Explorer.exe not starting after Virtumonde (and more) fix

I am helping my sister fix her computer, which did not have antivirus software on it. The usual problems, pop-ups, slowness, etc. Virtumonde and many more viruses, including DNS hijack were on here.

Now I believe the viruses are finally gone. However, explorer.exe will not start at startup and it seemed to occur right after I ran Combofix. I can run explorer.exe from the taskmgr, but it will not start on its own.

I've followed all of the instructions in the readme and I'm pretty sure the viruses are gone but maybe I'm just not seeing it.

Any help in getting explorer.exe to come up at startup would be greatly appreciated! Apologies if I'm not posting this in the correct place.

TIA

Logfile of Trend Micro HijackThis v2.0.2

 

Re: Explorer.exe not starting after Combofix

Okay, I fixed this myself and just posting again to let others who have had the same problem know what I did to fix it.

The problem, again, was that explorer.exe would not start at startup after I ran Combofix. I forgot to mention that I could not restore to a previous restore point because every time I tried it failed.

After I posted yesterday and closed down IE, there was a popup window on the screen (!). I decided to go through the cleaning process in the README all over again one more time.

Checked Add/Remove programs and noticed a weird install program called BChanger that I must have missed. I removed it. I also removed Java Runtime again.

Rebooted, still needed to load explorer.exe manually.

I reinstalled Java Runtime. Did not reboot.

I ran a SuperAntiSpyware scan - which found no threats. Did not reboot.

I ran a MalwareBytes scan - again, no threats. Did not reboot.

I ran Spybot S&D - a-ha! - found 3 instances of Win32.Agent.es (2 Root class, 1 Type library). Spybot S&D detected it in a previous scan but could not remove it. When I removed BChanger via Add/Remove programs it probably was then able to remove it. This is the previous log:

Win32.Agent.es: [SBI $F044382C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BChanger.Helper

Win32.Agent.es: [SBI $F044382C] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BChanger.Helper.1

Win32.Agent.es: [SBI $092564BF] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{9552F3B2-4183-4473-A347-96F82AF15F26}

I rebooted. Explorer.exe started, desktop is back, wallpaper is changed to a nice blue color, which I don't know but am assuming was the color my sister had it before the viruses (was fixed to Dell wallpaper after Virtumonde fix).

I don't know if the explorer startup fix was the Java Runtime, the trojan/worm that Spybot fixed or just a lucky break that either of them just so happened to change something in the system to restore explorer.

Good luck to others with this problem!

 

Thank you TimW. I wouldn't be surprised if there are more viruses. This computer is for the record books.

 

These guys won't go away. I've tried before and, still, when I do a scan they are still there in Hijackthis. (And yes, all browsers are closed and antivirus is disabled when I try)

 

Avenger ran fine.

Logs attached.

Thank you!

 

Thank you so much!

The registry patch worked.

I cleaned up all of the removal tools.

Fingers crossed!

You guys rock!