Explorer Fails To Run On Boot


12 replies to this topic

#1 Chree


Posted 10 April 2008 - 12:48 PM

Hi all,

Could do with some advice....

....I had some nasty spyware (antispyware master) which I have eventually managed to get rid of. Only problem is that now every time I boot my machine (running XP sp2) after log in explorer doesn't run......so I have to do task manager --> file --> run --> explorer. Which obviously does the trick but is a bit of a pain. I've looked round various forums and can't find a solution. I can reinstall windows as I have my hard drive partitioned and all my personal docs are there but it's a bit of a pain tbh.....and lots of apps to reinstall as well. Does anyone have any advice on how to solve this issue? As I say, I'm sure my machine is now clean.

Thanks in advance
Chris

:thumbsup:


#2 Billy O'Neal


Posted 10 April 2008 - 01:05 PM

Hello, Chree.
Let's get this fixed up for ya:

PLEASE NOTE THAT THIS ASSUMES THERE IS NO MORE MALWARE ON THIS MACHINE. DO THIS AT YOUR OWN RISK:

We need to back up your registry before we can continue the fix.
  • Please download ERUNT and save it to your desktop.
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
And here is the fix:
  • Open regedit (Run, type in regedit, press enter), and navigate to this key on the left side:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  • There should be a shell key in the right side. Make sure the Shell key's value is "Explorer.exe"
  • Reboot.
Good luck!
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 HitSquad


Posted 10 April 2008 - 01:16 PM

Hi Chris, welcome to BC.

"after log in explorer doesn't run......so I have to do task manager --> file --> run --> explorer. Which obviously does the trick but is a bit of a pain."

If by "doesn't run" you mean that it is not listed as a process in task manager and does not run automatically, then most likely antispyware master has changed its path in the registry.
If the above doesn't help, open your registry and navigate to the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplorer.exe

If the explorer and\or iexplorer keys exist, delete them and reboot. They should not be there.

Let us know

Edited by HitSquad, 10 April 2008 - 01:19 PM.


#4 Chree


Posted 10 April 2008 - 01:30 PM

Hi Hitsquad,

Thanks for the advice....have checked the registry and those keys do not exist. Will try Billy's advice now......and yes by "doesn't run" that's what I mean!

Thanks
Chris

#5 Chree


Posted 10 April 2008 - 01:37 PM

Hi Billy,

Thanks for your response...I checked the registry and the shell key's value is "explorer.exe" - I'm not sure if the values are case sensitive???? Is it worth doing the ERUNT method in this case?

Many thanks again
Chris

#6 Chree


Posted 10 April 2008 - 02:30 PM

Hi Billy/HitSquad,

Have either of you got any more advice please? Still no joy :thumbsup:

Thanks again,
Chris

#7 CyberDoug


Posted 10 April 2008 - 02:43 PM

I had a problem like this a while back.
Basically I had been hit by the Virtumonde virus and it had messed up the explorer.exe (It wouldn't load at all)
I downloaded SuperAnti Spyware and Spybot S + D and let them both run full system scans.
Both came up with varying results.
I deleted all spyware and upon next startup the computer was running fine with no explorer.exe bugs.

Hope this helps but don't take it as bleepingcomputer advice, just some newbies.

#8 Billy O'Neal


Posted 10 April 2008 - 03:10 PM

Have you tried Spybot S&D? It looks for settings that are commonly broken by malware and fixes them.

ERUNT is worth it even when you aren't editing the registry.. but since we are not editing it you should be fine.
It's always nice to have a backup :thumbsup:

Can you export the winlogon key and send it to me? http://billy-oneal.com/fileUpload

Billy3

#9 Chree


Posted 10 April 2008 - 03:58 PM

Hi again Billy,

Thanks for your reply......I have run Spybot S&D - it found a few cookies but nothing else - I ran SuperAntiSpy and that found another remnant of Antispyware master which has now been removed. I'm about to upload the winlogon key to your URL....just done it - you should have it on your site now!

Thanks so much for your help - I really appreciate it.

Speak soon,
Chris

#10 Billy O'Neal


Posted 10 April 2008 - 04:14 PM

Alright... the key looks okay.

Try this tutorial here to verify the integrity of Windows.

http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

Billy3

#11 Chree


Posted 10 April 2008 - 04:59 PM

Thanks Billy, running the check now...will let you know the results....but maybe tomorrow as it's late here now!
Thanks again for your help,
Chris

#12 Billy O'Neal


Posted 10 April 2008 - 06:14 PM

It shouldn't give you any results.... SFC silently replaces anything it fixes. When it's done, you can look in the application event log (Start -> Run... -> compmgmt.msc -> Event Viewer (on the left side) -> Look for events originating from system file protection) to see which files, if any, are replaced.

For other helpers:
If I missed anything in this key, let me know:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoRestartShell"=dword:00000001
"DefaultUserName"="A User"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
  00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DefaultPassword"=""
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="A User"
"AltDefaultDomainName"="D27TWY1J"
"DefaultDomainName"="D27TWY1J"
"AutoAdminLogon"="0"

Have a nice night,
Billy3

#13 Mauricio


Posted 13 April 2008 - 02:18 AM

:thumbsup:

Thanks for the help.

I resolved my problem by setting the commented defaults for the WINLOGON key.
In my case, the value for SHELL was: explorer.exe "c:\windows\explorer.exe"
I changed it simply to: explorer.exe

That solved my problem.
Thanks a lot guys
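
An added example, not part of the original thread or any poster's code: a Python check that reads a regedit export of the kind posted in #12 and reports the conditions the thread looks for, namely a Winlogon Shell or Userinit value that differs from the defaults shown there (such as the Shell value reported in #13) and the presence of the Image File Execution Options subkeys named in #3. The sample export and the names `parse_reg` and `audit` are constructed for illustration; values are compared case-insensitively and only string values are parsed.

```python
import re

BASE = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
WINLOGON = BASE + r"\winlogon"
IFEO = BASE + r"\image file execution options"
# Defaults as shown in the export posted in the thread (compared case-insensitively).
EXPECTED = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
IFEO_NAMES = ("explorer.exe", "iexplorer.exe")  # subkeys post #3 says should not exist

# Constructed sample: the Shell value reported in post #13, plus a made-up IFEO subkey.
CONSTRUCTED_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe \"c:\\windows\\explorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
'''

STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): string data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := STRING_VALUE.fullmatch(line)):
            current[unescape(m.group(1)).lower()] = unescape(m.group(2))
    return keys

def audit(text):
    """List deviations in Winlogon Shell/Userinit and unexpected IFEO subkeys."""
    keys, findings = parse_reg(text), []
    winlogon = keys.get(WINLOGON, {})
    for name, want in EXPECTED.items():
        got = winlogon.get(name)
        if got is None:
            findings.append(f"winlogon {name}: missing")
        elif got.strip().lower() != want:
            findings.append(f"winlogon {name}: unexpected {got!r}")
    for exe in IFEO_NAMES:
        if IFEO + "\\" + exe in keys:
            findings.append(f"ifeo subkey present: {exe}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONSTRUCTED_EXPORT)) or "no findings")
```
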



