Explorer.exe doesn't run

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bellecat1, Nov 29, 2008.

  1. bellecat1

    bellecat1 Private E-2

    Hi guys,
    Got a problem. Pretty much every time I boot my pc, explorer doesn't run after login. Something adds explorer.exe to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

    Which basically doesn't allow the process to run. So I have to start task manager, then launch regedit then DELETE explorer.exe from the registry. Then I can start explorer via task manager.

    I've run spybot, symantec EPP, AVG antispy, counterspy and about 4 or 5 others and they haven't picked up much. I can't see any suspicious processes running or any in the startup.

    Where do we go from here? Anyone ever had this one before?

    Thanks in advance!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. bellecat1

    bellecat1 Private E-2

    Hi,
    After the scans the problem still remains. Attached are the logs from the scans.
     

    Attached Files:

  4. bellecat1

    bellecat1 Private E-2

    and more...
     

    Attached Files:

  5. bellecat1

    bellecat1 Private E-2

    Bump...anyone?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Too bad you did not read the sticky threads like Don't Bump! It Only Hurts You!!! This post cost you more than a day of additional waiting time.

    You did not attach the C:\MGlogs.zip file from running MGtools. Please attach it as requested. We need this to continue.

    Also you did not update Malwarebytes as requested. Please do this now and then run a new scan and attach a new log. Your PC was very badly infected so this is highly recommended to make sure nothing was missed.
     
    Last edited: Dec 7, 2008
  7. bellecat1

    bellecat1 Private E-2

    Hey, sorry about that bumping...eek!
    Sorry about attaching the wrong logs as well, plus I thought I had updated MBAM. Anyway here goes.
    MBAM found security.hijact which pointed to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    I removed the threat but I believe all it did is remove explorer.exe from the registry. Something keeps adding that item.

    Thanks!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you using Remote Desktop CopyPaste (the below process)
    C:\WINDOWS\system32\rdpclip.exe

    Are you using Microsoft Scheduling Agent for something?
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon

    What is the below script/screen saver for that I see running?
    C:\WINDOWS\system32\logon.scr
    Put a copy of the above file into a ZIP file and attach it here.

    Are the below valid services that you still have software for? Why is it using an executable file in the root folder of the drive? Bad idea!!!!
    O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Viewpoint Media Player (Remove Only) <-- should have been uninstalled in step 1 of the READ ME

    Now we need to use ComboFix to remove some malware and some leftovers from CounterSpy.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. bellecat1

    bellecat1 Private E-2

    Hi mate,
    And thanks for all your help. The log produce from combofix was called log.txt not combofix.txt just so you know.

    It's hard to know if it has fixed it yet because it doesn't always happen after every restart. I'll test it out though..

    Thanks again.
     

    Attached Files:

  10. bellecat1

    bellecat1 Private E-2

    sorry for the double post

    Are you using Remote Desktop CopyPaste (the below process)
    C:\WINDOWS\system32\rdpclip.exe
    yes
    Are you using Microsoft Scheduling Agent for something?

    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
    As in scheduled tasks? There is only one disabled scheduled task which is for defender scan

    What is the below script/screen saver for that I see running?
    C:\WINDOWS\system32\logon.scr
    Put a copy of the above file into a ZIP file and attach it here.
    done.

    Are the below valid services that you still have software for? Why is it using an executable file in the root folder of the drive? Bad idea!!!!
    O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
    As stated, the files are missing but the application still runs. It is needed.

    Thanks
     

    Attached Files:

  11. bellecat1

    bellecat1 Private E-2

    The dreaded explorer is back....and I don't believe anything has happened since, as in no apps being run or anything...
    I had the regedit up with no explorer in the list...then refreshed it today and it's back in there...inside that folder is a key:
    Value name:
    Debugger
    Value data:
    C:\Program Files\Microsoft Common\wuauclt.exe


    Hope this may help....
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not. That is an intermediate log. When ComboFix finishes running properly, the log will be C:\combofix.txt
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean explorer is back. explorer.exe is your Windows shell and it needs to be running. What are you referring to by it's back?


    What list are you referring to? You should not be using regedit on your own as you can break your PC if you do the wrong thing in the registry.

    What folder?


    Not really since wuauclt.exe is just the program used to perform automatic Windows updates.

    Who made the below folder and what is in it?
    Code:
    "C:\Program Files\Internet Explorer\"
    QUARAN~1      Dec  9 2008              "Quarantine"
    
    The last logs you posted were clean.
     
  14. bellecat1

    bellecat1 Private E-2

    here is the combofix log...sorry for the confusion
     

    Attached Files:

  15. bellecat1

    bellecat1 Private E-2

    When I say it's back, I mean the entry is back in the Image file execution options in the registry.

    In order for explorer to run, explorer.exe needs to be removed from the Image file execution options in the registry. Something keeps adding it back to that registry list which causes it NOT to run.

    The folder I am referring to is the registry (Image file execution options). See pic01.jpg. If explorer.exe is in that list explorer will not load automatically, nor will it run manually from task manager.

    There is nothing in that quarantine folder inside internet explorer. Apparently the folder was created 9-dec-08.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any signs of this in your logs. If you are fixing it before getting the logs then it would be best if you did not fix so we can see the logs before it is fixed.


    Yes I know what this registry key is. It is displayed in our logs but Explorer.exe is not showing in the list since you are removing it before getting the logs and thus we never see the problem.

    Delete this folder.

    Does the below folder really exist? If so, what is in this folder and what is the date and time stamp on the folder? This is not a normal Microsoft folder.
    C:\Program Files\Microsoft Common

    Also rename the below file. Change it to something like logon.XXX, then reboot your PC and let me know if you still have a problem.
    C:\WINDOWS\system32\logon.scr

    The logon.scr file is a valid Windows file used for having a screen saver during the logon process but it is not a necessary process. I want to check what is calling it and if an error message now occurs. I think the mstinit.exe /firstlogon process I mentioned earlier could be running it but I'm not sure.


    Also make sure that you are not logged into multiple user accounts and then do the below. Your first scans looked like you may have been using Switch User. I saw winlogon.exe running at least twice. Reboot your PC and ONLY log into one user account and then continue. Not sure if this is somehow related to rdpclip being used and it causes the second winlogon.exe to appear.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 18, 2008
  17. bellecat1

    bellecat1 Private E-2

    I'm not seeing any signs of this in your logs. If you are fixing it before getting the logs then it would be best if you did not fix so we can see the logs before it is fixed.
    That's because I cannot start explorer without deleting it. Although I am in windows now and can re-run any tests you like, as explorer has added itself again.

    Delete this folder.
    Done

    Does the below folder really exist? If so, what is in this folder and what is the date and time stamp on the folder? This is not a normal Microsoft folder.
    C:\Program Files\Microsoft Common
    No it doesn't.

    Also rename the below file. Change it to something like logon.XXX, then reboot your PC and let me know if you still have a problem.
    C:\WINDOWS\system32\logon.scr
    Done.

    Thanks mate, MGLogs.zip attached. and EXPLORER.EXE IS IN THE LIST ATM,
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I saw this file still showing in your process list. Is the last MGlogs.zip file that you attached from before rebooting after it was renamed? Or had you rebooted after renaming it? If you have rebooted, did you get any error messages about this file being missing? Did the file come back?


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now reboot your PC.

    If explorer.exe comes back into the Image File Executions list, please do the below.

    • Click Start, Run, and enter regedit and click OK. This should open the Windows Registry Editor.
    • Navigate to the below registry key and select it.
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
    • Then click File, Export and save it to a file named IMEexp.reg somewhere that you can find it. The .reg extension is the default for registry files.
    • Now locate the IMEexp.reg file and right click on it and select rename. Rename it to IMEexp.txt
    • Now attach the IMEexp.txt file to your next message.
    Also run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  19. bellecat1

    bellecat1 Private E-2

    Ok....so after I ran the registry file (which ran successfully) I removed explorer from the registry and rebooted. I have now logged back in an all looks ok. I'll let you know if the bugger creeps back in.

    btw, logon.scr has come back to system32 and the logon.xxx is still there too, which means it was recreated.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the new MGlogs.zip file anyway and also tell me if things still look okay. If it has come back, make sure you attach the IMEexp.txt file too.
     
  21. bellecat1

    bellecat1 Private E-2

    Hey mate,
    Explorer crept back in to the registry....grrr!
    Here is the new MG logs taken after I just rebooted and obviously removed explorer from the registry.

    Sorry, where do I find this IMEexp.txt
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps it is related to the logon.scr that came back.


    You have to follow my instructions and create it. ;)
     
  23. bellecat1

    bellecat1 Private E-2

    Thanks for all your help!

    Attached is IMEexp.txt

    Hmmm....I don't know what it is....Just to let you know that it's random...not on every startup it happens....it will just pop itself back in the registry mid windows.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now that I have this information I know much much more about what your problem is. Some call it Win32/Auraax.A and others call it W32/Autorun.GA. However before we can properly remove this, we need more information. One very important piece of info is do you have any removable type drives like USB drives, flash drives....etc. They all may be infected with the source of this infection and can infect any PC that they are plugged into. If you do have drives like this you need to look on them for a file named autorun.inf and delete it. This file is trying to run an infected program named WUAUCLT.EXE which is the same file name as the Windows Update program but it is not the Windows Update program. Also look for a file named system.exe. So delete all three of those files if found on any removable drives. Also look on all hard disk partitions for these and delete them. Just don't delete C:\WINDOWS\SYSTEM32\wuauclt.exe which is the real Windows Update.

    After doing the above, continue on with the below.



    You are out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    You are also out of date with the definitions for Malwarebytes, run it and update to the current database and run a new scan with it too. Attach the new log.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Administrator\Local Settings\temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.


    Run MGtools.exe then attach the below logs:
    • The new logs from SUPERAntiSpyware & Malwarebytes
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 3, 2009
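    A defender's check for the two mechanisms discussed in this thread, written as an added example (PowerShell; not from the thread and not one of MajorGeeks' tools): it lists every Image File Execution Options subkey that carries a Debugger value, flags explorer.exe and any debugger that is not a known developer tool, looks in the root of every drive for the autorun.inf / wuauclt.exe / system.exe files named in message 24, and writes a plain-text report (the export-to-.txt step from message 18, automated) before optionally removing the Debugger value. The -Remove switch, the report path and the known-good debugger list are this example's own assumptions.

```powershell
# Added example (not from the thread): audit IFEO Debugger hijacks and scan
# drive roots for the autorun droppers named in this thread. Run elevated.
[CmdletBinding()]
param(
    [switch]$Remove,                                              # opt-in: delete flagged Debugger values
    [string]$ReportPath = "$env:USERPROFILE\Desktop\IFEO-report.txt"
)

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that are commonly legitimate under IFEO (developer tools).
# Assumption for this example; anything else is flagged for review.
$KnownDebuggers = @('vsjitdebugger.exe', 'ntsd.exe', 'windbg.exe', 'cdb.exe')

function Get-IfeoDebuggerEntries {
    # Walk every per-image subkey and return the ones carrying a Debugger value.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # First token of the value, quotes stripped, is the program that would replace the image.
            $exe = [System.IO.Path]::GetFileName(($dbg -replace '"', '').Split(' ')[0])
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                # The shell should never have a debugger; other images only a known tool.
                Suspicious = ($_.PSChildName -ieq 'explorer.exe') -or
                             ($KnownDebuggers -notcontains $exe.ToLower())
            }
        }
    }
}

function Find-RootDroppers {
    # The thread's three file names, checked at the root of every mounted volume
    # (fixed and removable). -Force so hidden/system-attributed files are listed.
    $names = 'autorun.inf', 'wuauclt.exe', 'system.exe'
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        foreach ($n in $names) {
            $p = Join-Path $_.Root $n
            if (Test-Path -LiteralPath $p) {
                Get-Item -LiteralPath $p -Force | Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

$entries = @(Get-IfeoDebuggerEntries)
$flagged = @($entries | Where-Object Suspicious)
$drops   = @(Find-RootDroppers)

# Record the state before changing anything, so the evidence survives the cleanup.
@(
    "IFEO audit $(Get-Date -Format s)"
    ($entries | Format-Table -AutoSize | Out-String)
    'Root-level dropper candidates:'
    ($drops | Format-Table -AutoSize | Out-String)
) | Set-Content -Path $ReportPath

if ($Remove) {
    foreach ($e in $flagged) {
        # Remove only the Debugger value; other per-image settings stay intact.
        Remove-ItemProperty -Path (Join-Path $IfeoKey $e.Image) -Name Debugger
        Write-Host "Removed Debugger '$($e.Debugger)' from $($e.Image)"
    }
}

"$($flagged.Count) suspicious IFEO entries, $($drops.Count) root-level files; report: $ReportPath"
```

Run it without -Remove first and attach the report; if the entry keeps returning, running the audit on a schedule shows when it reappears, which narrows down what is re-adding it.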
  25. bellecat1

    bellecat1 Private E-2

    See attached.
    So should I just leave the WUAUCLT.exe in system32, $NtServicePackUninstall$ and system32\DLLCACHE then just delete the rest?

    System.exe wasn't found on the machine.

    Thanks
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything.


    These are all normal. You should not delete anything unless I ask you to. There are many other possible locations where this file could be found and be valid. Other update folders, and i386 folder...etc. Only the one I mentioned in the fix with ComboFix was an issue. However on any other hard disk that is not where you boot Windows from or on any removable device if you find this file, delete it.


    You also need to tell me how things are working after following my instructions.
     
  27. bellecat1

    bellecat1 Private E-2

    Sorry,
    See the attached file. It's the search results. system.exe wasn't found at all. Which of the files in the attachment should I delete (as you requested in a previous post)?

    Thanks
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of them because they are all valid.

    You still did not tell me how things are working.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  29. bellecat1

    bellecat1 Private E-2

    Hey mate,
    The logs are attached. I will monitor the machine. By the way, the .reg file did run successfully.
     

    Attached Files:

  30. bellecat1

    bellecat1 Private E-2

    MG Tools Log.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Make sure you complete my final instructions given in message # 28.
     
  32. bellecat1

    bellecat1 Private E-2

    Oh thank you so much for everything....although I just came back to the machine after a couple of days, rebooted and dum dum DUM! she's back! explorer refusing to load again!

    any ideas?:confused
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the current version of MGtools and attach a new MGlogs.zip file.
     
  34. bellecat1

    bellecat1 Private E-2

    MGLogs attached.
     

    Attached Files:

  35. bellecat1

    bellecat1 Private E-2

    Hey mate,
    Thought you may be interested in this one...
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is very important that in the future you properly download and run Mgtools.exe as instructed. You did not download it, and are simply trying to open and run it directly from your browser as the below shows:

    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2H32IR2W\MGtools[1].exe

    Doing this can frequently lead to improper execution.


    I also suggest that you disable whatever you are allowing to do the remote connections. The below are related to your remote connection and perhaps this is somehow related to your issue with explorer as no malware seems to be present.
    At least disable this while you are trying to debug your problem.
     
  37. bellecat1

    bellecat1 Private E-2

    Hey mate,
    Attached are the new MGlogs. I am doing it all via the actual computer now, not RDP.
    Have disabled RDP and remote assistance.

    Thanks
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see any problems other than the below:

    C:\Documents and Settings\Administrator\Desktop\MGtools.exe

    As stated in the READ & RUN ME, you need to save MGtools to C:\MGtools.exe

    Even the Image File Execution Options registry key is not showing explorer.exe
     
  39. bellecat1

    bellecat1 Private E-2

    Hey Chas,

    Explorer.exe came back to the registry. It didn't show in the last logs because I had to remove it in order to run MGtools. So Now I'm just monitoring it, waiting for explorer to come back again, then run MGtools again.

    Was the second Winlogon I showed you before due to the rdp session? It's not in the process explorer anymore.

    Will do a bit more reading on this puppy and will no doubt post these logs soon.
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.
     
  41. bellecat1

    bellecat1 Private E-2

    Hey Chas,
    new MGlogs when explorer is in registry.
    thanks
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I stated earlier, this infection is called W32.Auraax. You can read some additional info about it in the below link. While we are seeing some of the info mentioned, we are not seeing the C:\Program Files\Microsoft Common\wuauclt.exe file or folder I asked about earlier.

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-092409-4704-99&tabid=3

    I think it would be best to take the approach of disabling autoruns since this feature of Windows is now being misused by dozens of infections to keep PCs infected and to reinfect them once they have been cleaned.


    First please disable Windows Defender to make sure it does not get in the way of the below.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now reboot your PC and then look for any of the below files and if found, delete them:
    C:\Program Files\Microsoft Common\wuauclt.exe
    C:\AUTORUN.INF
    C:\system.exe
    C:\windows\Temp\rld*.tmp
    C:\widnows\system32\config\systemprofile\Local Settings\History\desktop.ini
    C:\widnows\system32\config\systemprofile\Cookies\index.dat
    C:\widnows\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini

    Now run Ccleaner!

    Now let me know if the problem has returned.
     
    Last edited: Feb 6, 2009
  43. bellecat1

    bellecat1 Private E-2

    Thanks for all your help Chas. Is there a central spot to disable all *ini files from running?
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You don't want to disable all .ini files from running.

    What you do want to do is look in the ROOT folder of all drives, including every removable type device you have, including flash drives, USB cameras with flash cards of any kind.....etc, for the below files and delete them if found.

    autorun.inf
    wuauclt.exe
     
  45. bellecat1

    bellecat1 Private E-2

    No good.
    Just came back.

    I removed:
    C:\widnows\system32\config\systemprofile\Local Settings\History\desktop.ini
    C:\widnows\system32\config\systemprofile\Cookies\index.dat
    C:\widnows\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini

    Ran CC and the reg file ran successfully as well.

    Will do a bit of reading on this puppy.

    Thanks
     
  46. bellecat1

    bellecat1 Private E-2

    I've been through every site on Auraax. I have found a variation picked up by CA where the file LOAD1.exe is used. I've run a spyware scan using CA and have manually deleted a couple of the registry entries that it considers spyware (although I don't think they even had any registry files in them).

    The machine has been fine for the last 8 hours (let's cross our fingers).
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you find a load1.exe file anywhere? What registry keys did you delete?

    Hope so. Was the problem only coming back after a reboot or did it ever return without doing a reboot?
     
  48. bellecat1

    bellecat1 Private E-2

    Ok,
    It has now been fine for almost 24 hours with no explorer reappearing (longest time). But I'm not saying it's fixed yet.

    There was no load1.exe found. Most of the auraax tech info sites had all of the same info which was not much use. I came across one...which I can't seem to find now unfortunately. It asked me to remove a couple of entries where there was a pretty long list of URL folders listed. I had to remove one called either www.kloody.net or www.kood.net, can't quite remember as it was done in the wee hours of last night.

    There was that and I also installed CA antivirus and spyware and removed (what looked to be the remains of either an antispyware app or spyware itself). It was just a couple of folders in the registry called antispyware but I don't recall seeing any entries inside these folders.

    Then I installed Kaspersky - Note - Kaspersky seemed to remove the Symantec EPP and CA Antispyware which I had installed. Kaspersky found a few trojans which were just quarantined files. Other than that - nothing.

    Reason why I installed the two apps was because I knew that Kaspersky and CA were aware of this virus and was hoping it would pick up some remains.

    I think I may have had a variation of the virus as there seem to be a fair few. The virus was only discovered in Sept 2008 so it's pretty new.

    As stated it's been almost 24 hrs now and all is looking good. Will let you know how it goes tomorrow! thanks for all your help Chas!

    btw, the reg entry was coming back mid windows whenever it liked. - I got a feeling it was downloading malicious code from a site as this is supposed to be 1 of the characteristics of this virus - plus the computer always had internet access.
     
    Last edited: Feb 9, 2009
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If everything is still good, you should complete my final instructions given back in message # 28.
     
