Explorer And Desktop Not Coming Up At Boot


  • This topic is locked
8 replies to this topic

#1 Gcto

Posted 14 August 2008 - 11:25 PM

For the last 2 days I've been trying to fix an XP problem on a friend's machine. He inadvertently opened a "greeting card" and it contained e-card.exe. That installed what I believe was the joke-bluescreen.c malware. McAfee showed it but doesn't seem to be able to get rid of it. I tried restore, but the malware either did not allow us to get to the restore points or had deleted them...there were none (restore was enabled).
After reading and trying a variety of things we ran ComboFix based on the instructions and it seemed to have got rid of the problem. The screen was open again and we could reset the background.
However, since then, the following happens: When booting the machine, he gets the logon screen, then a blank desktop (no icons, no taskbar, nothing). But the machine seems to be working in the background. CTRL-ALT-Del brings up the Task Manager and we can start explorer.exe from there. Desktop, taskbar etc. all come up, and all runs seemingly fine. Until the next boot.
I have done the following so far.
As Restore was out of the question I did an sfc scan...no change.
I tried to manually set the shell to explorer, but all was according to defaults.
I set up a new user to see if the profile was corrupt. Nope, same result as the default user.
I installed Windows again (upgrade install over the existing). Same result...no change.
Reinstalled msgina and shgina.dll (just a hunch, but no difference).
Ran housecall.trendmicro, found a few spyware items, but nothing important, and after deleting those...still no change.
Tried the fix on kelly-korner-xp to reset the msgina...still no change (this script couldn't fix the msgina as it was supposedly a 3rd party gina, but after overwriting it with the Microsoft version it still listed this as a 3rd party).

Ran HijackThis and still no result. A scan of the log file did not result in anything glaringly wrong.

Again, after starting explorer.exe in Task Manager all seems to work fine.
Tried to install Microsoft Defender as well...but can't due to an error with Windows Installer (haven't figured out where this is coming from).

He is running Spy Sweeper (didn't prevent it), McAfee (didn't prevent it), he ran adware and Spybot...before we did the ComboFix...nothing.

What can we do ?
Thanks


#2 projectfocus

Posted 15 August 2008 - 04:56 AM

I would say that this is a knock-on effect of the virus and it not loading Windows properly. The root cause of these issues is normally hard to find. It could be a changed registry item and/or file replacement that could cause these sorts of issues. Finding them is a very difficult procedure. Do you have a backup? I would advise taking off all files you want to keep onto a memory stick and/or external drive and restoring from a backup. If these don't exist I would do a reinstall of Windows. This is the safest plan as the virus could still be running in the services somewhere. If the HijackThis log has been created and the team on here found no issue I would say this is def your best choice.

Although you could use a boot CD and run a separate scan from that, it would all end up taking longer. After all, a system clean out is always good to speed up the machine.

#3 Gcto


Posted 15 August 2008 - 11:41 AM

Did an install over the existing one....Upgrade install....problem did not disappear.

#4 Gcto


Posted 16 August 2008 - 11:37 PM

Is there anyone out there who might have some ideas what to do ?

Thanks

#5 usasma


Posted 17 August 2008 - 06:44 AM

Since you did the upgrade install (also known as a repair install), all of the critical system files have been replaced. As such, this means there's something else affecting this. It's also a good indication that the system is still infected - or that there are remnants of the infection left on the system.

Can you get into Safe Mode and does the problem still exist there?
Have you tried locating the System Restore points from outside of Windows (with the Recovery Console or another bootable CD)? If they're still there, you can try a manual system restore.
Once in Windows you can use this free app to check the stuff that starts with Windows: http://www.microsoft.com/technet/sysintern...s/Autoruns.mspx
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
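The Winlogon values that post #1 describes checking by hand (the shell setting and the GINA DLL) can be compared against their defaults in one pass. This is an added example, not part of the thread: a Python check over saved `reg query` output that goes slightly beyond the posts by also covering Userinit and a per-user Shell override. The expected defaults assume a stock Windows XP install in C:\WINDOWS, and the sample input and its placeholder paths are constructed.

```python
import re

# Windows XP defaults for the logon chain (assumes Windows lives in C:\WINDOWS).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return keys

def audit_winlogon(text):
    """Return findings for Winlogon values that differ from the defaults."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().endswith(r"\currentversion\winlogon"):
            continue
        shell = values.get("shell")
        if key.upper().startswith("HKEY_CURRENT_USER"):  # per-user value wins
            if shell is not None:
                findings.append(f"HKCU Shell override: {shell}")
            continue
        if (shell or "").lower() != DEFAULT_SHELL:
            findings.append(f"HKLM Shell is {shell!r}")
        userinit = (values.get("userinit") or "").lower().rstrip(", ")
        if userinit != DEFAULT_USERINIT:
            findings.append(f"HKLM Userinit is {values.get('userinit')!r}")
        gina = values.get("ginadll")  # absent by default; msgina.dll is stock
        if gina and gina.lower() != "msgina.dll":
            findings.append(f"Third-party GINA registered: {gina}")
    return findings

# Constructed sample, not taken from the machine discussed in the thread.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\placeholder\extra.exe,
    GinaDLL    REG_SZ    placeholder_gina.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    C:\placeholder\not-explorer.exe
"""
print("\n".join(audit_winlogon(SAMPLE)))
```

To use it on a real machine, save the output of `reg query` for both Winlogon keys to a text file and pass its contents to `audit_winlogon`.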

#6 Gcto


Posted 17 August 2008 - 07:21 PM

Thanks USASMA for your help so far, worked a bit more on this today and still no luck,

Yes, the problem persists in Safe mode as well. But there are some more puzzling things which might help you to get to the root.

I ran Malwarebytes today and found 6 more issues all related to the rogue.Wallpaper and Antivirus 2008 issues. Deleted those, but the system still comes up with a blank desktop.
After invoking Task Manager and then explorer, the system seems to come up fine, but we are not able to install any system related files. During the reinstall of XP, it reverted to IE6. We are not able to install IE7. The system downloads, works on the install and then fails at the end with "Unable to install IE7".
Same with Defender. Same with the update to SP3.
I tried to unreg the msiexec and regserv it again...no luck. Running the kellys-korner-xp utility to reset the desktop worked fine this time (didn't run before the Malwarebytes run), but the result is still a blank desktop.

Installing other programs works fine, just not anything systems related from SP3 to google toolbar, everything fails.

I tried to locate old restore points, but there is nothing before 8-12 when the e-card.exe file got installed. This malware wiped out all of the previous restore points.


What could it be ?

#7 usasma


Posted 18 August 2008 - 02:46 PM

I'm going to move this over to the Am I Infected forum so the experts there can help you to ensure that the system is clean. It must be clean before we attempt to repair things - otherwise we'll be beating our head against the wall trying to fix something that the malware is continually messing up.

#8 Gcto


Posted 18 August 2008 - 07:14 PM

OK, a little bit more success here.
As mentioned before, couldn't install Defender and some other programs. I ran Malwarebytes again, didn't find anything.
Then ran Backlight and it highlighted a process in the device manager, vvvfvfvv, which supposedly was a legacy driver. I took this out, rebooted and it was back again. Tried to get it out of the registry...no luck.
Then renamed it, and rebooted...then was able to clean it out. Since then, I can install Defender and also Spam Assassin. Spam Assassin found another root problem and deleted it.
Was able to install IE7 in Safe Mode.

Still can't install Windows updates and Desktop is still not coming up, nor the task bar.

#9 Orange Blossom


Posted 18 August 2008 - 09:05 PM

Hello Gcto,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/163960/blank-desktop-no-taskbar-unable-to-install-updates/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: