Explorer.exe

I already tried the last known good config and it didn't work. The windows button doesn't work for me. The only thing I can get to start up is the windows task manager. If I knew where the system restore file was located I could prolly navigate to it from there but I don't.

seoulsux, The rstrui.exe file is located in the C:\Windows\System32\Restore directory (folder) assuming the C is the letter of the hard drive that Windows is installed on.

If you can't access it that way check out the link below.

http://support.microsoft.com/kb/304449

Tufenuf

1. Restart your system
2. When the system first boots, type F8 to bring up the boot menu
3. Select the Safe Mode with Command Prompt option
4. Log-on as administrator if needed
5. At your command prompt type -
%systemroot%\system32\restore\rstrui.exe
6. Hit Enter -- This will open the system restore wizard...


Have fun.

I found out how to do a system restore when I went into msconfig. I also tried out all those ideas in those links Tom gave me. Did a scan with ad-aware SE, did a registry scan with registry mechanic. Funny thing is on those sites I notice a lot of people got it to work by doing this:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

but when I went there I didn't find any of those items in my registry.

I know my IE works fine because I used it to do a windows update when I had this problem.

Maybe I'm missing explorer.exe. Does anyone know where I can find it or how can I search for it using windows task manager?

I also did a HiJackThis scan which I'll copy below in case it helps. Thanks for all your suggestions and help

Logfile of HijackThis v1.99.1
Scan saved at 12:15:18 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\owner\Desktop\maintanece\HijackThis\analyze.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {3829B588-0A7E-40B0-84EA-4BF42F3EAC8D} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A6807262-1D7A-44AB-947B-23B71E97915C} - C:\WINDOWS\system32\hggfcba.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [Windows Mode Verifier] windll.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\RunServices: [Windows Mode Verifier] windll.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [

I don't have those entries in my Registry either. Well, I have everything except the explorer.exe and iexplorer.exe. But then I'm on XP Home Edition. I don't know if that makes a difference.

If those reg keys are supposed to be on your OS, then you would have to create them. If you create them, I would definitely first backup the parent keys to a location other than the Desktop.

Since the CNET Forums do not assist with HJT reports, I would suggest posting it at http://forums.tomcoyote.org/HijackThis_Logs_Malware_Removal_f27.html

I don't know if those registry entries are suppose to be there either. It was just a fix that worked for the people in those links that Tom provided. I'm just frustrated trying to figure out what happened. I did virus/adware scans and it's not that, I've done registry scans and fixed those, I don't even remember going into the windows folder and messing with explorer.exe or anything like that. I even restored the Alcohol 120% threat that AVG found and still no luck. BTW do you know how to access the recycle bin from from the windows task manager menu. If I can delete some stuff from the recycle bin I can get some work done at least while I work on this. Thanks

Try CCLEANER which will clean the recycle bin and more.There are three versions available,i use the slim version which has no yahoo toolbar and is english only.

Tom

CNET doesn't analyze HJT logs and there seems to be some questionable entries.

You can try AVG ANTI SPYWARE,preferably in SAFE MODE

I suggest you have this log analyzed,this LINK will provide instructions.

I've done a spybot search and destroy, ad-aware, avg and nod32 scan in safe mode. I've also done a cleaning/fixing of the registry while in safe mode. I've posted my HiJackThis report on one of those sites that Tom recommended and am waiting on any feedback. I did a chkdsk using the command prompt, but it only runs in read only mode. Do you know of a way that I can schedule it to run the next time I reboot? Maybe that will pick up and repair any errors. Thanks for any help

Did you type chkdsk or chkdsk /f,try the latter.

Patience is needed with HJT log forums since they are very busy.

Tom

For some reason explorer.exe just decided to stop being crazy and start working. Before it did I opened process explorer, started it and suspended it, then I did a debug with drwatson which crashed. I tried this several times and on the last time, I got this error:

Buffer Overrun Detected
C:Windows\Explorer.exe
A buffer overrun has occured which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

I'm afraid to press the OK button in case it crashes again.

Did you try the link I provided for avg anti spyware?

You could also try trojan hunter and Prevx2.0

This LINK which mentions this
Buffer Overrun Detected
C:Windows\Explorer.exe
A buffer overrun has occured which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated.

Scan in safe mode

I haven't tried the avg anti-spware yet but I did try the F-Secure Online Virus scan I saw someone used in one of your links after I enable my winpatrol again, I noticed that a awtqn.dll and a hggdc.dll(It was something like this) message kept popping up to asking me to allow these add-ons for IE. They still kept popping up even when I clicked No. The F-Secure Online scanner showed these results

Stealth

C:\WINDOWS\SYSTEM32\VBSKPRO2.OCX (Submitted)

Vundo.dam

C:\WINDOWS\SYSTEM32\AWTQN.DLL (Submitted)

This one I think is a false Positive
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\MISC\TOYCON-CRYSTALXP.NET-EN-1207\TOYCON\UPDATER.EXE (Submitted)

I'm gonna do a reboot and see if this fixed the problems. Also If I boot in safe mode with networking I'll be able to use Firefox and the internet right? I wanna use that AVG antispyware you recommended.

I don't understand why the hesitation in installing avg anti spyware and prevex (links that I supplied)and run them in safe mode,or maybe purge system restore (disable system restore),run the scans in safe mode then enable system restore.

Also check this LINK and click #8

Sorry It wasn't hesistation. It's just that I was trying every Idea you recommended and what I saw in those links and it takes time to get thru them all, especially the online virus scans. I'm in safe mode now but Prevx doesn't work. So I'm gonna run the avg-antivirus and see if that helps. I did the chkdsk and got no errors. But after booting to safe mode I still got that buffer overrun error which closes explorer if I click Ok. How do you disable system restore?

To disable SYSTEM RESTORE

I noticed you typed "avg anti virus".Use avg anti spyware.

Tom

After 2 hrs + of avg anti-spware, f-vmonde, disabling system restore and prevx it still doesn't work f-vmonde took care of that hggcda.dll, but now i'm not even getting that buffer overrun error. No one has replied to my HiJackThis log post yet. After several tries with process explorer to debug explorer.exe, I noticed that some of the time just before it crashed I saw a verclsid.exe. I did a google search and it turns out there is a glitch with this program and explorer. I also noticed that when I suspended explorer.exe and looked at the strings I keep seeing this. awtqn.dll+0x2cfe0 and some others like that. I know awtqn.dll is/was a virus and I don't have it anymore, but it seems that Explorer.exe keeps trying to load this file. Maybe that's the problem? I'm gonna install and update I found for the verclsid.exe on the microsoft website and see if that works.