Repairing malware XP logging on then logging off question please. [CLO
Started by natureboy, Jul 14 2008 02:35 PM
#1
Posted 14 July 2008 - 02:35 PM
#2
Posted 14 July 2008 - 02:39 PM
What malware are you trying to repair? You should not at this stage need to use the recovery console, unless you are doing a repair install due to file corruption.
#3
Posted 14 July 2008 - 04:09 PM
I found some malware using spybot labeled "spywarefromHell" and removed it. Then logged off computer. The next time I logged on I got the loop of starting up and then system logs off as described in this forum entry:
Becca
Apr 8 2005, 11:09 AM Post #1
New Member
Posts: 2
From: Brighton, England
OS: Windows XP
I recently got a virus from MSN. I downloaded a virus removing program from the internet, did a virus sweep and then restarted my computer. Then when I reached the login screen and clicked on my username it started to log me in. My wallpaper flashed briefly and then it logged me out immediately.
I am implementing a fix I found on this forum as follows:
gerryf
Apr 19 2005, 10:32 AM Post #9
Retired Staff
Posts: 11,365
OS: windows 98, xp, 2000, linux
Had a chance to read up on this issue and I suspect I know why this is happening, but fixing it is a bit of a problem because we need to know what the bad file is.
The most common cause of this right now is running a malware detection program that deletes a file, but the registry still points at it. This, wsaupdater.exe, seems to be the most widely seen culprit, but it could potentially be other things, too.
Let's test it out.
Boot using your winxp cd.
Enter recovery console.
at the command prompt go to
C:/windows/system32
next type:
Dir *.exe
If you find it, type
copy userinit.exe wsaupdater.exe
Exit and reboot normally. You should now be able to logon.
Run regedit
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the right pane, you should see
C:\WINDOWS\System32\wsaupdater.exe,
Change it so that it reads:
C:\WINDOWS\System32\userinit.exe
That should solve the problem, if the malware was the one that caused the issue.
The scary thing is since more malware programs are inserting themselves into the winlogon key, this is going to be a moving target.
----------------
I just want to know if I select "Custom Recovery" option in the recovery console, which is what I get when I "press R" as instructed, (when booting up from XP recovery disc) will it clear my C:/ drive? Thanks. Please advise.
#4
Posted 15 July 2008 - 11:36 AM
I am afraid that is a very vague answer with a few if's and maybe's, as it may be any one of a score or more files, and if you type dir *.exe you will be presented with a list of all executable files in system32.
If you can get into safe mode then run this programme and post it back here
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
However if you still wish to do it yourself the Microsoft step by step instructions are here http://support.microsoft.com/kb/892893
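A read-only check for the condition described in gerryf's quoted post, where a Winlogon value still names a program the scanner deleted. This is an added example, not code from the thread: it assumes you can capture `reg query` output for the Winlogon key from a working session such as safe mode, and `audit_winlogon`, `parse_reg_query`, `SAMPLE` and `PRESENT` are names made up here.

```python
import ntpath
import os
import re

# Stock Windows XP data for the two Winlogon values that start programs at logon.
DEFAULTS = {"userinit": [r"c:\windows\system32\userinit.exe"], "shell": ["explorer.exe"]}
LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Constructed sample of `reg query` output: the state the thread describes.
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell\tREG_SZ\tExplorer.exe\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\System32\\wsaupdater.exe,\n"
)
PRESENT = {r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe"}  # constructed


def parse_reg_query(text):
    """Return {lowercased value name: data} from `reg query` text output."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values


def audit_winlogon(text, is_file=os.path.isfile, windir=r"C:\WINDOWS"):
    """Return (value, program, problem) tuples for Userinit/Shell entries to review."""
    findings = []
    values = parse_reg_query(text)
    for name, expected in DEFAULTS.items():
        if name not in values:
            findings.append((name, "", "value missing"))
            continue
        # The data is a comma-separated list; a trailing comma is normal for Userinit.
        for prog in (p.strip().strip('"') for p in values[name].split(",")):
            if not prog:
                continue
            # Assumption: a bare name such as Explorer.exe lives in the Windows directory.
            path = prog if ntpath.isabs(prog) else ntpath.join(windir, prog)
            if not is_file(path):
                findings.append((name, prog, "file not found"))
            elif prog.lower() not in expected:
                findings.append((name, prog, "not the stock entry"))
    return findings


if __name__ == "__main__":
    print(audit_winlogon(SAMPLE, is_file=lambda p: p.lower() in PRESENT))
```

On a live Windows system, leave `is_file` at its default so the paths are checked against the real disk. A "not the stock entry" result is what the check reports after the copy workaround in the quoted post, until the registry value is changed back.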
#5
Posted 19 July 2008 - 04:14 AM
Due to lack of feedback, this topic has been closed.
If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.