Explorer.exe not running

Question

Hello I've read a few other threads concerning this issue, yet none seemed to match mine. Here's the rundown:   I had a trojan virus on my computer a few weeks ago which required vundofix.exe. I looked and found on this website a way to rid my computer of the problem via hijackthis. I deleted the affected file which was c:\windows\system32\vturq.dll   A week went by and all was well   Suddenly, an almost exact duplicate of the the same virus popped up as trojan.vundo which affected the same file; vturq.dll. This one was more persistent however, and would not delete easily. I downloaded fixvundo from norton (different from vundofix.exe) and it said the file was deleted. I restarted, the file came back. I restarted in safe mode...which is an issue in iteself since I cannot get desktop items or icons or taskbar to show up in safe mode, therefor I must run everything through task manager. After a few tries of getting rid of vundo using norton, it wasn't working, so I went back and used hijackthis in safe mode. In the first command, I typed C:\WINDOWS\System32\vturq.dll in the second command, i typed C:\WINDOWS\System32\qrutv.dll Opened hijack this, and it was listed in a 020 file, yet it also mentioned that the file could not be found. So I checked the box, selected fix checked, and it disappeared.   I restarted windows, and now explorer.exe is not running. I have no desktop, no taskbar, no icons. As in safe mode, I must run everything through task manager. What did I do wrong? Is there anyway I can get this back withough formatting my computer and reinstalling windows (I cannot reinstall windows from the cd as is because the program from the cd ends up with the message 'not responding' in task manager every time I click 'Install Windows XP')   Any help would be greatly appreciated.

Nicholas_D · Answer

Oh and exlporer.exe cannot be found when I try to run it from task manager...and neither will regedit now

Nicholas_D · Answer

One more thing, I figured you might want a hijackthis log, so here it is Logfile of HijackThis v1.99.1Scan saved at 11:51:08 AM, on 11/19/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32	askmgr.exeC:\Documents and Settings\Nicholas Doscher\My Documents\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - C:\PROGRA~1\HALFLE~1\HALFLE~1.DLLF2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\vturq.dll (file missing)O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocxO4 - HKLM\..\Run: [PivotSoftware] 'C:\Program Files\WinPortrait\wpctrl.exe'O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [ccRegVfy] 'C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe'O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exeO4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exeO4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exeO4 - HKLM\..\Run: [HPHUPD04] 'C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe'O4 - HKLM\..\Run: [DeadAIM] rundll32.exe 'C:\Program Files\AIM\DeadAIM.ocm',ExportedCheckODLsO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /rO4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /ConsumerO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exeO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123549561725O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.regence.com/remote/msrdp.cabO16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cabO16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cabO20 - Winlogon Notify: vturq - C:\WINDOWS\System32\vturq.dll (file missing)O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus
avapsvc.exeO23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

ky331 · Answer

a few comments:   you wrote:  ' I went back and used hijackthis in safe mode. In the first command, I typed C:\WINDOWS\System32\vturq.dll in the second command, i typed C:\WINDOWS\System32\qrutv.dll'   I'm taking for granted you typed-in these two lines as the filenames requested by the Atribune VundoFix (and not by HiJackThis itelf).   If so, the second line should have been C:\WINDOWS\System32\qrutv.*      However, I don't see that your error (typing .dll instead) would cause your Explorer problem.   **********************   the Atribune VundoFix (or whatever else you might have used) in fact seems to have done its job, as the current HJT entries for this file are now clearly marked (file missing)   O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\vturq.dll (file missing)   O20 - Winlogon Notify: vturq - C:\WINDOWS\System32\vturq.dll (file missing) in fact, if you can, run HJT, place a check-mark in the box in front of each of these lines, Click on FIX CHECKED, and close HJT, it should completely remove them. ******************************* I'm gonna try to call in someone else to see if they can determine what's really going on in your Explorer / RegEdit problems.... sounds like a (Smitfraud-type) Desktop Hijack.

ky331 · Answer

I did not expect removing those 2 lines to fix your explorer problem... was just trying to clean up those stray entries, to make your log simpler for the next helper.

be advised that i have sent out an "SOS" to at least 3 helpers, so hopefully one one them will arrive "soon".

