
What Was I Thinking?!


8 replies to this topic

#1 bumstead

bumstead

  • Members
  • 5 posts

Posted 19 February 2008 - 09:48 PM

Before I tell the long story leading up to this and complicate things, maybe someone has a simple solution. I found some other similar posts here, but no solution for me.

Against better judgement I let M$ online scanner scan my system:

no viruses or spyware
454 registry items to clean
two drives need defrag

I'm always real chicken to let anything mess with the registry, but I googled and read of several people who let it "fix" hundreds of items, the only complaint being it tended to fix all but one (for some reason or another?).

D/L'd and ran erunt and did a backup, I think--never used before so don't know how it should act--backed up system reg and current user reg, and it took only about 3 seconds.

So, I let the scanner rip, and it said it cleaned 453 items with 1 error and 0 skipped by user, and cleaned out some temp files.

Rebooted
Windows welcome
logged on with admin pw
"loading your personal settings"
"saving your personal settings"
"logging off"
back pops the welcome screen

Several attempts, same result. Reboot > safe mode = same result (several tries)

booted to safe mode
last known good...
same result

Used a somewhat flawed BartPE and got to Explorer and located what appears to be the erunt backups. And the boot disk has the Windows check disk utility, if that could help. Before I do anything else, I'd really appreciate if some expert here has a trick to getting me back into Windows--hoping for something simple before resorting to more drastic measures.


Thanks for your help.

XP Pro SP2 almost fully updated

Note: I don't have a MS Windows CD, just the OEM disk was provided and I haven't located it yet. If that is the only solution, it will depend on me finding the disk. I hope it's not!

Edited by bumstead, 19 February 2008 - 11:25 PM.



#2 bicycle bill

bicycle bill

  • Banned
  • 339 posts
  • Gender:Male

Posted 20 February 2008 - 07:21 PM

Is this the file you found for Erunt backups?

C:\WINDOWS\ERDNT\AutoBackup. That is where they are on my PC. If you find your backup click it and you should see this. Click the one I have circled.


Edited by bicycle bill, 20 February 2008 - 07:35 PM.


#3 bumstead

bumstead
  • Topic Starter

  • Members
  • 5 posts

Posted 20 February 2008 - 08:17 PM

Thanks for your reply, bicycle bill. Yes, I have all those files in C:\Windows\ERDNT\2-19-2008, plus subfolders:

...\2-19-2008\users\00000001\ntuser.dat, and ...\00000002\usrclass.dat - which are my current user registry, I believe.

I know ERDNT.EXE is supposed to restore the registry, but, as I said, I'm a big chicken when it comes to programs that work on the registry (I've had them render my computer useless) and have no experience with ERUNT. I was hoping there might be some simpler way around my obstacle.

The question I should be asking is whether the registry is likely the problem and restoring it the solution. If questionable, are there other benign things to try first? What is your advice?

Thanks for your time.

Edited by bumstead, 20 February 2008 - 08:54 PM.


#4 bicycle bill

bicycle bill

  • Banned
  • 339 posts
  • Gender:Male

Posted 20 February 2008 - 08:59 PM

Well I am not a geek by any stretch of the imagination but I don't see why trying Erdnt restore would cause more problems than you have now. It is up to you. Maybe someone with a better suggestion will chime in. I have used Erunt with no problem several times. If you see the icon I circled it will restore the backup.

Edited by bicycle bill, 20 February 2008 - 10:11 PM.


#5 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,077 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 21 February 2008 - 08:04 AM

I'd suggest using the ERUNT restore - but Bicycle Bill is probably more familiar with it than I am (haven't used it in a couple of years).
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#6 lowtek_otc

lowtek_otc

  • Members
  • 280 posts

Posted 21 February 2008 - 10:57 AM

Follow These Instructions EXACTLY

This has worked for me in the past to resolve a logon/logoff loop.

http://thinkinginpixels.com/quick-fixes/fi...-onlog-off-loop

#7 bumstead

bumstead
  • Topic Starter

  • Members
  • 5 posts

Posted 22 February 2008 - 11:08 AM

bicycle bill and USASMA: I may well have to run ERUNT. Thanks for the encouragement. I feel more comfortable that others can attest to its functioning.

First, though, I think I'll follow lowtek_otc's suggestion and try the runscanner plugin. I already have all the BartPE downloads and slipstreamed SP2 on my wife's computer. I can copy them over the network to this notebook, add the runscanner plugin and burn a new boot disk. If that doesn't get me into my desktop, I can fall back on ERUNT to restore the whole registry.

It will be next week before I'll be able to get back to this project (the honey-do list for the weekend, you know), but will post back with the outcome either way. Thanks again to all. Meanwhile, if anyone else wants to add their 2 cents, please do.

bumstead

#8 bumstead

bumstead
  • Topic Starter

  • Members
  • 5 posts

Posted 24 February 2008 - 09:48 PM

Thanks, lowtek_otc, I owe you 1! :thumbsup:

I followed that procedure and it worked! I noticed in Dan Fischbach's instructions he mentioned a potential issue with userinit.exe (although the "normal instructions" did work for me). After getting back into Windows, WinPatrol popped up with some message (don't recall what now), and it led to more information about an issue with userinit. One link led to MS KB555648, which described a problem with "Windows log on and log off immediately." It gave a solution involving editing the registry values for shell and userinit. It was indicated the problem applied only to Windows Server 2003 and Windows 2000, so I don't know if exactly the same solution would apply to this issue in XP, but I'm wondering if runscanner and FixLogOnOffLoop just make those registry fixes.

In any event, I post this info for the possible use by others who are looking for answers. To those who have never built a BartPE, the process may look daunting, and they may want to research the logon, logoff issue to see if those manual registry changes would work for XP. Of course, it would only work if you had network access to the locked up XP computer (following the KB's instructions for regedit over the network.)

Note: the BartPE procedure and adding this FixLogOnOffLoop plugin is really not all that difficult, if you just take your time and follow the instructions step-by-step.

#9 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,077 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 26 February 2008 - 02:30 PM

The only major difference between the registry file used in the Bart PE method and the Microsoft KB is that the Microsoft article also has you validate the Shell= entry.

This is solely dependent upon how/what the malware changes - if it only changes userinit, then that's all that needs to be fixed; should it change the shell, then that would need to be fixed also.
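
A check of the two Winlogon values discussed in the last posts, added here as an example and not part of the thread, the KB article or the FixLogOnOffLoop plugin: it parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and reports where Userinit or Shell differ from the stock values. The function names, the default system root `C:\WINDOWS` and both sample outputs are assumptions constructed for illustration.

```python
import ntpath
import re

# Matches one value line of `reg query` output: name, type, data
# (tab-separated on XP, space-padded on later Windows versions).
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+REG_\w+\s*(?P<data>.*)$")

def parse_reg_query(text):
    """Return {lowercased value name: data} for every value line in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name").lower()] = m.group("data").strip()
    return values

def audit_winlogon(text, system_root=r"C:\WINDOWS"):
    """List deviations of Userinit and Shell from the stock Windows values."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    values = parse_reg_query(text)
    findings = []
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value is missing")
    else:
        # Userinit is a comma-separated list; the default is one entry plus a trailing comma.
        entries = [ntpath.normcase(e.strip().strip('"')) for e in userinit.split(",") if e.strip()]
        if expected not in entries:
            findings.append(f"Userinit does not start {expected}: {userinit!r}")
        extras = [e for e in entries if e != expected]
        if extras:
            findings.append(f"Userinit lists other programs: {extras}")
    shell = values.get("shell")
    if shell is None:
        findings.append("Shell value is missing")
    elif shell.lower() != "explorer.exe":
        findings.append(f"Shell differs from the default Explorer.exe: {shell!r}")
    return findings

KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
# Constructed sample outputs, not taken from the thread.
CLEAN = KEY + "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,\n    Shell\tREG_SZ\tExplorer.exe\n"
# Userinit left pointing at a file that no longer exists (placeholder name), Shell untouched.
BROKEN = KEY + "    Userinit    REG_SZ    C:\\WINDOWS\\system32\\removed-file.exe,\n    Shell    REG_SZ    Explorer.exe\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("broken", BROKEN)):
        print(label, audit_winlogon(sample) or "OK")
```

When the hive is examined offline from a rescue disk, pass the installed system's own root as `system_root`, since the stored Userinit path refers to the drive letter Windows sees when it boots normally.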



