May 2nd, 2005 19:00

Explorer and Internet Explorer not running...

I just got rid of trojan-spy.HTML.smitfraud.c but still have problems. Neither explorer.exe nor iexplore.exe will run.

I thought it was smitfraud but it seems not. Any ideas on how to get explorer and internet explorer up and running again? At the moment I'm running my computer through the task manager and 'run...'. Every time I try to run explorer.exe I get the message "Windows cannot find 'C:\WINDOWS\explorer.exe'. Make sure you typed the name correctly and try again. To search for a file..." and I get the equivalent message for IE. I get this message when I run either program from their directory. As far as I know only explorer.exe and iexplore.exe are affected. Help???

Thanks

Here's my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 21:07:32, on 02/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Thanks

May 2nd, 2005 19:00

Get rid of this line:

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll

 

Then make the changes at the bottom of:


http://tinyurl.com/b7ha3

 

If, when you get your desktop back, it still has problems left over from smitfraud then:

Start, Run, regedit, OK to bring up the regedit program.

find HKey_Current_User->Software->Microsoft->Windows->CurrentVersion->policies (Hit the + sign in front of each Key as you find them. That will open up the subkeys.)

Under Policies is usually an entry named System. If you find it highlight it and press the Delete key. Then OK. Close the program and reboot.

Start, Control Panel, Display (Properties). This should bring up Display Properties/Background. Change the wallpaper to something else and Apply. You may also need to select Web and uncheck the box where it says View My Active Desktop as a web page. OK

 

Ron

 

May 2nd, 2005 19:00

let me ask the obvious question.... in the process of removing the trojan, did you (accidentally) delete (or uninstall or rename) 
 
windows explorer:     c:\windows\explorer.exe
 
or
 
internet explorer:    c:\Program Files\Internet Explorer\iexplore.exe
?
 
the message that "Windows cannot find 'C:\WINDOWS\explorer.exe'"  certainly would appear to indicate that the file has been deleted (or perhaps renamed)

 

Message Edited by ky331 on 05-02-2005 05:30 PM

May 3rd, 2005 17:00

Yes, explorer.exe and iexplore.exe are where they should be, and when I run them from their directories it says they are not there (straight after I click on them to run, so I know the files are there).

I followed your steps and the situation is no better. Explorer still doesn't run... Any last ditch ideas? It's looking grim.

May 3rd, 2005 18:00

there was advice from RKinner that indicated:

"Then make the changes at the bottom of http://tinyurl.com/b7ha3 "

but it seems unclear just where the "bottom" changes should start from.  hopefully, he will see this, and chime back in.

reading that page, i took note of the following: 

Trojan.StartPage.O

May add the value:

"Debugger" = "%Windir%\explorer32dbg.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

so that Trojan.Startpage.O is executed every time explorer.exe is run.

  1. May add the value:

    "Debugger" = "%Windir%\iexplore_dbg.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

    so that Trojan.Startpage.O is executed every time iexplore.exe is run.

this could explain why you say the files (explorer and iexplore) are present, but are not functioning properly.

hence, the Regedit instructions given later in that same page (removal step 5, parts f, g, h, i) talk about deleting these registry values.  you may want to re-read this page carefully, and decide how to proceed.  keep in mind that editing a registry is highly technical, and if you make a mistake, the result could severely damage your system.
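Added example, not part of the thread or the linked removal page: a Python check that reads a regedit text export of the Image File Execution Options key and lists every image that has a "Debugger" value, marking those whose target file is gone (a leftover value like that makes launching the image fail). The sample export is constructed, and the function names and the bare-path assumption are this example's own.

```python
import os
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample of a regedit text export of the IFEO key;
# it is not data from the poster's machine.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + IFEO + r"\explorer.exe]",
    r'"Debugger"="C:\\WINDOWS\\explorer32dbg.exe"',
    "",
    "[" + IFEO + r"\iexplore.exe]",
    r'"Debugger"="C:\\WINDOWS\\iexplore_dbg.exe"',
    "",
    "[" + IFEO + r"\notepad.exe]",
    r'"DisableHeapLookaside"="1"',
])

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for plain string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and VAL_RE.match(line):
            # .reg files escape backslashes and quotes; undo that here.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in VAL_RE.match(line).groups())
            current[name] = data
    return keys

def find_ifeo_debuggers(keys, exists=os.path.exists):
    """List (image, debugger, target_missing) for each IFEO subkey with a Debugger value."""
    prefix = IFEO.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        for name, data in values.items():
            if name.lower() == "debugger":
                # Assumes the value is a bare path, like the two values quoted above.
                hits.append((path[len(prefix):], data, not exists(data.strip('"'))))
    return hits

if __name__ == "__main__":
    for image, debugger, missing in find_ifeo_debuggers(parse_reg(SAMPLE_REG)):
        print(f"{image}: Debugger={debugger}" + ("  (target file missing)" if missing else ""))
```

A real "Version 5.00" export is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.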

May 3rd, 2005 18:00

Problem Solved!!! I now have a startbar :-) and internet explorer is working too. Thanks loads for the help and just to let you know it was the 'debugger' registry entries which were causing the problem.

Thanks Again

Jak

May 3rd, 2005 19:00

Jak,
 
if my last reply, about the 2 debugger entries helped solve your problem, i'll take credit for interpretation of the article, but i must give full credit for diagnosing your problem, and finding the solution page, to RKinner.  without his valued input, i could not have assisted at all.
 
if you haven't done so already, i would suggest you now re-read the web page he referred you to, especially all the removal instructions.   the point being, there were several other registry keys potentially involved, besides just the two debugger keys i indicated.  for example,
 
May add the values:

"SMSSU" = "%System%\SMSSU.EXE"
"Tmntsrv32" = "%System%\Tmntsrv32.EXE"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that Trojan.Startpage.O runs every time Windows starts.

meaning that, unless you take care of the remaining entries as well, you risk getting REinfected every time you start up your pc :smileysad: 

it seems like you can handle registry editing, so go down their entire list (step 5), deleting the entries listed there (if you find them).  also, consider that you may have to "kill" the active processes before deleting them... see step 3:

To end the malicious process:

  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for SMSSU.EXE and Tmntsrv32.EXE.
  6. If you find the files, click them, and then click End Process.
  7. Exit the Task Manager.

also, if present, be sure to delete these files!  

The kill-process, and delete files, are best done in SAFE MODE


May 3rd, 2005 19:00

Thanks Jak,  I am going to have to learn to be more specific with my instructions. 
 
Ron