Nicholas_D · Answer

Yes you're right, I'm sorry I made a mistake. I did in fact type in qrutv.* and not qrutv.dll. I ran hijack this in safe mode again and deleted the two items that were missing, yet I got this error: Unexpected error occurred at prodecure:modBackup_makebackup(sItem=O20 - Winlogon Notify: vturq - C:\WINDOWS\System32\vturq.dll (file missing)) Error #53-File Not Found However, I ran HJT again after this and both files were gone. But I've already done this and those two seem to keep coming back  regardless of fixing the checked files. After I deleted, I saved the log and this is what I have: Logfile of HijackThis v1.99.1Scan saved at 10:57:57 PM, on 11/19/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32	askmgr.exeC:\Documents and Settings\Nicholas Doscher\My Documents\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080R3 - URLSearchHook: SearchHook Class - {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} - C:\PROGRA~1\HALFLE~1\HALFLE~1.DLLF2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocxO4 - HKLM\..\Run: [PivotSoftware] 'C:\Program Files\WinPortrait\wpctrl.exe'O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe'O4 - HKLM\..\Run: [ccRegVfy] 'C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe'O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exeO4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exeO4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exeO4 - HKLM\..\Run: [HPHUPD04] 'C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe'O4 - HKLM\..\Run: [DeadAIM] rundll32.exe 'C:\Program Files\AIM\DeadAIM.ocm',ExportedCheckODLsO4 - HKLM\..\Run: [CTHelper] CTHELPER.EXEO4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /rO4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXEO4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /ConsumerO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /backgroundO4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO4 - Global Startup: The Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {2863ACA1-9AA0-4432-8CFE-88C12B3B2E5E} - file://C:\Program Files\Upromise_RemindU\Sy1050\Tp1050\scri1050a.htm (file missing) (HKCU)O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CABO16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exeO16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123549561725O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://www.regence.com/remote/msrdp.cabO16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cabO16 - DPF: {D94AAA2A-C415-42E3-82B6-49FAB4EBFFE9} (SearchHook Class) - http://www.halflemon.com/Halflemon.cabO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus
avapsvc.exeO23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Both files are gone, but I still have no explorer.

Nicholas_D · Answer

Okay thank you very much

RKinner · Answer

Task manager, File, New Task(run), sigverif, OK.  Then press Start when the new program comes up.   When it finishes look and see if you have wininet.dll in the list of files it does not like.  If it's not there what does it find?  If there are a whole bunch then just give me a few examples of .dll or .sys files.   If it finds   wininet.dll then try running   http://noahdfear.geekstogo.com/   Open up a command prompt:   Task manager, File, New Task(run), cmd, OK   type:   cd \ dir /s explorer*.exe   Does it find explorer.exe in the C:\Windows folder?  What size and date does it find?  Does it find explorer32dbg.exe ? Then make the registry changes given here:   http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.o.html   Oops.  You have no regedit.exe in a cmd window do:   copy \windows\regedit.exe \windows\regedit.com regedit.com     IF that doesn't work then try: copying the following text (between the ***'s but don't include the ***'s) to a notepad file and saving it as 'fixexe.reg'  (don't forget the quotes).   ********   Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command] @='\'%1\' %*' [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command] @='regedit.exe \'%1\'' *******   If you put this on a floppy you can install it from task manager with Task manager, File, New Task(run), a:\fixexe.reg, OK   Ron

Nicholas_D · Answer

Okay I went as far as opening up the command because I'm not sure if I qualify to do the regedit. The sigverify did not find the wininet.dll. It came up with 9 or 10 different files, all .dlls. They are devenum.dll dpmodemx.dll dpnet.dll dpvoice.dll dsdmoprp.dll mswebdvd.dll qcap.dll qedit.dll quartz.dll   I didn't download and install that program since it didn't find that file. I went ahead to the next step and it noted explorer.exe. Size is 1,004,032 and date is 3/31/2003 It did not display a explorer32dbg.exe so I wasn't sure if I needed that in order to continue with your instructions. Thanks for the help

RKinner · Answer

It looks like you have a good copy of explorer.exe so it's odd that it says it can't find it.

Try doing the fixexe.reg part and see if that helps.

If not then what happens if you start a cmd window as before and type:

c:\windows\explorer.exe

Does Window Explorer come up?

c:\Windows\regedit.exe

Does regedit come up?

Get the shellexview program from:

http://www.nirsoft.net/utils/shexview.html

Run it and have it disable everything that does not say it comes from Microsoft. Sometimes that will help.

Ron

Nicholas_D · Answer

*sigh* Nothing worked   tried the fixexe.reg onto floppy, but when I hit ok, a window pops up saying it can't find regedit.exe   going to cmd and typing c:\windows\explorer.exe or regedit.exe comes up with 'c:\windows\explorer.exe (or regedit.exe) is not recognized as an internal or external command, operable file or batch command'   I ran that program you had me install and I disabled every program that Microsoft, yet I didn't know what to do from there. I rebooted and still nothing.   I'm beginning to feel like there's no hope here

RKinner · Answer

Did you try this?   Open up a command prompt:   Task manager, File, New Task(run), cmd, OK   type:   copy \windows\regedit.exe \windows\regedit.com regedit.com   If you can get regedit to come up then you can make the changes manually to the registry.   Go to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command doubleclick on (default) in the right pane and set the value to:   '%1' %*   in words that is: doublequote percent one doublequote space percent asterisk   Ron

Nicholas_D · Answer

yeah I tried that...but I don't know if I typed that in correctly cause it didn't do anything.   c:\>copy \windows\regedit.exe \windows\regedit.com regedit.com   is what I typed. I don't know dos commands very well

rkinner2 · Answer

It should have been two separate lines.   copy \windows\regedit.exe \windows\regedit.com    regedit.com   Ron (other login is broken)

Nicholas_D · Answer

still, it says the system cannot find the specified file

RKinner · Answer

It seems to be similar to verona. Let's see if you can run the panda verona fix:

http://www.pandasoftware.com/download/utilities/validacion.aspx?CodigoProducto=12&TipoUsuario=2&TipoLead=2&Tipo=5&DocID=Z29&Ref=WW-DES-PQR&Idioma=2

Ron

Virus & Spyware

Was this post helpful?