Explorer.exe doesnt start after antivirus Kaspersky deleted file

[leerzeichen]

Hello everyone,
After my ant-virus-program "Kasperski free" deleted some "trojans", windows doesnt start explorer.exe anymore at start. I can still open task manager and start it manually, but it really pisses me of. Can someone help me?
The protocol is in german, so I translated it into english as well as I could. If I need to provide more intel please ask.

21.11.2019 19.45.14 Aktive Desinfektion the task has endeed. End: Today, 21.11.2019 19:45
21.11.2019 19.43.12 The found Objekt (File) has been deleted. C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe File: C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe Objektname: Trojan.Win64.Miner.omv
21.11.2019 19.43.09 The found Objekt (File) has been put inot quarantine. C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe File: C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe Objektname: Trojan.Win64.Miner.omv
21.11.2019 19.42.58 The found Objekt (Autostart-Objekt) has been desinfected. HKU\S-1-5-21-3781047705-571251519-1133667-1001\Software\Microsoft\Command Processor\AutoRun Autostart-Objekt: HKU\S-1-5-21-3781047705-571251519-1133667-1001\Software\Microsoft\Command Processor\AutoRun Objektname: Trojan.Win64.Miner.omv
21.11.2019 19.42.46 An Objekt (File) has been found. C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe Datei: C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe Objektname: Trojan.Win64.Miner.omv
21.11.2019 19.42.43 Aktive Desinfektion The Task has been started. Date: Today, 21.11.2019 19:42

Thanks in advance for your help!

Jan Class

 

[Regedit32]

Hi Jan, Welcome to the Forum.

There are some steps you can take to address this, that should sort things, provided the infection you had is completely eradicated now.

• Type cmd into your Cortana search field, then press Ctrl + Shift + Enter keys together simultaneously.
• A User Account Control dialog will appear.
  
  Click Yes to allow an Elevated Command Prompt to run ( i.e. Run command prompt as Administrator ).
  
  
• You will now need to type or copy & paste a series of commands, pressing Enter key after each command to execute.
  
  

  REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"

  
  
  After pressing Enter you ought to see the following result:
  
  
  
  
  
  If you do not see Shell REG_SZ explorer.exe then this is why its not automatically starting when you boot your computer.
  
  To resolve this, at the Elevated Command Prompt type or copy & paste the following command:
  
  

  REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f

  
  
  After press Enter you ought to see the command executed successfully, as illustrated below:
  
  
  
  
  
  
  
• With that dealt with, some other commands will be needed to ensure the Windows System is healthy. At the Elevated command prompt type or copy & paste the following four commands, pressing Enter after each command:
  
  Note: Use the following commands in the exact order provided!
  
  

  SFC /SCANNOW

  
  

  Dism /Online /Cleanup-Image /CheckHealth

  
  

  Dism /Online /Cleanup-Image /ScanHealth

  
  

  Dism /Online /Cleanup-Image /RestoreHealth

  
  
  
• When you've done all of the above, type exit at the elevated command prompt, then press Enter to close the console.
  
  Now close any open applications, then Restart Computer. All going well, your issue should be sorted.

Regards,

Regedit32

 

[leerzeichen]

Hi regedit32,
first, thanks for the fast response. Unfortunately, I can't even open the command prompt. Is it because my antivirus deleted the folder "C:\Users\jancl_000\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe "?
It opens really fast and closes instantly. I already tried to change the layout to 80/25, but it didnt solve my problem. Opening it as administrator has the same problem. I cant start it in C:\Users\jancl_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools and not in system 32.
I also cant open user Account control setting. It just closes instantly

Regards,
Jan

 

[Regedit32]

The issue you have, is the infection itself, can multiply on your System. That is, it can download variants of itself, and further infect your computer. From what you are describing, this infection is still active, or at least the effects of the infection are still present.

Are you able to open the Registry Editor at all?

