Explorer Does Not Run on Startup; Opens a Window to My Documents

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bowiehero, May 27, 2009.

  1. bowiehero

    bowiehero Private E-2

    Hello,

    I've recently run in to a problem with an XP SP3 computer.

    Backstory:

    It had become severely infected. My browsers were being hijacked, and programs were unable to run. I attempted to install malwarebytes, but I didn't succeed; it would fail at "finishing installation". After that, I installed Hijackthis and noticed several strange key entries. At that point, I ran combofix which managed to find 12 or so rootkits, and had to reboot the computer in order to clean them.

    I did so, and on reboot, my AVG 8.5 began popping up with several virus notifications. I told AVG to remove all of the threats it found. I was able to install Malwarebytes and update and run it. It found about 47 infected objects and was able to remove them all with a reboot.

    At this time, I began noticing that on reboots, explorer was no longer starting. All that opens on startup is a folder window to "My Documents". If I then try to run explorer from the command line, another duplicate "My Documents" window appears. If I close all of the "My Documents" windows, and then run explorer, I am able to view the desktop as normal. This happens on any user profile I log in with, and also in safe mode. Any scans I now perform show no infections. Afterwards, I ran MGtools, but it appeared to have no effect. I also ran CCleaner to check for registry errors, but again, no noticeable effect.

    I have checked many sources as to why this might be happening. There is no entry for explorer in my startup folder, nor in msconfig (it is set to normal startup). In the registry, my value for shell in Current User-MS-Windows NT yadda-Winlogon is "Explorer.exe", and Userinit is "C:\windows\system32\userinit.exe,". Minus the quotes, of course.

    Long story short: On boot, explorer no longer starts. The only thing visible on startup is a folder window to "My Documents" of the current user. If I then try to run explorer from the command line, another duplicate "My Documents" window appears. If I close all of the "My Documents" windows, and then run explorer, I am able to view the desktop as normal.

    Any assistance would be appreciated. My restore points were deleted as I mistakenly thought I was out of the woods once combofix and malwarebytes completed their scans and found nothing. Attached are the combofix, malwarebytes, and mgtools logs.

    I apologize for jumping the gun on using these tools; I'm used to malware/virus removal being much simpler. In doing so, I made the problems on this computer a lot worse.

    Thanks!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to install and run SUPERAntiSpyware as requested in our cleaning instructions.

    You also need to refer to step 1 of the READ & RUN ME and uninstall the Viewpoint software that you still have installed, and also you need to uninstall the 7 old versions of Sun Java that you have installed and then install the current version. This was all covered in step 1. If you are having a problem doing this because you could not figure out how to run Add/Remove Programs without having a Desktop then you can simply run Task Manager and click File, New Task (Run...) and enter appwiz.cpl in the box and click ok.

    Then you will need to run MGtools again and attach a new MGlogs.zip file.

    Do you know what the below startup processes are?

     
    Last edited: May 27, 2009
  3. bowiehero

    bowiehero Private E-2

    Thank you for your response. I'll try and get the new logs up as soon as possible after performing the required tests.

    It will take me a little bit as I currently don't have access to the computer. I'll continue the procedures as soon as I can.

    I'm afraid I don't know what those processes are off the top of my head.

    They were disabled on selective startup, but enabled again when I switched it back to normal startup.
     
    Last edited: May 27, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! Keep your system in normal startup mode. We will remove these during our cleaning processes. I was betting that they were not valid processes.
     
  5. bowiehero

    bowiehero Private E-2

    Good morning, chaslang.

    Thank you again for helping me with this problem.

    I have removed the Java and Viewpoint software, and am running the complete scan with SUPERAntiSpyware now.

    I should have the logs you need presently.
     
  6. bowiehero

    bowiehero Private E-2

    Please find attached the latest SUPERAntiSpyware logs and MGtools logs.

    Thank you.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {CFBB8D46-47FD-4D71-A9EF-D303AD7FB88D} - (no file)
    O4 - HKLM\..\Run: [newbreed] forces_elite.exe
    O4 - HKLM\..\Run: [ATLIEHELPER] NopeZ.exe
    O4 - HKCU\..\Run: [utsgmon] Testimonials.exe
    O4 - HKCU\..\Run: [forces_elite] UserSp1.exe
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now although you are using AVG for your antivirus, you still have leftovers from Symantec. Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Carol Warren.WARRENUPSTAIRS\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
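The two things this thread inspects by hand, the Winlogon Shell/Userinit values from the first post and the O4 Run entries in the HijackThis list above, can be audited read-only with the following script. It is an added example, not part of the thread or of MGtools/HijackThis; it assumes XP/Vista defaults (Shell = Explorer.exe, Userinit = %SystemRoot%\system32\userinit.exe with its trailing comma) and only reports, it changes nothing.

```powershell
# Added example: audit Winlogon shell values and Run keys; report only, never modify.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed defaults for XP/Vista; Userinit keeps its trailing comma.
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Resolve-CommandFile([string]$command) {
    # Take the executable part of a Run value (quoted path or first token),
    # expand %VARS%, then try the literal path and a PATH lookup.
    if ($command -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return $exe }
    $hit = Get-Command $exe -ErrorAction SilentlyContinue
    if ($hit) { return $hit.Definition }
    return $null
}

foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in 'Shell', 'Userinit') {
        $value = $item.GetValue($name)
        if ($null -eq $value) { continue }          # HKCU normally has neither value
        $status = if ($value -ieq $expected[$name]) { 'default' } else { 'REVIEW: non-default' }
        # A per-user override is legitimate only if an admin or policy set it on purpose.
        if ($key -like 'HKCU:*') { $status = 'REVIEW: per-user override' }
        '{0,-26} {1}\{2} = {3}' -f $status, $key, $name, $value
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $file = Resolve-CommandFile $cmd
        # Entries whose target cannot be found match HijackThis's "(no file)" condition.
        $status = if ($file) { 'present' } else { 'REVIEW: (no file)' }
        '{0,-26} O4 {1} [{2}] {3}' -f $status, $key, $name, $cmd
    }
}
```

Lines marked REVIEW are candidates to compare against a known-good machine before anything is removed; a bare filename such as forces_elite.exe that resolves through PATH still warrants a look at where it resolved to.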
     
  8. bowiehero

    bowiehero Private E-2

    Hello again chaslang,

    I have completed the work with HijackThis, and am waiting for ComboFix to complete its processes.

    EDIT: I should have the logs and status report shortly.

    Thank you again for all the help you've given me!
     
    Last edited: May 28, 2009
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Make sure that along with the new logs you tell me how things are working.
     
  10. bowiehero

    bowiehero Private E-2

    Please find attached the latest ComboFix and MGTools logs.

    The computer seems to be working perfectly OK now. On boot, the computer goes directly to the desktop, and I no longer have to manually run explorer.

    I had an issue with the DNS not resolving (I couldn't visit any websites by domain name, but if I hit them by IP, I could), but repairing the LAN connection corrected that.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks much better but there is a little more to do.



    Now we need to use ComboFix to remove some more malware
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  12. bowiehero

    bowiehero Private E-2

    Attached are the latest logs.

    Things are working as well as they were at last update.

    I don't notice anything overtly wrong with the computer or its performance.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  14. bowiehero

    bowiehero Private E-2

    Very good.

    I've taken the remaining steps.

    Thanks so much for your help!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
