I have a question about How do get the taskbar and desktop back if Explorer crashes:

I have a similar problem to the one listed in the article. On log-in into windows xp, my wallpaper appears but nothing else. No taskbar, no icons. I don't think this is due to a crash of explorer because when I check with ctrl-alt-delete, it's still running. The only way I found to make everything appear is to close a random process (I usually close winupd.exe). Thene everything goes back to normal. However, I'd like to not have to do this every time. I checked for viruses, and while I found 1, a trojan, I got rid of it and repaired the damages, following symantec's instructions. Plus, my problem has nothing to do with the symptoms described for the virus. Could anyone help me ? Thank you, Xavier

[Reply or follow-up to this message]

Hi, the 'random process' you mention closing - winupd.exe - is itself a trojan. I'm currently searching for info on it cuz i was infected half an hour ago, that's how i arrived at this post. I noticed it when my firewall suddently asked if i wanted to let winupd.exe access the net.

As far as i know, in my case, it was delivered by malicious java script called js_exception.t [two instances of which are still sitting in my temp internet folder] after a winhelp box appeared in my taskbar like a stubborn popup, which caused 'winupd.exe' and 'regcpm32.exe' to end up residing in my C:\Windows\System\. folder [they appear as hidden files, so be sure to have the 'show all files' option selected in windows explorer view/folder options/view to see them. you'll notice regcpm32.exe at the bottom being updated/modified/refreshed every five seconds with it's modified date altering to a random day each time] It seems this exe and winupd.exe are installed together.

i've managed to determine two regkeys which they create and recreate if the exe files aren't removed, they are MsStartOptimizer & Regcompress in both 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' and ''HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices'.

There may be more reg entries associated and/or exe's, and more means of delivery, but this is all i know at present. Hopefully it's helpful. I'll now clean my machine of the exe's and then the reg entries, in that order, and if anything weird happens i'll post it here.

Nick


On Thursday, October 9, 2003 at 9:14 am, Xavier wrote:
>I have a question about How
>do get the taskbar and desktop back if Explorer crashes:

>
>I have a similar problem to the one listed in the article. On log-in into windows
>xp, my wallpaper appears but nothing else. No taskbar, no icons.
>
>I don't think this is due to a crash of explorer because when I check with ctrl-alt-delete,
>it's still running.
>The only way I found to make everything appear is to close a random process (I usually
>close winupd.exe). Thene everything goes back to normal.
>
>However, I'd like to not have to do this every time.
>
>I checked for viruses, and while I found 1, a trojan, I got rid of it and repaired
>the damages, following symantec's instructions. Plus, my problem has nothing to do
>with the symptoms described for the virus.
>
>Could anyone help me ?
>
>Thank you,
>Xavier

[Reply or follow-up to this message]

Nick, A friend of mine is having the exact same problems. I deleted winupd.exe, winupd.exeopen and winupd.exeopenopen and they keep coming back. This virus disallows the registry editor, so you have to end the virus and start regedit, then when the virus starts up again you have to end it very quickly before it closes reg edit. My stupid friend just payed a consultant to wipe his hard drive which was the dumbest thing he could ever do, I am perfecly cappable of that. Jeez. Well its to bad i found this post, maybe i could have helped him... for free.

[Reply or follow-up to this message]

i am having similar trouble with the winupd.exe file that carries the download.trojan. this particular file sucks becasue it constantly runs, so you can't delete the file directly, and norton antivirus can't delete it either. frustrating to begin with especially because symatech says this has only infected something like 50 machines, yeah, can we say corporate bs? i found the file in the registry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, listed as winupd.exe. past that i don't know what to do, but i imagine if i can go about stopping it from running i may be able to delete it, or alter the registry so that it won't open on start up. hopefully by deleting it from the registry that will happen. other then that i don't know. Any other ideas??


On Tuesday, January 13, 2004 at 7:29 pm, Nick wrote:
>Hi, the 'random process' you mention closing - winupd.exe - is itself a trojan.
>I'm currently searching for info on it cuz i was infected half an hour ago, that's
>how i arrived at this post. I noticed it when my firewall suddently asked if i wanted
>to let winupd.exe access the net.

>
>As far as i know, in my case, it was delivered by malicious java script called js_exception.t
>[two instances of which are still sitting in my temp internet folder] after a winhelp
>box appeared in my taskbar like a stubborn popup, which caused 'winupd.exe'
>and 'regcpm32.exe' to end up residing in my C:\Windows\System\. folder [they
>appear as hidden files, so be sure to have the 'show all files' option selected in
>windows explorer view/folder options/view to see them. you'll notice regcpm32.exe
>at the bottom being updated/modified/refreshed every five seconds with it's modified
>date altering to a random day each time] It seems this exe and winupd.exe are installed
>together.

