Any Ideas What's Going On?

Hi, new here. Thought I would post to help those who may have felt the same effects and to try and finally find out what was going on.
To begin. Yesterday my friend turned on my laptop and ran Internet Explorer. (I normally use Opera, it's safer).
Avast began to scream and I had some virus in my C:\ directory called quchoke.exe or something like that. There were two of them. My friend closed the alert (Idiot) so I manually deleted the files, which had strange icons. Then they re-appeared and then disappeared.

This is when it got interesting. My taskbar and desktop disappeared. Completely. I hit Ctrl+Alt+Del. Explorer.exe was gone. I went run “explorer.exe” and it came back and then disappeared straight away along with my desktop. Ran advanced windows care, avast and ad-aware and deleted all trackers etc. to no avail.

So I searched the net; many people with the same problem but no solution.

I renamed my explorer.exe to exp.exe and changed the shell registry entry using regedit to shell=“exp.exe”

This worked and now my laptop's back to normal.

Now I'm thinking that there must be something in my laptop stopping files named explorer.exe from opening and staying open. It is bugging me because I have only found a workaround, not a solution.

What could be preventing the default file name and how can I get rid of it so I can return to having explorer.exe in case of future issues?

Hope this is of use. Cheers.

What is the infected file name/s (relating to your friends alerts), where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections. You could google the file names to see what else comes up.

See http://forums.multiplay.co.uk/showthread.php?t=41680, which pretty much is what is happening to you, reply #6 and #7 would be a good start.
Checking what is running on startup using msconfig, startup tab, disable (don’t delete) the unknown ones, reply #6. Checking the Registry key as in reply #7.

Though they start going down the nuclear path of formatting C: which is way too soon and way too much of an overreaction. Check the VA links given and see if there are any file associations or registry entries that are also on your system.

Also see http://forums.techguy.org/windows-nt-2000-xp/555379-task-bar-icons-gone.html, makes reference to a virus, ‘F-Nimda’.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

  1. AVG anti-spyware (formerly Ewido) if using winXP, or a-Squared free if using win98/ME, or SUPERantispyware, or Spyware Terminator

Thanks for the help. I had come across the same thread. My reg values were fine but as in my previous post I have changed it so that my desktop has returned. I have found a workaround for the problem as I said above. I now need to find out what it is causing the problems so that I can get rid of it and restore my PC to how it should be. With my workaround I cannot use explorer and search functionality.

I tried the Nimda reg key fix but it didn't work.
I have downloaded the spyware scan prog. but others have said they find no result.

Update: I now know for a fact that whatever the virus thing is, it is made to stop my PC running any file called explorer.exe (I renamed some installer exe to explorer and it would not open…) also because it did not affect my desktop once renamed exp.exe

Now how to find what file is stopping me opening “Explorer.exe” files…
I am going to do the msconfig elimination to see what it is using to boot on start up…

If you didn’t run the suggested applications under safe mode, what may be the malware might be running and protected in some way, so run from safe mode.

What is on there could be hidden and protected so it might be worthwhile checking this out, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

Also useful as a diagnostic tool - Download HiJackThis.zip HJT has now been sold to Trend Micro inc. but the 1.99.1 version should still be available here or at one of the download sites. - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2. If you need any help with any of the analysis let us know or post here.

On-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast).

OK, thanks for the advice. I don't have time to sort now but I did a quick HJT scan and got a few entries supposedly bad, although not sure about deleting stonedrv.exe, I'm pretty sure it's part of Windows…

Hi, stonedrv.exe is malware… it's not a system process… check these links to confirm
http://www.bleepingcomputer.com/forums/topic62842.html
http://www.techspot.com/vb/topic58436.html

or

http://www.sophos.com/security/analyses/trojcosiaml.html

Oh cheers, had that one for a while then I guess