Command prompt and regedit fail to open and restart explorer.exe
On a Windows XP SP2 machine I had, both the command prompt (cmd.exe) and regedit (regedit32.exe) failed to load; instead, opening either one restarted explorer.exe, which closed all open windows and brought you back to the desktop. This also brought up the Restore Active Desktop message on the desktop, and its Restore button failed with a script error.
On most start-ups, explorer didn’t load at all, but it could be started manually by bringing up Task Manager (Ctrl + Alt + Delete), going to File -> Run and typing ‘explorer.exe’ (without the quotes).
I don’t know where the malware came from, but there were traces from Limewire, so one could hazard a guess that this was likely the cause.
To fix the problem, you will need some knowledge of the registry and of navigating around Windows Explorer. You will also need the following tools:
- HijackThis
- ComboFix (read all of the ComboFix documentation before you proceed with this)
Step 1: Get the command prompt and regedit to work
- Navigate to C:\Windows\system32 in explorer
- Copy the file called regedit32 (regedit32.exe if you have extensions shown)
- Paste a copy of this file on your desktop
- Rename this file to anything you want other than cmd.exe or regedit32.exe, for example somerandomfile.exe
- Double-click the file to open it. You should now have full access to the registry
Step 2: Remove the malware
- In the registry navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
- Under the aux2 value (it may be a different entry on your machine) you will see a path like C:\DOCUME~1\USERNAME\LOCALS~1\Temp\..\esanx.igg
- Copy the whole path excluding the file name and open it in Explorer. You should see the file in the folder.
- If so, open up HijackThis, and click the button for Misc Tools.
- Choose Delete a file on reboot.
- Navigate to the path of the file and select the file.
- When you have selected it you will be asked to restart. Say Yes and restart.
Step 3: Check it has gone
- After you have restarted, disable any antivirus scanners and run ComboFix, following its instructions.
- Let ComboFix do its thing; when it has finished, everything should be as good as it was beforehand.
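As an added example (not part of the original post), here is a small Python script that makes the Step 2 check repeatable: it parses the output of `reg query` for the Drivers32 key and flags values whose data does not look like a normal multimedia driver (unexpected extension, a path under a user profile or Temp folder, or a `..` component used to hide the real location). The sample output below is constructed, not captured from a real machine; the aux2 line mirrors the entry from the post and the other entries are assumed typical legitimate values.

```python
import ntpath
import re

# Constructed sample of: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
# (not real captured output). aux2 mirrors the entry described in the post.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    midimapper        REG_SZ    midimap.dll
    msacm.imaadpcm    REG_SZ    imaadp32.acm
    vidc.cvid         REG_SZ    iccvid.dll
    wavemapper        REG_SZ    msacm32.drv
    aux2              REG_SZ    C:\DOCUME~1\USERNAME\LOCALS~1\Temp\..\esanx.igg
"""

# Extensions a genuine Drivers32 entry uses (codecs and multimedia drivers).
EXPECTED_EXTENSIONS = {".dll", ".drv", ".acm", ".ax"}
# Directory fragments that mark user-writable locations a system driver should never live in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                   "\\docume~1\\", "\\documents and settings\\")

# One value line: <name> <REG_TYPE> <data>; the key header line has no REG_ token so it is skipped.
LINE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return a list of (name, type, data) tuples from reg query output."""
    return [m.groups() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]

def audit_entry(name, data):
    """Return the reasons an entry looks suspicious (empty list if it looks normal)."""
    reasons = []
    resolved = ntpath.normpath(data)          # collapses the Temp\..\ trick to the real path
    raw, low = data.lower(), resolved.lower()
    ext = ntpath.splitext(low)[1]
    if ext not in EXPECTED_EXTENSIONS:
        reasons.append("unexpected extension '%s' for a Drivers32 entry" % ext)
    if any(d in raw or d in low for d in SUSPICIOUS_DIRS):
        reasons.append("points into a user profile / Temp directory")
    if ".." in data.split("\\"):
        reasons.append("uses '..' to disguise its real location: %s" % resolved)
    return reasons

def audit_drivers32(text):
    """Map each suspicious value name to (resolved path, reasons)."""
    findings = {}
    for name, _type, data in parse_reg_query(text):
        reasons = audit_entry(name, data)
        if reasons:
            findings[name] = (ntpath.normpath(data), reasons)
    return findings

if __name__ == "__main__":
    for name, (path, reasons) in audit_drivers32(SAMPLE_REG_QUERY).items():
        print("%s -> %s" % (name, path))
        for reason in reasons:
            print("   - " + reason)
```

On a live machine, pipe the real `reg query` output into `audit_drivers32` instead of the constructed sample; a hit tells you the resolved path to look at in Explorer in Step 2.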