63Busman

Unable to log in after scan?

Ran SUPERAntiSpyware tonight and now I'm unable to log on. Running XP sp3. Can't get in using safe mode and CD drive is no longer working. Have tried doing a repair install using the XP disk. No clue what to try next.

Andy


Swapped CD drives and drive now works. Tried to do a repair install of XP and it asks for an Administrator Password. I do not have an Admin Password on the administrator - blank. Problem is nothing I type in for Administrator Password when trying to do the repair/reinstall works. Any ideas?

Do you have McAfee on your system?


Is there a way to undo the last SUPERAntiSpyware scan? I'm guessing that it'd be tough to do without being able to log on. Repair install of XP hangs up with C:\WINDOWS\ on the screen and will not finish. Have tried restarting in last known good mode and no luck there either. Any help greatly appreciated!


Are you using McAfee?

In post #2 you said you logged in and it logs you back out, so when you get to the part of the recovery section that you posted about in post #3, use the same password you used to log in that you were using from post #2. If that doesn't work, then when the recovery console asks for a password don't try typing anything in; just leave it blank and hit the Enter key. You will have three chances before Windows restarts itself.

It sounds like you had a really bad malware infection that had changed a value of the Winlogon registry key. To check the key you will have to boot from a live CD or slave the drive in another computer. The key should look similar to this:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane of the registry editor, the userinit value should be:

C:\Windows\System32\Userinit.exe,

(the value includes the comma on the end)

OK. How do I get to the recovery console? I was trying to reinstall the OS using the Dell disk and doing the repair option. Shouldn't the Dell OS disk be a bootable disk? I can probably slave the drive tonight if I have to but am probably going to need some really good directions for what I need to do. Thanks a bunch!


Note: Always make a backup of your files. If you don't have a complete understanding of what needs to be done, then don't try to change it; exit out and ask someone for more help. Editing the Windows registry keys can be a dangerous task because it saves automatically. Make sure you know what you are changing; some changes may be irreversible, and you could only change it back if you remember the old value. Always make a backup of your files.

To use the Windows Recovery Console you will need to have a Windows OS disc or have the Recovery Console already installed on your computer. You cannot check the registry from the Recovery Console; the Recovery Console is used to replace missing files and do other repairs. The Dell disc should not be a Windows OS disc; it should be a restore disc that is used to restore your computer's files back to the way they were when you got the computer. If you use the Dell restore disc it may delete all of your data.

Before you try slaving the disc it would be easier to just boot from a live CD like "BartPE" or "PCRegedit" etc. The link to BartPE describes how to "Verifying and fixing the Userinit value in the registry" like what I posted about.

If you want to slave the drive and load the registry, here are "some really good directions" I copied for you on how to do it.

1. Slave the drive that contains the bad registry you want to edit to a computer as a data drive.

2. On the computer you are using for the editing, start regedit.exe

3. Highlight the HKEY_LOCAL_MACHINE (HKLM) key and click File->Load Hive. For all keys/files being edited, HKLM, on the host computer, is the key under which to load.

4. Navigate to the registry hive you wish to edit on the drive you connected in step 1 and double click the hive. Although you can edit any of the 5 (at least theoretically), the useful hives to edit are: SOFTWARE, SYSTEM, DEFAULT and for the HKCU key, NTUSER.DAT. The first three files will be located in %windir%\system32\config. As mentioned in the preamble, for NTUSER.DAT, you can, if you choose, edit any user while this drive is connected as a data drive (as it is now) or while the target installation is actually running. %windir% is normally \Windows.

5. You will be prompted for a name for the hive. I use the letter "a" so that the new key (under HKLM) will be listed first, or you can call it whatever; it is only temporary.

6. Edit to your heart's content.

7. When finished, move to the top level of the named key ("a"), and click File->Unload Hive. DO NOT SKIP THIS STEP.
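
The hive-loading steps above can also be scripted as a read-only check of the Userinit value. This is an added example, not part of the original post or of any tool named in the thread; the drive letter `E:`, the parameter names and the backup file name are assumptions, and it must be run from an elevated PowerShell prompt on the computer the drive is slaved to.

```powershell
# Added example (not from the thread): read-only check of Winlogon\Userinit
# in an offline SOFTWARE hive. Drive letter and parameter names are assumptions.
param(
    [string]$OfflineWindows = 'E:\WINDOWS',  # assumed path of the slaved drive's Windows folder
    [string]$TargetWindows  = 'C:\Windows',  # path as the offline installation sees itself
    [string]$TempName       = 'a'            # temporary key name under HKLM (step 5)
)

$hive     = Join-Path $OfflineWindows 'system32\config\SOFTWARE'
$expected = "$TargetWindows\System32\Userinit.exe,"   # trailing comma is part of the value
# The SOFTWARE hive is mounted at HKLM\<TempName>, so there is no "Software" path component.
$subKey   = "$TempName\Microsoft\Windows NT\CurrentVersion\Winlogon"

if (-not (Test-Path -LiteralPath $hive)) { throw "Hive not found: $hive" }

# Keep a copy of the hive before mounting it.
Copy-Item -LiteralPath $hive -Destination "$hive.bak-$(Get-Date -Format yyyyMMddHHmmss)"

& reg.exe load "HKLM\$TempName" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (not elevated, or HKLM\$TempName already in use)" }

try {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)   # opened read-only
    if ($null -eq $key) { throw "Winlogon key not found in the loaded hive" }
    try {
        $actual = $key.GetValue('Userinit', $null, 'DoNotExpandEnvironmentNames')
    } finally {
        $key.Close()   # an open handle would make the unload below fail
    }
    [pscustomobject]@{
        Hive     = $hive
        Userinit = $actual
        Expected = $expected
        Matches  = ($actual -ieq $expected)   # Windows paths compare case-insensitively
    }
} finally {
    # Step 7: always unload, even if the check threw.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$TempName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Unload failed; unload HKLM\$TempName by hand in regedit." }
}
```

A `Matches` of `False` means the value differs from the one quoted earlier in the thread; the script reports it and changes nothing.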


Since it's my first post, I want to first thank the developers for a great product. Now on to my question.

SUPERAntiSpy, you asked earlier if the OP had McAfee on his system. I'm in a similar situation WITH McAfee on my XP (SP3) system. I performed a scan with SUPERAntiSpyware and found several malware/viruses that needed to be removed. (I had previously scanned with MSE, Spybot, & Avira and removed all detections, so I was surprised by the number that SAS found.) I allowed SAS to remove the checked items, and I was prompted to reboot the system after their removal. Upon rebooting all user accounts (five) plus a newly visible Administrator account were displayed, but each is password protected, and previously no account had a password. I tried to reboot into Safe Mode, but at the F8 screen, where normally I can select Safe Mode, no option is presently selectable. I've searched fairly extensively for a solution and perhaps the best for my circumstances would be to use Offline NT Password & Registry Editor to see if I can turn off the passwords on the accounts. But before I start tinkering any more, I wanted to see if there is perhaps a SAS-McAfee interaction that is responsible for my present predicament (locked out of my system). Any help would be greatly appreciated.


I haven't heard of any conflicts with SAS and McAfee.

Have you tried just leaving the admin password blank on both the log in and repair install?

What do you mean by "no option is selectable" when attempting Safe Mode?

Thanks for the quick response. The "no option is selectable" issue is no longer an issue. I am working with the machine remotely, and the person whom I was instructing somehow believed (correctly or incorrectly) that he could not select any of the on-screen options after pressing F8. I had him use Offline NT Password & Registry Editor last night to remove passwords, and once he had rebooted back to the Safe Mode option screen he found he could select all the options. I don't know what--if anything--had changed, but it now works. Nevertheless, all accounts are password-protected in Safe Mode so I'm as stuck there as I am at the normal log in screen.

I have tried leaving the password blank and that did not work. Resetting all passwords (with ONTP&RE) did not work. Each account was still password-protected after booting back to the log in screen. I have the latest Hiren's Boot CD (12.0) so I can boot with that to make changes to the registry if you can suggest anything I might fix there.

My reason for initially asking about conflicts with SAS & McAfee is the question that both SUPERAntiSpy & B Trevathan asked earlier in the thread. Why they asked is unclear to me, but the fact I have McAfee on that system prompted me to ask. It suggests to me that those two may suspect that McAfee had a hand in locking the OP out of his machine after the SAS scan.

I'm still stuck in the same predicament. What course of action would you recommend at this point?
