MBAM'd a Trojan, explorer.exe won't open
Solved/Closed
5 responses
Ambucias
Dec 15, 2010 at 05:08 AM
Greetings Matt,
The procedure you followed to kill the trojan was the best but the reason why you were prompted to restore gets me. Did you reboot after running RKill?
Anyhow, at least you have the task manager to work with.
We may be able to overcome. As we may not be in the same time zone, you may need to be patient.
Tell me with the task manager how you try to launch explorer.exe. Do you get a message following your attempt?
I will try to get my partner on your case also, jack4all, and we will work as a team.
Catch you later
P.S. Patience is a virtue.
Ambucias
Dec 15, 2010 at 05:30 AM
Thank you Matt. Most interesting I must say! (But grotesque)
I am usually in the virus/security environment.
I would like jack4all's opinion and advice on this. He should be on line soon.
Please stand-by
jack4rall
Dec 15, 2010 at 06:00 AM
Hello,
First thanks to my friend "Ambucias"
Try this 1.
1) When you switch ON your computer, start tapping the "F8" key to get "Windows Advanced Options" (if the boot menu appears, press the "Esc" key and keep tapping the F8 key)
2) Select "Safe Mode with Networking"
3) Click on Start --> In search box, type regedt32 and press Enter.
Registry Editor will be opened. Navigate to the following location
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
At the right side, find the strings shell & userinit and check the following
shell value data should be
Explorer.exe
userinit value data should be
C:\WINDOWS\system32\userinit.exe,
If shell and userinit have different data values, then change them as mentioned above.
Just double click shell and userinit and enter the data values as
shell --> "Value data" should be
Explorer.exe
userinit --> "Value data" should be
C:\WINDOWS\system32\userinit.exe,
Note: there is "," at the end of userinit.exe
Once again, download "Malwarebytes' Anti-Malware" from the link below.
https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/
Update it and perform a "Full Scan"
Note: the default selected option is "Quick Scan"
Good Luck.
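The comparison described in the post above, as an added example that is not part of the original thread: Python that reads regedit export text (.reg format) and checks the Winlogon Shell and Userinit data against the values the post gives. It also reports any Shell or Userinit set under HKEY_CURRENT_USER, the location the MBAM log later in this thread flagged; treating every per-user value as worth review is an assumption, and the sample export, the placeholder path and the function names are constructed for illustration.

```python
import re

# Known-good data quoted in the post above; compared case-insensitively.
EXPECTED = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",  # note the trailing comma
}
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit export format (not taken from the thread).
# The HKEY_CURRENT_USER path is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Users\\Example\\AppData\\Roaming\\placeholder.exe"
"""


def unescape(s):
    """Undo .reg string escaping (backslash before a backslash or quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for string (REG_SZ) values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            current[unescape(m.group("name"))] = unescape(m.group("data"))
    return keys


def audit_winlogon(text):
    """Return (key, value_name, data, reason) for each value to review."""
    findings = []
    for key, values in parse_reg(text).items():
        hive, _, subkey = key.partition("\\")
        if subkey.lower() != WINLOGON:
            continue
        for name, data in values.items():
            want = EXPECTED.get(name.lower())
            if want is None:
                continue  # not Shell or Userinit
            if hive.upper() == "HKEY_CURRENT_USER":
                # Assumption: a clean profile defines neither value per user.
                findings.append((key, name, data, "per-user value, review"))
            elif data.lower() != want:
                findings.append((key, name, data, "expected " + want))
    return findings


if __name__ == "__main__":
    # Files saved by regedit are UTF-16; decode them before passing text in.
    for finding in audit_winlogon(SAMPLE_EXPORT):
        print(" | ".join(finding))
```
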
Ambucias
Dec 15, 2010 at 06:14 AM
Hello Matt,
Told you that jack4all would find a solution. When you can access your ill computer, please let my friend jack4all know... and me too.
Hi,
Thanks for the help - (un)fortunately the registry values were just as they should be, so this isn't the problem.
I'm now on the infected PC using an Ubuntu Live CD and I have retrieved the MBAM log.
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org
Database version: 5302
Windows 6.0.6000
Internet Explorer 7.0.6000.16757
13/12/2010 16:44:53
mbam-log-2010-12-13 (16-44-53).txt
Scan type: Full scan (C:\|S:\|)
Objects scanned: 699871
Time elapsed: 3 hour(s), 52 minute(s), 11 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 26
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{73E0BD4D-0A0F-4C5D-BDB0-FC2B18ADDE1A}_is1 (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0B2E3ADD-830D-5AFC-171F-273EDF331439} (Spyware.Passwords.XGen) -> Value: {0B2E3ADD-830D-5AFC-171F-273EDF331439} -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\Users\Family\AppData\Roaming\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Family\AppData\Roaming\Efseab\saixo.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz\ErrorWiz.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\562422.exe (Trojan.GBFE) -> Quarantined and deleted successfully.
// ^ I THINK THIS IS THE FAKE MS SECURITY TROJAN
c:\Users\Family\AppData\Local\71638.exe (Trojan.GBFE) -> Quarantined and deleted successfully.
//^ I THINK THIS IS ALSO PART OF THE FAKE MS SECURITY TROJAN
c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\setup1014[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\setup1014[2].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\5VQ7E5W1\inst[1].exe (Trojan.GBFE) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\DJL1RH1F\fda[1].exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\K3MNMANZ\212[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\Temp\CD73.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\Temp\8A19.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\Temp\A21C.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\Temp\1F6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Roaming\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Family\downloads\gsfq32.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
c:\Users\Family\downloads\errorwiz_setup.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\Users\Family\downloads\fbx200611_2_converter_win.exe (Adware.BetterInternet) -> Quarantined and deleted successfully.
c:\Windows\System32\madCHook.dll (MadCodeHook) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz\blockprocess.dll (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz\errorwiz.exe.manifest (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz\unins000.dat (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\program files\ErrorWiz\unins000.exe (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\errorwiz on the web.pif (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\ErrorWiz.lnk (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\programdata\microsoft\Windows\start menu\Programs\ErrorWiz\uninstall errorwiz.lnk (Rogue.ErrorWiz) -> Quarantined and deleted successfully.
c:\Users\Family\AppData\Local\Temp\explorer.dat (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
jack4rall
Dec 15, 2010 at 09:51 AM
Hello,
Try this 1
When the black screen appears --> Open the task manager --> Click on File --> New Task--> Now enter the below line including the double quotation i.e; " "
"C:\Program Files\Internet Explorer\iexplore.exe" "http://info.prevx.com/download.asp?GRAB=BLACKSCREENFIX"
---> Now click on OK --> Internet Explorer will be opened and will try to download the file --> When the download window appears --> Click on "Run". The file will be downloaded and run automatically to fix the issue --> Later restart your PC.
Good Luck
Hi,
I have tried this fix, and it has also not worked :(
There is one interesting thing I've noticed:
If I open regedit from the Windows OS and navigate as directed, Shell is "explorer.exe". If I open it from the command prompt in the recovery console, it is "cmd.exe /k start cmd.exe"
jack4rall
Dec 15, 2010 at 02:26 PM
Hello,
Try this 1
1)Open task manager --> File --> New Task --> type regedt32 and press Enter.
Registry Editor will be opened.
Look at the following location for the suspicious entry
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run. Also in Runonce, RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run. Also in Runonce, RunOnceEx
2)Open task manager --> File --> New Task --> type cmd and press Enter.
When the command prompt opens, enter the below commands
cd\ and press Enter. Now your command prompt changes to C:\>
cd windows and press Enter. Now your command prompt changes to C:\windows>
ren explorer.exe exp.exe and press Enter.
cd system32\dllcache and press Enter. Now your command prompt changes to C:\windows\system32\dllcache>
copy explorer.exe c:\windows and press Enter
1 file copied message should appear.
type exit and press Enter
Hold the Ctrl and Shift keys --> Press the Esc key. Task manager will be opened.
In the task manager > File --> New Task --> type explorer.exe and press Enter.
Good Luck
Dec 15, 2010 at 05:16 AM
Basically what happened was, I ran Rkill so that I could run MBAM with the trojan blocking it. The MBAM quarantine told me that I needed to reboot in order to complete the quarantine process, and I did this. It was at this point that I had the first problem with explorer.exe.
I was prompted on boot to start the Vista Recovery Console, and the automated system repair feature decided that I ought to try a System Restore. This allowed me to get a stable black screen with movable cursor and task manager, but I am still unable to load explorer.
To answer your question: with task manager I try to launch explorer.exe in this way:
1) CTRL+SHIFT+ESC to launch task manager
2) File - New task (I think these are the names of the options, I don't have access to the infected PC for the next few hours)
3) explorer.exe followed by enter key to submit
it's here where it gets weird
4) instead of loading explorer.exe, I get a black Command Prompt style window. This has a line of text in it. The window disappears too quickly for me to read the line of text, however I was able to pick up the word 'memory' in it. Subsequent attempts to launch explorer.exe bring up a Command Prompt window, which dies immediately.
Thanks very much for your help, I look forward to sorting this out!
P.S. It most certainly is - this is the fourth time I've been without my desktop in four weeks and I am fast learning that patience is the only way!