11 replies to this topic

[Bbow]

Hi all,

After restarting my computer after a scan, my windows bootup is not loading explorer.exe anymore.
I can see my desktop wallpaper but nothing else. I can get into taskmanager and access all programs that way, apart from windows explorer.

This is the start of the logfile, which I think may be the cause of the problem.

Malwarebytes' Anti-Malware 1.31
Database version: 1478
Windows 5.1.2600 Service Pack 3

10-Dec-08 10:56:16
mbam-log-2008-12-10 (10-56-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 160927
Time elapsed: 57 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mt49hub.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

When I try to start explorer manually it says it cannot locate the file. I locate the file under Windows and try again, but again get the same error. Very strange!

Does anybody know how to fix this?

I do have an old drive with the same winXP on it (but probably fewer updates). Could I possibly copy the old explorer.exe file over to my current HDD?

Many thanks,

Bbow

[nosirrah]

Quote

I locate the file under Windows and try again, but again get the same error

So explorer is not deleted then right ?

Quote

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

What this would do is to run a different program instead of explorer whenever explorer was run . My guess is that for some reason this value did not actually get fixed .

If you are familiar with regedit you could navigate to that key and make sure that it has been deleted , if its still there , there will be no way to run explorer .

You can test this by copying explorer to a different folder , renaming it and then running it . If that works it confirms my suspicions .

[Bbow]

nosirrah, on Dec 16 2008, 02:00 AM, said:

So explorer is not deleted then right ?



What this would do is to run a different program instead of explorer whenever explorer was run . My guess is that for some reason this value did not actually get fixed .

If you are familiar with regedit you could navigate to that key and make sure that it has been deleted , if its still there , there will be no way to run explorer .

You can test this by copying explorer to a different folder , renaming it and then running it . If that works it confirms my suspicions .

Ok, I located the file, copied it to a different folder, renamed it and when I open it it does start explorer in My Documents only, not the taskbar and there's still no icons on the desktop.

So it clearly hasn't actually deleted it then...it just won't work for some reason...

[nosirrah]

Quote

.it just won't work for some reason

Quote

My guess is that for some reason this value did not actually get fixed .

I mentioned the reason , also if you restored from quarantine this reg entry it is for sure the cause of the problem .

I am making a file for you to fix what I suggested above automatically , download and unzip it somewhere easy to find . This is not an executable so you will have to change "File of type:" from "Programs" to "All files" while browsing with taskmanager for the file I created for you . Once you run it accept the merge and then reboot and report back .

Attached Files

•  fix.zip   291bytes   155 downloads

[Bbow]

nosirrah, on Dec 16 2008, 12:53 PM, said:

I mentioned the reason , also if you restored from quarantine this reg entry it is for sure the cause of the problem .

I am making a file for you to fix what I suggested above automatically , download and unzip it somewhere easy to find . This is not an executable so you will have to change "File of type:" from "Programs" to "All files" while browsing with taskmanager for the file I created for you . Once you run it accept the merge and then reboot and report back .

Wow! Many thanks for doing that, I really appreciate your help.

Now, before I do that. I made a shell entry (under WinNT\currentversion\winlogon, binary data is explorer.exe) in the registry (I read somewhere that this might fix it, it didn't).

Do you want me to remove the Shell entry I made in the Reg? to prevent any issues?

[Bbow]

also I did not restore anything from quarantine.

[nosirrah]

Quote

Do you want me to remove the Shell entry I made in the Reg? to prevent any issues?

There should be only one explorer load point here :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

If this is the one you created everything should be fine , if you created a second one then it wont break anything but it will launch a second explorer instance but not in shell mode .

[Bbow]

nosirrah, on Dec 16 2008, 02:08 PM, said:

There should be only one explorer load point here :

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

If this is the one you created everything should be fine , if you created a second one then it wont break anything but it will launch a second explorer instance but not in shell mode .

YES!!!! It's fixed!

I have no idea how you did it or what that reg-file did, but it fixed it!

executed the reg-file, rebooted. Initially there was a screen saying that Windows was unable to restore to the 16th of December 2008, closed that window and then it booted normally.

Initially there was no background and a few seconds later it appeared...what a beauty!

So what did that reg-entry do then?


Can't thank you enough!

[CinDee Parz]

Thank you for the zip file fix! I was SLAMMED at work on April 1 with about 20 different rogue software viruses and after all of the scans, fixes, etc., everything seemed finally gone, but what is listed above is exactly what happened - desktop background with no explorer. I have been working for a week through task manager and it was driving me crazy! After being ignored by the IT person at work for the last 3 days, I finally came on here and found exactly what I needed.

I am in eternal debt!!!!!

[angelbaby]

nosirrah, on Dec 16 2008, 01:53 PM, said:

I mentioned the reason , also if you restored from quarantine this reg entry it is for sure the cause of the problem .

I am making a file for you to fix what I suggested above automatically , download and unzip it somewhere easy to find . This is not an executable so you will have to change "File of type:" from "Programs" to "All files" while browsing with taskmanager for the file I created for you . Once you run it accept the merge and then reboot and report back .

can i load this registry editor on boot up cos task manager wont load i aint gotta disk and not getting nothing on desktop please help

[angelbaby]

i have downloaded the registry editor zip file but ive got no access to task manager and nothing on desktop will load can i instal this file on boot up?? please help

[Jacktivity]

Hi angelbaby and Welcome to Malwarebytes

This fix was for a completely different problem than you are having. Since you obviously won't be able to post any logs, please also note the instructions at the bottom in green.


If you're having Malware related issues with your computer that you're unable to resolve.

• Please read and follow the instructions provided here: I'm infected - What do I do now?
  
• If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  
• When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.