MBAM'd a Trojan, explorer.exe won't open

Solved/Closed
Matt - Dec 15, 2010 at 04:33 AM
 Matt - Jan 10, 2011 at 07:03 PM
Hi,
A few days ago I contracted the Fake MS Security Essentials virus that is going round. I believe that it installed itself through a java backdoor - as the java splash logo came up, then firefox froze and crashed, and then the virus began spamming me with dialogs trying to warn me about viruses (oh, the irony!) and trying to sell me their anti virus software.

I am on a very tight schedule this week and so I thought I would start work on it immediately. I did the following:


I downloaded Rkill.exe to a USB and renamed it to trav7.exe. I then ran it on the infected PC - the virus processes were killed. Hurrah!

In order to remove them for good, I did an MBAM scan. I hibernated my PC overnight, resumed it in the morning, and went to school. When I came back, it had found about 24 infected files. I presuemd some of these were from previous events. I instructed MBAM to quarantine the files.

MBAM told me it had to restart in order to finish this process. I chose yes. I can't wait to see how much faster my computer is without all that nasty malware, I thought.

My computer rebooted. Or at least it tried to. It began to load Vista, then showed me a balck screen with a movable cursor on. About 2 seconds later, my mobo made a small noise, and my computer restarted. This cycle repeated each time I tried to restart the computer.

My computer prompted me to open the Recovery Console (this has OEM branding). The Vista Repair Environment told me that I needed to do a System Restore. I did this.

Some slight progress. Windows now boots to the same black screen with movable cursor, but this is stable, and I'm able to bring up task manager. Explorer.exe is not running. I try to open it using task manager - I get a command line window which flashes for a second but no more. I use task manager to try a further system recovery. I do this.

Still the same state of affairs. Black screen, movable cursor, can open task manager but can't launch explorer.


I'd be very grateful for any assistance in this matter. My current plan of action is:


Purchase xHDD

Create an Ubuntu Live CD

Use Ubuntu to back up my personal files

Reinstall Vista

Move my personal files back to my original HDD.


This obviously carries a LOT of associated hassle as I will effectively have to reinstall every piece of software I own. It also runs the risk of transferring the infection via my xHDD. This infection could not have come at a worse time for me (my university application form is due this week, as is a major assignment), so the quickest and most painless way is really what I am after. My dad has suggested that I simply take it to a local PC Engineer because he is worried that if I try meddling the virus coudl start deleting our personal files - is this something I should be worried about?


Thanks VERY much in advance,

Matt
Related:

5 responses

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 15, 2010 at 05:08 AM
Greetings Matt,

The procedure you followed to kill the trojan was the best but the reason why you were prompted to restore gets me. Did you reboot after running RKill?

Anyhow, at least you have the task manager to work with.

We may be able to overcome. As we may not be in the same time zone, you may need to be patient.

Tell me with the task manager how you try to launch explorer.exe. Do you get a message following your attempt?

I will try to get my partner on your case also, jack4all, and we will work as a team.

Catch you later

P.S. Patience is a vertu.
2
Hi Ambucias, thanks for your response! My timezone is GMT btw.

Basically what happened was, I ran Rkill so that I could run MBAM with the trojan blocking it. The MBAM quarantine told me that I needed to reboot in order to complete the quarantine process, and I did this. It was that this point that I had the first problem with explorer.exe.

I was prompted on boot to start the Vista Recovery Console, and the automated system repair feature decided that I ought to try a System Restore. This allowed me to get a stable black screen with movable cursor and task manager, but I am still unable to load explorer.

To answer your question: with task manager I try to launch explorer.exe in this way:

1) CTRL+SHIFT+ESC to launch task manager
2) File - New task (I think these are the names of the options, I don't have access to the infected PC for the next few hours)
3) explorer.exe followed by enter key to submit
it's here where it gets weird
4) instead of loading explorer.exe , I get a black Command Prompt style window. This has a line of text in it. The window dissapears to quickly for me to read the line of text, however I was able to pick up the word 'memory' in it. Subsequent attempts to launch explorer.exe bring up a Command Prompt windows, which dies immediately.

Thanks very much for your help, I look forward to sorting this out!

P.S. It most certainly is - this is the fourth time I've been without my desktop in four weeks and I am fast learning that patience is the only way!
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 15, 2010 at 05:30 AM
Thank you Matt. Most interesting I must say! (But grotesque)

I am usually in the virus/security environment.

I would like jack4all's opinion and advice on this. He should be on line soon.

Please stand-by
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Dec 15, 2010 at 06:00 AM
Hello,

First thanks to my friend "Ambucias"

Try this 1.

1) When you switch ON your computer, start tapping the "F8" key to get

"Windows Advanced Options"( if boot menu appears, press "Esc" key and keep

tapping the F8 key)

2) Select "Safe Mode with Networking"

3) Click on Start --> In search box, type regedt32 and press Enter.

Registry Editor will be opened. Navigate to the following location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

At the right side, find the strings shell & userinit and check the following

shell value data should be
Explorer.exe

userinit value data should be
C:\WINDOWS\system32\userinit.exe,

If shell and userinit are having different data values then change it as mentioned

above.

