JMarimon Posted June 28, 2007

Hey guys, got a problem recently, and I have tried everything to fix it. Here is a step by step on what happens.

- I shut down, or restart, or even completely log off of Windows Vista Ultimate.
- Once the logon screen comes up, I type in my password.
- It starts the Welcome screen, and it actually seems to take a particularly long time.
- Once it completes, I am presented with a solid black screen and a white cursor. As flattered as I am by the simplicity, Windows isn't especially useful in this state.
- I can leave it sit here for hours, I tried up to four hours, it just sits there.
- I can then hit Ctrl+Alt+Del and click to open the task manager. There are very few processes running at this point, 34.
- I run Explorer.exe, and Windows springs to life. My icons pop up, the taskbar, my wallpaper, processes suddenly start popping up (Virus scanner, Gtalk, Trillian), and I even get the Windows Vista login sound chime. This jumps to about 54 processes.
- From here, Vista runs completely normally.

As you can tell, the problem is easily fixed, but it is annoying none the less, and just the fact that there has to be a problem annoys me. What to do?

List of stuff tried:
- System Restore
- Uninstall Java and Quicktime
- System clean
- Startup repair on Vista disk
- Replace Explorer.exe
- Add Explorer.exe to the Startup folder

Random known things:
- In the Windows Defender Startup list, Explorer.exe is listed as "Not yet classified". Other stuff is listed as permitted.
- UAC is turned off

Thanks for the help guys.

Marshmellow Posted June 28, 2007

I don't know if this will work or not but you can try it. Won't take 10 seconds probably. Click Start->Click Run->Type msconfig->Click Start Up Tab and I guess see if explorer.exe is in there or not. If it is and it's unchecked then check it. If it isn't there then I don't know. Hope it helps.

JMarimon (Author) Posted June 28, 2007

Haha, nice try Marshy. If only life were that simple. No, that isn't it. Explorer is not a standard Startup Process, it is a login process. (Won't run unless you login to an account)

=NukeBlaze= Posted June 28, 2007

Completely disable windows defender and its shield, restart, and try again. I want to check something... Also, what AV and Antispy(s) are you using with vista?

Marshmellow Posted June 28, 2007

> Haha, nice try Marshy. If only life were that simple. No, that isn't it. Explorer is not a standard Startup Process, it is a login process. (Won't run unless you login to an account)

I knew that, I was just, tricking you that's it! *goes and cries*

JMarimon (Author) Posted June 28, 2007

> Completely disable windows defender and its shield, restart, and try again. I want to check something... Also, what AV and Antispy(s) are you using with vista?

Do you know of any advanced way to disable Windows Defender? I tried that by just unchecking the service and startup entries in MSconfig.exe. I am using Nod32 for AV and Windows Defender for Antispy.

-------------------------

Also, here is the task manager at the step where I open the task manager: So, you can see what is running before I start explorer.

S.C.G Posted June 28, 2007

I did a quick search to see if I could find anyone having similar problems and it seems that a lot of people are, anyways, here's a link to a forum thread which seems to suggest various causes including driver conflicts, the control panel being a non-standard item? and the first windows vista virus/exploit, which was the cursor bug, which is really an IE issue; apparently.

http://forums.whirlpool.net.au/forum-replies-archive.cfm/759057.html

Anyways, I dk if it will help but sometimes randomly browsing through forum topics of people who have had similar problems can often bring about a solution somewhere in the thread or might suggest something you haven't tried yet, even though evidently you have tried lots of things to fix it, but often there is always something that hasn't been tried even if you don't realise it at the time, it's sometimes the way with errors.

Guest Jordan Posted June 28, 2007

http://help.lockergnome.com/general/Explorer-exe-loading-properly-booting-ftopict52455.html

That's the only thing I could find on the topic, nice and stupidly complicated too...

=NukeBlaze= Posted June 28, 2007

> Do you know of any advanced way to disable Windows Defender? I tried that by just unchecking the service and startup entries in MSconfig.exe. I am using Nod32 for AV and Windows Defender for Antispy.

To my knowledge, that is the way to do it, again I don't use vista as my primary OS. Windows defender is a bit crappy at detection anyway, NOD32 on the other hand has a great track record on low resource consumption and detection rates.

I would post your hijack log below, and give spybot and ad-ware a download then a full system scan. AVG also has a freeware spyware scan which also does a decent job at cleaning, but I would not use its active shield.

Can you give any more details on when it first started? What you were doing before, etc.

> http://help.lockergnome.com/general/...pict52455.html
> That's the only thing I could find on the topic, nice and stupidly complicated too...

That's not a bad idea to ask for the hijack log. You can find it directly linked below.

http://www.spywareinfo.com/~merijn/programs.php

JMarimon (Author) Posted June 28, 2007

> http://help.lockergnome.com/general/Explorer-exe-loading-properly-booting-ftopict52455.html
> That's the only thing I could find on the topic, nice and stupidly complicated too...

I actually did go step-by-step on that. Didn't work.

---------------------

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:56:35 AM, on 6/28/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Nod32\nod32kui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\mobsync.exe
C:\Users\Justin\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Nod32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Nod32\nod32krn.exe
--

Guest Jordan Posted June 28, 2007

What the hell is that C:\Program Files\Bonjour ?

JMarimon (Author) Posted June 28, 2007

> What the hell is that C:\Program Files\Bonjour ?

http://www.apple.com/macosx/features/bonjour/

Installs when you install Quicktime. I thought that could be the issue, so I deleted the file. :P

Here is what interests me from the hijackthis:

"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe"
"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"

Someone I was talking with said to NEVER hit "Fix checked" in Hijackthis, as it can fuck stuff up even more.

So, those two entries sound related...? I gather that winlogon.exe reads system.ini, and doesn't see an item for shell, and stops; hence not loading the shell... explorer.exe. Makes sense to me, what do you guys think?

Here is my System.ini:

"
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
"

=NukeBlaze= Posted June 28, 2007

> http://www.apple.com/macosx/features/bonjour/
> Installs when you install Quicktime. I thought that could be the issue, so I deleted the file. :P

This is why I use quicktime alternative, instead of the apple quicktime installer as it cuts out some of the extras.

http://www.free-codecs.com/download/QuickTime_Alternative.htm

> "O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"

That's your Nvidia control panel, as I imagine you have an Nvidia graphics adapter.

> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe

It may be a normal process for Vista, but winlogon.exe is a commonly infected file. To completely rule this out, I strongly recommend checking your system with various other Spyware/Malware programs as windows defender does not come close to catching everything. I will provide the direct links to the ones I mentioned in my previous post. I will look more on this processes, but offhand instinct tells me there is some oddity here.

Spybot: http://www.safer-networking.org/en/download/index.html
Ad-ware: http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
AVG Antispyware: http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

Update their definitions and run the full sweeps.

> Someone I was talking with said to NEVER hit "Fix checked" in Hijackthis, as it can fuck stuff up even more.

It deletes the entry. In many cases it can help, it is deleting the "Wrong" item which causes issues. This is why you create a restore point before you do it.

-----------------------------------

I once again recommend uninstalling quicktime and installing quicktime alternative in its place. Make a restore point and have hijackthis fix the below entries.

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O13 - Gopher Prefix:

---------------------------------

Sending the command "netsh winsock reset" in command line will also reset the LSP stack and would be good as well after removing it. Test and see. Spyware scan still recommended from those programs I mentioned.

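Added example, not part of the original thread and not any poster's code: a small Python triage pass over HijackThis entries like the ones posted above, flagging the F2 Shell value and the missing Bonjour files the posts discuss. The baseline it assumes (a stock Shell value of plain explorer.exe, the genuine winlogon.exe living under \Windows\System32) and all function names are this example's own.

```python
import re

# Baseline assumed by this example: the stock Winlogon Shell value is plain
# explorer.exe, and the genuine winlogon.exe lives under \Windows\System32\.
DEFAULT_SHELL = "explorer.exe"
SYSTEM32 = "c:\\windows\\system32\\"

# Entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Nod32\nod32krn.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
SHELL = re.compile(r"REG:system\.ini: Shell=(.*)$", re.IGNORECASE)
WINLOGON_PATH = re.compile(r"[a-z]:\\[^\s\"']*winlogon\.exe")
MISSING = re.compile(r"\bmissing\)?$")


def parse(log):
    """Yield (code, body) for each entry line; headers and blanks are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log):
    """Return (code, reason) pairs for entries that deserve a closer look."""
    findings = []
    for code, body in parse(log):
        low = body.lower()
        # F2 reports the logon shell; anything beyond explorer.exe is extra
        # code launched at every logon.
        shell = SHELL.search(body) if code == "F2" else None
        if shell and shell.group(1).strip().lower() != DEFAULT_SHELL:
            findings.append((code, "logon shell is not plain explorer.exe"))
        # A system binary name in the wrong directory is a classic disguise.
        if any(not p.startswith(SYSTEM32) for p in WINLOGON_PATH.findall(low)):
            findings.append((code, "winlogon.exe referenced outside System32"))
        # Leftover registrations whose file is gone (here: removed Bonjour).
        if MISSING.search(low):
            findings.append((code, "entry points at a missing file"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

A flag from this pass is a prompt to inspect the file and scan it, not a verdict; it only ranks which lines of a long log to read first.
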
JMarimon (Author) Posted June 28, 2007

> This is why I use quicktime alternative, instead of the apple quicktime installer as it cuts out some of the extras.
>
> http://www.free-codecs.com/download/QuickTime_Alternative.htm
>
> That's your Nvidia control panel, as I imagine you have an Nvidia graphics adapter.
>
> It may be a normal process for Vista, but winlogon.exe is a commonly infected file. To completely rule this out, I strongly recommend checking your system with various other Spyware/Malware programs as windows defender does not come close to catching everything. I will provide the direct links to the ones I mentioned in my previous post. I will look more on this processes, but offhand instinct tells me there is some oddity here.
>
> Spybot: http://www.safer-networking.org/en/download/index.html
> Ad-ware: http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
> AVG Antispyware: http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
>
> Update their definitions and run the full sweeps.
>
> It deletes the entry. In many cases it can help, it is deleting the "Wrong" item which causes issues. This is why you create a restore point before you do it.
>
> -----------------------------------
>
> I once again recommend uninstalling quicktime and installing quicktime alternative in its place. Make a restore point and have hijackthis fix the below entries.
>
> O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
> O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
> O13 - Gopher Prefix:
>
> ---------------------------------
>
> Sending the command "netsh winsock reset" in command line will also reset the LSP stack and would be good as well after removing it. Test and see. Spyware scan still recommended from those programs I mentioned.

Wow, thanks for all the help. I do really appreciate you taking the time to really try and help me out. I will spend my afternoon and try all of that stuff and report back here. Only thing I can say now is that Ad-Aware won't work with Vista. That is what I used back on XP, so that is why I was just using Windows Defender; waiting until Ad-Aware came out. Anyhow, thanks again, I'll try that stuff and report back here.

------------------------------------

I am now scanning with Spybot, but scanning with AVG brought about an interesting result: So, it quarantined the infected file, and replaced it with a good working one?

------------------------------------

Ohhh, it feels so good to say this. It is officially fixed! Thank you so much for your help, I guess it was that Trojan infecting the winlogon.exe. I'm so happy. Again, thank you so much for your help. I'm glad I posted it here, I love the Tech Talk.

=NukeBlaze= Posted June 28, 2007

Nifty. Glad to hear you got it working. AVG does a pretty good job on antispy, the only problem is that I have yet to find a program that finds most of them, that's why I usually run the gamut of anti-spy programs. God speed.

Chris16 Posted July 5, 2007

Hello guys. I am facing the same problem lately only I have Windows Vista Premium... It caused from a keygen that I have downloaded recently and it was a Trojan. I have tried many ways you have posted here to get it fixed but I failed. I did a scan with AVG Anti-spyware. I have quarantined the infected file but, it didn't replace it with a working one... So I deleted it from the quarantined section. So now I am stacked out of ideas. Can anyone help me please?

AeroScap Posted July 5, 2007

Total stab in the dark here. Tried run>msconfig then looking through the tabs and trying to find explorer.exe and tick it or add it to the startup lists on boot

Chris16 Posted July 5, 2007

> Total stab in the dark here. Tried run>msconfig then looking through the tabs and trying to find explorer.exe and tick it or add it to the startup lists on boot

First, thank you for replying. I ran msconfig, I did look for the explorer.exe, but I didn't find it. How can I add it there?

Chris16 Posted July 6, 2007

I tried to re-install Windows Vista, without losing any data and files, using the upgrade trick... But it still doesn't work... I can't stand this anymore... I will format the disk (like I haven't done this about 20 times in 2 months!). I will never download stuff, like cracks and keygens from bad sites, even when there isn't what I want elsewhere. It's a big risk, I'll never take it, no thanks.

=NukeBlaze= Posted July 7, 2007

^ You can copy a new explorer.exe and winlogon.exe into your windows folder from the VISTA disc if you have been damaged.

If you can, just put XP on your computer and get NOD32 for your antivirus, and pick a spyware protection solution (Not windows defender, Try AVG's antispyware for realtime protection, and Spybot and spywareblaster for passive. It's all free save nod32, just don't use for AV Norton, McAfee or something equally horrible). Don't use IE if you can, it's more prone to infection, get Firefox or something comparable. Give vista another year to become more stable, and the drivers more concrete.