Thursday, September 6, 2007

Getting rid of "can't find explorasi.exe" or "eksplorasi.exe" and "can't find copy.exe"

Hi y'all!

I've been having a terrible time getting rid of these two annoying messages and finally tracked down the solutions, so I want to save you the time and agony!

The first message is residue that malware left in my registry. The culprit is supposed to be WORM_RONTOKBRO.K. Apparently "explorasi.exe" (or eksplorasi.exe) is part of that worm or some such infectious bugger. My anti-virus software removed the file, but the error notice remains because the worm left a reference to itself in the registry, so the computer thinks it needs to find that file every time it boots up.

To get rid of this message I did the dangerous deed of going into my registry and deleting the reference. It actually wasn't so hard, but as they say "BE CAREFUL": the registry is the central configuration database Windows reads as it boots (it replaced the old .ini files), and a bad edit in the wrong place can keep the machine from starting. It is like a genetic code, and a single mutation can cause disaster, I'm told. Before you change a key, export it (File > Export in regedit) so you can put it back if something goes wrong.

Getting rid of the reference to explorasi.exe, however, proved fairly easy:
Because the worm disabled my ability to edit the registry from within my username, I had to reboot my computer (which is a MacBook Pro running Boot Camp and Windows XP) in SAFE MODE so that I could use my administrator login. This meant booting into Windows and holding down the F8 key so that it asked if I wanted to boot into Safe Mode.

Once in Safe Mode, logged in as "administrator", I typed "regedit" in the "RUN" command line (you find that under the Start button). This opened up regedit. Then I went to the Edit menu, chose "Find" and asked it to find "explorasi.exe" (or "eksplorasi.exe", depending on your problem). I had to do this many times, hitting F3 (for "find next"). The first times I looked for "explorer.exe", because what the machine is doing is telling itself that when it launches Explorer it should also look for "explorasi". But doing it that way you have to wade through every reference to explorer.exe to find the one that mentions explorasi (or eksplorasi). If you can find explorasi directly you are better off. The value you are after is "Shell" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so you can also skip the search and navigate straight to that key.
Here is what the worm added:
"Shell" = "Explorer.exe "%Windir%\eksplorasi.exe""
Winlogon reads the Shell value to decide what to launch as your desktop when you log on; out of the box it contains only Explorer.exe. The worm appended the path of its own executable, so every logon also tried to start %Windir%\eksplorasi.exe. Since the anti-virus software deleted that file, Windows complains that it can't find it, and that is the hangup.
So what you do is simply delete the "%Windir%\eksplorasi.exe" part, leaving the value as exactly Explorer.exe.
This is a minor change and doesn't adversely affect your computer at all -- it just stops the machine from asking for the damn eksplorasi.exe file, which was the worm that fortunately got removed.
Check here for more info: http://www.greatis.com/appdata/d/_/_windir__eksplorasi.exe_Removal.htm

The best source of info for all these problems that I have found is http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RONTOKBRO.K&VSect=Sn

You theoretically should be able to edit the registry from your own user account and not have to go into Safe Mode and your administrator account. But if you have the same problem as me, your computer will tell you that the administrator has disabled your ability to edit the registry. I recently learned that this is "the virus speaking" -- the sneaky bugger tells you that your administrator won't let you edit the registry so that you can't get in and delete it easily. It is the virus (or worm or malware or whatever) that actually disabled your ability to edit the registry, by setting the DisableRegistryTools value under your account's Policies\System key (the last line of the .inf file below is what puts it back). Because that setting lives in the affected user's own hive, a different account, like the administrator in Safe Mode, isn't blocked, which is why the Safe Mode route works. Clever.

The solution to this dilemma came from this wiki:
http://wiki.answers.com/Q/How_do_you_enable_Registry_Editing_again_if_it_has_been_disabled_by_your_administrator

To re-enable your ability to edit the registry from within your account, you can download Symantec's "Tool to reset shell\open\command registry keys" from their website and follow the instructions here: http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

Basically they tell you to download this .inf file called UnHookExec.inf to your desktop, right-click on it and choose Install. It works like magic!
If you can't find it for some reason, here is the text of the file. You can copy the text below, paste it into Notepad and save it as UnHookExec.inf on your desktop (put the name in quotes in the Save dialog so Notepad doesn't tack .txt onto the end), then right-click it and choose Install, and it should work just as well. I haven't tried this, so you are on your own, but it should work, because the text below is what is in the file:

___________________________________________________________________________

[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0
_______________________________________________________________________________________
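The registry side of this whole procedure, as an added example that is not from the original post or from Symantec's tool: a PowerShell script that checks the Winlogon Shell value, the DisableRegistryTools policy, the six shell\open\command handlers that UnHookExec.inf restores, and the Load/Run values under Windows NT\CurrentVersion\Windows (the location the msconfig entry at the end of the post lives in), and with -Repair restores the stock values after exporting each affected key to a .reg backup on the desktop. It assumes PowerShell is available (a modern Windows box; on a 2007-era XP install it was a separate download) and that the "expected" values are plain Windows defaults, which is an assumption about your machine rather than anything taken from the post. Run it from an elevated prompt while logged in as the affected user, since the policy value is in HKCU; that policy blocks regedit.exe, not the registry API the PowerShell provider uses, so the script can still clear it.

```powershell
# Added example (not from the original post). Audits the registry values the post
# walks through and, with -Repair, restores the stock Windows settings after
# exporting each affected key to a .reg backup on the desktop. Assumptions:
# Winlogon's Shell value is at its standard location (below); the expected
# values are Windows defaults, not taken from the post's machine. Run elevated.
param([switch]$Repair)

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Startup  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# Stock open-verb commands for executable types: the same values UnHookExec.inf writes.
$Handlers = @{
    batfile = '"%1" %*'; comfile = '"%1" %*'; exefile = '"%1" %*'
    piffile = '"%1" %*'; scrfile = '"%1" %*'; regfile = 'regedit.exe "%1"'
}

function Get-RegValue($Path, $Name) {
    # Returns $null for a missing key or value instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-Setting($What, $Actual, $Expected) {
    if ($Actual -eq $Expected) { Write-Host "[ok]  $What"; return $true }
    Write-Host "[BAD] $What"
    Write-Host "      found:    $Actual"
    Write-Host "      expected: $Expected"
    return $false
}

$findings = @()

# 1. Winlogon\Shell decides what runs as the desktop at logon. Anything other than
#    Explorer.exe (the worm appended its own path) gets reset.
$shell = Get-RegValue $Winlogon 'Shell'
if (-not (Test-Setting 'Winlogon\Shell' $shell 'Explorer.exe')) {
    $findings += @{ Path = $Winlogon; Name = 'Shell'; Value = 'Explorer.exe'; Type = 'String' }
}

# 2. DisableRegistryTools: missing or 0 means regedit is allowed for this user.
$drt = Get-RegValue $Policy 'DisableRegistryTools'
if ($drt -and $drt -ne 0) {
    Write-Host "[BAD] DisableRegistryTools = $drt (regedit is blocked for this user)"
    $findings += @{ Path = $Policy; Name = 'DisableRegistryTools'; Value = 0; Type = 'DWord' }
}

# 3. shell\open\command for executable types: a hijack here runs the malware every
#    time any program is launched, and a broken regfile entry breaks .reg imports.
foreach ($type in $Handlers.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
    $cmd = Get-RegValue $key '(default)'
    if (-not (Test-Setting "$type open command" $cmd $Handlers[$type])) {
        $findings += @{ Path = $key; Name = '(default)'; Value = $Handlers[$type]; Type = 'String' }
    }
}

# 4. Load and Run under ...\CurrentVersion\Windows are legacy autostart values.
#    They are normally empty; anything here is only reported, not changed, since a
#    legitimate program could be using them.
foreach ($name in 'Load', 'Run') {
    $v = Get-RegValue $Startup $name
    if ($v) { Write-Host "[WARN] $name = $v  (review manually)" }
}

if ($findings.Count -eq 0) { Write-Host 'Nothing to repair.'; return }
if (-not $Repair) { Write-Host "$($findings.Count) value(s) differ; rerun with -Repair to fix them."; return }

$desktop = [Environment]::GetFolderPath('Desktop')
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$n = 0
foreach ($f in $findings) {
    # reg.exe wants HKLM\... rather than the provider's HKLM:\... form.
    $regPath = $f.Path -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $backup  = Join-Path $desktop "reg-backup-$stamp-$n.reg"; $n++
    & reg.exe export $regPath $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Host "backup of $regPath failed; leaving it alone"; continue }
    Set-ItemProperty -Path $f.Path -Name $f.Name -Value $f.Value -Type $f.Type
    Write-Host "[fixed] $regPath\$($f.Name)  (backup: $backup)"
}
```

Without -Repair the script only reports, so you can run it first to see exactly which values differ from the defaults; if it wants to reset a handler you customised on purpose (a third-party .reg editor, say), that is the assumption about defaults showing, and you can leave that one alone.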

Now, having solved those problems, we have to deal with this issue of the computer saying "Cannot find "copy.exe" whenever you try to double-click on the C drive (this is supposedly another effect of the same worm).
The best and simplest solution came thanks to Blog Marco:
http://blog.photos2view.com/2007/05/28/windows-cannot-find-copy-exe.htm
Thankfully it does NOT involve going into the registry at all.
Happily, in this case, all you need to do is find the autorun.inf file in the root of the drive that has the problem and delete the reference to "copy.exe". Unfortunately this wasn't so easy for me, as a search for autorun.inf showed only the autorun.inf for my Star Wars Battlefront game on my external hard drive. You can have many autorun.inf files on your machine (one per drive or disc that uses them), and you want the one that is causing the problem. If the file has the hidden and system attributes set (malware usually does this), Windows search skips it by default, which is probably why it doesn't show up. Blog Marco suggested that you go into Start/Run and simply type in C:\autorun.inf. This opens the file sitting in the root of C: (the one Explorer reads when you double-click the drive) in a Notepad window. For me it was a simple matter of deleting all the text in the file and saving it. For Marco, because his file was read-only, he had to save the file to the desktop and then copy and paste it over the original. Since I didn't know where my file was to begin with, I wouldn't have known how to do that. Fortunately, all I had to do was delete the offending text (where it told the computer to find "copy.exe"); in other words, I erased ALL the text in the autorun.inf file.
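The autorun.inf hunt above, as an added example that is not from the original post or from Blog Marco: a PowerShell script that looks in the root of every drive for autorun.inf, including hidden/system copies that Explorer's search skips, parses the [autorun] section to show which program the file would launch when the drive is opened, and with -Neutralize clears the file's attributes, keeps a .bak copy and empties it. It assumes PowerShell is available and that the hostile entries live in the [autorun] section, as they do in the post's case.

```powershell
# Added example (not from the original post). Finds autorun.inf in the root of every
# drive, including hidden/system copies a normal search skips, lists the entries that
# would run a program when the drive is opened, and with -Neutralize strips the
# attributes and empties the file after keeping a .bak copy.
# Assumption: the hostile entries live in the [autorun] section, as in the post.
param([switch]$Neutralize)

function Get-AutorunTargets($Path) {
    # Parses the [autorun] section of an autorun.inf. The keys that cause code to run
    # when the drive is opened are open= and shellexecute=, plus any
    # shell\<verb>\command= entry that redefines a verb such as Open or Explore.
    $targets   = @()
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$') {
            $targets += New-Object PSObject -Property @{ Key = $Matches[1]; Command = $Matches[2] }
        }
    }
    return $targets
}

foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    # -Force is required: without it Get-Item treats hidden+system files as missing,
    # which is why a plain search never shows the worm's copy.
    $item = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    Write-Host "$inf  [$($item.Attributes)]"
    $targets = @(Get-AutorunTargets $inf)
    if ($targets.Count -eq 0) { Write-Host '   no open/shellexecute/shell-verb entries'; continue }
    foreach ($t in $targets) { Write-Host "   $($t.Key) = $($t.Command)" }
    if ($Neutralize) {
        # Clear read-only/hidden/system so the file can be written, keep a copy,
        # then empty it: an empty autorun.inf does nothing.
        $item.Attributes = 'Normal'
        Copy-Item -LiteralPath $inf -Destination "$inf.bak" -Force
        Clear-Content -LiteralPath $inf
        Write-Host "   neutralized; backup at $inf.bak"
    }
}
```

Explorer caches what it last read from a drive's autorun.inf under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, so if the "cannot find copy.exe" message persists after the file has been emptied, log off and back on (or reboot) so the cache is refreshed.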

Problem solved!

One last thing: my machine also kept giving me warning messages saying it couldn't find some files whose names were in Chinese! It showed squares and Chinese characters. To stop that message, I had to go to Start/Run and type in msconfig.exe. This brought up the System Configuration Utility. From there I clicked on the STARTUP tab and UNCHECKED the entry with the funky Chinese letters under the COMMAND column (msconfig's Location column put it in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, whose Load and Run values are an old autostart mechanism that malware likes because few people look there).
I have no idea what this software is, or why it was in startup items, but unchecking it (i.e. disabling it) seems to have worked. Note that msconfig doesn't delete the entry; it parks it under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig so it can be re-enabled, so the command line is still there if you want to look at what it was.

Hopefully, if you have the same problems, having done all this, your computer now boots up fine!

Happy modding!

T
