Windows unable to run explorer.exe or IE

[Dave Sell]

Windows is unable to execute explorere or ie. Desktop icons do not show on
reboots. This all started after trojen removal but not certain that is what
broke this PC. I can execute a few things from taskmgr like Norton AV and
currently claims machine virus free. But if I try to start explorer.exe
from taskmgr I get "Windows cannot find C:\WINDOWS\explorere.exe. Check
spelling.....". Same with IE. I have been able to update to SP2 via cmd
prompt. Currrent config: WinXP Home with SP2.

I had Trojan.StartPage with files: Tmntsrv32.EXE, SMSSU.EXE, & xmlib.dll.
Problems seem to have started after I lilled these processes then restarted.
Several techsupport sites suggested killing with taskmgr or hijack but since
both only kill one process at a time it doesn't work with this since the 3
files associatied with the trojan seem to monitor each other and restart as
soon as one is killed. I was unable to fine removal tool so wrote batch file
that renamed each with .tmp extension then copied FREECELL.EXE to each of
the 3 original names and gained control of the PC then able to run NAV. But
on next boot the icons on desktop didn't show up and seems there might be
where all this started.

One other thing is that both the original CD with XP Home and SP2 have
problems updateing several programs and hardware dirvers with error saying
that file being installed has not passed Windows certification. I read
where I could rename the 2 catroot folders in SYSTEM32 to .TMP extension
might clear that up when I try to reinstall. but want to confirm first.

I'm not ready to start from scratch yet. I have tried a repair with the
original CD. A complete reinstall creates a new user account and I dont
think I want that yet. I'd like to maintain the current structure as much as
possible. What's up with my machine?

Dave Sell
(e-mail address removed)

 

[NotMe]

strange...explorer.exe IS windows, if it's not running, you aren't in
windows.

iexplore.exe on the other hand is internet explorer.
it sounds like you may still be infected.

 

[Dave Sell]

Partial reply to NotMe

As I understand Windows is a conglom of many processes including
explorer.exe & iexplore.exe. What I get on a reboot is my desktop
background and the mouse pointer in the middle of the screen. I am able to
move the mouse and <CTRL+ALT+DEL> brings up taskmgr. So mouse and keyboard
portions of Win is working. A program called explorer.exe and iexplore.exe
exist. Their versions claim current Microsoft. I get the feeling that those
versions have been denied access maybe by the virus or by some other action.
I have looked at properties and both have the same properties as NOTEPAD.EXE
and FREECELL.EXE which both work. Where else would access rights to progrmas
be? What other reason would they now run? Is there a way to check if any
other files have been denied access? Or maybe something simpler is broke?

NAV is current and a check of ALL files reveals nothing now. I am able to
access the internet for updates for both Wndows and Norton. Windows update
is set to auto download and install. I can run all the .CPL files so I can
make some changes. I can rename, delete, move files with taskmgr.

I have tried SFC.EXE with original WinXP Home CD. I think I'll have to load
SP2 again - I'm not sure if versions of all system files go back to
original. ...?
Dave Sell

------------------
NotMe
strange...explorer.exe IS windows, if it's not running, you aren't in
windows.

iexplore.exe on the other hand is internet explorer.
it sounds like you may still be infected.

 

[Malke]

Partial reply to NotMe

As I understand Windows is a conglom of many processes including
explorer.exe & iexplore.exe. What I get on a reboot is my desktop
background and the mouse pointer in the middle of the screen. I am
able to
move the mouse and <CTRL+ALT+DEL> brings up taskmgr. So mouse and
keyboard
portions of Win is working. A program called explorer.exe and
iexplore.exe
exist. Their versions claim current Microsoft. I get the feeling that
those versions have been denied access maybe by the virus or by some
other action. I have looked at properties and both have the same
properties as NOTEPAD.EXE and FREECELL.EXE which both work. Where else
would access rights to progrmas
be? What other reason would they now run? Is there a way to check if
any other files have been denied access? Or maybe something simpler is
broke?

NAV is current and a check of ALL files reveals nothing now. I am
able to
access the internet for updates for both Wndows and Norton. Windows
update
is set to auto download and install. I can run all the .CPL files so
I can make some changes. I can rename, delete, move files with
taskmgr.

I have tried SFC.EXE with original WinXP Home CD. I think I'll have to
load SP2 again - I'm not sure if versions of all system files go back
to
original. ...?
Dave Sell

------------------
NotMe
strange...explorer.exe IS windows, if it's not running, you aren't in
windows.

iexplore.exe on the other hand is internet explorer.
it sounds like you may still be infected.

Actually explorer.exe is just the Graphical User Interface (gui). It is
not "Windows". However, you need to have it run for normal operation.
Here's the thing - the OP didn't know this simple piece of information
but yet wrote a "batch file" to do who-knows-what and made numerous
other changes in his efforts to remove the trojan (for which there are
removal steps if you know where to look). I'm not saying this to hurt
Mr. Sells' feelings - I'm just stating an apparent fact and being
practical regarding remedies.

