
Explorer.exe won't start, File not found - fix


Recommended Posts

A combination of malware running around in the past few days has infected several of my clients' PCs. One of the files that gets removed is C:\Program Files\Microsoft Common\*.* (typically the file contained in this folder is svchost.exe).

However, there is still a reference to this file, and as a result, whenever an attempt is made to run Explorer.exe, the following key is executed, the file isn't found, and the program won't run. With no shell, you get, well, you know. If you try running explorer.exe from the Task Manager, you get "file not found", even though it's there on the disk. What isn't immediately obvious is that the "file not found" isn't explorer.exe, it's the file in the registry key that was removed by anti-spyware programs.

The key is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

"Debugger"="C:\\Program Files\\Microsoft Common\\svchost.exe"

It would be great if you could add this to your WONDERFUL program and detect if this registry key exists and, if so, add it to the list of items detected. (It might be worth checking to see if the file it's pointing to still exists too, as it would make sense to detect it at the same time.)

Thanks again for making such a great program as you have available.

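The mechanism described above is the Image File Execution Options (IFEO) "Debugger" hook: when a process named explorer.exe is created, Windows launches the command line in the Debugger value instead, passing explorer.exe to it as an argument. If that debugger executable has been deleted, the launch fails with "file not found", which is why the Task Manager's Run function cannot start explorer.exe either (you can still start powershell.exe from there). The following script is an added example written for this thread, not code from the original post or from Malwarebytes, and implements the check requested here and later in the thread: enumerate every IFEO subkey, pull the executable out of each Debugger value, test whether it still exists, and optionally delete only the dangling value. It assumes it is run from an elevated PowerShell on the affected machine; the parameter name -Remove and the helper function names are this example's own.

```powershell
# Added example (not from the original post): find Image File Execution Options
# "Debugger" values whose target executable no longer exists, and optionally remove them.
# Assumptions: run elevated (HKLM write access); both the native and the Wow6432Node
# IFEO keys are scanned. Without -Remove the script only reports.
param(
    [switch]$Remove
)

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# A Debugger value is a command line: the executable may be quoted and may be
# followed by arguments (e.g. "ntsd -d"). Return just the executable portion.
function Get-DebuggerExe {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted: the first whitespace-delimited token is the executable.
    return ($cmd -split '\s+', 2)[0]
}

# Rooted paths (C:\Program Files\Microsoft Common\svchost.exe) are checked as-is;
# bare names such as ntsd.exe are resolved through PATH like CreateProcess would.
function Test-DebuggerTarget {
    param([string]$Exe)
    if ([System.IO.Path]::IsPathRooted($Exe)) {
        return (Test-Path -LiteralPath $Exe -PathType Leaf)
    }
    return [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
}

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        [pscustomobject]@{
            Image        = $key.PSChildName
            Debugger     = $dbg
            TargetExists = Test-DebuggerTarget (Get-DebuggerExe $dbg)
            KeyPath      = $key.PSPath
        }
    }
}

# Every Debugger value deserves a look (a hijack whose payload is still present is
# worse than a dangling one); the TargetExists=False rows are the "file not found" case.
$findings | Format-Table Image, TargetExists, Debugger -AutoSize

$dangling = $findings | Where-Object { -not $_.TargetExists }
foreach ($f in $dangling) {
    Write-Warning "Dangling IFEO Debugger for $($f.Image): $($f.Debugger)"
    if ($Remove) {
        # Delete only the Debugger value; an otherwise empty subkey is harmless.
        Remove-ItemProperty -LiteralPath $f.KeyPath -Name Debugger -Confirm:$false
    }
}
```

Run it once without -Remove to review the table; only the Debugger value is touched, so legitimate IFEO entries (GlobalFlag, MitigationOptions and the like) and any Debugger entry whose target really is on disk are left for a human to judge.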

That key probably should have been changed back to the default. Something could have been protecting it. You can actually hit Ctrl+Shift+Esc to open the task manager, and manually launch explorer.exe with the 'Run' function. That allows you to go about fixing the issue, assuming you don't prefer using a BartPE CD to edit the registry.


That key probably should have been changed back to the default. Something could have been protecting it. You can actually hit Ctrl+Shift+Esc to open the task manager, and manually launch explorer.exe with the 'Run' function. That allows you to go about fixing the issue, assuming you don't prefer using a BartPE CD to edit the registry.

Actually, when this key is in existence, which it normally is not, you CANNOT run explorer if the file referenced in the key no longer exists. Trust me. Try it for yourself.


http://74.125.95.132/search?q=cache:zmkJhd...=clnk&gl=us

We did this once already and there were FPs.

We are trying again a slightly different way, hope this works with no FPs this time.

Thanks Bruce. While I'm not suggesting how to do this, I can say that if you find ANY references to non-existing files within this whole key (Image File Execution Options), you aren't going to hit an FP. While most of the executables in this key are minor, the Explorer.exe key is clearly a VERY special case, and one that you wouldn't expect to be listed here unless you're a *shell* developer, and in that case, you wouldn't be running MBAM... :-)

Thanks for looking into this. I ran into this problem a month or so ago, and now more than four times in the past week. I can't say for sure which Anti-Malware program is actually removing the malware file in \Microsoft Common\, as I typically run several while in PE mode and then flip back to safe mode to finish off the job. With MBAM not working in UBCD4Win right now, I can be certain that it wasn't MBAM that removed the referenced file. However, had MBAM (or, if done properly, the other programs that removed the malware) caught this dead-ended file reference in the registry, it would have made life a bit easier. Since a couple of months had passed, I had forgotten about this key, so it took me a bit to track it down when explorer appeared to stop working due to "Cannot be found"...


Actually, when this key is in existence, which it normally is not, you CANNOT run explorer if the file referenced in the key no longer exists. Trust me. Try it for yourself.

Sorry, you're right. I must have been half asleep when I read this earlier. :(


MBAM links from the file to Image File Execution Options, so if we hit the file we also clear the hijack. I am unsure how the initial case came to be, as I cannot replicate it.

I believe the initial case happened due to SuperAnti-Spyware removing the svchost.exe program and the phoney "Microsoft Common" folder. But it FAILED to also remove the registry key and thusly caused the problem. So, no knocks against MBAM there. However, I was just hoping that if you happened to FIND the registry key, AND it had a reference to a non-existent file, you would REMOVE the reference (who cares if you leave the key if it's empty...). At least that way, you could FIX the "File not found" problem. Of course, one might also say, and HOW might you actually RUN MBAM if you don't have the shell? Well, just like running any other program at that point: from Task Manager. Clearly, not your average run-of-the-mill user, but between you and me, every ounce of heuristic you can deploy can help in this fight.

Cheers,

-Ken
