[natureboy]

Before starting malware repair procedure, I boot XP from recovery disk, per instructions (in forum repair procedure), I am instructed to press R, which selects "Custom Recovery". My question is, Does this delete C:/ files? Thanks.

[Advertisements]

What malware are you trying to repair ? You should not at this stage need to use the recovery console. Unless you are doing a repair install due to file corruption

[Essexboy]

What malware are you trying to repair ? You should not at this stage need to use the recovery console. Unless you are doing a repair install due to file corruption

[natureboy]

I found some malware using spybot labeled "spywarefromHell" and removed it. Then logged off computer. The next time I logged on I got the loop of starting up and then system logs off as described in this forum entry:Becca

View Member Profile
Add as Friend
Send Message
Find Member's Topics
Find Member's Posts Apr 8 2005, 11:09 AM Post #1


New Member

Posts: 2
From: Brighton, England
OS: Windows XP



I recently got a virus from MSN. I downloaded a virus removing program from the internet, did a virus sweep and then restarted my computer. Then when I reached the login screen and clicked on my username it started to log me in. My wallpaper flashed briefly and then it logged me out immediately.


I am implenenting a fix I found on this forum as follows:

gerryf

View Member Profile
Add as Friend
Send Message
Find Member's Topics
Find Member's Posts Apr 19 2005, 10:32 AM Post #9


Retired Staff

Posts: 11,365
OS: windows 98, xp, 2000, linux



Had a chance to read up on this issue and I suspect I know why this is happening, but fixing it is a bit of a problem because we need to know what the bad file it.

The most common cause of this right now, is running a malware detection progam that deletes a file, but the registry still points at it. This, wsaupdater.exe, seems to be the most widely seen culprit, but it could potentially be other things, too.

Let's test it out.

Boot using your winxp cd.
Enter recovery console.
at the command prompt go to

C:/windows/system32

next type:
Dir *.exe

If you find, it, type

copy userinit.exe wsaupdater.exe

Exit and reboot normally. You should now be able to logon.

Run regedit

Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right pane, you should see

C:\WINDOWS\System32\wsaupdater.exe,

Change it so that it reads:

C:\WINDOWS\System32\userinit.exe

That should solve the problem, if the malware was the one that caused the issue.

The scary thing is since more malware programs are inserting themselves into the winlogon key, this is going to be a moving target.

----------------
I just want to know if I select "Custom Recovery" option in the recovery console, which is what I get when I "press R" as instructed, (when booting up from XP recovery disc) will it clear my C:/ drive? Thanks. Please advise.

[Essexboy]

I am afraid that is a very vague answer with a few if's and maybe's as it may be any one of a score or more files and if you type dir. *.exe you will be presented with a list of all executable files in system32

If you can get into safe mode then run this programme and post it back here

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

However if you still wish to do it yourself the Microsoft step by step instructions are here http://support.microsoft.com/kb/892893

[Essexboy]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.