XP boot/logon problem

Discussion in 'Software' started by DaveBe, Feb 14, 2010.

  1. DaveBe

    DaveBe Private E-2

    Hi,

    I caught some malware and after a little messing about, SuperAntiSpyware seemed to clean a few things. On reboot, the OS comes up to the desktop, then immediately closes the desktop and displays the login icons. If I try to logon, then it starts to open the desktop and then immediately closes it again.

    Same thing happens in Safe Mode.

    Details and logs can be seen in this thread:
    http://forums.majorgeeks.com/showthread.php?t=209989


    SAS deleted some files and I suspect that registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon still points to one of those files, but I can't access regedit to check.

    A Microsoft entry http://support.microsoft.com/kb/892893 suggests that it might be possible to copy userinit.exe to each of the deleted entries to allow bootup. I tried this using Recovery Console to copy userinit.exe to smss32.exe, winlogin32.exe & SDRA64.exe and reboot.

    It doesn't fix the problem. In fact, the symptoms remain the same and when I check the entries in WINDOWS\system32, the 3 files I copied smss32.exe, winlogon32.exe & SDRA64.exe are gone!

    Is it possible that my anti-virus software, AVG9, is deleting the files? Or it may be another virus that is causing the problem, but until I can get to the desktop I can't continue the process of cleaning the malware.


    My machine is:
    XP Pro SP3 32bit X86
    1GB RAM

    Can anyone offer any suggestions?

    Thanks for your time
    David
     
  2. brandypeppy

    brandypeppy MajorGeek

    I'm a little confused. You can't log in either safe or normal modes, so how are you checking for specific files in your system 32 folder?

    Have you tried last known good configuration? Although, that has NEVER worked for me. I suspect it's a MS joke.

    You need to get booted to do anything at all. You may need to boot from your install/recover disk, enter BIOS to instruct CD boot.
     
  3. DaveBe

    DaveBe Private E-2

    I have been booting into Recovery Console from the install CD.

    I have tried to go back to earlier checkpoints, but they didn't seem to work.

    Last known good configuration does the same thing.

    Thanks
    David
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try this again in the recovery console:

    "expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe"
    "expand d:\i386\userinit.ex_ c:\windows\system32\dllcache\userinit.exe"
    "expand d:\i386\winlogon.ex_ C:\windows\system32\dllcache\winlogon.exe"
    "expand d:\i386\winlogon.ex_ C:\windows\system32\winlogon.exe"
     
  5. DaveBe

    DaveBe Private E-2

    I did the following commands:

    "expand d:\i386\userinit.ex_ c:\windows\system32"
    "copy c:\windows\system32\userinit.exe c:\windows\system32\dllcache\userinit.exe"
    "expand d:\i386\winlogon.ex_ C:\windows\system32"
    "copy c:\windows\system32\winlogon.exe c:\windows\system32\dllcache\winlogon.exe"

    rebooted - same problem.
     
  6. brandypeppy

    brandypeppy MajorGeek

    But Dave, those aren't the commands Tim gave you??

    In any case, since you can access the c partition, I'd suggest you get any needed/wanted data copied off of it.
    Then try a repair, you may need to reinstall if you can't get there.
     
  7. DaveBe

    DaveBe Private E-2

    As I found out yesterday, the syntax for expand is:

    expand source_file destination_directory

    What are you suggesting I do for a repair?

    Everything seems to be working - I just can't logon.

    This happened to me some time ago, when AVG scored a false positive on an old (slightly dated) system file. AVG kept deleting the system file every time I replaced it, until I eventually totally rebuilt the system on a new disk.

    Of course, I didn't know at the time that that was what AVG was doing. It was only when I got a working system that I found out. The simple fix would have been to turn off AVG, replace the file, boot normally, update AVG database and enable AVG again.

    Do you know if there is any way to disable AVG by deleting/renaming its files to prevent it running?

    Is there any way to access regedit from the install disk?

    Thanks
    David
     
  8. DaveBe

    DaveBe Private E-2

    As suspected, the registry "userinit" key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon was set incorrectly, left over from the malware.

    Found PCRegedit, which allows the registry to be edited from a live CD.
    Changed the entry back to "userinit.exe," and can now logon to the desktop.

    Does anybody know what the correct entry for the "shell" key should be? I suspect that is incorrect also?

    Thanks for your help.
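    As an added example (not code from this thread or any poster), a small audit of the two Winlogon values discussed above, Userinit and Shell: it accepts the stock entries and flags anything else, which is the check a responder would run before and after cleaning. The accepted defaults assume an English XP install on C:, and the sample values are constructed from the file names mentioned earlier in the thread.

```python
import platform

# Stock Winlogon values on Windows XP (assumption: English install on C:).
# Userinit is a comma-separated list, normally ending in a trailing comma;
# Shell is normally just "Explorer.exe".
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
OK_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe",
               r"%systemroot%\system32\userinit.exe"}
OK_SHELL = "explorer.exe"

def _norm(entry):
    """Lower-case and strip quotes/whitespace so path spelling does not matter."""
    return entry.strip().strip('"').lower().replace("/", "\\")

def parse_userinit(value):
    """Split the Userinit value into entries; malware commonly appends its own
    executable after userinit.exe, so anything past the stock entry is suspect."""
    return [e for e in (_norm(p) for p in value.split(",")) if e]

def audit_winlogon(userinit, shell):
    """Return a list of findings; an empty list means both values look stock."""
    findings = []
    entries = parse_userinit(userinit)
    if not entries:
        findings.append("Userinit is empty: logon will fail")
    for e in entries:
        if e not in OK_USERINIT:
            findings.append("unexpected Userinit entry: %s" % e)
    if _norm(shell) != OK_SHELL:
        findings.append("unexpected Shell value: %s" % shell)
    return findings

def read_live_winlogon():
    """On Windows, audit the live registry via winreg; elsewhere return None."""
    if platform.system() != "Windows":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return audit_winlogon(userinit, shell)

# Constructed samples: a clean machine and one resembling the thread, where the
# key still names a file (sdra64.exe) that the anti-malware scanner removed.
SAMPLES = {
    "clean": (r"C:\WINDOWS\system32\userinit.exe,", "Explorer.exe"),
    "tampered": (r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
                 "Explorer.exe"),
}

if __name__ == "__main__":
    for name, (u, s) in SAMPLES.items():
        print(name, audit_winlogon(u, s) or "OK")
```

    On an unbootable machine the same check applies to the SOFTWARE hive loaded offline (as with the live-CD editor mentioned above); the value strings are identical.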
     
  9. Tux_Rules

    Tux_Rules Corporal

    It only works if the computer does not start successfully or you have yet to reboot:

    http://support.microsoft.com/kb/307852/en-us
     
