Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Explorer.exe missing + Blank Desktop [CLOSED]


  • This topic is locked This topic is locked

#1
superdan54

superdan54

    Member

  • Member
  • PipPip
  • 28 posts
Hi,

My brother-in-law made the mistake of connecting to a campus network w/out any virus protection and sure enough the second he was connected he was barraged with a nasty virus that wiped out/corrupted his explorer.exe. I'm trying to help him fix it but I am running out of options. Right now the PC loads very slowly before bringing up the desktop wallpaper but nothing else. I can manually start commands (cmd,regedit,etc...) but I CANNOT run IE or Explorer as it says they are missing. I was able to successfully run safe mode for a while, and so I installed AVG & Ad-Aware, but now even safe-mode has been corrupted. I've also tried the following to no avail:

1. Ad-Aware

2. Installed AVG w/ updates and scanned for potential worms

3. Removed Obvious Malware offenders via HiJackThis/msconfig

4. Ran various Virus Removal tools for explorer.exe viruses (e.g. MyDoom)

5. Re-installed Windows

My last resort is to format the drive, but I REALLY don't want to do that as he has 8+ GB of music and other stuff, and since I only have a laptop I'd have to find an IDE adapter. So any help with this would be GREATLY appreciated!

Thanks!

Current HiJackThis Log:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
a:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://clinic.mcafee...stalltype=force (obfuscated)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} - http://download.micr...D0C/wmv9dmo.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
  • 0

Advertisements


#2
superdan54

superdan54

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
on looking at the HiJack log again...I think its actually the userinit.exe that has been compromised. I will try and get an original copy from the CD.

if anyone else has experienced this problem and has other suggestions, I would definetely love to hear them!
  • 0

#3
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Welcome to Geeks to Go!

Please do not do anything else with the HiJackThis log until instructed...

Userinit.exe is not the culprit, so it is uneccessary to replace the file.

I know exactly what is causing the problem, explorer is not actually gone and either is Internet Explorer, I assure you :tazz:

Download FixO.exe to your desktop.
  • Double-click FixO.exe to install the program.
  • After it's installed, open the FixO folder and double-click FixO.bat.
  • When it's done running a notepad will appear with a log, please copy the contents of the notepad and paste it into your next reply.
  • Reboot your computer and post a new HiJackThis log (including the FULL header which was cut off on the last one) so we can finish cleaning up!

Edited by Michelle, 30 August 2005 - 12:15 AM.

  • 0

#4
superdan54

superdan54

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thank you SOOOOOOOO Much!! The desktop has reappeared and everything is just great, except the fact that I got around 2 hrs sleep b/c of this. Oh well, sorry for getting a little trigger happy there earlier.

Here's the check log from the Startpage virus removal tool:


running from ---
C:\Documents and Settings\James Schierman\Desktop\FixO

StartPAge.O Removal batch 1.00

by miekiemoes

같같같같같같같같같같같같같같같같같같같같같같같같같같
existing bad files:
-----------------------------------------------------
XMLLIBUI.exe present
winadvt.dll present
C:\WINDOWS\hosts present


existing important bad keys:
-----------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\explorer32dbg.exe"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\iexplore_dbg.exe"



Merging Registry----------


Deleting Files-------------


Searching for files not deleted:
-----------------------------------------------------


Searching for keys not deleted:
-----------------------------------------------------


And the Hijackthis Log (which yes I did have to update)

Logfile of HijackThis v1.99.1
Scan saved at 5:01:23 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Cacheman\Cacheman.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clinic.mcafee...stalltype=force (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Cacheman] C:\Program Files\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

Thanks Again!!!
->dan
  • 0

#5
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're very welcome! :tazz:

Do you have anything disabled in msconfig? If so, please enable normal startup then post a new HiJackThis log.

I thought you said you installed AVG? It's not showing up in the log anywhere.
  • 0

#6
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP