Log in/log off loop

Discussion in 'Software' started by epicfail13, Jun 4, 2009.

  1. epicfail13

    epicfail13 Private E-2

    I've spent about 10 hours surfing the net looking for help on this one.

    I have a friend that uses P2P applications. She runs only McAfee, and I don't know if she ever updates or runs it. I ran McAfee, and it only found one infection (so I'm not very willing to let her use it anymore). Her computer is XP Pro, about 5 years old, and only updated to SP2. She didn't notice the malware until it started aggressively hijacking her browser and changed her desktop to a warning that she had an infection (yeah, no kidding).

    Her computer refused to recognize my flash drive, so I had to burn the anti-malware programs to a CD. I started with Spybot S and D, but about halfway through the computer went to BSOD. I had some success stopping the scan after a few infections were found and removing them, scan and repeat, but I hit the BSOD whenever it was about halfway through. I switched to Ad-Aware by Lavasoft. It found 2 infections (sorry, thought I was safe and didn't note what they were) and removed them. When asked to restart, I did, and now it will not let me log in under any user, under any safe mode. From what I've read on a couple dozen pages, this is often caused when the malware has replaced userinit.exe.

    I believe her XP came pre-installed without the XP CD-ROM, which seems to mean that it's OEM-installed and the MS fix won't work. I can access her files using a Linux Live CD. I have read some tutorials on making an Ultimate Boot Disk from my/her C: i386 file, but I'm not certain I can do it. I can't reformat her computer without the XP CD-ROM? I'm a fast learner, but I'm feeling overwhelmed.
     
  2. dlb

    dlb MajorGeek

    Welcome to Major Geeks!

    You are, indeed, a fast learner. AdAware has most likely removed the userinit.exe file due to an infection, or has removed the file that was linked to the userinit.exe file. Years ago, this was due to an infection caused by BlazeFind and/or the wsaupdater.exe infection. These days, the principle is the same, but the infection is different. You need to find a way to access the infected/misfiring drive, whether it be through creating a boot disk or whatever. You need to completely remove the userinit.exe file from the 'bad' drive and replace it with a clean userinit.exe file. You could remove the drive from the tower, hook it up as a 2nd drive to a healthy XP system with good virus/malware protection and simply delete the bad userinit.exe file and copy the same file from the healthy clean drive C: to the 'bad' drive. I've done this in the past and it has worked fine, but you should probably post in the MajorGeeks Malware Removal Forum and add a link to this post just to be sure that this is what the pros recommend.
    Good luck!

    [dlb]
     
  3. AustrAlien

    AustrAlien Specialist

  4. epicfail13

    epicfail13 Private E-2

    I did read that Major Geeks thread before I even considered registering to post here. One of the major problems I am having is that I do not have the XP CD-ROM. I don't think I can reformat. I can't use the Recovery Console without the CD-ROM. I don't believe it would even work since she has an OEM installation. Microsoft tells me not to even try it on an OEM installation.

    I am going to read the http://thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/ and let you know how it goes.
     
  5. AustrAlien

    AustrAlien Specialist

    DomLuc,
    Thank you for the welcome.
    I just HAD to register to post when I saw the strife that epicfail13 was in, and I thought that I had the solution for him. After finding thinkinginpixels not so long ago, I was hoping to be able to use that "great find". I was planning to replicate the problem and test it myself, but haven't got around to it yet. I did provide the info to someone else on another forum in the same situation, but have not had any response to that.
    This site looks like a good place for me to spend some time having a look around and picking up some info. Who knows, perhaps I might actually get to contribute something worthwhile.

    epicfail13,
    Best of luck and I hope to read of your success in the not-too-distant future. The fix suggested looks too good to be true, but I, like DomLuc, think it looks genuine.

    Geoffrey
     
  6. epicfail13

    epicfail13 Private E-2

    Success!!!! :-D I can now log in!!!!

    Now that I can log in, I'm going to follow the cleaning directions listed there, and take a look at the thread here at Major Geeks labeled "Read and Run first" (or similar title). I can and do follow directions. If my problems continue, I will be sure to check in with the Malware Removal forum.

    AustrAlien, thank you for the tip!! Just what I was looking for! THANK YOU!!!

    I'm going to post this fix in the other places I was looking for help.
     
  7. AustrAlien

    AustrAlien Specialist

    Well, well, well ... That does give me goosebumps! So pleased to learn of your success. Thank you for letting me know the result. You have been busy ... all done within 4 hours. Best wishes,

    Geoffrey
     
  8. Trussman

    Trussman Private First Class

    I'm sure you have tried the restore to an earlier time, to no avail. These pre-installed OS are on her computer, you just have to access it.
    If all else fails!
    When starting the PC, keep pushing the F10 button until it opens the recovery console. It should give you a choice of the basic or the advanced recovery options.
    The basic option will reload the OS files without losing any of the data you have on the PC.
    The advanced option will reformat and reload back to factory settings.
    Either way, you will have to do all of your Windows updates, but this should straighten it out and remove infections.
     
  9. epicfail13

    epicfail13 Private E-2

    A final comment from me:
    After scanning and scanning and scanning in safe mode, I'm now logged on in normal mode (and scanning even more). According to Ad-Aware AE, it quarantined Win32TrojanDownloader.Fraudload, which had files in C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\system32\dllcache\userinit.exe, and also a registry entry HKLM:Software\Microsof[shortened and I can't find a way to expand it]\sion\Winlogon.UserInit. There were also various other files for fraudload, which is to be expected. So, yeah. Note to self: Look for UserInit in future result lists, then look for less drastic ways of removing it.

    There are probably other things that cause this problem, but thought I'd make sure this one got mention.
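
An offline check for the two things this thread ends on, added here as an example and not part of any poster's reply: whether both userinit.exe copies on the affected drive match a clean copy, and whether a Winlogon Userinit value lists anything besides the stock program. It assumes the XP drive is mounted at a path you pass in, the clean reference comes from a healthy machine on the same XP service pack, and the stock value is `C:\WINDOWS\system32\userinit.exe,`; all function names are made up for the example.

```python
import hashlib
import ntpath
from pathlib import Path

# Locations named in the thread, relative to the mounted XP system drive.
COPIES = ("WINDOWS/system32/userinit.exe", "WINDOWS/system32/dllcache/userinit.exe")
EXPECTED = r"c:\windows\system32\userinit.exe"  # assumed stock target, lower-cased


def resolve(root, rel):
    """Resolve rel under root ignoring case, as Windows would; None if absent."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = [p for p in cur.iterdir() if p.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_copies(root, clean_reference):
    """Compare each userinit.exe copy on the offline drive with a clean one."""
    good = sha256(clean_reference)
    result = {}
    for rel in COPIES:
        found = resolve(root, rel)
        if found is None:
            result[rel] = "missing"  # a missing file also produces the logon loop
        else:
            result[rel] = "ok" if sha256(found) == good else "differs"
    return result


def check_userinit_value(value):
    """Return entries of a Winlogon Userinit value that are not the stock one."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    odd = [e for e in entries if ntpath.normpath(e).lower() != EXPECTED]
    return odd if entries else ["<empty value>"]
```

A "differs" result on the dllcache copy matters as much as one on system32, since the scanner in the last post reported the infection in both places.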
     
