cwalker21

After reboot xp logs on logs off


College daughter's Dell Latitude D620 laptop infected with rogue Antivirus Live (smss32.exe). SAS found and removed. I got a message to reboot to complete removal and did so. Now when logging on, desktop background shows briefly, then it logs off ('Saving your settings...Logging off'). This happens with all users and all Safe Mode options. I can enter Recovery Console with boot from XP cd, and confirmed existence of userinit.exe in the System32 folder.

Any suggestions would be most welcome.

Chris


Never mind, I guess. Somehow I had forgotten the XP boot from CD thing where Recovery Console really isn't the place to go for repairs. You have to go to Install and select Repair. Makes you wonder about the way the brains at Microsoft work. Anyway, ran the Repair Installation thingy, and the old machine booted without logging off instantaneously. Of course it's never easy to exit the Windows Wilderness, so Firefox couldn't connect to anything even though the wireless connection looked fine. Shockingly, IE, which I never use, fixed it with Tools/Diagnose Connection Problems. It is always good to have one's assumptions challenged; humility is under-experienced these days.

I have to say I think I like the SAS product, but I am still wondering if I should have said yes to the restart message after removing the evildoers.

Chris


Seth--She was running AVG Free 9.0. I switched to Avira Free after the incident.

Please explain what chkdsk does that might address the rogue infestation. Thanks.

Chris


You're welcome.

However, I never stated that chkdsk addresses a rogue.

Chkdsk can often repair Windows file system errors that prevent proper startup, or the need to resort to a repair install.


Seth--Got it, thanks for the clarification.

I hope you and the other helpers may be around Saturday; she thinks the ugly thing is back. I wonder if the rogue may be in a song she downloaded from who knows where. Does that make any sense? If so, how might I determine that? I plan to back up her key data (90% music & pictures, 10% school related docs) to a desktop unit, get rid of current restore points, delete her current user and create a new one without administrator rights for everyday use. During the infestation, Malwarebytes would not work. Should I use that in conjunction with SAS, and should I uninstall/reinstall MWB first? Any suggestions on the plan of attack would be appreciated. Thanks.

Regards,

Chris


Your "plan of attack" is not only drastic, but probably won't work. Reason being, any rogue worth its weight will load regardless of a new user account.

The infection will be easy to clean (I do it every day), but the process I use may be in violation of this forum's policy. As such, I have to refrain from giving you further advice until my concerns are addressed with the admins.


@Seth - it's not against any policy to help a user - we like to run diagnostics so we can catch any portion of an infection that is missed.

@User - if you would submit a support request here, we can run a diagnostic and find out exactly what is infected and update our definitions to remove the threat:

https://www.superantispyware.com/csrcreateticket.html


We are back to the log on-instant log off routine. The only way in is XP Recovery Console. Ran chkdsk, got message 'The volume appears to be in good condition and was not checked.' Should I run chkdsk /p?


I found an Autorun entry Ffuzevad run from oquyijike.dll at Startup C:\Windows. Deselecting in sysinternals Autoruns doesn't stop it, it's there when I go back in. No search engine I have tried yields any results for either term. Suggestions?


Chkdsk will not likely fix a shutdown problem. However, it doesn't hurt to run a chkdsk occasionally, but use the "R" switch as that will physically check the disk's surface.

Also, you can try going into Safe Mode With Networking, updating SAS, then run a complete scan.


I got exactly the same problems on my HP desktop. My PC was infected with worm32.netsky and using SAS to scan, it showed smss32.exe as one of the infected. So I ran in safe mode and proceeded to clean the infected with SAS. After that, I couldn't log in successfully. Every time I tried to login, it would go "loading settings etc", then log off.

I tried to reboot in Safe Mode but the same thing happens. Even rebooting in Safe Mode with command prompt or networking won't help. My PC is admin locked so my solutions are limited.

Somebody at SAS pls help!!

ng@alum.com


Here's what you need to do. This is a little bit complicated, but I've run into this problem before. What has happened is that your registry is not pointing to userinit.exe when you logon. To change this you can either slave the hard drive to another computer and load the hive, or download BartPE http://www.nu2.nu/pebuilder/ as this will be a much faster way in the future if it happens again. Either way, here's what you need to do.

NOTE: IF YOU'VE NEVER MESSED WITH REGISTRY CHANGES, BE VERY CAREFUL, AS DELETING ANYTHING OTHER THAN TOLD WILL LEAD TO YOUR SYSTEM BEING IRRECOVERABLE.

Open up the registry editor by clicking on START, RUN, then type in REGEDIT.

Highlight HKEY_LOCAL_MACHINE.

Click on FILE, then LOAD HIVE.

Locate your hard drive, then go to the following folder. C:\windows\system32\config\ (Note: Sometimes the folder may be hidden. Just type the folder name in the file box and hit ENTER.)

Select the file labeled SOFTWARE

It will ask you for a name, for this let's name it SoftTest.

Now, let's go to the following folder in the registry tree. HKEY_LOCAL_MACHINE\SoftTest\Microsoft\WindowsNT\CurrentVersion\Winlogon\

On your right side, you will see the following REG_SZ key: Userinit

Double click on the name, and change the Value Data to "C:\Windows\system32\userinit.exe," (without the quotations, but make sure the comma is in there!)

If this key was anything else besides the Value Data I provided, that would be your issue.

Now, highlight our original folder of SoftTest, click on FILE, and this time click UNLOAD HIVE.

Exit the registry editor and reboot, (or if you slaved the drive, shut down and hook the drive back up)

I hope this has been helpful to you!

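The post above hinges on what the Winlogon Userinit value contains, and a later reply notes that more than one file may be loading through it. The following is an added example, not code from the thread or from SUPERAntiSpyware: it parses a Userinit REG_SZ string the way Windows does (a comma-separated list, each entry launched at logon) and reports whether the genuine userinit.exe is present and whether anything else rides along. The registry path is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; the sample values are constructed, and wasupdate.exe is used only because the thread mentions that name.

```python
# Added example: offline check of a Winlogon "Userinit" value. Windows treats
# the data as a comma-separated program list and runs each entry at logon; if
# the genuine userinit.exe is missing or the listed file does not exist, the
# session logs off immediately, which is the symptom described in the thread.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def parse_userinit(value):
    """Split the REG_SZ data into entries, dropping whitespace and the empty
    entry produced by the conventional trailing comma."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_userinit(value, expected=EXPECTED_USERINIT):
    """Classify entries as the genuine userinit.exe or as extra programs.
    The comparison is case-insensitive because Windows paths are; the value
    is 'ok' only when userinit.exe is present and nothing else is listed."""
    entries = parse_userinit(value)
    genuine = [e for e in entries if e.lower() == expected.lower()]
    extra = [e for e in entries if e.lower() != expected.lower()]
    return {
        "entries": entries,
        "userinit_present": bool(genuine),
        "extra": extra,
        "ok": bool(genuine) and not extra,
    }


# Constructed sample values (hypothetical, not read from any real machine).
SAMPLES = {
    "default": r"C:\Windows\system32\userinit.exe,",
    "extra_program": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\wasupdate.exe,",
    "replaced": r"C:\Windows\system32\wasupdate.exe,",
    "empty": "",
}


def audit_samples(samples=SAMPLES):
    """Return a verdict per sample: 'replaced' and 'empty' reproduce the
    logon/logoff loop, 'extra_program' is the more-than-one-file case."""
    return {name: check_userinit(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        status = "OK" if result["ok"] else "SUSPECT"
        print(f"{name:14} {status:8} entries={result['entries']} extra={result['extra']}")
```

On a live or offline-loaded hive, feed the string read from the Userinit value into check_userinit; a value whose extra list is non-empty is where to look before rewriting it to the default.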

It doesn't work. As mentioned, the PC is admin locked, hence I could not edit the registry. What I did was to use PEbuilder to go to a command prompt, and copy userinit.exe to wasupdate.exe. But the situation remained the same.


How about running the repair again?

Then go into Safe Mode with networking, update and run SAS/MBAM.


Did the repair many times but no use. As for Safe Mode, useless also as it could not log in at all.

Guess I have to format it.

Can't say I'm impressed with SAS...


Would you be able to use the PEBuilder to load the registry hive? That way you're not in Windows and you shouldn't be locked out of the file. The reason for editing the registry is that there may be more than one file loading via this key.


You have hijacked a thread instead of starting one of your own.

You blame SAS for an issue that has NOTHING to do with SAS. In other words, you could have used any other antimalware program and it would have produced the same results.

An infected computer has no black and white answer...anything goes.


I did this and got it to work. I didn't do exactly what he did, but I used UBCD, which is practically BartPE on steroids. I couldn't load the hives using Run and regedit. That way just displays the content of what is on the running live disk. I did find a regedit (remote) program in the program files that loaded the registry automatically. Went to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ and sure enough it wasn't right. Changed it and rebooted and all was good.

Hope this helps!


Glad to hear that this helped you! I've been working with computers and infections for a while now, and you'll see a lot of weird things. I will say that lately SAS has not been picking them up as well as other programs such as Malwarebytes, but that's just the way it goes. We still install SAS on every computer we sell, and the repair tools that come with the program are priceless! More power to everyone for the war against infection!
