Issue with explorer


drakath

Well, regretfully I am unable to solve this on my own. So here is the story.

This computer had Trojan Generic10, and after using some of the recommended malware scanners it also had Vundo, or else they are one and the same.

I followed these steps: Viruses/Spyware/Malware, preliminary removal instructions

The computer is now mostly clean, but when we try to log in to the user account, explorer.exe does NOT open on its own. I must go into Task Manager and open it using Run.

Here is the HijackThis log. Also, the computer indicates that Trend Micro is uninstalled, though I do see traces of it within the HijackThis log, as well as Google Desktop, which I removed in attempting to fix Explorer.

The Shell REG_SZ key is explorer.exe, so that looks correct.

Your advice is greatly appreciated.
 
Sorry, this is my automatic response to this question:

Check the Shell value for Winlogon in your registry. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
should show:

Shell REG_SZ explorer.exe

Or download this tool: http://www.dougknox.com/xp/utils/XP_FixLogon.zip
This utility checks for the correct GINA value in the Registry and will allow you to restore it, if it's incorrect.
 
Not a problem, and I tried to state this in my first post, but those values are correct, and I tried the tool that you linked.
 
Is this the same in Safe Mode too?
You may need to repair Windows. I have not checked your log, as I'm not a HJT expert (but hopefully another member will).
 
I would have tried the repair, except that I don't have the customer's disk for this installation. I tried sfc /scannow with my disk and that didn't work; it asks for disk 2 for Windows XP Pro ?!? I believe Safe Mode did the same thing, but I'd have to confirm again.
 
> disk 2 for Windows XP Pro ?!?

I think one is the boot floppy, one is the actual CD (not sure.)

Anyway, what about creating another account (with Admin rights)?
If it works, you could copy all user documents over. But don't remove the old account fully, as some programs (like Norton) need the original account for removal.
 
Well here we are:
1. I tried doing a nice Windows repair, but still no Explorer startup.
2. I tried creating an alternate user account, but still no Explorer startup.

I also ask, could any of the programs that I used to clean up the computer, have caused this?
 
No.
Unless explorer.exe had a virus attached to it, and explorer.exe is now removed!
That's why I asked about Safe Mode

So you did a Windows Repair from Windows CD bootup (second R prompt)?
 
Yes, it does. What is happening is that explorer.exe is not starting on Windows boot-up, but instead I have to manually start it. So I'd guess at this being registry- or Windows-settings-based.
 
Actually, hang on, I'll just check my Autoruns program, where it states "run explorer".
(Also, of course it exists - silly me!)

I'll edit this post, unless you reply (which then I'll create a new reply)
 
Found it! (Oh, I double posted.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

Go to

Start-->Run-->Regedit
Expand: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Right-click on the Winlogon folder, and select New > String Value
Value Name: Shell
Value data: Explorer.exe

Close Regedit

Restart
 
If I am correct, that is the same as you mentioned earlier. I even tried removing the old entry and creating a new one with the same value, which is correct.
 
Hmm, yes it is.

OK, delete the existing one, and create a new one (reg entry, I mean).


edit
You did this already :(

Edit2

I must have a meeting here where I am (unrelated)
But don't format yet; I want to know why Explorer doesn't start (especially in Winlogon startup?).
 
I agree, I would like to know why this is happening so it can be solved. Yes, we have a nice Winlogon service when the computer starts up, but no explorer.exe. Is it possible for Winlogon to be the issue?

I removed all leftover security software on the computer; I did that quite a bit earlier. I made sure all items in msconfig are set to boot; now I am going to try the opposite.

Trend Micro was NOT removed correctly in the past, but I was able to use the tool in its folder to remove it, so there might be traces of this as well?
 
I'm getting it.

Start-->Run-->gpedit.msc-->OK

Have you got anything configured in there? (Note: I haven't found the exact area yet.)

It's:
Winlogon\RunLogonScriptSync

RunLogonScriptSync can be in the registry under HKEY_CURRENT_USER.
Not sure where yet (Stupid MS support, you have to read a gazillion pages to find this!!)

Still on it, but just go through the entire Group Policy.

Edit:

There should be no Winlogon value (on the right-hand side) in the registry under the Winlogon yellow folder (LHS),
i.e. here (I'm copy-pasting whilst reading TechNet!!):
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows NT
\CurrentVersion
\WinLogon

Check for any Winlogon entry on the RHS and remove it (don't remove the Winlogon yellow folder, of course!).
 
> Hey, someone said the SP3 update fixed it.
>
> This was in a really good thread with users who had tried everything,
> including Group Policy and moving user accounts around.
>
> Here's SP3: http://www.microsoft.com/windows/pro...3/default.mspx

I have done this already; the repair disk was SP3, plus I recently tried re-installing SP3. It did so successfully, but still the same issue.

> I'm getting it.
>
> Start-->Run-->gpedit.msc-->OK
>
> Have you got anything configured in there? (Note: I haven't found the exact area yet.)

I checked a few items in here, anything related to logon, but I haven't found anything configured.

> RunLogonScriptSync can be in the registry under HKEY_CURRENT_USER.
> Not sure where yet (Stupid MS support, you have to read a gazillion pages to find this!!)

I did find some entries for this in the registry, but with a 0x0000001(1) value.

> Check for any Winlogon entry on the RHS and remove it (don't remove the Winlogon yellow folder, of course!)

What would RHS be?
 
> There should be no Winlogon value (on the right-hand side) in the registry under the Winlogon yellow folder (LHS),
> i.e. here (I'm copy-pasting whilst reading TechNet!!):
> HKEY_LOCAL_MACHINE
> \SOFTWARE
> \Microsoft
> \Windows NT
> \CurrentVersion
> \WinLogon
>
> Check for any Winlogon entry on the RHS and remove it (don't remove the Winlogon yellow folder, of course!)

Arrr! That is the only one that I really want you to check for (the others were less favourable options).

> What would RHS be?

Right Hand Side.
 
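The thread's advice boils down to inspecting a handful of registry values by hand in regedit: the Shell value under HKLM\...\Winlogon, any stray "Winlogon" value in that same key, and anything Group Policy may have set. The script below is an added example, written for this page and not posted by anyone in the thread, that performs those checks in one pass and prints a table of what deviates from the expected state. The Shell = Explorer.exe check and the "no Winlogon value under the Winlogon key" check come straight from the posts above; the Userinit, per-user Shell, Policies\System Shell and Image File Execution Options Debugger checks are my additions, since those are the other registry locations that decide what runs as the shell at logon and are the usual places a malware cleanup leaves a hijack behind. The expected Userinit string (path plus trailing comma) is the stock XP/2003 value; adjust it if the machine differs. The function names are mine.

```powershell
# Added example, not code from the thread. Audits the registry values that decide what
# starts as the shell at logon, i.e. the checks the thread walks through in regedit.
# Read-only; run from an elevated PowerShell prompt.

$winlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHKCU = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeoExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'

# Expected clean state. Expected = $null means "this value should not exist at all".
# Shell and the stray 'Winlogon' value are from the thread; the rest are my additions.
$checks = @(
    @{ Path = $winlogonHKLM; Name = 'Shell';    Expected = 'explorer.exe' }
    @{ Path = $winlogonHKLM; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," }
    @{ Path = $winlogonHKLM; Name = 'Winlogon'; Expected = $null }   # the "RHS" entry the helper asks about
    @{ Path = $winlogonHKCU; Name = 'Shell';    Expected = $null }   # per-user shell override
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Shell'; Expected = $null }  # GPO "Custom User Interface"
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Shell'; Expected = $null }
    @{ Path = $ifeoExplorer; Name = 'Debugger'; Expected = $null }   # IFEO hijack of explorer.exe
)

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns the value's data, or $null if either the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ShellAutostart {
    foreach ($c in $checks) {
        $actual = Get-RegValueOrNull $c.Path $c.Name
        # Absent values must be absent; present ones must match case-insensitively after trimming.
        $ok = if ($null -eq $c.Expected) { $null -eq $actual }
              else { ($actual -is [string]) -and ($actual.Trim() -ieq $c.Expected) }
        [pscustomobject]@{
            Key      = $c.Path
            Value    = $c.Name
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            Expected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
            Status   = if ($ok) { 'OK' } else { 'CHECK' }
        }
    }

    # Shell = explorer.exe is a bare name; confirm the binary it resolves to is still on disk,
    # which covers the "explorer.exe was removed along with the infection" case raised above.
    $exe = Join-Path $env:SystemRoot 'explorer.exe'
    $present = Test-Path -LiteralPath $exe
    [pscustomobject]@{
        Key      = $exe
        Value    = '(file)'
        Actual   = if ($present) { 'present' } else { 'missing' }
        Expected = 'present'
        Status   = if ($present) { 'OK' } else { 'CHECK' }
    }
}

Test-ShellAutostart | Format-Table -AutoSize -Wrap
```

Anything marked CHECK is worth looking at before deciding the registry is fine: a Shell value that is present but points somewhere other than explorer.exe, a per-user or policy Shell that overrides the machine-wide one, or a Debugger value under the explorer.exe IFEO key all produce exactly the symptom in this thread (Winlogon runs, no Explorer) while the HKLM Shell value looks correct.
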