C:/Explorer.exe does not start on startup!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Wrenchman, Dec 9, 2008.

  1. Wrenchman

    Wrenchman Private First Class

    Hi MG, long time no problem!

    Ok so let me cut the cr*p and get right to it!

    C:/Explorer.exe does not start on startup!

    There are 2 accounts, one for me and one for my wife;
    when I log in on one of these two accounts, the computer
    starts without the desktop bar and items!

    I have to do the Ctrl+Alt+Del explorer trick, luckily I knew
    about this, otherwise I wouldn't be here right now, now
    would I?

    Here's what happened: some kind of virus popped up on my
    screen in a strange language, a grey box with a blue bar
    on top that says "Pray", so I did a scan, I don't remember
    which one I did, I think it was S&D that found it!

    I didn't pay too much attention but I did notice that the
    problem was in explorer, without thinking twice I asked
    for it to repair, next thing I know, the computer starts
    without explorer, and the "Pray" virus/spyware/trojan/
    worm thing still pops up every now and then!

    Any clues on this one?
    Should I post a HJT?

    :)

    Wrenchman
     
  2. Wrenchman

    Wrenchman Private First Class

    Hi again, it's me...Wrenchman! :-D

    I managed to take a snapshot of the virus/whatever thing!
    [screenshot of the pop-up box]
    You've gotta love the timing! ;)

    :)

    Wrenchman
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Windows Explorer is not located there. It is located at C:\Windows\explorer.exe


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  4. Wrenchman

    Wrenchman Private First Class

    Alright here we go!

    It gave me this when I tried to upload:
    SUPERAntiSpyware Scan Log - 12-12-2008 - 18-19-21.log.lnk:
    Invalid File
    It's not supposed to have the .LNK, is it? Is that a virus then?

    :)

    Wrenchman
     

    Attached Files:

  5. Wrenchman

    Wrenchman Private First Class

    Three more logs!

    The Information.txt is from RemoveIT Pro XT2 - SE!
    It found a bunch of viruses, have a look! (this log was made today, 14 Dec.)

    Also, let me add a small detail in addition to my first post:

    I asked RemoveIT Pro to search for viruses on the c:\drive
    (the c:\drive is now the e:\drive), here's how:

    So it found 3 or 4 viruses, and I asked it to fix them, then after a reboot it
    wouldn't log on!

    Actually it would log on but before you could count to three, it would log off
    again!

    Instead of formatting the whole thing
    (didn't want to lose important information) I bought another hard drive, this
    hard drive is now the c:\drive (I bought it used, with XP and everything
    else on it already installed)

    My plan is to clean the e:\drive using the c:\drive and then format/use the
    c:\drive as a backup with Win XP in case I get attacked again!

    The computer now has two hard disk drives and it's the e:\drive that has a
    virus which, until now, hasn't manifested itself! (see picture in second post)
    (the c:\drive might have a few issues too)

    :)

    Wrenchman
     

    Attached Files:
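    Editor's added example (not part of any post in this thread, and not code from MajorGeeks or from any of the tools in the READ & RUN ME). It ties together two things said above: chaslang's point that Windows Explorer lives at C:\Windows\explorer.exe, and the log-on-then-straight-back-off behaviour after RemoveIT "fixed" things. Both are decided by two values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Shell (XP default "Explorer.exe") and Userinit (XP default "C:\WINDOWS\system32\userinit.exe," with the trailing comma). Both are comma-separated lists, and a per-user Shell under the same path in HKCU is honoured too, so an extra entry or a path outside the Windows directory is a logon hijack (ATT&CK T1547.004), while a missing explorer.exe with the values intact gives a logon with no taskbar or desktop. The function names, message strings and the sample paths in the test are assumptions for the example; the registry paths and XP defaults are real.

```python
r"""Check the Winlogon values that decide what starts at logon.

Added example for the thread; not from MajorGeeks or any of its tools.
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Shell    = "Explorer.exe"                         (XP default)
      Userinit = "C:\WINDOWS\system32\userinit.exe,"   (trailing comma is normal)
The same Shell value under HKCU is honoured per user.
"""
import ntpath
import os
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_list(value):
    """Winlogon values are comma-separated; return the non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def assess_winlogon(shell, userinit=None, system_root=r"C:\WINDOWS",
                    per_user=False, existing_files=None):
    """Return a list of findings; an empty list means nothing looks wrong.

    shell, userinit  raw registry strings, or None when the value is absent
    system_root      Windows directory of the install being checked, with no
                     trailing backslash (e.g. E:\WINDOWS for an offline drive)
    per_user         True for the HKCU copy: Shell is optional there and
                     Userinit is not checked
    existing_files   lowercase paths known to exist on that disk (offline drive
                     or test); None means ask the local filesystem
    """
    findings = []

    def exists(path):
        if existing_files is not None:
            return path.lower() in existing_files
        return os.path.exists(path)

    def in_dir(path, directory):
        return ntpath.dirname(path).lower() == directory.lower()

    if shell is None:
        if not per_user:
            findings.append("Shell value missing: Winlogon starts no shell at logon")
    else:
        for entry in split_list(shell):
            if ntpath.basename(entry).lower() != "explorer.exe":
                findings.append(f"extra shell entry: {entry}")
            elif ntpath.isabs(entry) and not in_dir(entry, system_root):
                findings.append(f"explorer.exe loaded from outside SystemRoot: {entry}")

    if not per_user:
        expected = ntpath.join(system_root, "explorer.exe")
        if not exists(expected):
            findings.append(f"{expected} is missing (deleted by a cleaner?)")

        system32 = ntpath.join(system_root, "system32")
        if userinit is None:
            findings.append("Userinit value missing: every logon will log straight off again")
        else:
            for entry in split_list(userinit):
                if ntpath.basename(entry).lower() != "userinit.exe":
                    findings.append(f"extra userinit entry: {entry}")
                elif ntpath.isabs(entry) and not in_dir(entry, system32):
                    findings.append(f"userinit.exe loaded from outside system32: {entry}")
    return findings


def read_live_values():
    """On Windows, read Shell and Userinit from HKLM and HKCU; elsewhere {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                        ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            key = winreg.OpenKey(hive, WINLOGON_KEY)
        except OSError:
            continue                      # no per-user Winlogon key is normal
        with key:
            values = {}
            for name in ("Shell", "Userinit"):
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except OSError:
                    values[name] = None   # value absent
        found[label] = values
    return found


if __name__ == "__main__":
    for label, values in read_live_values().items():
        findings = assess_winlogon(values["Shell"], values["Userinit"],
                                   per_user=(label == "HKCU"))
        for line in findings or ["nothing unusual"]:
            print(f"{label}: {line}")
```

    To run it against the old drive that is now E: rather than the booted one, load that drive's hive as an administrator with `reg load HKLM\old E:\WINDOWS\system32\config\software`, read Shell and Userinit from HKLM\old\Microsoft\Windows NT\CurrentVersion\Winlogon, and pass them to assess_winlogon with system_root=r"E:\WINDOWS". Findings are advisory: the check only says what Winlogon will launch, not whether that file is clean.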

  6. Wrenchman

    Wrenchman Private First Class

    I hate to do this, but, when you have a virus on your computer,
    you get kind of nervous!

    Sorry about that, please don't hate me...
    (I'm toasted!)

    :)

    Wrenchman
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do what?? You mean post this extra unnecessary message to bump!! This just cost you almost 3 more days. See the stickies: Don't Bump! It Only Hurts You!!!


    Rename the file to not have the .LNK at the end of it. It should only be a .log file. Then attach it.

    DO NOT RUN RemoveIt Pro. It is junk and is full of false positives. You don't need this program as the ones we gave you in the READ & RUN ME are much much much.....much better. Uninstall this now!!!! All of the below detected by it are WRONG and totally misleading irresponsible reports. Anyone who knows anything about malware removal would know what they are. These are all useful tools. Some are used by SmitFraudFix and or ComboFix and or other tools and or even MGtools (but we keep most of ours in c:\mgtools ).

    Infected with Sys32.grep - File C:\WINDOWS\grep.exe
    Infected with Sys32.impborl - File C:\WINDOWS\impborl.dll
    Infected with Sys32.nircmd - File C:\WINDOWS\nircmd.exe
    Infected with Sys32.sed - File C:\WINDOWS\sed.exe
    Infected with Sys32.swreg - File C:\WINDOWS\swreg.exe
    Infected with Sys32.swsc - File C:\WINDOWS\swsc.exe
    Infected with Sys32.swxcacls - File C:\WINDOWS\swxcacls.exe
    Infected with Sys32.vfind - File C:\WINDOWS\vfind.exe


    You need to update Malwarebytes and run a new scan. Make sure that you have the correct version and updates for SUPERAntiSpyware too.


    What are the below files for, and why are they being saved in the base C:\Documents and Settings folder??? They should not be here!! If you need them, move them somewhere else. Otherwise delete them.
    Code:
    2008-11-24 12:01 . 2008-11-24 12:01 1,664,984 --a------ c:\documents and settings\Adm(33).mp3
    2008-11-24 12:01 . 2008-11-24 12:01 1,085,379 --a------ c:\documents and settings\Adm(32).mp3
    2008-11-24 12:01 . 2008-11-24 12:01 911,717 --a------ c:\documents and settings\Adm(31).mp3
    2008-11-24 12:00 . 2008-11-24 12:01 1,694,137 --a------ c:\documents and settings\Adm(30).mp3
    2008-11-24 12:00 . 2008-11-24 12:00 1,321,735 --a------ c:\documents and settings\Adm(28).mp3
    2008-11-24 12:00 . 2008-11-24 12:00 1,248,384 --a------ c:\documents and settings\Adm(29).mp3
    2008-11-24 11:57 . 2008-11-24 11:57 1,997,262 --a------ c:\documents and settings\Adm(26).mp3
    2008-11-24 11:57 . 2008-11-24 11:57 1,879,084 --a------ c:\documents and settings\Adm(25).mp3
    2008-11-24 11:57 . 2008-11-24 11:58 1,874,695 --a------ c:\documents and settings\Adm(27).mp3
    2008-11-24 11:56 . 2008-11-24 11:56 2,055,254 --a------ c:\documents and settings\Adm(23).mp3
    2008-11-24 11:56 . 2008-11-24 11:57 1,907,923 --a------ c:\documents and settings\Adm(24).mp3
    2008-11-24 11:56 . 2008-11-24 11:56 1,662,790 --a------ c:\documents and settings\Adm(22).mp3
    2008-11-24 11:56 . 2008-11-24 11:56 1,598,215 --a------ c:\documents and settings\Adm(21).mp3
    2008-11-24 11:55 . 2008-11-24 11:55 2,086,287 --a------ c:\documents and settings\Adm(19).mp3
    2008-11-24 11:55 . 2008-11-24 11:56 1,905,729 --a------ c:\documents and settings\Adm(20).mp3
    2008-11-24 11:55 . 2008-11-24 11:55 1,651,819 --a------ c:\documents and settings\Adm(18).mp3
    2008-11-24 11:54 . 2008-11-24 11:55 1,919,208 --a------ c:\documents and settings\Adm(17).mp3
    2008-11-24 11:54 . 2008-11-24 11:54 1,832,377 --a------ c:\documents and settings\Adm(15).mp3
    2008-11-24 11:54 . 2008-11-24 11:54 1,745,232 --a------ c:\documents and settings\Adm(16).mp3
    2008-11-24 11:53 . 2008-11-24 11:53 2,342,705 --a------ c:\documents and settings\Adm(13).mp3
    2008-11-24 11:53 . 2008-11-24 11:54 1,910,431 --a------ c:\documents and settings\Adm(14).mp3
    2008-11-24 11:52 . 2008-11-24 11:52 2,095,378 --a------ c:\documents and settings\Adm(11).mp3
    2008-11-24 11:52 . 2008-11-24 11:53 1,979,394 --a------ c:\documents and settings\Adm(12).mp3
    2008-11-24 11:51 . 2008-11-24 11:52 2,958,046 --a------ c:\documents and settings\Adm(10).mp3
    What is the below folder for?
    Code:
    2008-11-14 15:13 . 2008-11-30 15:18 <DIR> d-------- c:\windows\system32\boys1024x768 dir
    You must put your PC into Normal Startup mode with MSconfig as requested in step 1 of the READ & RUN ME. Then reboot. After reboot, download the current version of MGtools ( get it here MGtools.exe ) Run it and attach a new MGlogs.zip file. DO NOT use MSconfig anymore except for temporary debugging. See the tips in step 1 of the READ & RUN ME.
     
    Last edited: Dec 18, 2008
  8. Wrenchman

    Wrenchman Private First Class

    Hi I'm back (vacation)

    SUPERAntiSpyware Scan Log Renamed.log.lnk:
    Invalid File

    We have a problem here > I renamed it as you can see but little did it help!

    The .lnk thing is not showing on my computer, it is only showing on >
    "MG Manage Attachments"

    The log file is a shortcut, don't ask, so I renamed it to a txt file!

    SUPERAntiSpyware Scan Log Renamed.log.txt.lnk:
    Invalid File

    It renamed itself again!

    The SUPERAntiSpyware Scan Log - 12-12-2008 - 18-19-21.log
    is the original file before I renamed it,
    to > SUPERAntiSpyware Scan Log Renamed.log
    is now > SUPERAntiSpyware Scan Log - 12-12-2008 - 18-19-21.log.txt

    The files you have shown in the C:\Documents and Settings folder look like mp3
    files! (music, no kidding)

    And the other folder that you asked about is, I believe, a screen saver,
    which I have now deleted!

    Did I mention that I have no sound, only a blip from the computer, but when I start the computer the "voice power on self-test" is working!
    I've read that that might be a virus, too!

    Oh, and I almost forgot, when I open the Opera browser, I get a warning, Cookie4.dat something tribalfusion from AVG F 8, I pressed heal but got a warning that some files could not be healed, so I deleted it myself including the .dat.bak file! Let's see if it helps!

    Malwarebytes and SUPERAntiSpyware Updated!

    The last step > Normal Startup mode with MSconfig:
    I'll try to look into that in a moment, you see, it's kind of complicated for a novice like me!

    :)

    Wrenchman
     

    Attached Files:
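    Editor's added example (not part of any post in this thread, and not a MajorGeeks tool) for the upload problem in the post above, where the file "renamed itself" back to .lnk. Explorer never shows the .lnk extension, even with "hide extensions" turned off (the lnkfile type carries a NeverShowExt value), so a shortcut called "scan.log.lnk" is displayed as "scan.log", and renaming it to "scan.log.txt" just produces "scan.log.txt.lnk". The same trick is why malware ships shortcuts that look like documents. The check below ignores the name and reads the bytes: a Shell Link starts with a 0x4C header size and the CLSID 00021401-0000-0000-C000-000000000046, and the LinkInfo block carries the local path the shortcut points at (MS-SHLLINK). The minimal .lnk builder is constructed test data so the example runs offline; real shortcuts contain more structures than it writes, and the function names are assumptions.

```python
"""Tell a real log file from a Windows shortcut that only looks like one.

Added example; not from the thread or from any MajorGeeks tool. Layout per
MS-SHLLINK: 76-byte ShellLinkHeader, optional LinkTargetIDList, optional
LinkInfo whose LocalBasePath is the ANSI path of the target.
"""
import struct
import sys

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# ShellLinkHeader.LinkFlags bits used here
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
# LinkInfo.LinkInfoFlags bit
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1


def parse_lnk(data):
    """Return {'flags': int, 'target': str or None} for a Shell Link, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList: u16 IDListSize followed by that many bytes
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:
        li = pos
        _li_size, _li_hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<5I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = li + base_off
            end = data.index(b"\x00", start)          # LocalBasePath is null-terminated ANSI
            target = data[start:end].decode("latin-1")
    return {"flags": flags, "target": target}


def describe(filename, data):
    """Verdict that combines the claimed name with what the bytes really are."""
    info = parse_lnk(data)
    if info is None:
        return f"{filename}: not a shortcut"
    where = f" -> {info['target']}" if info["target"] else ""
    return f"{filename}: Windows shortcut (.lnk){where}; upload the target, not this file"


def build_minimal_lnk(target_path):
    """Constructed test data: a bare Shell Link with only a LinkInfo/LocalBasePath."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))     # attributes, times, size, etc.
    path_bytes = target_path.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    li_hdr = 0x1C                                            # header without unicode offsets
    vol_off = li_hdr
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_bytes)
    li_size = suffix_off + 1                                 # CommonPathSuffix is one null byte
    link_info = struct.pack("<7I", li_size, li_hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path_bytes + b"\x00"
    return header + link_info


if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            print(describe(name, fh.read()))
```

    Run it as `python lnkcheck.py "SUPERAntiSpyware Scan Log.log"` (script name assumed): if it reports a shortcut, follow the printed target and attach that file; renaming the shortcut will never turn it into the log.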

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At this point I'm not even sure anymore what problem we are trying to solve.

    It took you too long to respond. Your SAS and MBAM are now still out of date since they recently changed again. Not sure the new versions will find anything since you don't appear to have malware problems, but it would not hurt to get the new versions. You need to uninstall SAS and then download, install, update from within the program, and run a new scan. MBAM can simply be updated by choosing the Update tab in the program.

    Since you waited too long the link I gave you for MGtools is also no longer valid. Get it by doing the below.


    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me what actual malware problems you are having. Sound problems are probably not due to malware!


    Cookies are not problems.

    The instructions tell you what to do.
     
  10. Wrenchman

    Wrenchman Private First Class

    The above is part of the original problem.
    The above box appeared on the C:\drive, now for some reason I used
    Remove It Pro (deleted), it said that the problem was located in Explorer.exe,
    the sucker is located inside Explorer.exe, do you want to HEAL, press YES.
    After restart the computer wouldn't log on anymore, that's when I decided to
    buy another hard drive, plug it in as primary and the old one as secondary!

    Thats the case we have now: Could it be, since it found a virus in the
    Explorer.exe which is now deleted, that I deleted the Virus too?

    I prefer at this point, to start all over again with the
    READ & RUN ME FIRST. Malware Removal Guide

    :)

    Wrenchman
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not recommend using Remove It Pro. It is not a good program and it has way way too many false positives. Any good program would also know that you cannot simply delete explorer.exe which is your Windows shell. I did tell you in my previous message not to run and to uninstall Remove It Pro!!!

    Don't know since I don't trust anything that Remove It Pro says.

    What problem are you trying to fix? You just said you have installed a new drive.
     
  12. Wrenchman

    Wrenchman Private First Class

    M8, you are getting it all wrong!

    Let me try and help you get back on track!

    When you warned me about RIP, it was waaay too late!

    So like I said, I couldn't log on to the original hard drive, the c:\drive, so I bought another
    hard drive, this hard drive is by far not new, it's used, installed with programs including
    spyware and malware of its own!

    So the c:\drive is now the e:\drive (80 GB)
    and the "new" (used) hard drive is now the c:\drive! (40 GB)

    Ok what is my problem then, well when I made the first couple of posts, I
    was still able to log on using Ctrl+Alt+Del, and start the C:\explorer.exe process
    manually!

    Originally I wanted to repair the broken/deleted explorer.exe startup file!

    But this thread has all the time been about removing malware from the c:\
    and the e:\drive, including the "pray" virus on the e:\, which seems to have
    "Make like a tree, and leave." (past tense) "Made like a tree, and left."

    Sorry if I have been wasting your time, I have not been doing it on purpose!

    I just want to know for sure that I'm clean, but when each scan takes about
    two hours, a noob like me gets tired, then I discover that I forgot to turn on
    normal startup mode, and in between you tell me that I have been too slow to
    post and have to delete and re-install and re-update and do the scan again,
    so my head gets kind of heavy and the days go by!

    Now what, I am confused too, I have started another thread in software, but
    by no means is it meant to be disrespectful to you!

    :)

    Wrenchman
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on what you just stated, you are now using a different drive to boot your PC and this drive may be infected. If the previous scans were not run on this drive, then my answer would be I don't know and you would have to run scans on this drive and attach new logs.

    If you plan on surfing without an AV and without a firewall as stated in your other thread, you are just asking for big trouble. If you do not protect your PC, our forum may refuse to help when it becomes infected. This policy exists on many forums as we just do not have the resources to help people who refuse to take protection seriously.
     
    Last edited: Jan 19, 2009
  14. Wrenchman

    Wrenchman Private First Class

    I didn't want to bump the thread so I waited until after you had replied!

    But I am pleased to inform you that I have realized that
    FW and AV are very important, especially when you are trying to clean your
    system and other people are spending their precious spare time!

    As of earlier today I have installed OA3 and I already have AVG8, so it should
    be safe now to make new scans!

    The SP3 update had been on wait for some days, today I tried to install it
    but something went wrong, "access denied" almost at the end, I suspect the
    OA3 to be the cause! Why? Because OA3 would keep asking for acceptance
    and at one point I was not paying attention, therefore I think it timed out!

    I am printing out all the guides on A4 and marking the most important with red!

    Here's how I understand it:

    BCM:
    Remove programs (free choice mode)
    Ccleaner run (free choice mode)
    Ccleaner reg fix (sometimes necessary to do 3 or 4 times to clean all)(free choice mode)
    Startup items (free choice mode)
    Jkdefrag (free choice mode)

    House Cleaning & Setup:
    Uninstall malware programs (free choice mode)
    Uninstall ALL Sun Java versions and get updated. (free choice mode)
    Set Msconfig to Normal Startup mode (now)
    Empty ALL Quarantine (AVG8)(normal startup mode)
    Empty Recycle Bin (Ccleaner already did that in BCM)(normal startup mode)
    Download and install CCleaner (already did that in BCM)(normal startup mode)
    Run CCleaner on each account (safe & normal startup mode)-
    Do not run any other options from other tabs. (too late, already did the reg fix in BCM)
    Enable viewing of hidden files, system files and file extensions(normal startup mode)

    Xp:
    SUPERAntiSpyware (unplug internet)(normal startup mode)
    Spybot S&D (normal startup mode)
    Malwarebytes Anti-Malware (normal startup mode)
    ComboFix (normal startup mode)
    MGtools (normal startup mode)

    Toggle System Restore:
    ? Haven't studied the TSR yet!

    :)

    Wrenchman
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what A4 is.

    This is not part of malware removal. It is only in there as a starting point for the thousands of people complaining about their PC being slow.

    Is there something you still need our help with?
     
