
Login/logoff Loop (userinit Related) Caused by Malware


7 replies to this topic

#1 DeLuk


Posted 24 January 2008 - 07:20 AM

:) Ooops! Oh dear, I only just noticed the mistake in the topic title, "caused my malware" instead of "caused by malware" as I intended to write. I'm so very sorry for that! Is there any way for the title to be edited in order to correct the mistake? Thank you.

Greetings to the forum. :cool:

Our home PC is stuck in a login/logoff loop due to a malware infection (which modified the Userinit entry in the registry) and I've been directed here by Charles from the HJT Team for expert assistance with this issue. Thus thank you so much already for any and all help. :P

I'll paste next my original initial post at the HJT Forum. (I tried to cut out some possibly irrelevant details for the analysis of the problem here. I apologise, though, for it's still a rather longish post... As I apologise if there are still any possibly unimportant details still included. On the other hand, for any further details if needed, do please refer to my original initial post at the HJT Forum.)

A couple weeks back, I was to find our home PC (running XP SP2) infected with a banker trojan.

Symptoms of the banker trojan were:

A fake message being displayed (when the blue screen for the desktop loads but still before any icon has appeared) saying that Adobe FlashPlayer 9 ActiveX was being installed. The window message had a cancel button and an installation progress bar which however was static at less than half way through completion.

WinPatrol warning of unsrvc.exe attempting to set as a startup entry.

Sygate Firewall warning of unsrvc.exe attempting to connect to spectrum.iitalia.com (82.196.5.223) on port 80 / HTTP protocol.

(unsrvc.exe was located in C:\WINDOWS\system32\.)

I denied each warning at once, of course. Then again, note that, when denying unsrvc.exe to set as a startup entry via WinPatrol, that would cause that fake message window of FlashPlayer being installed to be closed. Also, still regarding this message window, I did never click its cancel button nor the [X] to close it, since I didn't know whether those might just have some twisted function and instead of cancelling/closing the message window, it might instead fire up some other unwanted/malicious process/action. So, just to be on the safer side, I always got that to close from the WinPatrol warning.

As every other time I was to deal with malware infections, so I started out with the preliminary cleaning. Cleaned out all temp files (with CCleaner) which at once deleted one of the malware files, flash_wizard.exe, which was stored among the temporary internet files.

Next ran Ad-Aware + SpyBot + AVG Anti-Spyware + SuperAntiSpyware, all in Safe Mode. (A note, to say that, as I booted to Safe Mode, even then the fake message window of FlashPlayer being installed appeared. I checked on Windows Task Manager, and unsrvc.exe was among the processes running. As I didn't want to risk closing the message window by hitting its cancel button or [X], so I chose to terminate the unsrvc.exe process via Task Manager. This indeed caused the message window to close.)

I rebooted back to Normal Mode afterwards. As none of those previous anti-spyware scans had however detected the banker trojan, unsrvc.exe, obviously the fake message window of FlashPlayer being installed still appeared, as so unsrvc.exe was still present as well, of course. When I first took notice of the infection, as per usual at once I submitted the suspicious files for analysis at virustotal.com, and by then, actually not many of the scanners detected unsrvc.exe. So I held on a couple days more, and then ran a new scan on the file. More scanners detected it now, including Panda, so I proceeded to run Panda's online ActiveScan. It found and disinfected 3 items, all of which it reported as being the same malware/infection: unsrvc.exe, install_flash_player.exe which was stored on My Documents (and which, as I had previously checked, also had the same creation/modification date/time as unsrvc.exe, though a different size, which I presume must have been the program which my brother initially ran and which got the trojan installed), and yet sysstr.sys on C:\WINDOWS\. So, after this cleaning by Panda, I went for a new reboot. My intention was to follow up with a couple other online antivirus scans (F-Secure and Kaspersky) to check if and what else might still be left, yet I thought of rebooting after this cleaning by Panda, also to run a new HJT scan, to check if the entries referring to unsrvc.exe were also already gone by now.

(There was, for sure, at least this entry: F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice. Can't say for sure whether there was also this other: O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice; sincerely I can't recall it, and then, after all the many similar logs I've gone through in my search for helpful hints over the forums, honestly I can't confirm it anymore, whether this entry was on my own HJT log or not, I'm sorry... Though I'm also in doubt about it, cos of WinPatrol; I mean, if denying unsrvc.exe attempt to set as a startup entry, is it possible that that entry in the registry would still be created nonetheless? Or does it all depend on whether WinPatrol detects that on time to prevent such entry from being created or not? Hmm, that wouldn't make WinPatrol all too efficient in such purpose, then, or?... This really has caused me some doubt, all of a sudden... Then again, I also am not certain whether C:\WINDOWS\system32\unsrvc.exe appeared as a running process on my HJT log, shamingly haven't taken notice of this detail... As I was saying above, I don't recall having confirmed it, in Task Manager, whether unsrvc.exe kept running after closing the fake message window for FlashPlayer via WinPatrol, thus I'm not certain whether the process would still be running when the HJT scan was ran... I'm also in doubt seen that Panda was able to delete the file; would it be possible that Panda had deleted unsrvc.exe in case it was a running process?)

Thing is, when rebooting after this cleaning by Panda, the computer got stuck in the login screen. (Note that, previously, it was not set for no login screen, it would enter Windows directly and load the desktop after the welcome screen.) And as attempting to login, it just automatically logged off again. It would only say "loading your personal definitions", show the blue background (as when it's about to load the desktop) for only a couple seconds, and then automatically logoff, saying "saving your personal definitions", and that was it. And this would happen even in Safe Mode. So, I'm just stuck in this login/logoff loop, and wondering of what step to take next?...

(After some research, I understand now that this is caused by UserInit currently being referred to C:\WINDOWS\system32\unsrvc.exe for login, instead of to C:\WINDOWS\system32\userinit.exe as it should, and as that file C:\WINDOWS\system32\unsrvc.exe isn't there anymore since Panda had it be deleted, so this causes the loop and the impossibility to login at all, correct? I wasn't at all aware of the importance on this UserInit detail, otherwise I wouldn't have dared to proceed with even the preliminary cleaning without asking for guidance from the start... Guess it goes to show that it may just not always be the most advisable, to start off with such preliminary cleaning on our own, to only then come for expert help at the forum... Also I always thought that any antimalware/antivirus scanner would also always "take care" of any related correction necessary to be made to the registry when removing malware, I always trusted this was how "things worked"?... Just painfully learned otherwise, so I see...)



And back to the start then, back to our home PC stuck in the login/logoff loop, (which is also my most main concern after all), what step must I take next, then, in order to solve this situation, I wonder?... When I was first faced with the situation, at once I panicked, as at once my thought was that this was certainly a "no return" situation, and so I thought that the only "solution" to such a case should inevitably be having to format C:\... Moreover, after some research for other cases of such trojan infection, the few pages found by the time also didn't sound too cheering (various other users had too come to the same login/logoff loop, and eventually ended up formatting; even a helper in a forum plainly replied to someone "if you can't start the system, then I see no other solution than to format")...

(At once, at this point, a doubt came up, and I wonder if it's ok to share it here?... Well, you see, this computer was bought second-hand and, while it has only one physical hard-drive, there were two "local disks" on My Computer, disk C:\ and disk F:\. I suppose then that those were two partitions in which the physical hard-drive must have been "divided" when it was prepared for installing the OS... correct?... I really am pretty much lay when it comes to the "computer's world", so I only hope I'm not actually saying nonsense words, sorry if I am... :trumpet: So, my doubt here was: in such a case that one would have to format the partition in which the OS is installed in order to re-install the OS afterwards, and in this specific case that partition being C:\; in such a case, when formatting C:\, would that cause also the contents of, in this specific case, F:\ to be erased/lost as well, or?... I do really wonder... From what I've been reading, from what I can understand, I believe the answer to my question is "no"; no contents of any other partition are erased/lost, other than those of the partition which is formatted... correct?... Yet, as I just ain't 100% certain, so I thought I'd take the chance to share the doubt here, in hope for a straight-forward "yes or no" answer... Or, isn't this actually a straight-forward "yes or no" answer kind of matter?... :inlove:)

By the time I also considered to choose to "reset" the system to the "last known good configuration" (from the startup menu one gets when hitting F8 on boot). But then, as every other case I had read about of other users who had the same infection and had also tried this option, seemingly that didn't work for anyone, so I dropped the thought myself too... (Also, as I've never tried this before, and wasn't quite even sure of whether that might do good or eventually wrong to "my case", I didn't feel all too confident to try it anyway... Should I still?...)

Thankfully though, as time passed on and more similar topics popped up around, I could learn that there may be a chance that formatting C:\ may not be so inevitable after all... (Fingers crossed here!) I came across a few "fix alternatives", as follows:

1) http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Suggested by the site admin on this other Internet Security dedicated forum is to use the boot CD available from the site above in order to be able to edit the registry and change the necessary value for Userinit. According to the instructions in that post, (also see the detailed walkthrough-guide on using this boot disk for instructions on each precedent step), upon loading the SOFTWARE part of the registry (which is the part including the Winlogon\Userinit key and thus the one needed to be loaded for editing) and "entering" the registry editor, one must write on the prompt >

cd Microsoft
cd Windows NT
cd CurrentVersion
cd Winlogon
ed Userinit

(I take it that these sequential "cd" commands is for changing from one key level to another in order to get us to the Winlogon key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, where there's Userinit which we want to edit, thus the "ed" for Userinit there, correct? My only doubt is regarding the "Windows NT" in there... cos of the space between "Windows" and "NT"... are spaces allowed in such command line prompts, or?...)

It is said that at this point the value for Userinit should be displayed, yet, since it's corrupted, nothing should appear. One should then just write:

userinit.exe

(Which I take it is for editing/changing the current value for Userinit, the malicious unsrvc.exe -runservice, for the necessary default userinit.exe, correct? I wonder, though, what should one do in the event that a value for Userinit is displayed initially, upon entering the command "ed Userinit" before?...)

And then follow the prompts, in order to save the changes, and reboot.

So I wonder, should this be a/the method to consider, or?... (It seems to be pretty much straight-forward... Anyone by chance "familiar" with this boot disk?...) Please advise.

---

2) http://thinkinginpixels.com/quick-fixes/fi...onlog-off-loop/

Instructions here are to apply the provided reg fix by using BartPE boot CD. Should this be a/the preferred method? (I'm not familiar with using BartPE boot CD either... Though I'm well aware that this is pretty much the "reference boot disk" for mostly everyone! Only "hesitation" for me here is that, for going for this, I would still have to create the XP CD slipstreamed with SP2, since the CD we have is of XP without SP2... Oh dear, I wonder only if I'm capable of doing this "procedure" successfully... :) Hmm, maybe it's just better to try to ask any friend who may have a XP CD including SP2 already, for lending it to us for this... Or, can't it be done with a borrowed CD?...)

---

3) http://www.winxptutor.com/wsaremove.htm

Down the page there's also reference to dealing with such a login/logoff loop. Instructions there do not refer specifically to the malicious file I'm dealing with myself, yet, assuming that those may be adapted to my case (don't know if they may at all, though?), would this also be a/the method to consider, or?... (Two doubts here. At once: seen that the computer runs XP SP2, can the XP CD be used for launching the Recovery Console? Or does it too have to be a XP CD with SP2?... And also: what about the Run key also referring to unsrvc.exe? What would happen then, if copying the file userinit.exe as unsrvc.exe, in this case that this Run key exists, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > "unsrvc"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice"? Would or might this cause any problem, or?...)

(Ed.: Reference to this is also found in the following Microsoft article: http://support.microsoft.com/kb/892893)

---

4) ERUNT

I do have ERUNT installed in our home PC. Don't actually have it set for making a backup on each boot, but, I do make backups regularly, so there should be a backup recent enough for restoring the registry to a state previous to the infection, in order to get those unsrvc.exe-related entries fixed and thus consequently the login/logoff loop as well (correct?). So, ERUNT being an option for me, should this be a/the preferred method after all? (Also never used ERUNT for restoring the registry before... :thumbsup: But heck, any time has to be the first, right? My doubt here is: the "Recovery Console method" is no valid option for my case, seen that, according to the ERUNT instructions, "Note that you can use this method only if you saved the registry backup inside the Windows folder, and that using this procedure only the system registry is restored.", and, while I do indeed have the registry backups saved inside the Windows folder as by default, the part of the registry which I need restored is the SOFTWARE part and not the SYSTEM one, and therefore the "Recovery Console method" just wouldn't do, in my case, correct? Thus the "BartPE method" is then the one I should go for, right? A doubt here too: seen that the SOFTWARE part of the registry is that we want fixed, would it then be ok/advisable to restore only that part of the registry, the SOFTWARE part? Or is it just best/advisable to simply restore the registry in full? One last general/basic doubt: if the registry is restored to a date previous to, for example, some legit program had been installed, then chances are that that program will afterwards be "broken"/not function, correct? I mean, hmm, I don't think that should be my case, as I don't think I have installed any program after the last registry backup, but still anyway... Thought of asking, just to know it, for reference for any future time...)


So, to sum it up:

After a preliminary cleaning, the home PC got "stuck" in login/logoff loop. What to do in order to "recover" it from such login/logoff loop (to then proceed with removing the remainder of the trojan infection)?

I do thank you in advance for all of your patience with my "case" (and with all of my questioning and doubts and sometimes perhaps even confusing explanation of things) as much as I truly appreciate all guidance/help you may please provide to hopefully solving it. :)

(And yet I do as well apologise for the rather long post, and all the many details included, some even perhaps useless, I don't know, but in any case I thought I'd detail it all the most I could, hoping that it may be of help, who knows, to any other users "googling" for helpful hints in any such similar case as mine... Thank you for your understanding, and again, patience, overall.)



Note: Per Charles' request, I have by now tried the "last known good configuration" boot option. Yet, as we were anticipating, it did not work in the end.

Also, by now, I've come to a couple more links which I wonder if may be of help too?...

How to edit the registry offline using BartPE boot CD > http://windowsxp.mvps.org/peboot.htm

Ultimate Boot CD for Windows > http://www.ubcd4win.com (referred in this BC post)

How to start the System Restore tool at a command prompt in Windows XP > http://support.microsoft.com/kb/304449 (referred in this BC post)

In short words: I'm somewhat lost, as to what to do, and what should be best to do. :flowers: I so would most appreciate your advising on what should be the following step to try. What way would you recommend be best (and possibly/hopefully easiest) to try to recover from this login/logoff loop situation? Would you recommend that I'd go for any of those solution options as referred in my initial post? Or would you actually recommend yet any other alternative procedure? I'd truly very much appreciate your guidance with regards to this matter, thank you so much, once more. :)

P.S. Just to add that this is no brand computer (I mean, it's not an HP or Compaq or Dell etc). (Reading other threads, I see that this is usually something which you ask at once, so I thought I'd mention it.) Also, if there's any further detail needed about the computer, which I can provide?...

Edited by DeLuk, 24 January 2008 - 07:26 AM.




#2 hamluis


Posted 24 January 2008 - 07:52 AM

Once you've posted a HJT log, you should not take any advice from anyone other than the person handling your log or someone else in that forum.

You should go back and read all the rules/suggestions applicable to posting a HJT log...and follow such.

Louis

Ooops...ignore, I missed the key line about being directed here. So much for speed reading a lengthy post :thumbsup:.

Edited by hamluis, 24 January 2008 - 07:59 AM.


#3 usasma


Posted 24 January 2008 - 07:52 AM

I fixed the title of your post.

As for your issue, I'd suspect that the easiest fix would be to do a repair installation of Windows XP by using your XP installation CD. This will leave your programs and data intact.

If you have Internet Explorer 7 installed, you must remove it according to these directions before starting the repair install: http://www.bleepingcomputer.com/forums/ind...mp;#entry692141

Then use these instructions for the repair install: http://www.michaelstevenstech.com/XPrepairinstall.htm
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#4 DeLuk


Posted 25 January 2008 - 10:04 AM

Ooops...ignore, I missed the key line about being directed here. So much for speed reading a lengthy post.


No prob. :thumbsup:

@ usasma: Thanks for fixing the topic title. Also thanks so much for your reply and directions. :cool:

I had actually been through reading also about Windows XP repair installation before: http://www.freerepublic.com/focus/f-chat/1664082/posts (as it is also referred in that BC post by quietman7 which I had mentioned in my previous post).

(And while the whole lot of instructions for this sounds to be somewhat complex causing me some scare from the start) I'm though afraid that possibly this may not be an option for me in the end. As I was saying above, this computer was bought second-hand, and regrettably the previous owner did not include the respective XP CD along "in the package". :flowers: The most I can is just really to borrow a XP CD from some friend... And, from what I could understand from reading the instructions, so I wouldn't be able to complete the repair installation then, while missing the XP CD used in the original installation (thus, the corresponding product key), correct?

In any case, since what is needed to be fixed is that one entry in the registry, I wonder whether there wouldn't be an alternative procedure (eventually even preferable, in the sense of not doing so many go-back-changes to the system, and which would permit to only fix that registry entry) to such a repair installation of Windows?...

In fact, from the start I have been inclined to try that second solution I referred in my initial post: http://thinkinginpixels.com/quick-fixes/fi...onlog-off-loop/ (Guess I'm just too afraid to go ahead "alone on my own", so to speak... :) Would this be a solution you guys would recommend at all, or?... It does sound to be a "spot on" solution for my case...)

Or eventually even try that first solution, using the referred boot disk to that way offline editing the required registry entry: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html (This does seem, in the end, to be the easiest boot disk to make... Again, it's just that I'm afraid, afraid to run into any unexpected event and then to not know how to get out of it... :trumpet: Not that, while not being familiar with it, not that I'm afraid to use such a command line "environment". So long that I'm guided step-by-step... As said before, some doubts do remain for me, regarding some of the steps, if I was to try this...)

Then again, as I mentioned in my previous post, Amazing Andrew here also refers to using the Ultimate Boot CD for Windows: http://www.ubcd4win.com (instead of the above mentioned command line boot disk) for having offline access to the registry and being able to edit any such required entry. Should I eventually preferably opt for this boot disk, then (since while providing a GUI makes it easier to operate with)?...

Though, speaking of the alternative to have a boot disk with a GUI, and as I also mentioned in my initial post, I came across also the option to use BartPE's boot CD, in order to edit the registry offline: http://windowsxp.mvps.org/peboot.htm (Thus, again I wonder, what to opt for?... Should by any chance any of these two boot CD's with a GUI, BartPE's and the above mentioned Ultimate Boot CD for Windows, be preferred over the other, for any reason at all, or?...)

Sorry for all the hesitation... :inlove:

And thanks so much, once more, for your guidance, as much as for all of your time and patience. :P

P.S. @ usasma: On a side note, and if I may and you allow me, I would even dare to humbly say "congratulations" to you, for your recent promotion to Moderator of BC! :) While not being much of an active user, in what comes to writing in the forum (too much a layman with too many doubts and too little knowledge :)), I do many times come here for reading/learning, searching for helpful info and tips on all sorts of subjects, and not rarely do I run into so much helpful posts by you. For this I too take the chance to saying thank you, for your continued efforts in contributing to the community and sharing your valuable knowledge with all of us, and thus, again, congratulations, in being promoted to Moderator. :)

Edited by DeLuk, 25 January 2008 - 10:08 AM.


#5 hamluis


Posted 25 January 2008 - 10:34 AM

You can borrow an identical (XP Home for XP Home, XP Pro for XP Pro) CD for the O/S...or you can simply have someone burn you one.

The key (no pun intended) is the Windows key, not the media on which the files are stored. The key is the control for protecting MS rights.

You can observe the key to the system by using SIW System Information for Windows - http://www.gtopala.com/ , a tool which will reveal more info about your system than you ever wanted to know :thumbsup:.

The XP key can be found by clicking on the Licenses sub-heading.

One thing: To do a repair install of XP that is updated through SP2, you must use a CD that includes SP2 (no earlier disk will work). If you cannot find one with SP2, there are ways of making what are called "slipstreamed" CDs which are simply earlier CD contents updated to include SP2.

Louis

#6 DeLuk


Posted 02 February 2008 - 09:56 AM

Thanks, Louis, for further reply. :P

Certainly, I know that "The key (no pun intended) is the Windows key, not the media on which the files are stored. The key is the control for protecting MS rights.", yes I know. :) Since I had never previously retrieved the key to the installation on this computer, though, and now it wasn't booting, I thought that, as not having the key then (as I didn't even have the respective original CD set to check it there), thus that would make it impossible to go for such a repair install...

I do wonder, though, you mention "SIW System Information for Windows" for retrieving the key to the system. Thanks for the tip and link, by the way, that surely sounds as a most useful tool (and surely to serve as reference for future occasions), yes indeed! :) But so, I wonder, would it be possible (and how?) to retrieve the key, even in such a case when Windows doesn't boot?... :inlove: Hmm, what, by including it in a boot CD such as for example BartPE, and running it from there, something like this, or?... Just wondering now...

In any case, as I was saying above, as I didn't feel all too confident on my own to go ahead with such a repair install, and seen as also the one thing needed to be fixed (to revert from the login/logoff loop so Windows would boot again) was that one Winlogon\Userinit entry in the registry, so I opted for an alternative way (which I felt more comfortable with in the end).

I built myself an "Ultimate Boot CD for Windows" (as referred in my previous posts), booted from it, and so I manually edited the required entry in the registry via remote regedit (i.e. changed the value for Userinit under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from the malicious C:\WINDOWS\system32\unsrvc.exe -runservice to the correct default value C:\WINDOWS\system32\userinit.exe,). Rebooted back and everything is now ok (login/logoff loop solved). :) (I'll now only have to go back to the HJT Forum to check whether there are any remainders of the infection left which still need to be taken care of. :cool:)

Nonetheless, all in all, thank you so much once more, to you both, usasma and Louis, for your input and all helpful hints and links; most appreciated! :trumpet:

And then again, even though not really "on topic", I wonder if I may still take the chance to share just this one other lil' previous doubt with you guys here?... Here goes then:

At once, at this point, a doubt came up, and I wonder if it's ok to share it here?... Well, you see, this computer was bought second-hand and, while it has only one physical hard-drive, there were two "local disks" on My Computer, disk C:\ and disk F:\. I suppose then that those were two partitions in which the physical hard-drive must have been "divided" when it was prepared for installing the OS... correct?... I really am pretty much lay when it comes to the "computer's world", so I only hope I'm not actually saying nonsense words, sorry if I am... :) So, my doubt here was: in such a case that one would have to format the partition in which the OS is installed in order to re-install the OS afterwards, and in this specific case that partition being C:\; in such a case, when formatting C:\, would that cause also the contents of, in this specific case, F:\ to be erased/lost as well, or?... I do really wonder... From what I've been reading, from what I can understand, I believe the answer to my question is "no"; no contents of any other partition are erased/lost, other than those of the partition which is formatted... correct?... Yet, as I just ain't 100% certain, so I thought I'd take the chance to share the doubt here, in hope for a straight-forward "yes or no" answer... Or, isn't this actually a straight-forward "yes or no" answer kind of matter?... :thumbsup:


And thanks again, for your time and patience... :flowers:
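Added example (not part of the original thread, and not code from any tool mentioned in it): a Python triage of the Winlogon Userinit value that posts #1 and #6 describe, run over a constructed HijackThis excerpt built from the two entries quoted in post #1. The function names, verdict labels and file lists are assumptions made for illustration; the "logon-loop" verdict encodes the behaviour reported in this thread.

```python
import ntpath
import re

# Executable Userinit should point at, as restored in post #6.
# (The stored value may carry a trailing comma; the parser below tolerates it.)
DEFAULT_EXE = r"C:\WINDOWS\system32\userinit.exe"

# Constructed HijackThis excerpt, built from the two entries quoted in post #1.
SAMPLE_HJT = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice
O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice
"""

F2_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I | re.M)
O4_LINE = re.compile(r"^O4 - \w+\\\.\.\\Run: \[(.+?)\] (.*)$", re.I | re.M)
EXE = re.compile(r'^"?(.+?\.exe)"?(?:\s+(.*))?$', re.I)


def norm(path):
    """Case-insensitive, separator-normalised Windows path for comparisons."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def split_command(command):
    """Split 'C:\\x\\y.exe -arg' into (normalised exe path, argument string)."""
    m = EXE.match(command.strip())
    if m:
        return norm(m.group(1)), m.group(2) or ""
    return norm(command), ""


def split_userinit(value):
    """Userinit is a comma-separated list of commands; empty items are skipped."""
    return [split_command(p) for p in value.split(",") if p.strip()]


def userinit_from_hjt(log_text):
    """Return the Userinit value reported on the F2 line, or None if absent."""
    m = F2_LINE.search(log_text)
    return m.group(1).strip() if m else None


def run_entries_for(log_text, exe_name):
    """Names of O4 Run entries that start the given executable."""
    wanted = exe_name.lower()
    return [name for name, cmd in O4_LINE.findall(log_text)
            if ntpath.basename(split_command(cmd)[0]) == wanted]


def assess(value, files_on_disk):
    """Classify a Userinit value against the files present on the volume.

    ok         : only userinit.exe is listed and it exists
    hijacked   : userinit.exe still runs, but another program was added
    replaced   : userinit.exe is no longer listed; the listed file exists,
                 so deleting it before restoring the value breaks logon
    logon-loop : nothing listed can start the session (the state after the
                 scanner removed unsrvc.exe in post #1); an empty value is
                 treated the same way (assumption)
    """
    present = {norm(f) for f in files_on_disk}
    default = norm(DEFAULT_EXE)
    entries = [exe for exe, _ in split_userinit(value)]
    unexpected = [e for e in entries if e != default]
    missing = [e for e in entries if e not in present]
    default_runs = default in entries and default in present
    if default_runs and not unexpected:
        verdict = "ok"
    elif default_runs:
        verdict = "hijacked"
    elif entries and not missing:
        verdict = "replaced"
    else:
        verdict = "logon-loop"
    return {"verdict": verdict, "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    value = userinit_from_hjt(SAMPLE_HJT)
    malware = r"C:\WINDOWS\system32\unsrvc.exe"
    # Constructed file lists: before and after the scanner deleted the file.
    print("before cleaning:", assess(value, [DEFAULT_EXE, malware]))
    print("after cleaning: ", assess(value, [DEFAULT_EXE]))
    print("after the fix:  ", assess(DEFAULT_EXE + ",", [DEFAULT_EXE]))
    print("Run entries to remove as well:", run_entries_for(SAMPLE_HJT, "unsrvc.exe"))
```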

#7 usasma


Posted 02 February 2008 - 10:06 AM

Interesting series of posts here. The unsrvc.exe malware dumps stuff in many different places on the system - so congratulations on finding the correct entry to fix your issue!

Hard drives can be partitioned into different drives - so you can have a single hard drive with a C: and an F: on it - or you can have a hard drive with a C: on it, and another hard drive with an F: on it.

To reinstall the OS, you can either format the drive yourself, let Windows do it for you, or you can simply reinstall Windows over itself (what a repair installation does).

When doing so, if your OS is installed on the C: drive - then the F: drive will be left alone and will retain all of its information.

#8 DeLuk


Posted 04 February 2008 - 07:12 AM

Ok, thanks usasma, for clarifying that for me. :thumbsup:



