I tried to remove malware and now xp won't start


24 replies to this topic

#1 20bugsys


Posted 17 February 2010 - 06:01 PM

Given that I have no working OS, I could not go through the preparation procedures before posting this. I hope I have some potential to at least back up one very important file from my computer before doing anything drastic.

I have a Toshiba Satellite 105 laptop running MS Windows XP (Media Center Edition), running the latest service pack.

I am connected to the internet through a wired Ethernet connection to my router. I am running the ZoneAlarm free firewall, Ad-Aware Live, AVG Free antivirus software and Spybot Search and Destroy with TeaTimer.

Currently, I cannot get Windows to boot in normal, safe, or last known good configuration. Just after typing my password and hitting enter (including administrator), Windows shuts down and returns to the password prompt.

Here is how I got to this point:

Last night I was running Google Chrome, MS Word and iTunes simultaneously. AVG Free started a daily scheduled virus scan which I manually paused due to a lagging system. Within moments, my desktop turned bright green with an infection alert and about 3 or 4 pop-ups indicated a trojan attack. I did not write down the name of it. This type of thing has happened before and Ad-Aware and Spybot have usually taken care of it. Not this time.

I should have immediately backed up a few important files but failed to do so. Call it overconfidence in my software or just late night distractions. Regardless, there is one very important file for my financial software that I must retrieve. My Outlook emails would be helpful but are not essential. They all come through online email servers which hold the originals. Other than this, I am willing to let everything else go. I have a recent backup of my personal files on an external hard drive.

I proceeded to update Ad-Aware and Spybot Search and Destroy, and then disconnected from the internet before running both programs.
Ad-Aware located one trojan file which was sent into quarantine. I then ran Spybot which located 10 items, 4 of which were identified as trojans and 1 identified as malware. I don't remember what the other items were identified as. I opted to "fix" all 10 of these items.

I then restarted my computer and am at the point where I am now. I tried to boot in safe mode. I then tried to boot with the last known good configuration. I then tried to boot with automatic restart disabled. Nothing is working and I am now seeking your help. Please don't advise me to do anything that could harm the file on my hard drive first. This is the most important item to address before trying to solve my system problem. Thanks in advance.

Tim

Edited by Orange Blossom, 17 February 2010 - 06:29 PM.
Move to AII. ~ OB



#2 Tingnome


Posted 17 February 2010 - 07:43 PM

Hello there,

How far exactly does your system get into booting? What I mean by this is, when you tell it to boot normally, does it restart immediately, a few seconds later, or about how long? You may be getting hung up on a BSOD (Blue Screen of Death), but don't let the name scare you.

#3 20bugsys


Posted 17 February 2010 - 08:05 PM

In normal boot it gets to the user password prompt, then I enter my password, then my desktop image appears (no icons or taskbar), then after 10 seconds of just the desktop image, it returns to the blue user screen, says "saving settings" as if it is shutting down, and then returns to a blank password box.

In safe mode it gets to the user password prompt, then I enter my password, then within a second or two the screen goes black for a millisecond and it jumps directly back to the blue user screen, says "saving settings" as if it is shutting down, and then returns to a blank password box.

Edited by 20bugsys, 17 February 2010 - 08:06 PM.


#4 Tingnome


Posted 17 February 2010 - 09:53 PM

Great! This is common actually; it could be one of a few things though, honestly. I think you have a corrupt "userinit"; it's basically what starts the login process. OK, so first things first, this IS fixable and I think we can fix it on the first try. Secondly, no, you won't lose information if you follow my directions. Let me know if ANYTHING is unclear or you are confused.

You sound somewhat savvy so I'm not going to dumb this down all the way. First we need a Windows XP boot disc; the same disc that installs the OS is also the disc that can help us today.

Put the disc in and boot to it. If you have never used it before, it will take about 5-10 min before the disc is fully booted, but once you are there, on the first menu, press R for recovery console (it will be a blue screen with white letters).

Pick the OS you want to boot in (usually C:\windows), and enter your administrator password. If you don't have one or can't remember if you do, just hit [enter].

This will bring you to the recovery console, kinda like command prompt...or similar to DOS.

Then, once you get the C:\Windows> prompt, type in the following command.

(I am assuming that your CD drive is letter E, but change to your CD drive letter accordingly.) Type: "EXPAND E:\i386\userinit.ex_ C:\WINDOWS\SYSTEM32"
Without the quotes, and it doesn't have to be in caps.

This should replace any corrupt files needed to login.

After this is completed just type EXIT and hit [enter] and you will reboot automatically and hopefully you will be on your way to a usable computer again!

#5 20bugsys


Posted 17 February 2010 - 10:15 PM

The XP software on this machine is OEM and did not come with an install disc. I do have another XP install disc but it is not the (Media Center Edition) installed on the problem computer. It is XP Home, which is installed on the PC I am typing on now. Will it work?

#6 JUICYboy


Posted 17 February 2010 - 10:33 PM

Yeah, normally it will because the root files are all the same.

But I think if you try what he told you, you should be well on your way to a good working comp.

If you can't do it that way, try to repair the files automatically.
Install OEM XP CD > Go into Repair Mode > Type Check DSK / R
It will take like 10-20 min depending on hard drive size and partitions that got corrupted.
Then it should reboot.
Let us know how it all went.

#7 20bugsys


Posted 17 February 2010 - 10:53 PM

I will let you all know. Thanks so much.

#8 20bugsys


Posted 18 February 2010 - 01:56 AM

Neither of these methods is working.

When I type EXPAND d:\i386\userinit.ex_ C:\WINDOWS\SYSTEM32 it looks as though it will work, but then when I reboot the problem still exists.

When I type check dsk/r I get a message that says, "the command is not recognized". I typed help for a list of commands and used chkdsk but cannot get it to do anything even with the /r extension.

Edited by 20bugsys, 18 February 2010 - 02:28 AM.


#9 Tingnome


Posted 18 February 2010 - 10:14 AM

I was afraid that might happen.
90% of the time it is a common problem when removing malware. There is a registry key that usually needs to be repaired.
In the registry an element is labeled
UserInit=c:\windows\system32\???????.exe,
but it should be:
UserInit=c:\windows\system32\userinit.exe,

OK, phase two: how fast do you need this data? Should we first focus on getting the file off? What I mean by this question is, do you need the file anytime within the next day or so?
If so, I will walk you through how to extract the data that is time critical; if it's not time critical, then we can go on with fixing the computer.
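
Added example, not part of the thread or written by any poster: a Python check of the Userinit value described in the post above, which is stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. It assumes the raw value has already been read from the offline SOFTWARE hive; the sample values and the file name example-dropper.exe are constructed for illustration.

```python
import ntpath

# Default Userinit program for an XP install in C:\WINDOWS, as in the thread.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"

# Constructed sample values; "example-dropper.exe" is a hypothetical name.
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"
HIJACKED = r"C:\WINDOWS\system32\example-dropper.exe,"
APPENDED = r"c:\windows\system32\userinit.exe,C:\WINDOWS\Temp\example-dropper.exe"
# Files assumed to remain on disk after the scanner "fixed" its detections.
ON_DISK = [r"C:\WINDOWS\system32\userinit.exe"]


def _norm(path):
    """Case-insensitive, quote-free form of a Windows path for comparison."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def audit_userinit(value, existing_files, expected=EXPECTED):
    """Return (entry, finding) pairs for a raw Winlogon Userinit string.

    The value is a comma-separated list of programs run at logon; an entry
    whose file was deleted by a cleanup tool is reported as missing.
    """
    present = {_norm(p) for p in existing_files}
    entries = [e.strip() for e in (value or "").split(",") if e.strip()]
    findings = []
    if not any(_norm(e) == _norm(expected) for e in entries):
        findings.append((expected, "expected entry absent"))
    for entry in entries:
        if _norm(entry) != _norm(expected):
            findings.append((entry, "unexpected program"))
        if _norm(entry) not in present:
            findings.append((entry, "file missing on disk"))
    return findings


if __name__ == "__main__":
    for name, value in [("clean", CLEAN), ("hijacked", HIJACKED),
                        ("appended", APPENDED)]:
        print(name, audit_userinit(value, ON_DISK))
```

An entry reported as both unexpected and missing matches the situation in this thread: the value still names a program that the cleanup removed.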

#10 20bugsys


Posted 18 February 2010 - 10:16 AM

Since the last post, I retrieved the data. I used Ubuntu to access the HD and backed up the contents to an external drive. I am no longer concerned about the data. Maybe Ubuntu will help with the registry fix?

Edited by 20bugsys, 18 February 2010 - 10:41 AM.


#11 20bugsys


Posted 18 February 2010 - 10:58 AM

OK, Edit. I tried to run chkdsk c: /r again this morning and now it is working. It is 50% complete right now. I don't know why it didn't work last night.

#12 20bugsys


Posted 18 February 2010 - 12:23 PM

OK. Chkdsk ran and reported problems found and repaired, but the problem persists. I'm back to square one.

#13 flyingduck15


Posted 18 February 2010 - 12:31 PM

Hi, I'm not a senior member here but I've had this problem before.

What I did is copy the userinit.exe file from another healthy computer, put it on my USB, and plug it into my infected laptop. Then when my computer loads, just when it's on the blue welcome screen, I press alt + ctrl + delete or ctrl + shift + Esc to load the task manager.

That will give you about 2 minutes to do something.

In the task manager, I load the cmd process.

Then I do a copy like this: COPY X:\userinit C:\system32\userinit.exe.

If your fingers are fast enough, then you can also do the final task. Load regedit from task manager, and change the registry key as described above from the ???? to userinit.exe.

Hope this helps. (If there is no healthy laptop/computer near you, maybe you can get the userinit.exe file from your XP CD.) If not, I'm sure a moderator here will help you ASAP.

EDIT: I'm not sure if you need the full path of the registry key? If you need it I think I'll need to google it around, as I forgot the full path..

Edited by flyingduck15, 18 February 2010 - 12:32 PM.


#14 20bugsys


Posted 18 February 2010 - 01:03 PM

I do have the userinit file on my flash drive, but I'm not sure I understand the instructions.

#15 flyingduck15


Posted 18 February 2010 - 01:10 PM

Sorry, hope I can make it clearer.

My problem was something like this:
- Turn on laptop
- Laptop shows blue screen with 'welcome' written on it
- Laptop loads desktop wallpaper, but with no icons or the explorer
- Laptop loads login screen, and every time I click my user account to log in, it directly logs me off.

Is this the same as yours?



