Explorer does not auto run on login, have to manually run it to get desktop?

Status
Not open for further replies.

tweaks_sav

I've got a PC with 3 users. It was pretty infected. It's since been totally cleaned. I did scans with Avast, AVG, Spybot, Adaware, A-Squared, Smitfraudfix, Combofix, Malware Bytes, and Hijackthis. Fully clean now.
I think it was after combofix, but I may be mistaken, explorer shell wouldn't run when logging into windows. When I click on any user to login, their background comes up, but no desktop icons, start bar, or such. I have to ctrl-alt-del and use task manager to run explorer.exe, then everything pops up.

I've tried:

1) Re-running combofix to see if it would fix itself

2) checking: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "shell" is set to: explorer.exe

3) using the startup "Run" and "RunServices" (ie: msconfig entries) to call a batch file to run explorer.exe. It calls explorer perfect, but those don't run till I run explorer manually, so it just opens the My Documents windows explorer window.

4) using group policy to set a logon script of a batch file to call explorer.exe, same as #3.

5) Windows XP Repair Install


Any more ideas/help? Thanks!
 
Hmm, attempted all that you had suggested as well.
Bummer, a wipe/reload, just what I was trying not to do :)
Oh well, I'll keep bugging with it.
Thanks.

Any other suggestions?
 
Yes, I have replied to the other member (having the same issue as you)
To source where the problem lies in his backup of registry in his working fresh install of Windows.

You could actually do the same thing, (not sure who's more technically minded)

Create a registry backup
Install clean
Backup the clean registry
Restore the old (faulty backup)
Same fault? Must be in the Registry then!

-> Restore the working backup (or system restore)
Half the faulty registry backup file (using Notepad)
Merge the half faulty backup reg
Same fault
Start from this paragraph again ->

Reply back with which reg key it was (eventually!)
 
Also, you don't have to wipe, you can just re-install Windows. The installation will put in a new registry and you get to keep your files, you'd just have to reinstall everything for registry keys. At least that's what I have done.
 
I've just sent drakath the following:

Are you still there drakath
Can you at least send me the backup of Winlogon (possibly faulty) registry entry (zipped up)
So as I can view it, against mine?

I'm not interested in any user stuff or licence issues (don't think they're stored in here anyway)
And I have serviced (in person) about a thousand computers (could be more, actually probably is)
Pretty sure Winlogon does not contain any private stuff, I just checked mine, and nothing in there to worry about.

Could you also zip up your "exported" registry file of Winlogon
Also I need to know what version of XP you are running, drakath is running Pro
I have access to any OS!
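
The comparison this post asks for (viewing one Winlogon export against another) and the registry-halving procedure in the earlier reply both come down to finding which values differ between a working and a faulty export. As an added example, not part of any poster's message, here is a small Python diff of two `.reg` exports; the sample exports are constructed from values quoted in the thread, and the `Data` value name is a placeholder.

```python
import re

def parse_reg(text):
    """Parse regedit export text into {(key, value_name): raw_data}; names lowercased."""
    text = re.sub(r"\\\r?\n\s*", "", text)      # join hex continuation lines
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries[(key, None)] = ""            # record that the key itself exists
        elif key and (m := re.match(r'("(?:[^"\\]|\\.)*"|@)=(.*)$', line)):
            entries[(key, m.group(1).strip('"').lower())] = m.group(2)
    return entries

def kind(raw):  # registry type implied by the export syntax: REG_SZ, dword, hex, hex(2)...
    return "REG_SZ" if raw.startswith('"') else raw.split(":", 1)[0].lower()

def diff_reg(reference, suspect):
    """Return (finding, location, reference_data, suspect_data) for every difference."""
    findings = []
    for ident in sorted(set(reference) | set(suspect), key=str):
        r, s = reference.get(ident), suspect.get(ident)
        if r == s:
            continue
        where = ident[0] if ident[1] is None else f"{ident[0]} -> {ident[1]}"
        if r is None or s is None:
            tag = "only-in-suspect" if r is None else "only-in-reference"
        elif kind(r) != kind(s):
            tag = "type-differs"
        elif r.lower() == s.lower():
            tag = "case-only"
        else:
            tag = "data-differs"
        findings.append((tag, where, r, s))
    return findings

# Constructed sample exports (values quoted in the thread; "Data" is a placeholder).
REFERENCE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"=dword:00000001
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe"
'''
SUSPECT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"ShutdownWithoutLogon"="0"
"UIHost"="logonui.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,02,03,04
'''
print(*diff_reg(parse_reg(REFERENCE), parse_reg(SUSPECT)), sep="\n")
```

Real "Windows Registry Editor Version 5.00" exports are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_reg`.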
 
It's XP Pro SP2. Was SP3, but I did a repair install XP, and it brought it back to SP2.
Awesome. Yeah, I'm a computer tech as well, with thousands of repairs too. :)
Thanks for the help. I wouldn't mind sending the whole registry, no worries, let me know.
 
Please do the following registry changes

"Shell"="Explorer.exe" <-change (capitalize E)
"ShutdownWithoutLogon"=dword:00000001 <-change to
"UIHost"="C:\\WINDOWS\\system32\\logonui.exe" <-change to
"DefaultPassword"="" <- remove entire string
"AutoAdminLogon"="1" <- change to

The next key, I do not have at all (but leave in for the moment)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
And all those numbers under it !!!

Once you have made the registry changes, restart
Report back

Also, you can edit your previous post (advanced edit) and remove the attachment
 
Damn, thanks for the continued help, but still same thing.

1)Changed explorer.exe to Explorer.exe
2)The original key was a REG_SZ so I changed it to ShutdownWithoutLogonOLD and made a new REG_DWORD and named it ShutdownWithoutLogon and set it to 1
3) Changed UIHost from logonui.exe to C:\WINDOWS\system32\logonui.exe
4,5) I have 3 users so this doesn't matter. I need to logon, not auto. (http://www.computerperformance.co.uk/Registry/registry_hacks_AutoAdminLogon.htm)

Hmmm was looking into the WgaLogon/Settings and found this....http://www.threatexpert.com...
 
Still same issue but I tried this as well:

2) So I checked my PC here and ShutdownWithoutLogon is a REG_SZ and set to just 0, so I changed that back.

I also checked my PC for the WgaLogon key and it's not there. So I deleted the whole WgaLogon key. It had exactly what ThreatExpert had. On reboot, the registry key was recreated, but no values or anything are in them now.
Here is another case of desktop not loading with the same WgaLogon/Settings entry...hmmm! http://forums.techguy.org/malware-removal-hijackthis-logs/564750-windows-xp-sp2-desktop-not.html
I haven't tried any of the tools they posted in that thread yet.

All I did was a google search for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings http://www.google.com/search?q=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows+NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings

I'm going to run online BitDefender scan and AntiVir just in case. Since I've done AVG and Avast.
 
Pssh, legality doesn't bother me :)

AntiVir and BitDefender didn't find anything.
I actually already had the RemoveWGA in my tools, but when I ran it I got "The WGA Notification is not active on your system". Which makes sense since this PC was already genuine.

Still no dice.
 
I actually already had the RemoveWGA in my tools, but when I ran it I got "The WGA Notification is not active on your system". Which makes sense since this PC was already genuine.

The WGA Notify, is for genuine Windows. Now that'll mess with you!

Anyway, I don't think it's in Winlogon key any longer.
I'm starting to think you should replace Explorer.exe with the Windows CD Explorer.ex_
This may do it.
 