Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Explorer.exe starts in priority high, prevents GUI from appearing.


  • Please log in to reply
20 replies to this topic

#1 Shadowflare

Shadowflare

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 13 June 2010 - 01:11 PM

Hello. I've been having a problem with my Explorer.exe process. When I freshly boot my computer, sometimes nothing will popup after I finish logging in, as in, no desktop icons, no start bar, or programs showing up, just my normal desktop background. I can however bring up the task manager, and I've noted that my process "Explorer.exe" is running in priority high. When I end the process, and restart it, if I'm quick enough, I can change its priority to normal again and all my icons will show up.

I've tried using process explorer to set the priority and Prio to save the process priority on normal (which doesn't work). So, I have a fix for my icons not showing up, but I just need a way to make it so explorer stays and starts on a normal priority level.

I'm on a Windows SP3 machine (freshly updated) and I've been having this problem after I'd been using SP2 for about 2-3 months.

Currently using an up to date copy of ESET NOD32 and ran a full scan overnight last night without finding anything malicious.

Specs
AMD Athlon 64 X2 Dual Core Processor 4200+ /2.40 Ghz
2GB RAM
Geforce 7600 GS


Thanks in advance!

BC AdBot (Login to Remove)

 


#2 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 13 June 2010 - 04:28 PM

As you can imagine, explorer.exe is a vital part of important things - like your desktop, icons, etc. Being such, it is a target for malicious software - sometimes the mechanism is so afflicted it just won't run until you run it from the Task Manager, and that can sometimes get it running to relieve the symptom of the problem but that does not fix the actual problem :thumbsup:

Malicious software (annoyingware as I call it) would love for you to think you have to reinstall XP to fix your problem, but I would rather outsmart it.

If the executable itself is so afflicted or your system is just unusable you can replace explorer.exe from Task Manager, but it doesn't make sense to try to fix something on a system that has malicious software on it.

Please perform the following to rule out obvious malicious software and tell us more about your system.

Download, install, update and do a full scan with these free malware detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

To eliminate questions and guessing, please provide additional information about your system.

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select All, Copy and then paste the information back here.

There will be some personal information (like System Name and User Name), and whatever appears to be private information to you, just delete it from the pasted information.

Edited by joseibarra, 13 June 2010 - 04:39 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#3 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 13 June 2010 - 05:17 PM

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Name JESUS
System Manufacturer MICRO-STAR INTERNATIONAL CO., LTD
System Model MS-7312
System Type X86-based PC
Processor x86 Family 15 Model 75 Stepping 2 AuthenticAMD ~2419 Mhz
BIOS Version/Date Phoenix Technologies, LTD V1.7, 3/7/2008
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume3
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
User Name JESUS\Shadowflare
Time Zone Eastern Daylight Time
Total Physical Memory 2,048.00 MB
Available Physical Memory 744.96 MB
Total Virtual Memory 2.00 GB
Available Virtual Memory 1.96 GB
Page File Space 3.85 GB
Page File C:\pagefile.sys


Ran Malwarebytes and that other new program, Malwarebytes found one object and removed it.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

I've rebooted the system and re-ran the scan, didn't find it again, however I did have the same problem with the process priority causing issues with explorer properly displaying anything at all xD

EDIT: Please hold..re-ran superantispyware and found some new entries. Will post when it finishes again.

Edited by Shadowflare, 13 June 2010 - 05:29 PM.


#4 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 13 June 2010 - 05:42 PM

I was gonna say... that was pretty fast.

If your system still feels afflicted, here is how to replace your explorer.exe from Task Manager (it works, I just tried it again).

To replace explorer.exe:

Look in TM and if explorer.exe is running, terminate the process and your desktop will disappear (as expected).

From the Task Manager, clcik File, New Task, and Browse (do not run) to:

c:\windows

Locate and rename the explorer.exe file to something you can remember like:

jose.exe

Windows File Protection should quickly and silently replace the missing explorer.exe (it will magically
appear) with the one from c:\windows\system32\dllcache.

Rebrowse the c:\windows folder (you may have to go up a level and come back in) and you should see jose.exe
and a fresh copy of explorer.exe which you can now launch from Task Manager.

You should also see an Information event message from Windows File Protection similar to this in the
Event Viewer System log:

File replacement was attempted on the protected system file c:\windows\explorer.exe. This file
was restored to the original version to maintain system stability. The file version of the
system file is 6.0.2900.5512.

