[lenlo]

One of our pc's at home is exhibiting strange behaviour similar to what others have experienced.

When you logon, the splash screen shows a logging in splash, plays the logon sound and then the splash says saving user information and logs you right back out again.

I've tried with every logon to the machine - Local user, local Administrator, domain Administrator - I fear all I have done is given all of my passwords to a keylogger.

I've followed the instructions in the post: 20552-1 (XP Pro logs off immediately after you log in) and best that I can tell is that this is a new variant of that issue.

That post had me do the following:
Open the registry remotely from a different machine
Navigate to: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
change the current value to "C:\WINDOWS\system32\userinit.exe,"
NOTE: The value was set to: "C:\WINDOWS\system32\scmss.exe -Service" which best from what I can tell is a trojan. This did not work.

Later in the post, it suggested copying userinit.exe to wsaupdater.exe, this did not work.
Also suggested copying from another computer with same windows version... I did this through the repair console (DOS prompt) and this did not work (and it was from another computer that was identical when it was originally installed).

Did a complete repair through Windows installer, still no joy.

I'm at a complete loss and I think there are a good number of folks experiencing the same issue.

[Advertisements]

Hello lenlo, welcome to GeeksToGo!

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

This appears like a serious issue - but first, have you tried accessing Safe Mode? If not, please do so now and let me know if you can. To get into Safe Mode, please restart your computer and tap F8 as soon as it starts booting up. Select 'Safe Mode' from the menu that appears and click Enter. Do not choose Safe Mode with Networking yet, since it's possible that you might get infected even more.

Now, if you do manage to log into Safe Mode - I'd like you to do the following, so we can get a deep view on what's going on there. On another computer that's connected to the internet, download Deckard's System Scanner. Place it on a USB drive or burn it on a CD, then connect it to the infected PC (while in Safe Mode). Copy dss.exe from it to your desktop, then run it:

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

If you can't manage to boot into Safe Mode - let me know.

Regards,

Tal.

[Tal]

Hello lenlo, welcome to GeeksToGo!

My name is Tal, and I will be helping you in the process of removing malware from your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!

You may also want to Track This Topic. This feature of the forum will send out an email to the email address you've signed up with as soon as I reply, so you can be notified of my reply. To do this, please locate the Options menu, located just under the New Topic and New Reply icons. Once you've found it, click it, and choose Track This Topic from the dropdown menu (the first option). In the page that appears after you have clicked Track This Topic, select Immediate Email Notification, then click Proceed.

This appears like a serious issue - but first, have you tried accessing Safe Mode? If not, please do so now and let me know if you can. To get into Safe Mode, please restart your computer and tap F8 as soon as it starts booting up. Select 'Safe Mode' from the menu that appears and click Enter. Do not choose Safe Mode with Networking yet, since it's possible that you might get infected even more.

Now, if you do manage to log into Safe Mode - I'd like you to do the following, so we can get a deep view on what's going on there. On another computer that's connected to the internet, download Deckard's System Scanner. Place it on a USB drive or burn it on a CD, then connect it to the infected PC (while in Safe Mode). Copy dss.exe from it to your desktop, then run it:

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

If you can't manage to boot into Safe Mode - let me know.

Regards,

Tal.

[lenlo]

Tal, thank you. This is the first time I've ever had an issue I couldn't resolve on my own - You can probably see from my post that I did try a good number of things before having to solicit help from others. When it came time to solicit help, I had to then do research into the best site to go to for help - I decided on GeeksToGo.

Safe Mode would be a wonderful bet, but I forgot to add to my original post that I tried SafeMode - I am still unable to log in.

I have to think others are experiencing this variant...

[Tal]

Hi lenlo,

Let's try a different approach and attempt to restore your computer to an earlier restore point, through the recovery console. You will need your XP CD. If you don't have an XP CD, please download RC.iso (which contains a bootable version of the recovery console found in the Windows CD). You will also need a burning tool like ISO Recorder. Burn the ISO on a CD using ISO Recorder.

First, insert the Windows / RC.iso CD to your drive, and boot from it (you will get a note asking you to press any key to boot), do it. after the first several screens load, you will be given a choice to choose R for Recovery Console. You will then be asked to log in. Choose the installation to be repaired by number (usually 1) and press "Enter". When you are asked for the Administrator password, leave it blank and press "Enter".

When you get to the recovery console prompt:

• Type cd \ and press Enter.
• Type cd system~1\_resto~1 and press Enter.
• Type dir and press Enter.

After you press enter you will see a list of folders (like rp1, rp2) If the list of restore points has more than one page then press the "Enter" key until you reach the end of the list.

• Type cd rp {number of the second to last folder in the list} and press "Enter". (Example: Type cd rp9 if rp10 is the last restore point.)
• Type cd snapshot and press Enter.
• Type copy _registry_machine_system c:\windows\system32\config\system and press Enter.
• Type copy _registry_machine_software c:\windows\system32\config\software and press Enter.
• Type exit and press "Enter".

Your PC will reboot.

If you get an access denied error when doing the above, then do the following at the recovery console:

• Type cd \ and press Enter.
• Type cd windows\system32\config and press Enter.
• Type ren system system.bak and press Enter.
• Type exit and press "Enter".

Your PC will reboot, go back into the Recovery Console and start from the beginning. Once you've managed to complete the second step, try to boot to Windows. If you do manage to boot into it, please download dss.exe as instructed in the previous post, run it and include the two logs in your next reply.

Thanks to wannabe1 for the writeup.

Tal

Edited by Tal, 08 May 2008 - 10:26 AM.

[lenlo]

Tal, I will try that tonight, however, I have Windows 2000 Pro - Does that have the restore points you are describing?

[Tal]

No, that's going to be a slight problem. I'll get back to you soon - don't follow the above instructions until further notice.

[Tal]

Hi lenlo,

Let's try this. Thanks to wannabe1 for this idea.

Preparation
We will attempt to repair your registry with the Windows 2000 Registry Repair Utility from Microsoft. You will need:

• A Windows XP computer to download the utility and prepare the floppy disks. Note: You will need to validate your Windows installation with Microsoft to initiate the download
• 6 empty floppy disks, and a floppy drive both on the Windows 2000 computer, and the XP computer.

Downloading & Running
Using the Windows XP machine, please go HERE. If you haven't validated your Windows installation, you will need to press Continue and follow the on-screen instructions to validate your installation of Windows. If you already have validated it, you should see a blue box with a Download button. Please follow the instructions on that page to create the floppy disk required for this repair install.

After you have followed the above steps and completed them successfully, try to boot into Windows. If you manage to boot to Windows, include a DSS log in your next reply, as instructed in my previous posts. If not, let me know and we'll see how we proceed from here.

Regards,

Tal.

Edited by Tal, 08 May 2008 - 04:10 PM.

[Tal]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.