Can't Logon

Skye

After a trojan was cleaned on my PC running XP Home I can no longer get back
into the operating system. I can't get past the logon screen using either
Administrator or User, nothing happens it just says logging on then
immediately logs off and I can't get into safe mode either. I remember seeing
that the trojan was in Windows User Logon Hotkey Registry, not necessarily in
that order though. Any advice guys?
Thanks, Skye.
--
 
Elmo

Skye said:
After a Trojan was cleaned on my PC running XP Home I can no longer get back
into the operating system. I can't get past the logon screen using either
Administrator or User, nothing happens it just says logging on then
immediately logs off and I can't get into safe mode either. I remember seeing
that the Trojan was in Windows User Logon Hotkey Registry, not necessarily in
that order though. Any advice guys?
Thanks, Skye.

Here are a few things to try:

- The registry might've been damaged. Press F5 repeatedly during the
Reboot, and select "Last Known Good Configuration".

- Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available. It prompts you to insert a CD and burns the file, no problem.

- Try a Repair Install of XP.
http://michaelstevenstech.com/XPrepairinstall.htm
 
Skye

Thanks for info. Last known good config doesn't work either and I don't know
how to check the infected PC if I can't get into the o/s. PC's here don't
come with an installation CD so I can't do a repair. Hmmmmm!!!
Skye
 
Jose

Thanks for info. Last known good config doesn't work either and I don't know
how to check the infected PC if I can't get into the o/s. PC's here don't
come with an installation CD so I can't do a repair. Hmmmmm!!!
Skye

What program(s) did you use to remove the trojan?

Unless you want to try a lot of things, the most efficient way to
troubleshoot and resolve your issue is to come up with (beg, borrow,
copy) a genuine bootable XP installation CD.

Failing that, create a bootable XP Recovery Console CD - which you can
do with no XP media.

Then troubleshoot and resolve the issue.
 
Pegasus [MVP]

Skye said:
After a trojan was cleaned on my PC running XP Home I can no longer get back
into the operating system. I can't get past the logon screen using either
Administrator or User, nothing happens it just says logging on then
immediately logs off and I can't get into safe mode either. I remember seeing
that the trojan was in Windows User Logon Hotkey Registry, not necessarily in
that order though. Any advice guys?
Thanks, Skye.
--

There appear to be two issues here:
a) The virus infection.
b) The logon/logoff loop.

About a): In my opinion, machines that are infected are compromised and
should be reloaded. You will need to decide if it is worth the trouble spending
a lot of time in an attempt at cleaning the machine and perhaps ending up
with an unstable machine. A re-installation would give you a result of
guaranteed quality within a few hours.

About b): This looping behaviour is usually caused by an inability of
Windows to locate the file userinit.exe. The cure depends on your setup:
- It is easy if the machine is networked with another machine and if you
know the Administrator's password.
- It is less easy if you can connect its hard disk as a slave disk (or as a
USB disk) to some other machine.
- It is quite hard if none of the above apply.
"Hard" means that the process is quite complex, possibly difficult to
understand if you're a novice and very time consuming.
 
Jose

There appear to be two issues here:
a) The virus infection.
b) The logon/logoff loop.

About a): In my opinion, machines that are infected are compromised and
should be reloaded. You will need to decide if it is worth the trouble spending
a lot of time in an attempt at cleaning the machine and perhaps ending up
with an unstable machine. A re-installation would give you a result of
guaranteed quality within a few hours.

About b): This looping behaviour is usually caused by an inability of
Windows to locate the file userinit.exe. The cure depends on your setup:
- It is easy if the machine is networked with another machine and if you
know the Administrator's password.
- It is less easy if you can connect its hard disk as a slave disk (or as a
USB disk) to some other machine.
- It is quite hard if none of the above apply.
"Hard" means that the process is quite complex, possibly difficult to
understand if you're a novice and very time consuming.

I would not entertain reinstalling anything until the system is
determined to be unfixable using other methods. That has yet to be
determined.

The userinit.exe may indeed be the problem (I would start there too
given the information so far) and that can be determined and perhaps
fixed in just a few minutes using a bootable XP installation CD or a
bootable Recovery Console CD.

The yet to be determined software used to remove the trojan could also
be the culprit. Some, in their zeal, can render a system inoperative,
but usually easy to fix - once the system boots on something.

Please add ~5-10 minutes to create a bootable XP Recovery Console CD.
Do you need those instructions?

After the system boots properly, more comprehensive scans for
malicious software can be run.
 
Skye

The programme that cleaned the trojan was Mischel Internet Security's Trojan
Hunter.
No-one we know has a bootable XP installation CD unfortunately but I do have
a Factory Recovery DVD bootable CD but I'm not sure if, and how, I can use it
to repair the problem, it's a Norton Ghost CD of the O/S after it was
installed.
Does this help?
 
Skye

I am a novice as far as your resolutions are concerned and it may be that I
will need to do a re-installation. The machine isn't networked either, see my
reply above to Jose re the CD I do have.
Many thanks for your help.
 
Pegasus [MVP]

There appear to be two issues here:
a) The virus infection.
b) The logon/logoff loop.

About a): In my opinion, machines that are infected are compromised and
should be reloaded. You will need to decide if it is worth the trouble spending
a lot of time in an attempt at cleaning the machine and perhaps ending up
with an unstable machine. A re-installation would give you a result of
guaranteed quality within a few hours.

About b): This looping behaviour is usually caused by an inability of
Windows to locate the file userinit.exe. The cure depends on your setup:
- It is easy if the machine is networked with another machine and if you
know the Administrator's password.
- It is less easy if you can connect its hard disk as a slave disk (or as a
USB disk) to some other machine.
- It is quite hard if none of the above apply.
"Hard" means that the process is quite complex, possibly difficult to
understand if you're a novice and very time consuming.

I would not entertain reinstalling anything until the system is
determined to be unfixable using other methods. That has yet to be
determined.

Please add ~5-10 minutes to create a bootable XP Recovery Console CD.
Do you need those instructions?

After the system boots properly, more comprehensive scans for
malicious software can be run.

===========

Please reply to the OP, not to me when your response is meant for him/her.
 
Jose

I would not entertain reinstalling anything until the system is
determined to be unfixable using other methods.  That has yet to be
determined.

Please add ~5-10 minutes to create a bootable XP Recovery Console CD.
Do you need those instructions?

After the system boots properly, more comprehensive scans for
malicious software can be run.

===========

Please reply to the OP, not to me when your response is meant for him/her.

I'll try to do better!
 
Jose

I have no idea how to create a bootable XP CD
--

You can easily make a bootable Recovery Console CD by downloading an
ISO file and burning it to a CD.

This is not the same as a bootable XP installation CD, but it may be all
you need to resolve your issue, and it may come in handy some other
day.

See if you can get this much working:

The bootable ISO image file you need to download is called:

xp_rec_con.iso

Download the ISO file from here:

http://www.mediafire.com/?ueyyzfymmig

Use this free and easy program to create your bootable CD:

http://www.imgburn.com/

It would be a good idea to test your bootable CD on a computer that is
working.

You may need to adjust the computer BIOS settings to use the CD ROM drive
as the first boot device instead of the hard disk. These adjustments are
made before Windows tries to load. If you miss it, you will have to reboot
the system again.

When you boot on the CD, follow the prompts:

Press any key to boot from CD...

The Windows Setup... will proceed.

Press 'R' to enter the Recovery Console.

Select the installation you want to access (usually 1: C:\WINDOWS)

You may be asked to enter the Administrator password (usually empty).

You should be in the C:\WINDOWS folder. This is the same as the
C:\WINDOWS folder you see in explorer.
 
Skye

Thanks for your help. I will have to wait until this evening before I have
time to follow these instructions but first, when I do get into the C/Windows
folder, what will be the advantage as I wouldn't know what to do from
here-on-in?
 
Jose

Thanks for your help. I will have to wait until this evening before I have
time to follow these instructions but first, when I do get into the C/Windows
folder, what will be the advantage as I wouldn't know what to do from
here-on-in?

If you can get that far, and if this issue is the "userinit.exe
issue", we can replace your userinit.exe if it is missing or
corrupted. It could be that your scanning software thought the
userinit.exe was infected and removed it. If you have no
userinit.exe, you will not be able to login - ever. Maybe it was
infected and if so, we will replace it.

It sure sounds like it - you login, loading your personal settings,
then saving your personal settings and back to the login screen, yes?

It is a popular target for malware - fix your system so you can't
login. Ha-ha!

Another symptom of the userinit.exe infection is the registry may be
modified to point to another executable instead of userinit.exe and
the bogus executable was removed by the scan (the scan worked!), but
the registry is still afflicted and pointing to a file that does not
exist instead of userinit.exe. If that is the case, we can fool the
system temporarily to allow you to boot and then fix it properly.

The userinit.exe controls all the logins for all users - regular mode,
and any kind of Safe Mode... This is why "trying" to boot in any kind of
Safe Mode is a waste of time. You can "try" all the Safe Modes if you
want, but it will never work. You can "try" to login as Administrator
but that is also a waste of time and even if any of that worked, what
would you do next? Try some more things?

You can reinstall Windows and all your applications - that will fix it
for sure but is not very convenient and you don't even have an XP
installation CD to do that.

You could "try" to repair XP, but you don't have an installation CD to
do that either.

Is your machine on some network so you can access it from some other
machine? Probably not for the typical home user. You could "try" to
get your computer on some network - then what?

You can take your HDD out and put it in another machine and scan it
there, but why? That is a complicated process if you are not handy
moving around computer hardware. Plus, that will not replace the
userinit.exe. If you got it moved, what would you do next? Try some
more things?

There is too much trying. You need to be doing.

Get your RC disk made and booting, then we can do some things.

While you are waiting, see if you can find a genuine bootable XP
installation CD (not a manufacturer's recovery CD) and make yourself a
copy and put it with your new bootable RC disc.
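
The two conditions described in the post above (userinit.exe missing from disk, or the registry still pointing at a program the scan removed) can be told apart from a working machine. This is an added example, not part of the original thread: it assumes the Winlogon key has been exported to .reg text and that the caller can say which files exist on the affected volume; the file name bogus_example.exe and the sample export are constructed.

```python
import re

# Userinit lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
# The stock XP value is the full path to userinit.exe followed by a comma.
WINLOGON_KEY = r"\microsoft\windows nt\currentversion\winlogon]"

# Constructed sample: a .reg export in which Userinit has been redirected.
# (Real regedit exports are UTF-16; decode them before passing the text in.)
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\bogus_example.exe,"
'''

def read_userinit(reg_text):
    """Return the Userinit value from the Winlogon key, or None if absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Only the Winlogon key itself, not its subkeys.
            in_key = line.lower().endswith(WINLOGON_KEY)
        elif in_key:
            m = re.match(r'"userinit"="(.*)"$', line, re.IGNORECASE)
            if m:
                # .reg text escapes backslashes and quotes with a backslash.
                return re.sub(r"\\(.)", r"\1", m.group(1))
    return None

def audit_userinit(value, exists, windir=r"C:\WINDOWS"):
    """Classify each program listed in Userinit.

    exists: callable taking a lower-cased Windows path and returning True
    if that file is present on the volume being examined.
    """
    expected = (windir + r"\system32\userinit.exe").lower()
    if value is None:
        return [("", "Userinit value is missing")]
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    findings = []
    for entry in entries:
        present = exists(entry.lower())
        if entry.lower() == expected:
            note = "ok" if present else "userinit.exe is missing from disk"
        elif present:
            note = "non-default program started at logon"
        else:
            note = "points to a file that does not exist"
        findings.append((entry, note))
    if expected not in [e.lower() for e in entries]:
        findings.append((expected, "default userinit.exe entry is not listed"))
    return findings

if __name__ == "__main__":
    # Constructed file listing: the scanner removed the bogus program,
    # the genuine userinit.exe is still on disk.
    on_disk = {r"c:\windows\system32\userinit.exe"}
    for entry, note in audit_userinit(read_userinit(HIJACKED_REG), on_disk.__contains__):
        print(f"{entry}: {note}")
```
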
 
Skye

Thanks sooooooooooooooooo much for your time and effort in helping me sort
the problem. With your info and the help of a pal next door, between us we
have managed to get the userinit back into the registry somehow and now I am
up and running again. Ran Spysweeper and Malwarebytes which found numerous
viruses, trojans and other errors which have now been rectified and all seems
ok except for the System Restore, it no longer works. As soon as I access it
a message appears saying I must restart my computer after which the same
message appears again. Any ideas on this one?
 
Pegasus [MVP]

Skye said:
Thanks sooooooooooooooooo much for your time and effort in helping me sort
the problem. With your info and the help of a pal next door, between us we
have managed to get the userinit back into the registry somehow and now I am
up and running again. Ran Spysweeper and Malwarebytes which found numerous
viruses, trojans and other errors which have now been rectified and all seems
ok except for the System Restore, it no longer works. As soon as I access it
a message appears saying I must restart my computer after which the same
message appears again. Any ideas on this one?

Mhm, yes, at the danger of repeating myself: Machines that are/were infected
are compromised and should be reloaded. You will need to decide if it is worth
the trouble spending a lot of time in an attempt at cleaning the machine and
probably ending up with an unstable machine, in particular since your virus
infestation was severe. A re-installation would give you a result of
guaranteed quality within a few hours. Remember also that virus scanners are
good at *preventing* virus attacks but in many cases they cannot possibly
repair the damage done by viruses. When you write "which have now been
rectified" then you're probably kidding yourself.

You also need to ask yourself how your machine got so badly infected. Do
you have a good virus scanner? Is it up-to-date? Do you practise safe hex?
 
Skye

You're right, things just ain't the same but for the time being it's a good
compromise as no doubt I'll eventually end up doing a clean install. My virus
scanner is updated at least once a day, probably more but there was an
occasion when the firewall went missing so maybe things got in during that
period, first time this has ever happened in 10 years so not a bad record eh?
I would like to point out that it would be much more helpful though if you
concentrated on helping solve the problem rather than harping on about what
one should have done/be doing, it's too negative for me.
 
Pegasus [MVP]

Skye said:
You're right, things just ain't the same but for the time being it's a good
compromise as no doubt I'll eventually end up doing a clean install. My virus
scanner is updated at least once a day, probably more but there was an
occasion when the firewall went missing so maybe things got in during that
period, first time this has ever happened in 10 years so not a bad record eh?
I would like to point out that it would be much more helpful though if you
concentrated on helping solve the problem rather than harping on about what
one should have done/be doing, it's too negative for me.

In my first response I listed the options that were available to you to
resolve the userinit.exe problem. I was quite prepared to step you through
the process, as I have done in the past with other posters, in spite of this
being quite difficult and time consuming for a novice. Fortunately you
managed to get the job done with the assistance of your neighbour.

If you use a dial-up modem then it is likely that your machine got infected
while the firewall was down. If you use an ADSL or a cable modem to connect
to the Internet then you need to look elsewhere for the cause of this
incident. ADSL and cable modems form a hardware firewall that protects your
PC very effectively against intruders.

While I understand that you prefer positive words from respondents, keeping
you in blissful ignorance would be irresponsible. I try to keep my responses
factual, and if the facts are not good then I say so. Using encouraging
words won't fix your PC but making the right decisions will.
 
Daave

The most important thing to do before you do anything else is to make
sure all your data is backed up. Perhaps your neighbor can help you do
this. If you need guidance, post back.

I happen to agree with Pegasus that the most prudent course for you is a
Clean Install. Otherwise, you are just taking unnecessary chances.

That being said, as a learning opportunity, have a look at this page:

http://bertk.mvps.org/html/srfail.html

The probable cause of your inability to run System Restore is that the
malware changed key settings, causing this situation. Then again, there
can be other causes, and they can be found in the Web page referenced
above.
 
Jose

Thanks sooooooooooooooooo much for your time and effort in helping me sort
the problem. With your info and the help of a pal next door, between us we
have managed to get the userinit back into the registry somehow and now I am
up and running again. Ran Spysweeper and Malwarebytes which found numerous
viruses, trojans and other errors which have now been rectified and all seems
ok except for the System Restore, it no longer works. As soon as I access it
a message appears saying I must restart my computer after which the same
message appears again. Any ideas on this one?

You have to think like malicious software - which is really more
annoying than anything else.

It will do what it finds fun to keep you from removing it - like keep
you from logging in, keep you from logging in in safe mode, keep
popular malware scanners from running (MBAM & SAS), keep you from
running regedit, and of course keep you from running System Restore.
The world is lucky malicious software is not as malicious as it could
be - it is merely an annoyance.

Your login issue is well known and easy to fix from Recovery Console
which is why I wanted you to make a RC CD in the first place, and
don't know if you did or not.

It is not difficult and time consuming and my copy/paste directions
from having fixed this so many times would have had you running in
minutes - after you got the RC going.

Then you could run some good scans and clean up the leftovers and
anything else. We don't know how you fixed that issue either and
maybe you fixed it "right" or had some good luck, but it doesn't
matter now.

After fixing the userinit issue, you would not want to do a SR anyway
because your RPs are probably compromised as well, so you would just
reinfect your machine. Do you know if SR has ever worked in the first
place or is this the first time you have tried to use it? SR is
certainly not a time machine.

SR is often the first thing people try to do and of course it doesn't
work after an attack. It is broken and it is broken because the
malicious software broke it on purpose. Malicious software breaks
things that can be used to detect and remove it. Removal programs
sometimes don't fix everything.

Once you get your machine cleaned up, you should whack all your old RPs
and make a new one. Trying to "fix" a broken SR is generally easy,
but the best advice is to not count on or try to use any of your old
RPs.

Reinstalling XP is an option, but to me it is an admission of defeat,
losing and giving up. I have never reinstalled XP or needed to -
ever.

Your SR problem is also well known and likely quite fixable, but the
solution will cost you all of your old (and probably worthless)
RPs - why would you want to use them anyway? I certainly would not
trust any of them. You would also have to answer a few more
questions, and might (but probably not) have to come up with a copy of
an XP installation CD that matches your configuration.

It is not in my nature to guess at what might could be or have been or
suggest things to try that might work. People need specifics to solve
these issues, not vague guesses about what it might be.

You did not mention SAS but you should run it too.

Perform some scans for malicious software first, then fix any
remaining issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

Then let us know if you want to fix your SR or do you want to
reinstall.
 
