Windows stuck at login screen

Status
Not open for further replies.

Transform

Hi.

For several weeks I have been trying to solve a problem on a family member's desktop computer.

The scenario is as follows:

User clicks on their profile and their custom background appears. From here, the taskbar and desktop icons do not appear automatically and the user must open task manager and manually launch the process 'explorer.exe' to force the desktop to appear correctly.

The problem occurs with all the profiles on the computer and there is nothing in the event log to suggest that there is a problem.

Could someone help me out?
 
Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
should show:

Shell REG_SZ explorer.exe

Or download this tool: http://www.dougknox.com/xp/utils/XP_FixLogon.zip
This utility checks for the correct GINA value in the Registry and will allow you to restore it, if it's incorrect.


By the way, this is usually a sign of Virus\Malware infection
You are therefore advised to go here, and complete all steps:
Viruses/Spyware/Malware Preliminary Removal Instructions
 
The registry value was ok.

I have gone through all 8 steps of the malware link you gave me. Here are my results (attached) as instructed...
 

Attachments

  • Malwarebyte's.txt
    837 bytes · Views: 6
  • SuperAntiSpyware.txt
    10.6 KB · Views: 5
  • HijackThis.txt
    9.5 KB · Views: 5
I'd try a Windows repair at this point. Do you have your Windows installation CD?

-- Andy
 
My computer was purchased from Dell so I will need to have a look if they sent me a Windows XP disk with it...
 
As your logs are now a week old

You may be best providing a new HJT log

Before supplying the log, please do these things:

Run CCleaner (to remove old temp files)
Reset IE, using this procedure
Remove any known, not required startups, using this tool

Restart, then create a new log
 
I used to work for Dell and they stopped shipping CDs more than 2+ years ago. You have to pay for them separately now. If you can get your hands on a Windows installation CD for the version you have, then you can do the Windows repair. Either get one from a friend or from an independent computer store.

Best,
-- Andy
 
I have Windows XP Home Edition.

So as long as I can find a Home Edition CD it will allow me to do the repair?

Will I still keep my legitimate Windows key?
 
Check the Windows sticker on your computer. If it's for the same version as the CD, you're home free!!

-- Andy
 
No! Windows repair does not touch your personal files, programs or settings. It only checks the Windows system files and associated settings.

Pop the installation CD in the CD drive. Boot to it. On the first screen, press <enter> for an installation. It's the next choice where it asks if you want to install a clean copy or repair. That's when you select 'r'.

Repost if you have questions.

-- Andy
 
Transform as you are being told to Repair Windows
I must state that you should back up first!

Yes there is always the chance that you can lose data
 
Although Windows repair does not specifically touch your personal files, yes, Kimsland is correct, it can fail and result in the installation being corrupted. In my experience, that happens because your file system is corrupted to begin with. That doesn't appear to be your case. Nonetheless, if you want to be prudent, back up your files first.
 
Don't sweat it then. In my experience the only time a Windows repair backfires and corrupts the installation is simply because the file system was corrupt to begin with. This isn't your case. Your files are safe.

You can proceed with the Windows repair.

-- Andy
 
Option #1
  • Already stated in post#7 above (not done)
Option #2
  • Click on Start -> Run -> control userpasswords2
  • Tick "Users must enter a username and password to use this computer"
  • Click to highlight your username
  • Click "Apply"
  • Un-Tick "Users must enter a username and password to use this computer"
  • Click "Apply"
  • Type in your current password (or leave blank if you don't have one)
  • Click OK
  • Restart your computer
Option #3
  • Please backup your Kaspersky licence information and key
  • Then fully uninstall Ad-Aware
  • Then fully uninstall Kaspersky
  • Once complete restart your computer

Reply with results
 
Good news, bad news.

Good news is that if the Windows repair completed and you can boot to the Desktop, your Windows system is probably fine.

Bad news is, you're still having problems and it's something outside your Windows system.


I don't think in all of this I ever asked or you ever mentioned this but can you boot to Safe Mode? If so, do you still have the same problems?

I might suggest if you haven't tried this but create a new user account (call it "Sparky" for fun!) See if "Sparky" has the same problems.

-- Andy
 
Please follow through with the guides from kimsland first.

Although the logs aren't the most current, I did check them and found the following:
At that time, Mbam showed no malware.
At that time, SAS showed numerous Tracking Cookies. Have SAS remove them. Here is an image to help with that:
http://screenshots.en.softonic.com/en/scrn/50000/50803/3_antispy4.jpg

You need to reset Cookies:
Open Internet Options (through Tools or Control Panel)> Privacy tab> Advanced button> CHECK 'override automatic Cookies handling'> CHECK 'allow first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Update Java: Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

HijackThis log items to review first:
This program is running> TightVNC Software>> TightVNC is a free remote control software package derived from the popular VNC software. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. It is not without risks. Please see its features on http://www.tightvnc.com/
If you are not actively using this, remove it:

C:\Program Files\TightVNC\WinVNC.exe
It appears that you have two Kaspersky programs running. Please verify this. If duplicate, uninstall ONE of them:
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

Be cautious about this. It is a social networking feature and may expose you to malware. If you do not actively use it, remove it.
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab

You may at one time have used this scanner online. But it is still loading and running in the background and could conflict with the Kaspersky AV. It should be stopped and uninstalled.
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 10

Reboot into Normal Mode. Run a new HijackThis scan and attach the log.

We will also update the Adobe program or use an alternate next go round.
 
As asked in post #7, here is my HJT log after completing the steps required.

I also completed option #2 from post #18 which hasn't worked. I will try option #3 next time I have a chance (remote desktopping from overseas).

----------

Moderator Edit:
Pasted HJT log removed, and then attached
Please attach your logs, do not paste them into a reply.
 
Update Java: Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Update Adobe: Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version v9: https://www.techspot.com/downloads/2083-adobe-reader-dc.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn't have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php
Click on the 'Get it Free' button

HijackThis log item to review first:
Verify that this is what is being used for the Remote Desktop overseas.
This program is running> TightVNC Software>> TightVNC is a free remote control software package derived from the popular VNC software. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. It is not without risks. Please see its features on http://www.tightvnc.com/
If you are not actively using this, remove it:
C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe

Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
Be cautious about this. It is a social networking feature and may expose you to malware. If you do not actively use it, remove it:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab

You may at one time have used this scanner online. But it is still loading and running in the background and could conflict with the Kaspersky AV. It should be stopped and uninstalled.
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Control Panel> Add/Remove Programs Uninstall the following:
All Java EXCEPT v6u10
All Adobe Reader EXCEPT v9.

Reboot into Normal Mode. Run a new HijackThis scan and attach the log.

Please give us system status.
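
Added example (not part of the original thread or any poster's code): a small Python parser for the HijackThis lines quoted in the two review posts above. It lists the items those posts ask to verify by hand: a process image listed twice, an O16 ActiveX entry with no download source recorded, and an O23 service whose binary is currently running. The function names, finding labels and sample log are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample: lines copied from the HijackThis items quoted in this thread.
SAMPLE_LOG = r"""
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\TightVNC\WinVNC.exe
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: VNC Server (winvnc) - TightVNC Group - C:\Program Files\TightVNC\WinVNC.exe
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # e.g. "O16 - DPF: <detail>"
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Split a log into running-process paths and O-section entries."""
    processes, entries = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            code, kind, detail = m.groups()
            clsid = CLSID.search(detail)
            entries.append({"code": code, "kind": kind, "detail": detail,
                            "clsid": clsid.group(0) if clsid else None})
        elif re.match(r"^[A-Za-z]:\\", line):           # bare path = running process
            processes.append(line)
    return processes, entries

def review(text):
    """Return (finding, subject) pairs for a human to verify; nothing is removed."""
    processes, entries = parse_log(text)
    findings = []
    for path, count in Counter(p.lower() for p in processes).items():
        if count > 1:                                   # same image listed twice
            findings.append(("duplicate-process", path))
    running = {p.lower() for p in processes}
    for e in entries:
        if e["code"] == "O16" and "://" not in e["detail"]:
            findings.append(("activex-no-source", e["clsid"]))
        if e["code"] == "O23":                          # service whose binary is live
            exe = e["detail"].rsplit(" - ", 1)[-1].lower()
            if exe in running:
                findings.append(("service-running", exe))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

Each finding is only a prompt to check the entry, as the posts above do for TightVNC and the two avp.exe lines; the script does not decide whether an item is malicious.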
 
I just tried uninstalling Ad-Aware and Kaspersky and restarted but the problem still exists :( I have installed AVG Anti-Virus just to keep the computer safe for now.

I will complete the above post next and post back the results.
 
Just passing by

Try Free Antivirus like Avast or Avira

I use Avira, it seems pretty good. AVG seems a bit slow, and has stopped networks working with past faults (now resolved)

Just thought I'd mention that, before you totally get set on AVG
 