Came across this little bugger in my manager’s pc. The whole thing is that after logging into windows, the windows explorer continuously restart and exits. You can click the start button, open something but will naturally kill itself when explorer exits. You can’t even open the drives and folders normally since it will close sooner or later, anything running under Explorer.exe will die when Explorer.exe dies. Simplest way around the folder and drives is using the good ol’ command prompt. Did this and amazingly it didn’t die, thank God for command prompts. As usual scouring the RECYCLER folder for hidden trojans resulted in a no show, next was the usual system32 and system folder under windows folder. These little buggers get smarter everyday. There weren’t and hidden files so I was already assuming the exe file is there and ran through windows startup using the registry. Using autoruns from sysinternals, found one of the problems, a rogue exe is started everytime the system starts. Deleted the entry from the registry, located the file under system32 folder and also removed it.
That didn’t fixed the problem.
There was something else running when windows starts up. Next target… DLLs. Amazingly, there were dlls that was out-of-placed and curiously named. Example crypt32.dll that wasn’t signed by microsoft. Removed the entry and tried to remove the dll. No luck, its being used. Next tool that was very useful was Unlocker. I ‘unlocked’ the hook for the dll and restarted. Still didn’t fix it but I was getting close. There were two more dlls I found that was very suspicious. I tried to kill one and removed, the other regenerated the dll. I try to unhook the other dll, the whole pc restarts. Smart bugger. Thank goodness for safe mode. Restarted in safe mode and use unlocker again to unhook the dll. Removed one of the dll and its entry in the registry. Good… it didn’t restart… just a countdown for a system shutdown.. freaking dll.
The system restarted and good news is the dll that forced the shutdown wasn’t regenerated. Last dll was a bit simpler. Used unlocker to unhook the dll, deleting was not successful, though unlocker had a feature to delete the dll after a restart. Selected the option and waited. Thankfully, the whole ordeal ended there. All three dlls didn’t regenerate after that.
Note to PC users who watch videos from torrent ( Heroes, Prison break…). If it asks you to download a player to run the video you downloaded.. DON’T!!