I am stuck after the login on the XP Pro

[CameraShy]

History:
I have tried to clean out my PC by uninstalling all my unused programs. Some programs I could remove automatically and other programs I had to remove manually by deleting the unused program directories, going into the REGEDIT, and doing the search and delete. I have also tried to remove viruses by using a trial version of an anti-spyware program. The name of that program which I have forgotten but I do remember I told it "OK to remove all the infected files". After I did the restart, I got the problem.

Problem:
The problem is that I can login fine but I got stuck right before the desktop items and the START bar should have come on. In this stuck mode, I can do the CTRL-ALT-DEL and the Windows Task Manager would pop up and I can run many programs from the Task Manager (File > New Task (Run…) > REGEDIT).

Things I have tried:
I have browsed my problem PC from the Task Manager and it has shown all the drives, directories, and files.
I have run "sfc /scannow" but it didn't show any problem.
I have run msconfig, compmgmt.msc, freecell, regedit, and others.
I have upgraded the XP Home Edition to the XP professional thinking that it would solve my problem but the result is the same.
When I ran the explore.exe, I saw the START bar appeared and then disappeared very quickly.

I have a feeling that I have deleted some thing in the registry that I shouldn’t have. I hate to do a fresh install because of the programs have installed.

Please help.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Can you boot into safe mode?

If so, try the following.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Then try doing a system restore to before your problems started.

See if that helps any.

Regards Howard :wave: :wave:

 

[CameraShy]

I tried the safe mode - I got stuck in the same place.

Thanks,

 

[howard_hopkinso]

The next thing to try is a Windows repair as per this thread HERE.

See if that helps.

Regards Howard

 

[CameraShy]

Howard,

I have no luck with the windows repair - It gets stuck in the same place after a successful repair. Any more ideas?

 

[howard_hopkinso]

Other than a reformat and reinstall I have no other ideas I`m afraid.

Regards Howard

 

[divawstyle]

Window login on XP Pro

Explorer.exe is not running. If you look in task manager you will see explorer.exe is not there. Go to windows task manager. Create a new task and type in explorer.exe and hit enter. This should bring your taskbar back and your icons.

Hope this helps

 

[CameraShy]

Howard -
I am not given up yet. Is there a tutorial you know of that shows what window xp is doing after you login?

divawstyle - I tried that already - when I run the Explorer.exe, the STARTMENU bar flashed very quickly. I originally thought that file was corrupted so I replaced it and run it again, and the result was the same.

Thanks,

 

[howard_hopkinso]

Howard -
I am not given up yet. Is there a tutorial you know of that shows what window xp is doing after you login?

Not that I`m aware of.

I`ve just thought of something else you might want to try.

Open your task manager and click file/new task. Type msconfig and click ok. When the msconfig window appears, click on the Launch system restore button. See if you can restore your computer to before your problems started.

Regards Howard

 

[CameraShy]

I didn't create any restore points in the past so there was nothing to restore from.

 

[Sjbrand99]

Okay, I have experienced this problem before, however im not too sure how i fixed it. It was some sort of trojan that denied me access to explorer.exe. If you can create new tasks then try opening Firefox or IE or whatever you use and download the removal tools. You will find them in the security + web forum (I think please back me up with the link on this one Howard). If you cannot do that, then try locating explorer.exe file (if this is possible?) and try running it using "admin" credentials.

You could try downloading A43 or some alternative to explorer.exe to browse your computer whilst trying to find the cause.

Hope this helps!

 

[howard_hopkinso]

That`s a shame.

Normally, Windows creates it`s own restore points every so often.

Well, that`s me out of ideas then.

Edit: As Sjbrand99 says, it`s possibly a malware infection, but since you said it only happened after you deleted stuff from the registry, I don`t think it`s the case with your system, but it might be.

However, if you could find a way to post a HJT log as per these instructions HERE, I`ll gladly take a look at it for you.

Regards Howard

 

[CameraShy]

Here is the HJT log for you to analysis. I also included a registry export of the [HKEY_LOCAL_MACHINE\...\Winlogon] key at the end of the log file.

 

[howard_hopkinso]

Your system is infected with a rootkit infection. I have therefore moved your thread to our security and the web forum.

Go HERE and follow the instructions(if you can), for removing ntsystem.exe.

If you manage to do that, please rename HJT as per the instructions in the first link I gave you and post a fresh HJT log.

Regards Howard

BTW; Good call Sjbrand99.

This thread is for the use of CameraShy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Sjbrand99]

Cheers, but how do we know that he can follow the instructions. Also, a combofix.exe log would be better for targeting the execact infection. Also, where (in which folder) is the ntsystem file found???

 

[howard_hopkinso]

Cheers, but how do we know that he can follow the instructions.

I don`t know whether CameraShy can follow the instructions, that`s why I said "if you can"

If CameraShy can`t follow the instructions, then the only way to get rid of the rootkit is to reformat the drive. That would be a shame, as I know for a fact that the instructions I have given will fix the above file. I`ve come across this file only a few times and in all instances, that`s the only fix I have found that works, other than a reformat.

This is the location of the nasty file.

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

Combofix wouldn`t fix this file as it requires special treatment.

The ntsystem.exe file must not be confused with another infection of the same name, which is easy to get rid of. The only difference between the two is the [gwiz] in brackets. This file is based on a rootkit.

Regards Howard

This thread is for the use of CameraShy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Sjbrand99]

Ouch! reformat... im sure that he can fingd awy around doin the required processes without using explorer.exe. ALOT can be done with task manager... Is it possible that CameraShy can fix the problem with out a program... and that he can simply hit the delete button??? He could youse a file browser, alternate explorer access from another computer etc!

CameraShy, we DO need to know exactly what you CAN do... are you using the current machine to use the internet and post here?

 

[howard_hopkinso]

Is it possible that CameraShy can fix the problem with out a program... and that he can simply hit the delete button???

Unfortunately not.

That file can only be got rid of via the fix I have given or a reformat.

Edit: See this thread HERE.

Regards Howard

This thread is for the use of CameraShy only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.