Second day back at work and this problem arose and as I should’ve been doing a whole lot more of this, I thought it was time to get back into it. So the reception computer, which had phone software running on it – meaning external calls may have not been able to come in into reception, would not show the desktop after logging in.
Task manager was able to run using Ctrl-Alt-Del and if you check the services a whole heap were missing – namely explorer. I attempted to run explorer.exe, but it gave me an error saying that Windows cannot find explorer.exe which was a bit strange, because I could actually see it inside the windows directory. I renamed explorer.exe to explorer2.exe and explorer.exe was recreated immediately. It would also not run, but explorer2.exe would open up an explorer window.
After a short google, I found my way to http://pctechnow.blogspot.com/2008/08/cant-find-explorerexe-when-run-from.html which sums up what I have been describing.
It talks about removing the explorer.exe registry key from [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]. Make sure you back up your registry first before deleting anything. We noticed that inside the folder, there was a key which was a debugger which ran a wuauclt.exe from a non-standard location. The file actually didn’t exist, well it did, as a virus, but was removed by symantec and so actually wasn’t there. So during startup, it would try to load this debugger, but nothing was found, and all error messages were suppressed and so nothing else continued to load. So symantec removed the trojan, but left the machine in a state where nothing would work. Most people end up reformatting or doing a repair install, but I have to say to give this a try first, especially if you notice that there is something strange alongside the explorer key.
Written by Milton Lai