• In the Cortana search field, type regedit, then press your Enter key
• When the User Account Control prompts you, click Yes
  
  Assuming the infection has not taken over the Registry Editor's executable file, you now ought to see the following:
  
  
  
  
  
  If you can get here, then left-click inside the Address bar, where it currently says Computer and replace this with the following:
  
  

  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  
  After entering the above into the Registry Explorer Address bar, press Enter and you will now see this:
  
  
  
  
  
  Note the String value in the right hand pane named Shell. It's Data value ought to read explorer.exe
  
  In your case it may read %comspec% or something else, that would be pointing to a infected file.
  
  If the Data Value for the String named Shell does not display as explorer.exe then do the following:
  
  
• Right-click on Shell in the right hand pane and select Modify
• In the dialog that opens, the Value data field will be highlighted. Replace what is there, with explorer.exe then click OK
• Now press your F5 key once, to refresh the Registry
• Close the Registry Editor
  

If you can do this, let me know, and I'll post some additional steps to take, to attempt to get your System working again.

If you cannot do this step, then you will need to run Windows Defender, or Microsoft's Malicious Removal Tool and do a full scan of your hard drive, to attempt to rid yourself of this infection.

The Malicious Removal Tool has an executable named MRT.exe

• To run this tool, type mrt into the Cortana search field and press Enter
• When the User Account Control prompts you, click Yes
• Now follow the prompts as Microsoft's Malicious Removal Tool runs.
  
  Note: Select a full scan and be patient. It will take a while to complete the scan.

 

[davehc]

" I can still open task manager "
Reg regedit's fir suggestions, in the task manager, click "File" on the top bar and then "run new task". Type in Cmd and enter. You, hopefully, will be in the Command prompt

 

[leerzeichen]

" I can still open task manager "
Reg regedit's fir suggestions, in the task manager, click "File" on the top bar and then "run new task". Type in Cmd and enter. You, hopefully, will be in the Command prompt

Hi, yes I tried that, but it closes instantly.

 

[leerzeichen]

The issue you have, is the infection itself, can multiply on your System. That is, it can download variants of itself, and further infect your computer. From what you are describing, this infection is still active, or at least the effects of the infection are still present.

Are you able to open the Registry Editor at all?

• In the Cortana search field, type regedit, then press your Enter key
• When the User Account Control prompts you, click Yes
  
  Assuming the infection has not taken over the Registry Editor's executable file, you now ought to see the following:
  
  View attachment 10915
  
  If you can get here, then left-click inside the Address bar, where it currently says Computer and replace this with the following:
  
  

  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  
  After entering the above into the Registry Explorer Address bar, press Enter and you will now see this:
  
  View attachment 10916
  
  Note the String value in the right hand pane named Shell. It's Data value ought to read explorer.exe
  
  In your case it may read %comspec% or something else, that would be pointing to a infected file.
  
  If the Data Value for the String named Shell does not display as explorer.exe then do the following:
  
  
• Right-click on Shell in the right hand pane and select Modify
• In the dialog that opens, the Value data field will be highlighted. Replace what is there, with explorer.exe then click OK
• Now press your F5 key once, to refresh the Registry
• Close the Registry Editor

If you can do this, let me know, and I'll post some additional steps to take, to attempt to get your System working again.

If you cannot do this step, then you will need to run Windows Defender, or Microsoft's Malicious Removal Tool and do a full scan of your hard drive, to attempt to rid yourself of this infection.

The Malicious Removal Tool has an executable named MRT.exe

• To run this tool, type mrt into the Cortana search field and press Enter
• When the User Account Control prompts you, click Yes
• Now follow the prompts as Microsoft's Malicious Removal Tool runs.
  
  Note: Select a full scan and be patient. It will take a while to complete the scan.

Hi,

thanks for your help. I am able to open the registry editor. and it reads excactly as in your picture. Shell - REG_SZ - explorer.exe.
I have to work now, but am trying to do a full Search with paid kaspersky 2020. Maybe he will find something.

 

[leerzeichen]

Hi,
I let kaspersky search everything, and he found no more malware, but I still cant open cmd, neither normal nor as administrator. It starts, but closes instantly.

 

[Regedit32]

I am able to open the registry editor. and it reads excactly as in your picture. Shell - REG_SZ - explorer.exe

Ok, that is good news.

