[Windwardman]

Howdy,

The wife of a friend of mine has a Toshiba laptop (Satellite P105-S6114) running XP Home, and she asked if I could get it running. She said that she had received warnings from her AVG program that five viruses (or something--she's not very conversant in computer lingo) had infected her machine. The next day, she had this logon/immediate logoff problem.

I've read through and tried most all of the fixes I've seen on this site and another: Safe Mode (still logs off immediately), Bart's PE, going into the registry, etc. I've pulled out the hard drive and plugged it in as an external drive on my computer to try to yank the user My Documents files. When I performed the userinit.ex fix, the file was successfully copied. After all of these, the logon/logoff problem is still there.

Everything seems to go fine with all of these approaches until I reach the user files. When I was attempting to alter the user key in the registry, access was denied. When I tried to copy the user's Documents folder, access was denied. A password was never put on the machine, so that's not the problem. When I ran the cursor over the folder, it indicated that the file was empty, but I know that files are in it--or at least were.

I would like to be able to salvage those files. Does anyone know why access is being denied? Is this a symptom of the malware infestation?

Thanks for any responses.

Edited by Windwardman, 27 January 2010 - 03:02 AM.

[Advertisements]

I ran Norton Internet Security 2010 on the affected hard drive tonight, and it found and dealt with a number of problems. When I tried to log on to the computer after putting the drive back in, a box saying something about VPN was on the desktop. I clicked "OK" (only option) and the computer logged off. It is still in the old logon/logoff loop, and access was still denied to the user's folder (katelyn c) in Documents and Settings when I tried to copy it to my computer.

Here is a copy of the Norton Resolved Threats Report (g: is the infected computer's c: drive, as my computer sees it):

CoreGuardAntivirus2009
Type: Anomaly
Risk: Medium (Medium Stealth, Medium Removal, Medium Performance, Medium Privacy)
Categories: Misleading Application
Status: Fully Resolved
-----------
1 Registry Entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\->Start:2 - Repaired
1 File
g:\program files\internetsecurity2010\is2010.exe - Deleted
1 Browser Cache

Trojan Horse
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\windows\system32\helper32.dll - Deleted
1 Browser Cache

Trojan.FakeAV
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
3 Registry Entries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusDisableNotify:0 - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallDisableNotify:0 - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->UpdatesDisableNotify:0 - Repaired
1 File
g:\windows\system32\warning.html - Deleted
1 Browser Cache

Downloader
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\application data\sun\java\deployment\cache\javapi\v1.0\jar\common.jar-21c9c0c4-3a50cc57.zip - Deleted
1 Browser Cache

Trackware.SmartShopper
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Trackware
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\local settings\temp\pkg_17381335b0\installer_smartshopper.exe - Deleted
1 Process
C:\Program Files\Internet Explorer\iexplore.exe - No Action Required
1 Browser Cache

CoreGuardAntivirus2009
Type: Anomaly
Risk: Medium (Medium Stealth, Medium Removal, Medium Performance, Medium Privacy)
Categories: Misleading Application
Status: Fully Resolved
-----------
1 Registry Entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\->Start:2 - Repaired
1 File
g:\documents and settings\katelyn c\local settings\temporary internet files\content.ie5\ohinopmn\setupis2010[1].exe - Deleted
1 Browser Cache

Trojan.Brisv.A
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\my documents\limewire\saved\busted baby part 2 plise neyo.mp3 - Deleted
1 Browser Cache

Edited by Windwardman, 27 January 2010 - 02:47 AM.

[Windwardman]

I ran Norton Internet Security 2010 on the affected hard drive tonight, and it found and dealt with a number of problems. When I tried to log on to the computer after putting the drive back in, a box saying something about VPN was on the desktop. I clicked "OK" (only option) and the computer logged off. It is still in the old logon/logoff loop, and access was still denied to the user's folder (katelyn c) in Documents and Settings when I tried to copy it to my computer.

Here is a copy of the Norton Resolved Threats Report (g: is the infected computer's c: drive, as my computer sees it):

CoreGuardAntivirus2009
Type: Anomaly
Risk: Medium (Medium Stealth, Medium Removal, Medium Performance, Medium Privacy)
Categories: Misleading Application
Status: Fully Resolved
-----------
1 Registry Entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\->Start:2 - Repaired
1 File
g:\program files\internetsecurity2010\is2010.exe - Deleted
1 Browser Cache

Trojan Horse
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\windows\system32\helper32.dll - Deleted
1 Browser Cache

Trojan.FakeAV
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
3 Registry Entries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusDisableNotify:0 - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->FirewallDisableNotify:0 - Repaired
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->UpdatesDisableNotify:0 - Repaired
1 File
g:\windows\system32\warning.html - Deleted
1 Browser Cache

Downloader
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\application data\sun\java\deployment\cache\javapi\v1.0\jar\common.jar-21c9c0c4-3a50cc57.zip - Deleted
1 Browser Cache

Trackware.SmartShopper
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Trackware
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\local settings\temp\pkg_17381335b0\installer_smartshopper.exe - Deleted
1 Process
C:\Program Files\Internet Explorer\iexplore.exe - No Action Required
1 Browser Cache

CoreGuardAntivirus2009
Type: Anomaly
Risk: Medium (Medium Stealth, Medium Removal, Medium Performance, Medium Privacy)
Categories: Misleading Application
Status: Fully Resolved
-----------
1 Registry Entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\->Start:2 - Repaired
1 File
g:\documents and settings\katelyn c\local settings\temporary internet files\content.ie5\ohinopmn\setupis2010[1].exe - Deleted
1 Browser Cache

Trojan.Brisv.A
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Fully Resolved
-----------
1 File
g:\documents and settings\katelyn c\my documents\limewire\saved\busted baby part 2 plise neyo.mp3 - Deleted
1 Browser Cache

Edited by Windwardman, 27 January 2010 - 02:47 AM.

[The Skeptic]

The best solution that I know of for login/logoff problems is here. Follow the instructions, prepare the two CDs and run it.