise that might be used on other computers.
0
 
ssvarcAuthor Commented:
I'm keeping this question around for the knowledge contained in some of the answers. But there was no solution here as the computer remained infected, and needed a reformat/reinstall.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

  • 9
  • 8
  • 5
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now