Win2k Hangs on Boot (Windows Installer)

[David Reed]

Good Morning,

I have a problem with one of my users computesr, and I've been beating my
head for three days trying to figure it out.

On a Windows 2k SP4 system, (A Dell Dimension 2350, as if that matters),
using MS Office 2k and Symantec Enterprise Edition 8.x.

The computer, when it boots, and the user logs in under their profile, the
computer boots to the desktop, and then, Windows Installer "takes over", and
seems to be trying to install something. I can't tell what, it doesn't show
me. It appears twice, and then the users desktop (background) disappears,
and the Windows default "Bubbles" background appears, the screen goes blank
(except for that), and just sits there, with the mouse cursor.

I can still move the mouse cursor. The system doesn't seem to freeze. But
it does seem to hang after the Windows Installer tries to install something,
though I have no idea what.

I have manually removed MS Office 2k and Symantec Enterprise Edition 8.x,
including registry keys. This was because Windows Installer was originally
trying to "install" both of those as well. So I removed them manually by
going into Safe Mode, and running REGEDIT to remove the keys and delete the
folders.

Whatever the problem is, it doesn't occur in Safe Mode.

Oh, and I have tried to run REGMON, but, it hangs before I can get to the
prompt to run it (of course).

And I have also followed these instructions:
http://support.microsoft.com/kb/q269251/

Does anyone have any ideas?

-David

 

[Dan Tate]

Interesting - Here's what i'd try:

Disable the Windows installer service in safemode.

Boot into Windows in normal mode, then start regmon and filemon from
sysinternals

Start the windows installer service and see what's trying to install.

 

[RWS]

------------------------------------------------------------------
Description of the Windows Installer CleanUp Utility
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301
------------------------------------------------------------------

Interesting - Here's what i'd try:

Disable the Windows installer service in safemode.

Boot into Windows in normal mode, then start regmon and filemon from
sysinternals

Start the windows installer service and see what's trying to install.

 

[David Reed]

I've found the "symptomatic cause" of what the problem is...for some reason,
Explorer.exe is either launching and then shutting down after the user is
logged in (and the login script, etc, has run), or it is failing to launch
at all (the first I think is more likely, as the users background comes up
during the login, then goes away. Then, if I CTRL-ALT-DEL and manually run
Explorer.exe, it's fine, as if nothing was ever wrong.

Except that, obviously, I can't have my user manually running Explorer.exe
everytime they log in...especially this one, if you catch my drift...

Any ideas?

Thank-you!

-David

 

[mobigital-ggrp]

some of the trojan horses or other spyware does this - they kill
explorer upon logon. You may be able to open task manager quickly and
see if there is a process with name that looks like gibberish
characters?

 

[David Reed]

Hi there,

You know, I just re-installed Symantec Anti-Virus, and it detected two
virus:

Trojan.Lodear.C (and)
Trojan.Lodav.B

Cleaned up those two virus', and it's been running fine since then.

The Symantec website description for those two virus' doesn't say anything
about it shutting down Explorer.exe, and yet, the computer is running fine,
now...with one exception...

Something is preventing a connection to the MS Exchange server. I can PING
it by IP or FQDN, but not access it, even to check the username when trying
to set up the user's profile in Outlook.

I tried logging out and logging in as another user, to set a profile up
(mine), and see if I could contact the Exchange 2003 sever then. No luck.

I uninstalled MS Office 2000 with the Office Removal Utility, rebooted,
re-installed MS Office 2000. No go.

I upgraded from MS Office 2000 to MS Office 2003 Pro (Retail Upgrade).
STILL can't make a connection with Exchange Server.

I noted that when I upgraded from Office 2000 to Office 2003, it asked me
which previous versions of Office software I wanted to remove. ALL Office
applications were checked (including Outlook), but Outlook 2000, and Outlook
alone, was "grayed out", so I couldn't make any changes to the checkbox.

Any other ideas?

-David

 

[mobigital-ggrp]

There was some issue with RPC configuration for outlook, and there was
a registry fix for it.
sorry can't be more specific, but may be you can find it on ms
knowledgebase.

 

[David Reed]

Is this what you were thinking of?

http://support.microsoft.com/?kbid=827330

If so, it seems that it's for problems connecting to the server, outside the
firewall? This is a client Outlook, operating in a Corporate or Workgroup
Mode, inside our firewall, on our local network.

-David

 

[mobigital-ggrp]

hmm, no, I was thinking of non-HTTP RPC issue, and my problem was
using outlook through VPN (not through firewall or proxy). That
connection was direct as far as TCP/IP concerned. The issue might have
been with outlook XP.

 

[David Reed]

I don't think it's the version of Outlook that's the problem, because the
exact same problem was occuring on Outlook 2000, and I upgraded to Outlook
2003, in an effort to resolve the problem.

I don't seem to be able to UNINSTALL Outlook.

I can still ping the exchange server, by IP and FQDN both, from the command
prompt...

I just tried one suggestion, which was to force it to ask for user name and
password when opening Outlook, and then save it, but that didn't work
either.

-David

 

[David Reed]

Hmmm...I found this in the Application Log...

The MOF file created for the Outlook service could not be loaded. The error
code returned by the MOF Compiler is contained in the Record Data. Before
the performance counters of this service can be collected by WMI the MOF
file will need to be loaded manually. Contact the vendor of this service
for additional information.

I don't know what this means...

-David

 

[David Reed]

I found this in the Application Log:

The MOF file created for the Outlook service could not be loaded. The error
code returned by the MOF Compiler is contained in the Record Data. Before
the performance counters of this service can be collected by WMI the MOF
file will need to be loaded manually. Contact the vendor of this service
for additional information.

Along with it was EventID #2002, and on the Source "LoadPerf"

EventID.net says to refer to Symantec Article: "I had this problem after
reinstalling Symantec Antivirus Client. I had some errors while updating so
I had to remove it and reinstall it again, after that I kept getting this
error. See the link to "Symantec Support Document ID:2004060116454248" to
fix this problem. "

I went to that document, and it said to use a Fix tool, which I did. Still
no-joy. It didn't help...

-David

 

[Daniel Tate]

Hi there,

You know, I just re-installed Symantec Anti-Virus, and it detected two
virus:

Trojan.Lodear.C (and)
Trojan.Lodav.B

Cleaned up those two virus', and it's been running fine since then.

The Symantec website description for those two virus' doesn't say anything
about it shutting down Explorer.exe, and yet, the computer is running fine,
now...with one exception...

Something is preventing a connection to the MS Exchange server. I can PING
it by IP or FQDN, but not access it, even to check the username when trying
to set up the user's profile in Outlook.

I tried logging out and logging in as another user, to set a profile up
(mine), and see if I could contact the Exchange 2003 sever then. No luck.

I uninstalled MS Office 2000 with the Office Removal Utility, rebooted,
re-installed MS Office 2000. No go.

I upgraded from MS Office 2000 to MS Office 2003 Pro (Retail Upgrade).
STILL can't make a connection with Exchange Server.

I noted that when I upgraded from Office 2000 to Office 2003, it asked me
which previous versions of Office software I wanted to remove. ALL Office
applications were checked (including Outlook), but Outlook 2000, and Outlook
alone, was "grayed out", so I couldn't make any changes to the checkbox.

Any other ideas?

-David

Lodear is a nasty bugger!

 

[David Reed]

I'm not familiar with Lodear...first time I've ever heard of it, when this
happened...

 

[Daniel Tate]

I'm not familiar with Lodear...first time I've ever heard of it, when this
happened...

I've had a fight or two with it; makes me want to support capital
punishment for malware writers.