Just double click shell and userinit and enter the data values as

shell --> "Value data" should be
Explorer.exe

userinit --> "Value data" should be
C:\WINDOWS\system32\userinit.exe,

Note: there is "," at the end of userinit.exe

Once again download "Malwarebytes' Anti-Malware" from the below link.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Update it and perform "Full Scan"

Note : Default selected option is "Quick Scan"

Good Luck.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 15, 2010 at 06:14 AM
Hello Matt,

Told you that jack4all would find a solution. When you can access to you ill computer, please let my friend jack4all know... and me to
0
Hi,

Thanks for the help - (un)fortunately the registry values were just as they should be, so this isn't the problem.

I'm now on the infected PC using an Ubuntu Live CD and I have retrieved the MBAM log.

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org



Database version: 5302



Windows 6.0.6000

Internet Explorer 7.0.6000.16757



13/12/2010 16:44:53

mbam-log-2010-12-13 (16-44-53).txt



Scan type: Full scan (C:\|S:\|)

Objects scanned: 699871

Time elapsed: 3 hour(s), 52 minute(s), 11 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 3

Files Infected: 26



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{73E0BD4D-0A0F-4C5D-BDB0-FC2B18ADDE1A}_is1 (Rogue.ErrorWiz) -> Quarantined and deleted successfully.



Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0B2E3ADD-830D-5AFC-171F-273EDF331439} (Spyware.Passwords.XGen) -> Value: {0B2E3ADD-830D-5AFC-171F-273EDF331439} -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.



Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.



Folders Infected:

c:\Users\Family\AppData\Roaming\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.



Files Infected:

c:\Users\Family\AppData\Roaming\Efseab\saixo.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz\ErrorWiz.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\562422.exe (Trojan.GBFE) -> Quarantined and deleted successfully.

// ^ I THINK THIS IS THE FAKE MS SECURITY TROJAN

c:\Users\Family\AppData\Local\71638.exe (Trojan.GBFE) -> Quarantined and deleted successfully.

//^ I THINK THIS IS ALSO PART OF THE FAKE MS SECURITY TROJAN

c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\setup1014[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\setup1014[2].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\DJL1RH1F\fda[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\K3MNMANZ\212[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\Temp\CD73.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\Temp\8A19.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\Temp\A21C.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\Temp\1F6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Roaming\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\Family\downloads\gsfq32.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

c:\Users\Family\downloads\errorwiz_setup.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\Users\Family\downloads\fbx200611_2_converter_win.exe (Adware.BetterInternet) -> Quarantined and deleted successfully.

c:\Windows\System32\madCHook.dll (MadCodeHook) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz\blockprocess.dll (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz\errorwiz.exe.manifest (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz\unins000.dat (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\program files\ErrorWiz\unins000.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\errorwiz on the web.pif (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\ErrorWiz.lnk (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\uninstall errorwiz.lnk (Rogue.ErrorWiz) -> Quarantined and deleted successfully.

c:\Users\Family\AppData\Local\Temp\explorer.dat (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Dec 15, 2010 at 09:51 AM
Hello,
Try this 1
When the black screen appears --> Open the task manager --> Click on File --> New Task--> Now enter the below line including the double quotation i.e; " "
"C:\Program Files\Internet Explorer\iexplore.exe" "http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX"
---> Now click on OK --> Internet explorer will be opened and tries to download the file --> When
the download window appears --> Click on "Run". The file will be download and run automatically to fix the issue --> Later restart your PC.
Good Luck
0

Didn't find the answer you are looking for?

Ask a question
Hi,

I have tried this fix, and it has also not worked :(

There is one interesting thing I've noticed:

If I open regedit from the Windows OS and navigate as directed, Shell is "explorer.exe". If I open it from the command prompt in the recovery console, it is "cmd.exe /k start cmd.exe"
0
jack4rall Posts 6428 Registration date Sunday June 6, 2010 Status Moderator Last seen July 16, 2020
Dec 15, 2010 at 02:26 PM
Hello,
Try this 1

1)Open task manager --> File --> New Task --> type regedt32 and press Enter.
Registry Editor will be opened.
Look at the following location for the suspicious entry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run. Also in Runonce,
RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run. Also in Runonce,
RunOnceEx

2)Open task manager --> File --> New Task --> type cmd and press Enter.
When the command prompt opens, enter the below commands

cd\ and press Enter. Now your command prompt changes to C:\>

cd windows and press Enter. Now your command prompt changes to C:\windows>

ren explorer.exe exp.exe and press Enter.

cd system 32\dllcache and press Enter. Now you command prompt changes to C:\windows
\system32\dllcache>

copy explorer.exe c:\windows and press Enter
1 file copied message should appear.
type exit and press Enter
Hold the Ctrl and Shift keys --> Press the Esc key. Task manager will be opened.
In the task manager > File --> New Task --> type explorer.exe and press Enter.

Good Luck
0
NO the problem is after you remove the malware!!!! Go to internet explorer -> Tools -> Internet options -> Connections tab -> LAN settings -> at the bottom make sure the proxy settings are UNCHECKED!! Problem Solved
0
Hi,
Thanks for all the advice - luckily I was able to get an xhDD, back up my work, and format/reinstall windows, which worked great

Cheers

Matt
0