Win7 almost loads desktop (after malware cleanup)

ftcnet

My friend brings me his Win7Pro laptop with some newish variant of the Ukash malware (Trojan.Winlock). System Restore didn't work, so I used the Admin account to run a Malwarebytes scan, which helped. His usual login account (Fred) has admin privs, but just before it should load the desktop, it shows a black screen with just a CMD (DOS window) at the C:\Windows\system32 prompt. Typing 'explorer' loads the desktop as expected.

The Admin login goes to the desktop with no problem, but the Fred (admin) login stops at CMD (DOS window) and requires the 'explorer' command to proceed to the desktop.

The registry entry Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ had an AUTOBOOT entry to some random named file, which I removed. Apparently there's still something else I need to find.

Any suggestions or ideas on how to resolve this would be most appreciated. Thanks,
 

Please run Autoruns and then click on File > Save. Save the file in .arn format and upload it here. Will have a look.
 

In Fred's account, check:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
 

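The keys named in the reply above, together with the Command Processor key from the first post, can be read in one pass from the affected profile, which is the hive that differs between the working Admin login and Fred's. The PowerShell below is an added example, not something posted in the thread; the `$HiveRoot` parameter and the `Get-LogonPersistence` name are hypothetical, and it only reads values.

```powershell
# Added example (not from the thread): read-only dump of the per-user
# logon persistence values the replies ask about.
# $HiveRoot is an assumption: 'HKCU:' when run inside the affected account,
# or 'Registry::HKEY_USERS\<name>' for a profile hive loaded with "reg load".
param([string]$HiveRoot = 'HKCU:')

$checks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Only = 'Shell' },
    @{ Key = 'Software\Microsoft\Command Processor' }
)

function Get-LogonPersistence {   # hypothetical helper name
    param([string]$Root, [object[]]$Checks)
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($c in $Checks) {
        $path = "$Root\$($c.Key)"
        if (-not (Test-Path -LiteralPath $path)) { continue }   # key absent
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            if ($c.Only -and $name -ne $c.Only) { continue }
            # Raw data, so %VARIABLES% in REG_EXPAND_SZ values stay visible
            $data = $key.GetValue($name, $null, $raw)
            $note = ''
            if ($c.Only -eq 'Shell' -and "$data".Trim() -ne 'explorer.exe') {
                # A per-user Shell value replaces the machine-wide shell for this user
                $note = 'REVIEW: per-user shell is not explorer.exe'
            } elseif ($c.Key -like '*Command Processor' -and $name -eq 'AutoRun') {
                # cmd.exe runs the AutoRun data each time it starts (see cmd /?)
                $note = 'REVIEW: executed on every cmd.exe start'
            }
            New-Object PSObject -Property @{
                Key = $c.Key; Name = $name; Data = $data; Note = $note
            }
        }
    }
}

Get-LogonPersistence -Root $HiveRoot -Checks $checks |
    Select-Object Key, Name, Data, Note | Format-List
```

Entries under Run and RunOnce are listed without a verdict, since legitimate software also registers there; each one needs to be checked against what is installed on the machine.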
Display a screenshot of Fred's HKEY_CURRENT_USER\Software\Microsoft\Command Processor
 

Thanks all for the replies with useful suggestions. Fred says his boss is getting him a new laptop, so he's OK with it the way it is until the new laptop arrives in a day or so.
 