Edited by joseibarra, 13 June 2010 - 05:44 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#5 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 13 June 2010 - 05:50 PM

File replacement was attempted on the protected system file explorer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.

Did work, I will have to see if it will start on a normal priority later, I'll set my programs to do scans of all my drives overnight and see what turns up.

Will post back later, thanks!

#6 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 13 June 2010 - 07:10 PM

Please do.

Good luck!

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#7 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 14 June 2010 - 12:15 PM

SuperAntiSpyware removed 3 tracking cookies overnight, so I restarted, had the same problem, and then ran a new set of scans while I was out today, all clear, however upon restart, I encounter the same issue of nothing but my desktop image loading until I start an instance of explorer.exe on priority normal. I re-replaced explorer again, but no luck.

#8 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 14 June 2010 - 02:21 PM

Okay, lets verify something else. You may not be infected now, but it sounds like you were.

We are going to check the registry to be sure that where explorer.exe is supposed to get started has not been removed or tampered with.

Before editing your registry make a backup with this popular free tool:

http://www.larshederer.homepage.t-online.de/erunt/

Click Start, Run and in the box enter:

regedit

Click OK and navigate to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

On the right side look for the values called Shell which on a good day should have the value of just:

explorer.exe

What is the current contents of Shell?

Delete anything after explorer.exe if there is anything, or if the value of Shell has no value make it read:

explorer.exe

Reboot and test.

Edited by joseibarra, 14 June 2010 - 02:23 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#9 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 15 June 2010 - 06:27 AM

Shell only has the value Explorer.exe, which seems normal. Nothing extra.

#10 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 15 June 2010 - 09:03 AM

Does Shell really say Explorer.exe or explorer.exe?

Please use regedit to navigate to here:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Is there anything under there that says Explorer.exe or explorer.exe?

There shouldn't be either one, but let's see what your find.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#11 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 15 June 2010 - 12:47 PM

It says "Explorer.exe" and there is nothing under the other area related to explorer

#12 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 15 June 2010 - 01:12 PM

I can't image what difference it makes, but please change it in the registry from Explorer.exe to explorer.exe, reboot and test. I don't think I have ever seen Explorer.exe there.

When you reboot, is there just no explorer.exe running at all in TM until you start it and then does it run okay?

In other words, is the only problem right now that when you reboot, explorer.exe is not running at all, but when you launch it from TM, things are okay until the next reboot. Or does explorer.exe launch okay when you reboot, but with High priority (and stay that way).

Perhaps somebody else has some other ideas now - I am getting low on ideas (that do not involve trial and error) on this at the moment.

Edited by joseibarra, 15 June 2010 - 01:13 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#13 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 15 June 2010 - 07:31 PM

No effect, explorer still started on high during startup.

#14 joseibarra

joseibarra

  • Members
  • 1,224 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Downstairs
  • Local time:10:26 PM

Posted 15 June 2010 - 08:16 PM

So explorer.exe starts properly on startup (now) but the issue is that it starts at high priority?

When we started, explorer.exe was not even starting and you had to start it manually from TM but that part is resolved now?

If it reboots and runs High and you end it and restart it from TM is it still High or Normal?

Can you test your system by booting into Safe Mode and see how that looks?

If you just reboot and look in TM (no folders open) how many explorer.exes are running? I figured out a way to get my system to launch the regular explorer.exe on reboot in Normal priority, but if I then browse a folder it launches another explorer.exe and the second one runs at High priority. That could be a good clue.

What is the CPU column say in TM for your afflicted explorer.exe?

Please do a regual Windows Search for explorer.exe and copy/paset the locations found.

I'm not trying to mince words - just making sure I get it.

Edited by joseibarra, 15 June 2010 - 08:23 PM.

The mediocre teacher tells. The good teacher explains. The superior teacher demonstrates.


#15 Shadowflare

Shadowflare
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:10:26 PM

Posted 15 June 2010 - 08:23 PM

The initial problem is that it started in high priority, but failed to load any user interface. In order to make it start properly, I would have to open task manager, set it to normal, then shut down again, upon the next restart it will start on normal, but if I open additional instances of explorer, or restart, they will start on high again. I will try safe mode next.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users