Explorer.exe Not Loading After Removing Spysheriff Spyware


8 replies to this topic

#1 RTW DC2

Posted 03 December 2005 - 07:56 PM

If I'm not mistaken, Explorer.exe is supposed to load on bootup in winXP, which lets things like the desktop icons and start menu load. I think it's associated with the Shell or something?

I had to remove SpySheriff spyware program and it was a complicated process to remove it. I followed directions here http://www.bleepingcomputer.com/forums/How...-tx17258-0.html

I made it all the way through running Ewido. After rebooting, I had no desktop icons, start menu, or anything, just a blank blue screen. Can move the mouse, but can't right click. I can Ctrl Alt Del and open/close programs and whatnot from there. I just have no function of the desktop. When checking the process list, I noticed explorer.exe was not running and it usually is automatically in winXP. I know on a normal winXP machine if you terminate explorer.exe your whole desktop freezes up so I'm guessing it's associated with that file.

Able to browse Windows Explorer, able to see explorer.exe, but it won't let me run it, says it can't find it or something. I ran SFC /Scannow, no errors found. No strange processes are left running, checked MSCONFIG and didn't see any strange entries, registry Run entries are clean and checked Shell entry set to explorer.exe, tried System Restore but there were no restore dates to choose from, unable to Repair from the XP disk because I don't know the admin password. Running Automatic updates right now, hoping SP2 will take care of it but not sure if it will. Any other suggestions?

#2 usasma

Posted 03 December 2005 - 08:12 PM

If you're using Windows Explorer to browse to the location of explorer.exe - then you're using explorer.exe. Try opening Task Manager (Ctrl-Alt-Del) and switch to the Processes tab and look for explorer.exe while Windows Explorer is open - it should show up.

Explorer.exe is the shell that your Desktop shows up in. It's also a program used to browse your computer. It does this by either working everything in one process - or (if you've elected this option) opening up each one in a different explorer.exe process.

There are several possibilities here. One is that you're still infected (the most likely), and the second is that your system is suffering from "a cure that was worse than the disease". Sometimes the viruses get into the system files, and the fix ends up hosing the file involved.

One other thing to try (probably won't work, but it's worth a shot). Open up Task Manager (Ctrl-Alt-Del) and select "New Task" in the lower right corner of the Task Manager window. In the next box, type this in: C:\Windows\explorer.exe and then press Enter. Does this show your Desktop? (FWIW - you can run a lot of your other programs using this method until your system is fixed)

I'd suggest a visit to the HiJackThis Forum and, after reading the information and instructions there, post a HiJackThis Log for review by the experts. Once your log is clean (if that hasn't fixed your problems), c'mon back here and we'll fix 'em then!

My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) If you need a more detailed explanation, please ask for it. I have the Knack. If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 RTW DC2

Posted 03 December 2005 - 08:26 PM

Hmmm, let me clarify. I can BROWSE files on the system when hitting the BROWSE button when trying to run a new task. I can see the file there, but when I try to run it from the New Task window after browsing to it, it gives the error that the file isn't found. Yet I can browse to other files such as MSCONFIG and it opens with no problem. And this is basically the only way I can get into control panel tools, IE, etc. to run any programs. I don't know if this information makes a difference to you or not.

I don't know if you are familiar with the SpySheriff spyware program, but it changes your desktop screen among other things. I no longer have that screen and it's just a blank blue screen. I can go into Display and select other desktop pictures, but they don't show up after hitting Apply/OK.

I guess it's possible the machine is still infected. It had many virus/spyware issues and it took quite awhile to get rid of most of them. Hopefully installing updates and eventually SP2 will correct it. If not I will have to run some other online scan tools and see what else I find. I don't think a HJT log is going to help you guys much, it's clear of anything out of the ordinary.

#4 usasma

Posted 03 December 2005 - 08:43 PM

Yes, your system is hosed. It's not working as it should be. Normally, if you end the explorer.exe process - your desktop will shut down, and then a short bit later it'll redraw itself (when another explorer.exe process is launched automatically).

When you're able to Browse - you're using explorer.exe. Even when you browse to find explorer.exe. Yet, it won't recognize it, and won't let you run it that way (but it's running anyway!) That's why your system is hosed - this isn't how explorer.exe is supposed to work and, in addition, it's broken the link that makes it run your Desktop.

There are fixes that don't involve getting the HJT log checked. One is a repair install of Windows that will replace even more of the system files than SFC.EXE /SCANNOW did (this is supposed to keep your data intact - but I wouldn't count on it with this degree of damage!). Another option is to format your hard drive (a low-level format is best, but a regular format will usually work), and then reinstall everything from the ground up (a clean install). This includes all of your drivers, all of your hardware, all of your software, and seemingly endless visits to Windows Update (and if you've saved your data - it can reinfect this spanking new operating system in a heartbeat!).

The choice is yours - we're just here to give advice.

I haven't used SpySheriff - but have noticed a few problems with it in my travels around the web.

I studied the spyware trade at spywareinfo.org's Boot Camp for a while before I had to quit (eye problems prevented me from staring at HJT logs for hours on end). One thing that I learned was that no one, except a certified HJT log expert, can ever be sure that your log is clean. And, even if it's clean - that doesn't mean that there's not something lurking on your hard drive just waiting to respawn itself.

The online scans are a good idea. Here's my list of the free ones that are available:

http://housecall.trendmicro.com/ - *For Internet Explorer*
http://uk.trendmicro-europe.com/consumer/h...call_launch.php - *For Firefox*
http://www.kaspersky.com/scanforvirus
http://safety.live.com/site/en-US/default.htm
http://security.symantec.com/sscv6/default...id=ie&venid=sym
http://www.bitdefender.com/scan8/ie.html
http://www.pandasoftware.com/products/activescan.htm
http://onlinescan.avast.com/
http://support.f-secure.com/ols/start.html
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Trojan scans:
http://scan.sygatetech.com/pretrojanscan.html
http://www.windowsecurity.com/trojanscan/trojanscan.asp

My usual advice is to do 2 or 3 of them to be reasonably sure that you're clean of viruses. Some of the scans will also look for spyware.

Good luck! Let us know what happens!

#5 tg1911

Posted 03 December 2005 - 09:00 PM

"I don't think a HJT log is going to help you guys much, it's clear of anything out of the ordinary."

Have you been trained in the use of HijackThis?
If not, you should submit a log for examination.

One thing, about the use of HijackThis, you must NEVER attempt to fix stuff using HijackThis, until someone who is experienced at reading the log outputs has a chance to review it.
Fixing the wrong items can make a computer unbootable.

Spaces, extra characters, spelling, file location, plus numerous other subtle changes, all make the difference between a good, or bad, file entry.

HijackThis is an enumerator.
It lists what is found in certain areas of the registry, or system files, in an easily accessible manner, so that those familiar with the use and reading of HijackThis logs, and windows programs, can determine what is infecting the machine, and how to remove it.

It is not a removal tool.
It will indeed remove the entries listed, but that does not cure the underlying problem.
The problem must be properly identified first, and cured, prior to removing the entries with HJT.
Otherwise you leave the infection, and remove the keys which are needed to identify and remove it.

Removing entries in HJT before the problem is properly identified, and correct removal instructions posted, can make the problem undetectable to other detection and removal tools.
Do not have HJT fix anything without consulting with someone with HijackThis logfile knowledge.

HijackThis should only be used to clean up the entries left behind, after you have properly removed the offending program, file, trojan, worm, hijacker etc.
And this usually requires help.
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, VGA: ECS GeForce Black GTX 560, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA
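
The point in the post above about spelling, extra characters and file location deciding whether an entry is good or bad, as an added example (not part of the original post, and not how HijackThis itself works): a Python check that flags autostart values whose file name is a near miss of a system binary or whose folder is not the usual one. The `EXPECTED` baseline, the function names and the sample entries are assumptions constructed for illustration.

```python
import ntpath

# Assumed baseline for this example: a few system binaries and their usual folder.
EXPECTED = {
    "explorer.exe": r"c:\windows",
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_entry(value):
    """Oddities in one autostart value; a bare file name passes, a full path must match."""
    findings = []
    if value != value.strip():
        findings.append("leading/trailing whitespace")
    path = value.strip().strip('",').lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    if name in EXPECTED:
        if folder and folder != EXPECTED[name]:
            findings.append(f"{name} in unexpected folder {folder}")
    else:
        for good in EXPECTED:
            if edit_distance(name, good) <= 2:
                findings.append(f"{name} looks like {good}")
    return findings

def audit(entries):
    return {v: found for _area, v in entries if (found := check_entry(v))}

# Constructed sample entries (hypothetical, not from any real HijackThis log).
SAMPLE = [
    ("Winlogon Shell", "Explorer.exe"),
    ("Winlogon Userinit", r"C:\WINDOWS\system32\userinit.exe,"),
    ("Run", r"C:\WINDOWS\system32\explorer.exe"),
    ("Run", r"C:\WINDOWS\explore.exe"),
    ("Run", r"C:\WINDOWS\system32\svch0st.exe "),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A flagged value is only a lead for someone who can read the whole log; it says nothing about what else is on the disk.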


#6 RTW DC2

Posted 04 December 2005 - 06:46 PM

Thanks for all the replies.

Update on what I have done so far. I installed another copy of XP into a different directory in C:, and was able to log into that directory no problem. I was then able to install and run several programs like Spybot, Panda, Norton AV, and found/removed numerous entries. Updated to SP2, rebooted, still no desktop function.

The computer seems to work just fine, except for the fact that I have no desktop functionality at all. I can still get into programs and browse files via New Task option on the Task Manager. Explorer.exe still is not running, or at least not showing in the process list. I'm beginning to wonder if something could be corrupted in desktop.ini or something like that? I'm curious if you delete desktop.ini, and reboot, does it recreate the file? Sort of how you can delete Winsock from the registry and it recreates it at bootup?

I'll post up a HJT log as soon as I get one.

#7 RTW DC2

Posted 04 December 2005 - 07:33 PM

ONE OTHER THING I JUST NOTICED!!!

In the Display properties, there is no Desktop tab in there??? This HAS TO be related to the problem. The Themes, Screen Saver, Appearance, and Settings tabs are there and work fine. If I can figure out how to get that back, I may be in business. Is there a way to reload or reinstall the Desk.cpl in Control Panel? Maybe copy and replace Desk.cpl from a working machine??

Edited by RTW DC2, 04 December 2005 - 07:35 PM.


#8 RTW DC2

Posted 04 December 2005 - 08:38 PM

OK...fixed the Desktop tab problem, and was actually able to set a desktop picture and apply it. Did this by changing the "Classic Shell" registry entry to 0 instead of 1. I now have a background picture, but still no other functionality.

#9 RTW DC2

Posted 05 December 2005 - 02:27 PM

Digging into it even further today on www.sarc.com and overviewing some of the virus information, after checking a few registry keys, I noticed that the CurrentControlSet001 is missing from HKLM\System. CurrentControlSet002, 003, etc. are there. I'm not sure at all what the CurrentControlSet is responsible for but it shows up on all other XP machines I compared.



