Jump to content

Explorer.exe... broken?

Recommended Posts

Hi guys,

So I bought a new video card yesterday, installed it, overclocked it, and benchmarked it like I always do. The only apps I used were EVGA precision, Furmark, and the Crysis demo.

I restarted the computer and it worked fine for the first couple of reboots. Then, one time I started it up after a couple of hours, and I was greeted with a desktop with no icons, taskbar, or anything. Explorer.exe was running, but then I ended it and started a fresh process. Everything came up and worked fine.

After doing some research, I found out it had something to do with my registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and then the value of Shell). Mine says Explorer.exe "C:\Users\Randall\AppData\Roaming\lsass.exe", but apparently it's just supposed to read "explorer.exe". After changing it, the system boots up perfectly, but the value is reset to the one that was causing me trouble.

This is how lsass.exe (isn't that supposed to be in the System32 folder? o_o) turns out on Virustotal:

Antivirus Version Last Update Result

a-squared 2010.03.27 -

AhnLab-V3 2010.03.27 -

AntiVir 2010.03.26 -

Antiy-AVL 2010.03.26 -

Authentium 2010.03.27 -

Avast 4.8.1351.0 2010.03.27 -

Avast5 5.0.332.0 2010.03.27 -

AVG 2010.03.27 -

BitDefender 7.2 2010.03.27 -

CAT-QuickHeal 10.00 2010.03.27 -

ClamAV 2010.03.27 -

Comodo 4405 2010.03.27 -

DrWeb 2010.03.27 -

eSafe 2010.03.25 -

eTrust-Vet 35.2.7391 2010.03.26 -

F-Prot 2010.03.26 -

F-Secure 9.0.15370.0 2010.03.27 -

Fortinet 2010.03.27 -

GData 19 2010.03.27 -

Ikarus T3. 2010.03.27 -

Jiangmin 13.0.900 2010.03.27 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 2010.03.27 -

McAfee 5933 2010.03.27 -

McAfee+Artemis 5933 2010.03.27 -

McAfee-GW-Edition 6.8.5 2010.03.27 -

Microsoft 1.5605 2010.03.27 -

NOD32 4978 2010.03.26 -

Norman 6.04.10 2010.03.27 -

nProtect 2009.1.8.0 2010.03.27 -

Panda 2010.03.27 -

PCTools 2010.03.27 -

Prevx 3.0 2010.03.27 -

Rising 2010.03.27 -

Sophos 4.52.0 2010.03.27 -

Sunbelt 6101 2010.03.26 -

Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight

TheHacker 2010.03.27 -

TrendMicro 2010.03.27 -

VBA32 2010.03.27 -

ViRobot 2010.3.27.2248 2010.03.27 -

VirusBuster 2010.03.27 -

So basically 1/42, leading me to believe it's a false positive.

This is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 9:53:33 AM, on 3/28/2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:







C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\FileHippo.com\UpdateChecker.exe


C:\Program Files\AltDrag\AltDrag.exe


C:\Program Files\Greenshot\Greenshot.exe















C:\Program Files\HiJack This\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe "C:\Users\Randall\AppData\Roaming\lsass.exe"

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FlashGetBHO - {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - C:\Users\Randall\AppData\Roaming\FlashGetBHO\FlashGetBHO3.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecisionWrapper.exe" /s

O4 - HKLM\..\Run: [MSWUpdate] "C:\Users\Randall\AppData\Roaming\lsass.exe"

O4 - HKCU\..\Run: [Google Update] C:\Users\Randall\AppData\Local\Google\Update\GoogleUpdate.exe /c

O4 - HKCU\..\Run: [FileHippo.com] "C:\Program Files\FileHippo.com\UpdateChecker.exe" /background

O4 - HKCU\..\Run: [AltDrag] "C:\Program Files\AltDrag\AltDrag.exe"

O4 - HKCU\..\Run: [MSWUpdate] "C:\Users\Randall\AppData\Roaming\lsass.exe"

O4 - HKCU\..\Run: [superbarMonitor.Volume] "C:\Volume.exe"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

O4 - Startup: Greenshot.lnk = C:\Program Files\Greenshot\Greenshot.exe

O4 - Startup: slui.lnk = C:\Windows\System32\slui.exe

O8 - Extra context menu item: Download All By FlashGet3 - C:\Users\Randall\AppData\Roaming\FlashGetBHO\GetAllUrl.htm

O8 - Extra context menu item: Download By FlashGet3 - C:\Users\Randall\AppData\Roaming\FlashGetBHO\GetUrl.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll

O13 - Gopher Prefix:

O15 - Trusted Zone: http://software.kuaiche.com

O15 - Trusted IP range:

O15 - ESC Trusted IP range:

O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s...el_4.1.66.0.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C00E0456-F4F7-47B3-B628-A7739BA29A23}: NameServer =,

O17 - HKLM\System\CS1\Services\Tcpip\..\{C00E0456-F4F7-47B3-B628-A7739BA29A23}: NameServer =,

O17 - HKLM\System\CS2\Services\Tcpip\..\{C00E0456-F4F7-47B3-B628-A7739BA29A23}: NameServer =,

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxea_device - - C:\Windows\system32\lxeacoms.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe


End of file - 8920 bytes

Starting a new user account and logging into it gives me an error about lsass.exe.

Could someone help me figure out what's wrong with my machine?

Link to post
Share on other sites

Hello, and welcome to Malwarebytes.org

It looks like you have been infected by a Trojan.

But we don't work on malware removal in the general forums.

If you would like expert help with malware removal, please print out, read and follow the directions here:


Try to complete all the steps, but you can skip any steps you are unable to complete. Then post a NEW topic here:


If your computer is un-bootable and you cannot run any of the steps, just post a description of the problems you are having there.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someon has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.