A couple more steps you can take:

• Press Windows Key + R together to open the run dialog
• In the run dialog type %appdata% then press Enter
• Open the Microsoft folder
• If you see a folder named SoundMixer inside the Microsoft folder, then delete the SoundMixer folder
  
  Note: It's possible you may not see the SoundMixer folder there, as Kaspersky may have already quarantined it.
  
  
• When done, close the File Explorer window
  
  
  
• Now type regedit into your Cortana search field, then press Enter
• When the User Account Control prompts you, click Yes to allow the Registry Editor to open
• In the Address bar, of Registry Editor, replace Computer with the following:
  
  

  Computer\HKEY_CURRENT_USER\Software\Microsoft

  
  
• Press Enter key after entering the above into the Address bar
• Now on the LEFT pane of the Registry Editor, you will see a series of sub-folders below Microsoft
  
  Sample image
  
  
  
  
  Look at these sub-folders. If you see a sub-folder called Command Processor, then right-click on it and select Delete
  
  
• Press F5 key to refresh Registry.
• Close Registry Editor
• Close any other open programs, then restart computer

 

[leerzeichen]

Thank you for your help so far. Now I can finally open cmd, also as administrator. Should I follow the instructions you gave me in your first post now?

 

[Regedit32]

Should I follow the instructions you gave me in your first post now?

That would not be a bad idea.

 

[leerzeichen]

After I typed in
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"

the results you showed me popped up (Shell REG_SZ explorer.exe)
Then I did what you told me to, one after another. But explorer.exe still doesnt autostart on its own, but cmd.exe does. So now when I log in, I still have a blackscreen with my mouse, but now with the command center window
I tried your suggestion again, but the result stayed the same.

 

[Regedit32]

I'm beginning to think your best option would be to do a clean install of Windows 10.

The infection while found by Kaspersky and to some degree, now mitigated, seems to have done a lot of damage to the OS anyway.

 

[davehc]

Once again!! An image would have solved the problem in ten minutes

 

[leerzeichen]

I'm beginning to think your best option would be to do a clean install of Windows 10.

The infection while found by Kaspersky and to some degree, now mitigated, seems to have done a lot of damage to the OS anyway.

Yes, I think this will be the safest option. Nevertheless, thanks a lot for the help and your time.

 

[leerzeichen]

Once again!! An image would have solved the problem in ten minutes

An Image of what excactly? My black screen with mouse?!?
And why "once again"? You never asked for any image.

 

[Bighorn]

An Image of what excactly? My black screen with mouse?!?
And why "once again"? You never asked for any image.

Since this is the Crashes, BSODs and Debugging section of the forum image usually means a backup image of the drive to allow an easy or quick restoration. In other sections an image usually means a screenshot or photo of what is on the monitor.

 

[davehc]

Sorry. I should have expandex. You will fine, many times, users are reccomended to keep frequent images stored. This means, of couse, that when you run into unexplained problems, you can revert back, quickly, to an earlier installation where the problem did not exist.

 

[Maazin]

I had the exact same problem, but after creating a new user account and deleting the old one somehow fixed it for me.

 

[kickassgaz]

Ok, that is good news.

A couple more steps you can take:

• Press Windows Key + R together to open the run dialog
• In the run dialog type %appdata% then press Enter
• Open the Microsoft folder
• If you see a folder named SoundMixer inside the Microsoft folder, then delete the SoundMixer folder
  
  Note: It's possible you may not see the SoundMixer folder there, as Kaspersky may have already quarantined it.
  
  
• When done, close the File Explorer window
  
  
  
• Now type regedit into your Cortana search field, then press Enter
• When the User Account Control prompts you, click Yes to allow the Registry Editor to open
• In the Address bar, of Registry Editor, replace Computer with the following:
  
  

  Computer\HKEY_CURRENT_USER\Software\Microsoft

  
  
• Press Enter key after entering the above into the Address bar
• Now on the LEFT pane of the Registry Editor, you will see a series of sub-folders below Microsoft
  
  Sample image
  View attachment 10918
  
  Look at these sub-folders. If you see a sub-folder called Command Processor, then right-click on it and select Delete
  
  
• Press F5 key to refresh Registry.
• Close Registry Editor
• Close any other open programs, then restart computer

I had the exact same problem and your fixed worked, I registered on this forum just to thank you