>
>i've managed to determine two regkeys which they create and recreate if the exe files
>aren't removed, they are MsStartOptimizer & Regcompress in both 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
>and ''HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices'.

>
>There may be more reg entries associated and/or exe's, and more means of delivery,
>but this is all i know at present. Hopefully it's helpful. I'll now clean my machine
>of the exe's and then the reg entries, in that order, and if anything weird happens
>i'll post it here.

>
>Nick
>

[Reply or follow-up to this message]

Bada Bing....so that worked, if you can locate the file in the registry, run-->regedit, then you can delete the file there, and on restart you can delete the file from the location on the harddrive. when i went into delete the file norton nailed it and deleted it, something it hadn't been able to do prior. hope that helps deal with the rather pertinacious file. Cheers!


On Tuesday, April 13, 2004 at 9:54 am, krash1201 wrote:
>i am having similar trouble with the winupd.exe file that carries the download.trojan.
> this particular file sucks becasue it constantly runs, so you can't delete the file
>directly, and norton antivirus can't delete it either. frustrating to begin with
>especially because symatech says this has only infected something like 50 machines,
>yeah, can we say corporate bs?
>
>i found the file in the registry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
>listed as winupd.exe. past that i don't know what to do, but i imagine if i can
>go about stopping it from running i may be able to delete it, or alter the registry
>so that it won't open on start up.
>
>hopefully by deleting it from the registry that will happen. other then that i don't
>know.
>
>Any other ideas??
>
>
>

[Reply or follow-up to this message]

So you are aware, winupd.exe is a keylogger, and an e mail worm, amongst other things. It also opens port 6667 i believe. The reason it keeps coming back, is that it is spawned from another program called STROPEN.exe, which also installs CMD32.dll, and SDSINI.ini (both in \Windows). You will have to get rid of these files, and any instance of them in your registry as well. Also, you may want to look for slipped.exe, enterprise.exe and leiame.exe which can also be bundled with this trojan. A good reference page can be found here: http://www.sophos.com/virusinfo/analyses/trojtofgeru.html


On Tuesday, April 13, 2004 at 12:58 pm, krash1201 wrote:
>Bada Bing....so that worked, if you can locate the file in the registry, run-->regedit,
>then you can delete the file there, and on restart you can delete the file from the
>location on the harddrive. when i went into delete the file norton nailed it and
>deleted it, something it hadn't been able to do prior. hope that helps deal with
>the rather pertinacious file. Cheers!
>
>
>

[Reply or follow-up to this message]

Hello. Thank you for your tips on removing the winupd.exe file. However, when I go to Start|Run|regedit, it never comes up! If I try to access it again, it gives me a Windows error message saying "Registry Editor has encountered a problem and needs to close. We are sorry for the inconvenience." What can I do??? This trojan is driving me nuts! Thanks!


On Tuesday, April 27, 2004 at 8:39 am, WhiskeyDrinker wrote:
>So you are aware, winupd.exe is a keylogger, and an e mail worm, amongst other things.
> It also opens port 6667 i believe. The reason it keeps coming back, is that it
>is spawned from another program called STROPEN.exe, which also installs CMD32.dll,
>and SDSINI.ini (both in \Windows). You will have to get rid of these files, and
>any instance of them in your registry as well. Also, you may want to look for slipped.exe,
>enterprise.exe and leiame.exe which can also be bundled with this trojan.
>
>A good reference page can be found here:
>http://www.sophos.com/virusinfo/analyses/trojtofgeru.html
>
>
>
>

[Reply or follow-up to this message]

I also have winupd.exe on my comp, but when I end the process, it just comes back, and I've tried about everything, I deleted the reg key and restarted and the bastard was still there


On Wednesday, May 5, 2004 at 8:11 pm, Alexander wrote:
>Hello.
>Thank you for your tips on removing the winupd.exe file. However, when I go to Start|Run|regedit,
>it never comes up! If I try to access it again, it gives me a Windows error message
>saying "Registry Editor has encountered a problem and needs to close. We are sorry
>for the inconvenience." What can I do??? This trojan is driving me nuts! Thanks!
>
>
>

[Reply or follow-up to this message]

Hey, I got it too...I deleted the winupd.exe, the registry key for the the LOCAL_MACHINE/...WINDOWS/current version/run (and maybe run services). I also found a /winupd folder in the current User/software/winupd/ and deleted it. I ran the symantec av tool for Beagle_N; but it doesn't work completely.


