Missing Login Screen

Steve Jensen

I thought I had posted this but cannot find it, so I apologize if this
appears twice.

Anyway, I had a situation with Windows XP Professional that I have never
seen, and am trying to find out if anyone else has.

My customer reported that he was browsing the internet when his computer
locked up. He rebooted, and when the computer came back up, the Ctrl-Alt-Del
prompt did not show up - only a blank desktop and a mouse arrow.

I tried booting the machine in safe mode. It came up with the normal safe
mode screen - except no login screen. I could not find a startup mode that
would allow me to log in. I tried a reinstall repair and it copied the files
and rebooted - and came up to the same blank screen (with a bigger mouse
arrow because now we're in VGA).

Finally, finding nothing on the net about it, I did a fresh install of
Vista, which proceeded normally (which rules out hardware problems).

The whole episode acts like a virus except that I can't find anything about
it on the virus information sites, besides which the computer was protected
by antivirus firewall.

Any information about this would be appreciated.
 
Daave

Steve said:
I thought I had posted this but cannot find it, so I apologize if this
appears twice.

Anyway, I had a situation with Windows XP Professional that I have
never seen, and am trying to find out if anyone else has.

My customer reported that he was browsing the internet when his
computer locked up. He rebooted, and when the computer came back up,
the Ctrl-Alt-Del prompt did not show up - only a blank desktop and a
mouse arrow.

I tried booting the machine in safe mode. It came up with the normal
safe mode screen - except no login screen. I could not find a
startup mode that would allow me to log in. I tried a reinstall
repair and it copied the files and rebooted - and came up to the same
blank screen (with a bigger mouse arrow because now we're in VGA).

Finally, finding nothing on the net about it, I did a fresh install of
Vista, which proceeded normally (which rules out hardware problems).

The whole episode acts like a virus except that I can't find anything
about it on the virus information sites, besides which the computer
was protected by antivirus firewall.

Any information about this would be appreciated.

Although I don't have any specific information on the names of malware
that cause what you observed, I would imagine it is directly a result of
malware, especially since your "customer reported that he was browsing
the internet when his computer locked up."

Did you image or clone the drive before you started experimenting with
the XP repair install?

Was the Vista experiment on the customer's hard drive or one of yours
that you temporarily swapped?

If you still have the original drive with the borked XP installation,
why not scan it for malware (either by using an emergency boot CD like
Knoppix, Ubuntu, Bart's PE, or UBCD4Win ... or by removing it and
placing it in another PC as a slave or inside a USB enclosure)? That
really should have been the first thing you tried! Repair installs
should never be done in this type of situation, by the way. They should
only be done to address a specific OS issue that can't be addressed any
other way. But attempting a Repair Install on a compromised system is
just a recipe for disaster, IMO.

In the future, if you want to rule out hardware issues, simply boot off
a live Linux CD (like Knoppix or Ubuntu).

For dealing with malware issues, I think this page is a great resource:

http://www.elephantboycomputers.com/page2.html#Removing_Malware
 
Elmo

zarniwoop said:
Yo guys...don't know if anybody is still following this thread but I think I
made some progress.

After checking with yet another scanner, I ran across the infected file
C:\Windows\cfe.bak.

I deleted it and now Windows seems to continue the repair installation I
tried on the first day.

Could you guys check if this file exists on your machines?

Best of luck

zarniwoop

Mine doesn't have that file. And since it's probably a backup, with
that extension, it's surely not needed for the system to function.
 
Elmo

undisclosed said:
I pulled out the hard drive from the problem PC and hooked it up to
another PC via a usb port. I ran a scan on the entire hard drive and
found two different files infected by two different trojans. I don't
remember the file names but the trojans were:

Generic Del.x!a
Lindo

Neither infected file appeared to be a remotely important or system
file. I haven't found that much information about these two trojans but
they did make it past Symantec Antivirus Corporate Edition with
up-to-date virus definitions so I am a bit concerned about that. I
guess I'll be scanning some other hard drives over the weekend too.

McAfee quarantined both files so I am going to attempt to boot the
computer again over the weekend.

Thanks for the tip on the disk and tools you used to scan your
computer. If I make any progress over the weekend I'll update this site
again.

Rather than move hard drives around, it'd surely be less effort to
create a BitDefender CD and run it on any suspect system. The "Knoppix
Live" CD updates its malware definitions and does a scan.. you check
back later and manage anything it finds.

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.
 
Elmo

undisclosed said:
Joe,

I will look at the links you posted but I always carry my usb adapters
with me and it is quite easy to yank a hard drive. Plus, I have already
done it.

Now, when I put the hard drive back in the PC and try and boot I may
need a Knoppix CD if it doesn't come up.

BTW, have you ever heard of "Generic Del.x!a" or "Lindo?" I have not
turned up anything definitive on either one at this point.

Thanks again.

No, but here's a Google search on each name:

http://www.google.com/#hl=en&source=hp&q="Generic+Del.x!a"&aq=f&aqi=&oq=&fp=8ec9ea851cee2c5b

http://www.google.com/#hl=en&q=lindo+malware&aq=f&aqi=&oq=&fp=8ec9ea851cee2c5b
 
