Windows XP logs me out after malware removal - can't boot

Discussion in 'Software' started by julie8v, Jan 27, 2010.

  1. julie8v

    julie8v Private E-2

    Hi, and thanks for the work you do!

    My computer (Dell Dimension 4600 desktop, Windows XP) was infected with the virus that gives the "worm.win32.netsky" errors and popups and wants you to buy their software, which I did NOT do.

    I followed all the steps in the READ ME in the malware forums, until I hit a big problem. In Step 6, SuperAntiSpyware found three items, which it quarantined/removed:
    C:\WINDOWS\SYSTEM32\HELPER32.dll
    C:\WINDOWS\SYSTEM32\SMSS32.exe
    C:\WINDOWS\SYSTEM32\WINLOGON32.exe

    Then it asked me to reboot. When I did, the computer started normally, the Windows logon screen came up, and I logged in and it immediately said "logging off... saving your settings" and logged me out again. I tried restarting several times, and starting in safe mode didn't help either. It logged me out both from my account and the administrator account.

    So I'm in a bind... can't get on to my computer to fix things. Would REALLY like not to have to reinstall Windows! I saw a post about fixing registry entries, but thought I would ask for help before trying that on my own.

    Thank you so much!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. julie8v

    julie8v Private E-2

    Thanks Tim!

    On that link I see an error message about OEM software. (I have a feeling you've been through this with others before...) My Windows installation came with the Dell machine, and I have the Dell Windows CDs, but they're not the stand-alone Windows XP discs made by Microsoft.

    Am I OEM? Would this be a problem?

    In reading the other threads I saw similar problems with logon/logoff loops... one person suggested to log in as administrator in safe mode and then use System Restore. Thought I would check first before trying that (really don't want to make things worse) and don't know if I could log on, but if so, is that a good idea?

    thanks!!!!

    Julie
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can log into safe mode, then you can also create a new user account and do all the malware scans in either normal or safe mode.
     
  5. julie8v

    julie8v Private E-2

    Too bad, can't log in. Just immediately logs me out again.
    Should I follow the steps in the link you gave? (unsure about OEM issue) Or, I could try to use the Windows restore utilities that came on the CDs with the computer to see if I can restore back to last restore point.

    Julie
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use the restore utility on the CD.
     
  7. AustrAlien

    AustrAlien Specialist

    This is what you are looking for: It will get you back in to Windows ...

    Fix Windows XP LogOn/LogOff Loop ..... thinkinginpixels
     
  8. julie8v

    julie8v Private E-2

    Thanks for the suggestion! Looks like a great site and good for most people. I followed the whole procedure but unfortunately it didn't work for me.
    I'm wondering if my problem has to do somehow with the files that SAS quarantined, or with userinit.exe

    Anyone have ideas???
     
  9. jconstan

    jconstan MajorGeek

    I just went through this with a machine that was infected with "Internet Security 2010"

    I elected to follow the manual process documented on the site noted by AustrAlien. Mainly because I wanted to know what was going on, but also because when the automatic process fails you usually have no recourse.

    Most likely the registry key HKLM\software\microsoft\windows nt\current version\winlogon\userinit needs to be repaired. Its value should be C:\Windows\System32\Userinit.exe, (including the comma).

    The best way to fix it is with a utility like BART PE that runs an XP from a CD which will allow you to edit the bad registry on the hard drive of the machine that is not working.
     
  10. julie8v

    julie8v Private E-2

    Thank you again AustrAlien for pointing me in the right direction! I emailed Dan Fischbach saying that after the procedure, I still couldn't login. Dan has been unbelievably helpful. He called me 5 minutes after I emailed him, and sent me an email with instructions to follow using the SaveMe program that he has on his website.

    jconstan, you're absolutely right, it was a problem with the path to the userinit file. Instead of "C:\Windows\System32\Userinit.exe," mine read ":\Windows\System32\Userinit.exe," All I had to do was type in the C and it worked again. Didn't have to go through the Bart CD process because Dan's software guided me through it.

    Upon login, I found a couple things still wrong:
    1) No internet connection.
    2) "Warning" desktop image still there and icons still highlighted.
    3) Ctrl-Alt-Del doesn't work.
    4) Can't access the control panel.

    Dan is helping me fix these things now. We already used the LSPfix utility to fix #1. Currently I'm running all of the virus scan software that Dan recommends on his website. We'll see how it goes. If anyone knows of a solution for #2-4 above, I'd love to hear it.

    Mostly I'm posting my results to help other people - I read pages and pages of forums (and the Windows website was absolutely useless) that had me trying all sorts of crazy things, and Dan was able to fix it. His instructions were right on every time for me. I plan to donate to him when this is fixed!

    Julie
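
Added example (not part of the original thread, and not code from any tool mentioned in it): a small Python check for the Winlogon Userinit value discussed in posts 9 and 10, applied to a value read from the non-booting machine's registry hive. It goes slightly beyond the thread by also flagging extra programs listed in the value; the function name and all sample values, including example.exe, are constructed for illustration.

```python
import re

# Value the thread gives as correct (note the trailing comma).
EXPECTED_VALUE = r"C:\Windows\System32\Userinit.exe,"
DRIVE_ROOTED = re.compile(r"^[A-Za-z]:\\")


def check_userinit(value, expected=EXPECTED_VALUE):
    """Return a list of findings for a Winlogon Userinit value ([] = healthy)."""
    good_path = expected.rstrip(",").lower()
    if not value or not value.strip():
        return ["value is empty"]
    findings = []
    if not value.strip().endswith(","):
        findings.append("missing trailing comma")
    # The value is a comma-separated list of programs run at logon.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    for entry in entries:
        if not DRIVE_ROOTED.match(entry):
            # The damaged value in the thread had lost its drive letter.
            findings.append(f"not a drive-rooted path: {entry}")
        elif entry.lower() != good_path:
            # Anything besides userinit.exe deserves a closer look.
            findings.append(f"unexpected program: {entry}")
    if good_path not in (e.lower() for e in entries):
        findings.append("userinit.exe missing at expected path")
    return findings


# Constructed sample values; the second is the damaged value reported in the thread.
SAMPLES = [
    r"C:\Windows\System32\Userinit.exe,",
    r":\Windows\System32\Userinit.exe,",
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example.exe,",
    r"C:\Windows\System32\Userinit.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_userinit(sample) or "OK")
```

The path comparison is case-insensitive, since Windows paths are, so C:\WINDOWS\system32\userinit.exe is accepted as the expected program.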
     
  11. julie8v

    julie8v Private E-2

    Re: Windows XP logs me out after malware removal - can't boot - NEW PROBLEM: BSOD!

    Hi everyone, I could use some guidance!
    I fixed the logon/logoff loop and had almost successfully rid my computer of the Internet Security Virus. Malwarebytes found 8 files and quarantined them successfully, but when I rebooted, I get the Blue Screen of Death. I can't boot in Safe Mode either (same Blue Screen), or in Last Known Good Configuration. I'm running Windows XP SP3 on a Dell Dimension desktop (so my Windows is the Dell version).

    Here's what happened. First I used Spybot, which worked OK (rebooted fine), but didn't catch everything.
    Spybot: Found and successfully fixed 7 problems:
    - Microsoft.Windows.ActiveDesktop (registry change)
    - Microsoft.Windows.Explorer (registry change)
    - Spam.VistaPrint (Firefox bookmark)
    - Win32.Agent.chn (C:\WINDOWS\SYSTEM32\winupdate86.exe)
    - Win32.Agent.chn (C:\WINDOWS\SYSTEM32\winlogon86.exe)
    - Win32.Agent.wu (registry value)
    - Statcounter (tracking cookie)
    Rebooted fine, though after restart desktop was still set to the "warning" wallpaper and strange cookie activity continued whenever connected to the Internet.

    Malwarebytes: Connected to the internet long enough to update the program, and then disconnected.
    Did a full scan of all disks. Found 8 objects:
    - Hijack.Wallpaper (Registry file)
    - Trojan.FakeAlert (C:\WINDOWS\SYSTEM32\41.exe)
    - Trojan.FakeAlert (C:\WINDOWS\SYSTEM32\IS15.exe)
    - Trojan.FakeAlert (C:\WINDOWS\SYSTEM32\warning.html)
    - 4 instances of Hijack.DisplayProperties (Registry data). Unfortunately I didn't write more information about the registry items.
    Out of curiosity, I looked in the SYSTEM32 folder and found 8 other .exe files, all created on the same day, and all showing a 0kb size like the two trojans above, and all with random number filenames. I renamed them and put them in the quarantine folder manually. (They were 6334.exe, 11478, 15724, 18467, 19169, 26500, 26962, 29358)
    Malwarebytes said all 8 were successfully removed, and then restarted.

    Upon reboot: Blue Screen of Death.
    "A problem has been detected and Windows has been shut down to prevent damage to your computer."
    Technical information: STOP: 0x0000007B (0xF78A2528, 0xC0000034, 0x00000000, 0x00000000)
    Tried to start in safe mode, had the exact same screen.

    Anyone know how to recover from this kind of error? There is data on the hard drive that I would like to back up. I can pull the drive and boot as a slave (I hope!) to recover the data. But really, I would like to save the OS if possible because my system is very carefully configured for audio/video editing and has a lot of drivers and hardware installed, and it would take me at least a week to rebuild everything. And it would be a bummer to get so far, only to fail now :) I would be so grateful for any advice!!

    Julie
     
  12. brandypeppy

    brandypeppy MajorGeek

    Can you boot from one of those Dell CDs? You may have to go into the BIOS first and change the boot sequence to enable this, (F2 on startup will get you there).
    Then try a "repair" I believe is the option, maybe recover.
     
  13. julie8v

    julie8v Private E-2

    Thanks, brandypeppy. I should have the Dell recovery disk. I'll try it tonight.

    Will this delete my data? To be safe I guess I should find a way to boot the drive as a slave and get the data off first, but that would require using someone else's computer. My other computer is a laptop and I'd have to buy an enclosure to boot the HD from there.

    Anyone else ever do this?
    thanks so much! (bumps head on table)
    Julie
     
  14. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

    On a Dell, I'd say yes.
    The Dell disks you created or were supplied, usually just set the computer back to factory set up. Everything you've installed like windows updates and other programs as well as your emails and files will be gone and unrecoverable because the "recovery" disk formats the drive then reinstalls exactly as it left the factory.

    What model of Dell so I can double check?
     
  15. julie8v

    julie8v Private E-2

    Thanks plodr. (glad I asked, I've never tried to repair an installation of Windows.)

    It's a Dell Dimension 4600 desktop. Souped up with 2 SATA PCI cards, a ProTools sound card, and a widescreen monitor, all of which require drivers. Four hard drives are attached (two internal and two external, all SATA) but that's easy to undo. No RAID setup.

    I wish I didn't care about the data on the boot drive. If I can't get the data off safely with a Windows restore, I'll have to get another HD, install Windows on that, and boot my current drive as a slave to get the data off. A lot of data shuffling would be involved... I have about 2 TB of sound and picture files total on various drives.
     
  16. kdmigloo

    kdmigloo Private E-2

    Re: Windows XP logs me out after malware removal - can't boot - NEW PROBLEM: BSOD!

    Julie,

    I just had the exact same situation as you are experiencing. I am still finishing my cleanup, but as AustrAlien said above, you need to go see Dan Fischbach at thinkinginpixels. Dan is amazing, super patient, explains things in detail, knows his stuff, and is more than willing to help. He has instructions on the website (see the address below), but if your situation has a twist that requires more work, he is willing to help you out (go to page one and click on the "you can contact me at any point" part of, "Remember, you can contact me at any point if you have questions or concerns. Comments on this guide have been disabled as of January 1st, 2010. Please email me if you need help.").

    Dan's advice is free, but he accepts "thanks donations". I will be sending him some well earned Paypal funds for the help he gave me.

    If anyone can, Dan can get you back in to Windows with your precious files still intact...

    Here's the link:

    http://thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/

    Good luck!

    Kdmigloo Dawn
     
  17. plodr

    plodr MajorGeek Super Extraordinaire Moderator Staff Member