On reboot, the process is somehow spawned by something else. It infects other .exe with its own code. It modified regedit so when I opened it, it spawned winupd.exe even after I updated it. Once winupd.exe is running, it shutdown those important .exe's like regedit. Ugg. I got that cleaned up, but it still reappears on boot up. It also copies itself into any folder that has "shar" in it (SHARed folder) with lame names. I found them in every folder with "shar" in it. But they are alll the same sizes (24.2, or 25k). This looks like a new variant of previous ones. Let me know if u find a fix... I'm just not sure what is creating and starting winupd.exe on boot up.


On Saturday, May 8, 2004 at 11:33 am, ma562 wrote:
>
>I also have winupd.exe on my comp, but when I end the process, it just comes back,
>and I've tried about everything, I deleted the reg key and restarted and the bastard
>was still there
>
>

[Reply or follow-up to this message]

Alright, here's what I did and it worked: 1. Download McAffee's Stinger virus scan program, you can just save it on your desktop. 2. Turn off system restore, if you have XP. 3. Restart into Safe Mode. 4. Run Stinger. 5. Restart back into Windows. 6. It should be gone, no regkey, no winupd.exe as a running process. 7. Turn system restore back on.


On Sunday, May 9, 2004 at 12:24 am, js777 wrote:
>Hey, I got it too...I deleted the winupd.exe, the registry key for the the LOCAL_MACHINE/...WINDOWS/current
>version/run (and maybe run services). I also found a /winupd folder in the current
>User/software/winupd/ and deleted it. I ran the symantec av tool for Beagle_N; but
>it doesn't work completely.
>

[Reply or follow-up to this message]

Thats cool. I seem to have a bit of a different challenge. I did the above (downloaded Stinger, Symantec's Tool, and Sohos's tool, in SafeMode, and Restore Disabled x 8) and it didn't work: because, as stinger indicated, it couldn't fix C:\windows\explorer.exe which was infected with the virus. It can't repair explorer.exe because its running the OS (shell). So I was kind of stuck. The programs killed everything else. My solution: (not simple) 1) I took the HD out, and made it a slave to another OS System, 2) Ran and told stinger to search D:/ directory (which is the Slave Hard Drive infected. 3) The only way I could figure out how to "disinfect" explorer.exe was to have it not running, thus being just a D:/ logical drive to another system. 4) It fixed the explorer file : ). 5) I thought about trying to replace the explorer.exe with a new one, but I have those annoying manufacturer dumb CD's that don't let you have that control. Anyhow, thought I'd share just in case your curious. JS. Hey, its not practical for most users, but that's the only way I could think to disinfect the main shell executible. Maybe there was an easier way. But the standard utilities were not effective in this case. thx.

[Reply or follow-up to this message]

Okay, I've read all the messages and still don't know what to do....what is regedit? I am not a technology genius so give me simple instructions on what to do...after reading all the replies to this problem, it seems like you all know what your doing but I know very little about the computer other than how to use the software....please help me. Thanks

[Reply or follow-up to this message]

I have been working on trying to get winupd.exe from continuosly being from WHERE??? Norton keeps quarantining it, but returns. I've tried so many suggestions incl above posts. Can't get to internet to dwnld any additional tools. Can a looping batchjob be written which would delete this exe maybe long enuf to get to the internet for help? Looks like we are not able to get rid of this & a system rebuild is in order - yuk!!

[Reply or follow-up to this message]

AHUM ... Haven't you read this?: The reason it keeps coming back, is that it is spawned from another program called STROPEN.exe, which also installs CMD32.dll, and SDSINI.ini (both in \Windows). You will have to get rid of these files, and any instance of them in your registry as well. Also, you may want to look for slipped.exe, enterprise.exe and leiame.exe which can also be bundled with this trojan.


On Thursday, November 4, 2004 at 12:06 pm, paul p wrote:
>I have been working on trying to get winupd.exe from continuosly being from WHERE???
>
>Norton keeps quarantining it, but returns.
>
>I've tried so many suggestions incl above posts.
>Can't get to internet to dwnld any additional tools.
>Can a looping batchjob be written which would delete this exe maybe long enuf to
>get to the internet for help?
>
>Looks like we are not able to get rid of this & a system rebuild is in order - yuk!!

[Reply or follow-up to this message]

• Search this forum
• Start a new thread on a different subject

• Report abuse of the forum