At this point, the system is in an unknown state. Undocumented changes
have been made, so unwinding from these will be most difficult. I would
back up any data first, either with Knoppix or a Bart's, and then try a
Repair Install. If the Repair Install doesn't work, the easiest and
probably best solution will be a Clean Install.

http://www.michaelstevenstech.com/XPrepairinstall.htm - Repair Install
http://michaelstevenstech.com/cleanxpinstall.html - Clean Install

http://www.knoppix.net
http://www.nu2.nu/pebuilder/

Malke

 

[Dave Sell]

If it would help the steps I took were
1) run Trend Micro Housecall. I was able to run it from SafeMode with
network. It was able to remove most of the junk except for 3 files needed
for Trojan.StartPage. NortonAV would not load at all or when it did load at
one point it would be disabled by Trojan.StartPage on subsequent reboot.
Still had explorer.exe.
2) Attempt to remove the 3 file associated with Trojan.StartPage that
continue to restore themselves. At that time the trojan processes running
were 2 instances of SMSSU.EXE, 1 of Tmntsrv32.EXE, & 1 of xmlib.dll. I tried
sharing drive C:\ (including Program Files, Documents and Settings, and
Windows) with my laptop which has current ver of NAV. - didn't work
3) There is such a mixed bag of sugggestions on how to remove these files
and none I tried worked. Several websites (not newsgroups) suggested use of
taksmgr or hijack to kill processes - didn't work. Another suggested using
hijack to delete files on reboot feature - didn't work. All sites seemed to
be in agreement as to the files involved so that is where I thought the
batch file would be able to run all the way through befor the trojan files
could replace themselves. All the batch file really did was copy
freecell.exe to Tmntsrv32.EXE, SMSSU.EXE, & xmlib.dll. That worked. I got 4
instances of freecell but trojan was stopped. and NortonAV loaded and was
able to clean a bunch more. On reboot this time none of my desktop icons
showed up. I was unable to run explorer.exe after that. Norton & Windows
were able to connect to web to update.

So there a few things I did befor this went FUBAR. All the files I can run I
have to start from taskmgr. Control panel files run OK. Why can't I run
explorer.exe but notepad.exe runs just fine?

Dave Sell
---------------------

 

[Malke]

If it would help the steps I took were
1) run Trend Micro Housecall. I was able to run it from SafeMode with
network. It was able to remove most of the junk except for 3 files
needed for Trojan.StartPage. NortonAV would not load at all or when it
did load at one point it would be disabled by Trojan.StartPage on
subsequent reboot. Still had explorer.exe.
2) Attempt to remove the 3 file associated with Trojan.StartPage that
continue to restore themselves. At that time the trojan processes
running were 2 instances of SMSSU.EXE, 1 of Tmntsrv32.EXE, & 1 of
xmlib.dll. I tried sharing drive C:\ (including Program Files,
Documents and Settings, and Windows) with my laptop which has current
ver of NAV. - didn't work 3) There is such a mixed bag of sugggestions
on how to remove these files and none I tried worked. Several websites
(not newsgroups) suggested use of taksmgr or hijack to kill processes
- didn't work. Another suggested using hijack to delete files on
reboot feature - didn't work. All sites seemed to be in agreement as
to the files involved so that is where I thought the batch file would
be able to run all the way through befor the trojan files could
replace themselves. All the batch file really did was copy
freecell.exe to Tmntsrv32.EXE, SMSSU.EXE, & xmlib.dll. That worked. I
got 4 instances of freecell but trojan was stopped. and NortonAV
loaded and was able to clean a bunch more. On reboot this time none of
my desktop icons showed up. I was unable to run explorer.exe after
that. Norton & Windows were able to connect to web to update.

So there a few things I did befor this went FUBAR. All the files I can
run I have to start from taskmgr. Control panel files run OK. Why
can't I run explorer.exe but notepad.exe runs just fine?

I guess you can't run explorer.exe because it has been damaged. There
really isn't any way for me to give you a more definitive answer
without actually looking at the machine. Try:

1. Run the System File Checker. Since you can run the Task Manager, you
can make a new task of cmd and then sfc /scannow.

2. If that doesn't work, do the Repair Install.

3. If that doesn't work, clean install Windows and restore data from
backups.

Otherwise you may want to take the machine to a computer professional
(not your local equivalent of BigStoreUSA) and have them take a look.
They may see something in a hands-on situation that people reading
about the issues in a newsgroup might miss.

Good luck,

Malke

 

[Guest]

I'll try another angle..

I renamed explorer.exe to exp.exe and iexplore.exe to iexp.exe. Both work
like that but associations are not there. Is there some part of the rigistry
that would block usage of a program?