Can't get past login page - virus?

Big Bill

Hi, I opened a couple of those fake CNN emails and thought they were
comedy spoofs, which in a way I suppose they were. Anyhoo, I had
trojan problems but fixed them.

Several days later, after turning machine on and off a few times, it
crashed a little too often for my liking and I thought this might be
because it was due for some tuning so I ran Registry Healer. Then I
optimised the registry using NTregopt. Then I rebooted. Now I can't
get past the login screen. There's no password set by myself, I should
point out. Now it asks for a password and obviously whatever I input
is wrong. This sounds like a virus to me. How do I get past this
please? I have XP Pro SP3. It's the same in safe mode.

BB
 
Frank Saunders MS-MVP IE,OE/WM

Big Bill said:
Hi, I opened a couple of those fake CNN emails and thought they were
comedy spoofs, which in a way I suppose they were. Anyhoo, I had
trojan problems but fixed them.

Several days later, after turning machine on and off a few times, it
crashed a little too often for my liking and I thought this might be
because it was due for some tuning so I ran Registry Healer. Then I
optimised the registry using NTregopt. Then I rebooted. Now I can't
get past the login screen. There's no password set by myself, I should
point out. Now it asks for a password and obviously whatever I input
is wrong. This sounds like a virus to me. How do I get past this
please? I have XP Pro SP3. It's the same in safe mode.

BB
--

http://www.kruse.co.uk/seo-services.htm
http://www.kruse.co.uk/internet-marketing-uk.htm
http://www.here-be-posters.co.uk/

Do a thorough check for malware, following all of the steps at one of these
Web pages.
Help with malware:
All MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315

So How Did I Get Infected Anyway?
For quite a few people it's by installing programs like Messenger Plus,
whose ads for malware don't identify the malware as such and try to convince
you that you owe it to the author. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along. Don't install any extras you're not sure
of.
 
Big Bill

Frank Saunders MS-MVP IE,OE/WM said:
Do a thorough check for malware, following all of the steps at one of these
Web pages.
Help with malware:
All MS-MVP Sites.
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/darnit.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Unexplained computer behavior may be caused by deceptive software.
http://support.microsoft.com/kb/827315

So How Did I Get Infected Anyway?
For quite a few people it's by installing programs like Messenger Plus,
whose ads for malware don't identify the malware as such and try to convince
you that you owe it to the author. See also:
http://www.wilderssecurity.com/showthread.php?t=27971
Don't ever do a "default" install of anything. Always choose Custom and see
what else is being carried along. Don't install any extras you're not sure
of.

Frank, I suspect that was a knee-jerk response post - I did say that I
don't have access to Windows, not even to safe mode. None of the above
applies to me. When I try to boot into safe mode with command prompt,
I can't enter safe mode even as I still can't get past the login
screen. I suppose it could be a problem with the machine but my
money's on a virus for now, a sleeper one if you will. So, I think I
should be booting from the CD-ROM and running a virus check from there
- what will do that best please? Anyone?

BB
 
Malke

Big said:
Hi, I opened a couple of those fake CNN emails and thought they were
comedy spoofs, which in a way I suppose they were. Anyhoo, I had
trojan problems but fixed them.

Several days later, after turning machine on and off a few times, it
crashed a little too often for my liking and I thought this might be
because it was due for some tuning so I ran Registry Healer. Then I
optimised the registry using NTregopt. Then I rebooted. Now I can't
get past the login screen. There's no password set by myself, I should
point out. Now it asks for a password and obviously whatever I input
is wrong. This sounds like a virus to me. How do I get past this
please? I have XP Pro SP3. It's the same in safe mode.

You can try virus/malware scanning from outside of Windows. Do this by
either pulling the drive and slaving it in another computer (or put it in
an external USB enclosure and attach it to another computer) OR create a
bootable Linux-based CD or Bart's PE and scan from it. Here are two rescue
disks that might work:

http://www.avira.com/en/support/faq/details.html?id=230
http://www.f-secure.com/weblog/archives/00001474.html

You might also be able to fix the winlogon/userinit.exe entry by loading the
registry hives with a Bart's PE or other rescue disk such as ERD Commander
(discontinued, expensive when available).

However, because you used a registry cleaner all bets are off. See this
thread for why you should never use a registry cleaner:

http://aumha.net/viewtopic.php?t=28099

Only you know your level of computer skill and whether the above is
something you can try. The alternative would be to retrieve your data (if
not previously backed up) with one of the aforementioned methods and then
clean install Windows OR take the machine to a local computer professional
(who may still need to wipe and reinstall). I don't recommend using a
BigComputerStore/GeekSquad type of place.

Malke
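
An added example, not part of Malke's post or of any tool named in the thread: after the offline SOFTWARE hive has been loaded from a rescue environment (for example with `reg load HKLM\OFFLINE <path to config\software>`) and the Winlogon key dumped with `reg query`, this Python script compares the Userinit and Shell values with stock XP data. The mount name OFFLINE, the C:\WINDOWS install path and both sample dumps are assumptions constructed for illustration.

```python
import re

# Stock Windows XP data for two values under
# ...\Microsoft\Windows NT\CurrentVersion\Winlogon (assumes C:\WINDOWS).
STOCK = {
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

def parse_reg_query(text):
    """Map lower-cased value names to their data from reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def check_winlogon(text):
    """Return findings for Userinit and Shell; an empty list means stock."""
    values = parse_reg_query(text)
    findings = []
    for name, allowed in STOCK.items():
        if name not in values:
            findings.append(f"{name}: value missing")
            continue
        # Userinit is a comma-separated list; stock data ends with a comma.
        entries = [e.strip() for e in values[name].split(",") if e.strip()]
        if not entries:
            findings.append(f"{name}: value empty")
        for entry in entries:
            if entry.lower() not in allowed:
                findings.append(f"{name}: unexpected entry {entry}")
    return findings

# Constructed samples of reg query output from a hive loaded as HKLM\OFFLINE.
KEY = "HKEY_LOCAL_MACHINE\\OFFLINE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
STOCK_SAMPLE = KEY + (
    "    Shell\tREG_SZ\tExplorer.exe\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,\n"
)
ALTERED_SAMPLE = KEY + (
    "    Shell\tREG_SZ\tExplorer.exe\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\example-helper.exe,\n"
)

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_SAMPLE), ("altered", ALTERED_SAMPLE)):
        print(label, check_winlogon(sample) or "matches stock XP values")
```

A finding only means the value differs from a stock install; some legitimate software changes these values, so each entry still needs checking before it is edited.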
 
Big Bill

Hi there Malke,
Malke said:
You can try virus/malware scanning from outside of Windows. Do this by
either pulling the drive and slaving it in another computer (or put it in
an external USB enclosure and attach it to another computer) OR create a
bootable Linux-based CD or Bart's PE and scan from it. Here are two rescue
disks that might work:

I used Barts. I forgot I had it. What I did, I tried a password reset
program I bought from the web which didn't work. It was designed to
work in instances where the passwords had been frazzled by registry
problems, assuming I understood it right. The makers did mention that
there was a virus creating the same symptoms and it might be that was
the problem, if so they offered a downloadable free solution, which
turned out to be Barts, I believe, I never got it loaded. They said to
restore an older version of the registry with it, and I used my copy
of Barts to do exactly that. I got my computer back - yay!


Malke said:
http://www.avira.com/en/support/faq/details.html?id=230
http://www.f-secure.com/weblog/archives/00001474.html

You might also be able to fix the winlogon/userinit.exe entry by loading the
registry hives with a Bart's PE or other rescue disk such as ERD Commander
(discontinued, expensive when available).

However, because you used a registry cleaner all bets are off. See this
thread for why you should never use a registry cleaner:

http://aumha.net/viewtopic.php?t=28099

The registry cleaner I use does make a backup of the registry. I see
comments about full and partial backups being merged and I can't say
which old registry version I used, apart from it was dated very
recent. I don't know what program I have that creates them, there's a
load of recent ones anyway. They seem to be automatically created by
something.

I also tried to do system restore from the command prompt and nothing
happened. I tried C/Windows/system32/restore/rstrui.exe and it just
went to C/Windows/system32/restore/, nothing got restored at all,
there was no system restore screen came up, not even a weird one like
I was expecting.

So I was a bit miffed about that. While I was in there somewhere I ran
Spybot 1.5 a few times. I noticed that every time I booted I got
registry changes again so I suspect something's lurking in there still
waiting to pounce. I don't think I'm out of the woods on this one.

I'll probably be back with more info.

BB
 