PQRemove and then...logon means logoff.

Discussion in 'Software' started by ej0c, Jun 28, 2005.

  1. ej0c

    ej0c Private E-2

    Bless you all and cheers for your continued help here!

    OK, another day, another hosed machine. "Get rid of the popups." So, we quickly discovered that it had Bagle.n.

    PQRemove from Panda seemed to remove it nicely enough. However, after the next boot, when I logged on, it immediately logs me off. Same in safe mode, with any user.

    Tried fixboot, fixmbr, and even a repair install of Windows XP. Still no logon.

    Thanks!!
     
  2. A.Son

    A.Son Sergeant

    Did you try to repair at the second one, after it detects the previous Windows?
     
  3. ej0c

    ej0c Private E-2

    I'm not sure what you are asking here. - thanks.
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, when dealing with malware-related issues it is best to read and follow the following stickies from the Spyware Specific Forum:
    1. READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    2. NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
    3. How to Protect yourself from malware!

    Why did you think that a fixboot, fixmbr, and repair install were necessary? You only need to issue fixboot or fixmbr from the recovery console when the MBR and boot sector are corrupt. Repair installs do not fix registry issues; if your system was infected by a virus, it most likely has some entries in the registry that reload it at system start.

    Try this fix first:

    1. Start the Recovery Console. If you do not have the Recovery Console installed, start it from the Windows XP compact disc (The CD). Follow the a. b. c. d. steps to install Recovery Console:

    a. Insert the Windows XP CD in your CD drive and restart your computer. If prompted, select any options required to boot from the CD.

    b. When the text-based part of Setup begins, follow the prompts; you need to choose the repair or recover option by pressing R.

    c. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the recovery console.

    d. When you're prompted, type the Administrator password.

    2. At the command prompt, type cd system32, and then press ENTER.

    3. Type ren kernel32.dll kernel32.old, and then press ENTER.

    4. Type map, and then press ENTER.

    5. Note the drive letter assigned to the CD-ROM drive that contains the Windows XP CD. It is displayed in a format similar to the following:

    D: \Device\CdRom0

    6. Type expand drive:\i386\kernel32.dl_ (where drive is the drive letter of the CD-ROM drive that contains the Windows XP CD), and then press ENTER. For example:

    Expand d:\i386\kernel32.dl_
    Note the underscore character after the "L" in Kernel32.dl_

    The following message appears:

    Kernel32.dll
    1 file(s) expanded.

    7. Type exit. After the computer restarts, remove the Windows XP CD and start the computer normally.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Solution #2:

    1. Start the Recovery Console. If you do not have the Recovery Console installed, start it from the Windows XP compact disc (The CD). Follow the a. b. c. d. steps to install Recovery Console:

    a. Insert the Windows XP CD in your CD drive and restart your computer. If prompted, select any options required to boot from the CD.

    b. When the text-based part of Setup begins, follow the prompts; you need to choose the repair or recover option by pressing R.

    c. If you have a dual-boot or multiple-boot system, choose the installation that you need to access from the recovery console.

    d. When you're prompted, type the Administrator password.

    2. At the command prompt, type cd system32, and then press ENTER.

    3. Type ren userinit.exe wsaupdater.exe, and then press ENTER.

    4. Type map, and then press ENTER.

    5. Note the drive letter assigned to the CD-ROM drive that contains the Windows XP CD. It is displayed in a format similar to the following:

    D: \Device\CdRom0

    6. Type expand drive:\i386\userinit.ex_ (where drive is the drive letter of the CD-ROM drive that contains the Windows XP CD), and then press ENTER. For example:

    Expand d:\i386\userinit.ex_ C:\WINDOWS\system32
    Note the underscore character after the "X" in userinit.ex_

    The following message appears:

    userinit.exe
    1 file(s) expanded.

    7. Type exit. After the computer restarts, remove the Windows XP CD and start the computer normally.

    You should be able to log into Windows.

    Go to Start, Run, then type regedit.

    Find the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Userinit string value should be:

    C:\WINDOWS\system32\userinit.exe,

    On the damaged installations it's one of these:

    C:\WINDOWS\system32\wsaupdater.exe,
    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,

    In this case edit the string to:

    c:\windows\system32\userinit.exe,

    Everything should work fine now!
     
  6. A.Son

    A.Son Sergeant

    Shadow_Puter_Dude, you are so very kind in this. I cannot remember all......
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I have this really extensive 'Knowledge Base' that I use. Matter of fact, I believe, it's the same one Adrynalyne uses, Google. ;)

    As I find solutions that are known to work for different problems, I create a boilerplate template; so, all I have to do is cut and paste the solution to my reply.
     
  8. ej0c

    ej0c Private E-2

    Thank you all!

    It turned out (someone at DSLReports suggested this) that userinit.exe was simply missing. I was looking for a corrupted winlogon, but missed looking for userinit. Simply copied it from the i386 directory on my laptop, and good to go.

    Two more questions:
    1) Is it possible to have a logon script which immediately logs you off? I had also tried disabling wscript.exe and cscript.exe...to no avail, of course.

    2) Are there any books on solving these problems? I go to Borders and see lots of books on everything Windows, or Everything Security Prevention, but not on how to look at a broken or infected Windows system.

    Thanks,
    Ed
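
The Winlogon Userinit check from Solution #2, combined with the missing-file case ej0c reports in the last post, as an added example (not code from any poster in this thread). The function name, the finding codes and the system32 file listing passed in are assumptions made for illustration; the sample values are the ones quoted in the thread.

```python
import ntpath

# Known-good value quoted in the thread (default Windows XP install path).
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"


def audit_userinit(value, system32_files, expected=EXPECTED):
    """Return (code, entry) findings for one Winlogon Userinit string.

    value          -- Userinit data as exported from the registry
    system32_files -- file names found in system32 (hypothetical input,
                      e.g. a directory listing taken offline)
    """
    want = ntpath.normcase(ntpath.normpath(expected))
    present = {name.lower() for name in system32_files}
    # Userinit is a comma-separated list; the thread's values end in a comma.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    normed = [ntpath.normcase(ntpath.normpath(e)) for e in entries]
    findings = []
    if not entries:
        findings.append(("EMPTY", ""))
    for entry, norm in zip(entries, normed):
        if norm != want:
            findings.append(("UNEXPECTED", entry))
        # Only system32 was listed, so only paths in it can be checked.
        if (ntpath.dirname(norm) == ntpath.dirname(want)
                and ntpath.basename(norm) not in present):
            findings.append(("MISSING_FILE", entry))
    if entries and want not in normed:
        findings.append(("NO_USERINIT", expected))
    return findings


if __name__ == "__main__":
    # Constructed samples: the values from the thread plus ej0c's case.
    good = r"C:\WINDOWS\system32\userinit.exe,"
    bad = r"C:\WINDOWS\system32\wsaupdater.exe,"
    samples = [
        (good, ["userinit.exe", "kernel32.dll"]),
        (bad, ["wsaupdater.exe"]),
        (good + bad, ["userinit.exe"]),
        (good, ["kernel32.dll"]),  # value is fine, file is gone
    ]
    for value, files in samples:
        print(value, "->", audit_userinit(value, files) or "OK")
```

The last sample is the situation ej0c describes: the registry value is correct, but userinit.exe itself is absent, so a registry-only check reports nothing.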
     
