Command prompt and regedit fail to open and restart explorer.exe

Posted on Tue, 2009-04-21 23:57

On a Windows XP SP2 machine I have had, both the command prompt (cmd.exe) and regedit (regedit32.exe) failed to load and just restarted explorer.exe which closed all open windows and brought you back to the desktop. This also brought up the Restore Active Desktop message on the desktop and the Restore button failed with a script error.

On most start ups, explorer didn’t load at all, but could be manually by bringing up the task manager (Ctrl + Alt + Delete) and going to File –> Run and typing ‘explorer.exe’ (without the quotes).

I don’t know where the malware came from, but there were traces from Limewire, so one could hazard a guess that this was likely the cause.

Fix

To fix the problem, you will need some knowledge of the registry and navigating around Windows explorer. As well as the following tools:

  • HijackThis – Download (mirror)
  • ComboFix – Download (Read all the documentation of Combofix before you proceed with this)

Step 1: Get the command prompt and regedit to work

  1. Navigate to C:\Windows\system32 in explorer
  2. Copy the file called regedit32 (regedit32.exe if you have extensions shown)
  3. Paste a copy of this file on your desktop
  4. Rename this file to anything you want other than cmd.exe or regedit32.exe, something like somerandomfile.exe
  5. Double click the file to open it.  You should now have full access to the registry

Step 2: Remove the malware

  1. In the registry navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
  2. Under aux2 (maybe another entry) you will see a path like C:\DOCUME~1\USERNAME\LOCALS~1\Temp\..\esanx.igg
  3. Copy the whole path excluding the file and open it in Explorer. You should see the file in the folder.
  4. If so, open up HijackThis, and click the button for Misc Tools.
  5. Chose Delete a file on reboot.
  6. Navigate to the path of the file and select the file.
  7. When you have selected it you will be asked to restart.  Say Yes and restart.

Step 3: Check it has gone

  1. After you have restarted, disable any Antivirus scanners and run Combofix following the instructions.
  2. Let Combofix do it’s thing and when finished, everything should be as good as it was beforehand.

Step 4: Remove any junk (to be on the safe side)

  1. Either download CCleaner or ATF-Cleaner (Only for Windows XP and Windows 2000)
  2. Clean out all your temporary files

Comments

Ravindra Kulkarni

Fri, 2009-07-17 15:39

Very good.I accesed registry.Thank you.

rehs

Sat, 2009-08-01 08:50

I have almost similar problem. When I reboot my pc, all I see is desktop screensaver ( no desktop icons, start menu or taskbar). I can bring up the task manager by ctrl+alt+del. I tried running explorer.exe from task manager's "New Task (Run...)" but it failed. I mean nothing happens and I dont see explorer.exe in the task manager. Can someone help me resolve this?

Toby

Mon, 2010-03-08 00:42

Awesome info mate! Much appreciated.