
Posted

Hey guys, got a problem recently, and I have tried everything to fix it. Here is a step by step on what happens.

 

- I shut down, or restart, or even completely log off of Windows Vista Ultimate.

- Once the logon screen comes up, I type in my password.

- It starts the Welcome screen, and it actually seems to take a particularly long time.

- Once it completes, I am presented with a solid black screen and a white cursor. As flattered as I am by the simplicity, Windows isn't especially useful in this state.

- I can leave it sit here for hours, I tried up to four hours, it just sits there.

- I can then hit Ctrl+Alt+Del and click to open the task manager. There are very few processes running at this point, 34.

- I run Explorer.exe, and Windows springs to life. My icons pop up, the taskbar, my wallpaper, processes suddenly start popping up (Virus scanner, Gtalk, Trillian), and I even get the Windows Vista login sound chime. This jumps to about 54 processes.

- From here, Vista runs completely normally.

 

As you can tell, the problem is easily fixed, but it is annoying nonetheless, and just the fact that there has to be a problem annoys me. What to do?

 

List of stuff tried:

- System Restore

- Uninstall Java and Quicktime

- System clean

- Startup repair on Vista disk

- Replace Explorer.exe

- Add Explorer.exe to the Startup folder

 

Random known things:

- In the Windows Defender Startup list, Explorer.exe is listed as "Not yet classified". Other stuff is listed as permitted.

- UAC is turned off

 

Thanks for the help guys.

Posted

I don't know if this will work or not but you can try it. Won't take 10 seconds probably.

 

Click Start->Click Run->Type msconfig->Click Start Up Tab and I guess see if explorer.exe is in there or not. If it is and it's unchecked then check it. If it isn't there then I don't know.:) Hope it helps.

Posted

Haha, nice try Marshy. If only life were that simple. No, that isn't it. Explorer is not a standard Startup Process, it is a login process. (Won't run unless you login to an account)

Posted

I knew that, I was just, tricking you, that's it! :heh:

 

 

*goes and cries*

Posted
Completely disable Windows Defender and its shield, restart, and try again. I want to check something...

 

Also, what AV and Antispy(s) are you using with vista?

 

Do you know of any advanced way to disable Windows Defender? I tried that by just unchecking the service and startup entries in MSconfig.exe.

 

I am using Nod32 for AV and Windows Defender for Antispy.

 

-------------------------

 

Also, here is the task manager at the step where I open the task manager:

 

running.png

 

So, you can see what is running before I start explorer.

Posted

I did a quick search to see if I could find anyone having similar problems and it seems that a lot of people are. Anyways, here's a link to a forum thread which seems to suggest various causes including driver conflicts, the control panel being a non-standard item? :wtf: and the first Windows Vista virus/exploit, which was the cursor bug, which is really an IE issue, apparently.

 

http://forums.whirlpool.net.au/forum-replies-archive.cfm/759057.html

 

Anyways, I dk if it will help but sometimes randomly browsing through forum topics of people who have had similar problems can often bring about a solution somewhere in the thread or might suggest something you haven't tried yet, even though evidently you have tried lots of things to fix it, but often there is always something that hasn't been tried even if you don't realise it at the time, it's sometimes the way with errors.

Posted
Do you know of any advanced way to disable Windows Defender? I tried that by just unchecking the service and startup entries in MSconfig.exe.

 

I am using Nod32 for AV and Windows Defender for Antispy.

 

To my knowledge, that is the way to do it; again, I don't use Vista as my primary OS. Windows Defender is a bit crappy at detection anyway; NOD32 on the other hand has a great track record on low resource consumption and detection rates. I would post your hijack log below, and give Spybot and Ad-Aware a download then a full system scan. AVG also has a freeware spyware scan which also does a decent job at cleaning, but I would not use its active shield.

 

Can you give any more details on when it first started? What you were doing before, etc.

 

 

 

http://help.lockergnome.com/general/...pict52455.html

 

That's the only thing I could find on the topic, nice and stupidly complicated too...

 

That's not a bad idea to ask for the hijack log. You can find it directly linked below.

 

http://www.spywareinfo.com/~merijn/programs.php

Posted
http://help.lockergnome.com/general/Explorer-exe-loading-properly-booting-ftopict52455.html

 

That's the only thing I could find on the topic, nice and stupidly complicated too...

 

I actually did go step-by-step on that. Didn't work.

 

---------------------

 

Here is my HijackThis log:

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:56:35 AM, on 6/28/2007

Platform: Windows Vista (WinNT 6.00.1904)

Boot mode: Normal

 

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\explorer.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Nod32\nod32kui.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE

C:\Program Files\Trillian\trillian.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\System32\mobsync.exe

C:\Users\Justin\Desktop\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\RealPlayer\rpbrowserrecordplugin.dll

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Nod32\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing

O13 - Gopher Prefix:

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Nod32\nod32krn.exe

 

--

Guest Jordan
Posted

What the hell is that C:\Program Files\Bonjour ?

Posted

http://www.apple.com/macosx/features/bonjour/

 

Installs when you install Quicktime. I thought that could be the issue, so I deleted the file. :P

 

Here is what interests me from the hijackthis:

 

"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe"

"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"

 

Someone I was talking with said to NEVER hit "Fix checked" in Hijackthis, as it can fuck stuff up even more.

 

So, those two entries sound related...? I gather that winlogon.exe reads system.ini, and doesn't see an item for shell, and stops; hence not loading the shell... explorer.exe. Makes sense to me, what do you guys think?

 

Here is my System.ini:

 

"

; for 16-bit app support

[386Enh]

woafont=dosapp.fon

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

 

[drivers]

wave=mmdrv.dll

timer=timer.drv

 

[mci]

"

Posted
http://www.apple.com/macosx/features/bonjour/

 

Installs when you install Quicktime. I thought that could be the issue, so I deleted the file. :P

 

This is why I use quicktime alternative, instead of the apple quicktime installer as it cuts out some of the extras.

 

http://www.free-codecs.com/download/QuickTime_Alternative.htm

 

 

"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"

 

That's your Nvidia control panel, as I imagine you have an Nvidia graphics adapter.

 

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe

 

It may be a normal process for Vista, but winlogon.exe is a commonly infected file. To completely rule this out, I strongly recommend checking your system with various other Spyware/Malware programs as Windows Defender does not come close to catching everything. I will provide the direct links to the ones I mentioned in my previous post. I will look more into this process, but offhand instinct tells me there is some oddity here.

 

Spybot:

http://www.safer-networking.org/en/download/index.html

Ad-ware:

http://www.download.com/Ad-Aware-2007-Free/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5

AVG Antispyware:

http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

 

Update their definitions and run the full sweeps.

 

Someone I was talking with said to NEVER hit "Fix checked" in Hijackthis, as it can fuck stuff up even more.

 

It deletes the entry. In many cases it can help, it is deleting the "Wrong" item which causes issues. This is why you create a restore point before you do it.

 

 

-----------------------------------

I once again recommend uninstalling quicktime and installing quicktime alternative in its place. Make a restore point and have hijackthis fix the below entries.

 

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

 

 

O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing

 

O13 - Gopher Prefix:

 

---------------------------------

 

Sending the command "netsh winsock reset" in command line will also reset the LSP stack and would be good as well after removing it.

 

Test and see. Spyware scan still recommended from those programs I mentioned.
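
The entries singled out in this thread (the F2 Shell line, and the O10 and O23 entries left behind by Bonjour) can be picked out of a HijackThis log mechanically. The following is an added example, not part of any post: the sample lines are constructed from the log above, and the expected default values and the function names are assumptions of the example.

```python
import re

# Constructed sample: a few lines in HijackThis format, modelled on the entries
# discussed in the thread above (not a complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Nod32\nod32krn.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
F2_VALUE = re.compile(r"^REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)

# Winlogon values expected on a default install (assumption of this example).
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe",
                 r"c:\windows\system32\userinit.exe,"},
}

def parse(log):
    """Yield (section, body) for every line that looks like a HijackThis entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2).strip()

def triage(log):
    """Return (section, reason, body) findings that deserve a manual look."""
    findings = []
    for section, body in parse(log):
        if section == "F2":
            m = F2_VALUE.match(body)
            if m:
                name, value = m.group(1).lower(), m.group(2).strip().lower()
                # Anything beyond the bare default (extra tokens, other paths) is flagged.
                if value not in EXPECTED[name]:
                    findings.append((section, f"non-default Winlogon {name} value", body))
        elif section == "O10" and "missing" in body.lower():
            findings.append((section, "LSP chain references a missing provider", body))
        elif body.lower().endswith("(file missing)"):
            findings.append((section, "entry points at a file that no longer exists", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {body}")
```

A finding here is a prompt to inspect the entry, not a verdict; the scan results later in the thread are what confirmed the infection.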

Posted

Wow, thanks for all the help. I do really appreciate you taking the time to really try and help me out. I will spend my afternoon and try all of that stuff and report back here.

 

Only thing I can say now is that Ad-Aware won't work with Vista. That is what I used back on XP, so that is why I was just using Windows Defender; waiting until Ad-Aware came out.

 

Anyhow, thanks again, I'll try that stuff and report back here.

 

------------------------------------

 

I am now scanning with Spybot, but scanning with AVG brought about an interesting result:

 

avgscan.png

 

So, it quarantined the infected file, and replaced it with a good working one?

 

------------------------------------

 

Ohhh, it feels so good to say this. It is officially fixed! Thank you so much for your help, I guess it was that Trojan infecting the winlogon.exe. I'm so happy. Again, thank you so much for your help. I'm glad I posted it here, I love the Tech Talk. :D

Posted

Nifty. Glad to hear you got it working.

 

AVG does a pretty good job on antispy, the only problem is that I have yet to find a program that finds most of them, that's why I usually run the gamut of anti-spy programs.

 

God speed.

Posted

Hello guys. I am facing the same problem lately, only I have Windows Vista Premium... It was caused by a keygen that I have downloaded recently and it was a Trojan.

 

I have tried many ways you have posted here to get it fixed but I failed.

I did a scan with AVG Anti-spyware. I have quarantined the infected file but it didn't replace it with a working one... So I deleted it from the quarantined section.

 

So now I am stuck, out of ideas. Can anyone help me please?

Posted

Total stab in the dark here. Tried run>msconfig then looking through the tabs and trying to find explorer.exe and tick it or add it to the startup lists on boot

Posted

First, thank you for replying. I ran msconfig, I did look for the explorer.exe, but I didn't find it. How can I add it there?

Posted

I tried to re-install Windows Vista, without losing any data and files, using the upgrade trick...

 

But it still doesn't work...:(

 

I can't stand this anymore... I will format the disk (like I haven't done this about 20 times in 2 months!). I will never download stuff like cracks and keygens from bad sites, even when what I want isn't available elsewhere. It's a big risk, I'll never take it, no thanks.

Posted

^ You can copy a new explorer.exe and winlogon.exe into your Windows folder from the Vista disc if you have been damaged.

 

If you can, just put XP on your computer and get NOD32 for your antivirus, and pick a spyware protection solution (not Windows Defender; try AVG's antispyware for realtime protection, and Spybot and SpywareBlaster for passive. It's all free save NOD32, just don't use Norton, McAfee or something equally horrible for AV). Don't use IE if you can, it's more prone to infection; get Firefox or something comparable.

 

Give vista another year to become more stable, and the drivers more concrete.
