Posted 14 August 2008 - 11:25 PM
For the last 2 days I've been trying to fix an XP problem on a friend's machine. He inadvertently opened a "greeting card" and it contained e-card.exe. That installed what I believe was the joke-bluescreen.c malware. McAfee showed it but doesn't seem to be able to get rid of it. I tried restore, but the malware either did not allow access to the restore points or had deleted them...there were none (restore was enabled).
After reading and trying a variety of things we did run combofix based on the instructions and it seemed to have got rid of the problem. Screen was open again and we could reset the background.
However, since then, the following happens: When booting the machine, he gets the logon screen, then a blank desktop (no icons, no taskbar, nothing). But the machine seems to be working in the background. CTRL-ALT-Del brings up the task manager and we can start explorer.exe from there. Desktop, taskbar etc. all come up, and all runs seemingly fine. Until the next boot.
I have done the following so far.
As Restore was out of the question I did an sfc scan...no change
I tried to manually set the shell to explorer, but all was according to defaults.
I set up a new user to see if the profile was corrupt. Nope, same result as default user
I installed Windows again (upgrade install over the existing). Same result...no change
Reinstalled msgina and shgina.dll (just a hunch, but no difference)
Ran housecall.trendmicro; it found a few spyware items, but nothing important, and after deleting those...still no change.
Tried the fix on kelly-korner-xp to reset the msgina...still no change (this script couldn't fix the msgina as it was supposedly a 3rd party gina, but after overwriting it with the Microsoft version it still listed this as a 3rd party).
Ran Hijackthis and still no result. A scan of the log file did not result in anything glaringly wrong.
Again, after starting explorer.exe in taskmanager all seems to work fine.
Tried to install Microsoft Defender as well...but can't due to an error with Windows installer (haven't figured out where this is coming from).
He is running spysweeper (didn't prevent it), McAfee (didn't prevent it), he ran adware and spybot...before we did the combofix...nothing.
What can we do?