
Computer keeps rebooting


7 replies to this topic

#1 FranTic64

FranTic64

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina
  • Local time:04:30 PM

Posted 19 August 2010 - 07:04 AM

I'm helping a friend get rid of viruses on her computer and now it's worse than when I started!
The computer is an HP Pavilion 734n with Windows XP. It has a CD drive (ROM) and a floppy. I'm not sure if SP3 has been applied or not.
I found and cleaned Antivir2010, Koobface and TDSS on the computer using Malwarebytes Anti-malware. I was still receiving errors so I edited the registry...I know, dumb idea. I did back it up first though. Now the computer keeps rebooting. It gets all the way to the desktop, stays there for a few seconds, then reboots. During the reboot it doesn't respond to F1, F10 or F8 to boot into safe mode. I've put a bootable disk in the CD drive and it ignores it.

Because the computer doesn't have a rewritable drive I couldn't back up to CD, and I didn't want to risk getting her viruses on my computer by backing it up to my USB drive. The main thing I'm concerned about is getting her outlook express data and wordperfect docs off the drive.

What can I do to get it to boot and/or get the Outlook Express files off of there?

Thanks,
Fran



#2 Joe C

Joe C

  • Members
  • 774 posts
  • OFFLINE
  • Local time:05:30 PM

Posted 19 August 2010 - 08:10 AM


You can try this to see if you can get it to boot up

Boot from a Windows XP CD
Select "R" for Repair
Select "1" for your Windows operating system
At the C:\WINDOWS prompt, type CD SYSTEM32 and press Enter
Then type COPY USERINIT.EXE WINLOGON32.EXE and press Enter
If you get the 1 FILE COPIED, then type EXIT and reboot your system.
You should now be able to log in.

If you got a message stating that the file is not recognised or missing, do the following:

Type D: and press Enter - assuming D: is the letter for your CDROM drive. If not, put in the drive letter for your CDROM.
Type CD I386 and press Enter (that is the letter I and 386)
Then type EXPAND USERINIT.EX_ C: and press Enter
Type C: and press enter

You should now be back at C:\WINDOWS\SYSTEM32
Type COPY USERINIT.EXE WINLOGON32.EXE and press Enter
You should get 1 FILE COPIED.
Type EXIT and reboot system.

Now you should be able to log back into Windows XP.



Method #2:
Boot using your winxp cd.
Enter recovery console.
at the command prompt go to

C:/windows/system32

next type:
Dir *.exe

If you find it, type

copy userinit.exe wsaupdater.exe

Exit and reboot normally. You should now be able to logon.

Run regedit

Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right pane, you should see

C:\WINDOWS\System32\wsaupdater.exe,

Change it so that it reads:

C:\WINDOWS\System32\userinit.exe,

That should solve the problem, if the malware was the one that caused the issue.





Another Method:

either copy boot.ini from another computer copy over boot.ini on infected computer via copy command

or copy boot.ini from the recovery disc... copy d:boot.ini c:


After you log on to XP go to your registry ( regedit from run)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look in the right pane for a value under name called Userinit. The value
should read:

C:\WINDOWS\system32\userinit.exe,

Including the trailing comma. If it reads anything other than the above,
double click
the Userinit value and change it to the value above.


Personally I have tried the Barts CD to repair the registry on a virus infected pc and often it will give you an error that the file is locked and will prevent you from making any changes. I will post this anyway for future reference


Scenario - Incorrect registry value preventing you from logging on to your user account in Windows XP ?

In this example, a basic BartPE CD without any Plugins, has been used for illustration purposes. You may add as many Plugins as you want, depending upon your needs.
Verifying and fixing the Userinit value in the registry

If your PC is a victim of the Malware discussed in this article, and unable to login to your profile, then you'll need to fix the registry as discussed there. As you're unable to login, registry modification can only be done from a remote system, or via offline registry editing. This article discusses offline registry editing.

1. Insert the BartPE CD into the drive, and boot the system from the CD. Once the file loading phase is over, the Bart PE desktop will be visible, as shown in Figure 1.
2. Type Regedit.exe in the prompt, and press Enter. Select the HKEY_USERS hive
3. From the File menu, choose the Load Hive option. Browse to your Windows installation drive, for example the following location:

C:\Windows\System32\Config\

4. Select the file named SOFTWARE (the file without any extensions), and click Open
5. Type a name for the hive that you've loaded now. (Example: MyXPHive)
6. Now the SOFTWARE hive is loaded, and present under the HKEY_USERS base hive.
7. In order to fix the Userinit value in the loaded hive, navigate to the following location:

HKEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon

8. Double-click Userinit and set its value correctly. Example: Set its data as follows:

C:\Windows\System32\Userinit.exe,

(Include the trailing comma also. The above assumes that Windows is installed in C:\Windows, and Userinit.exe file is actually present in the System32 folder. You may want to verify that as well.)

9. After entering the correct data, you MUST unload the Hive. To do so, select MyXPHive branch, and then in the File menu, choose Unload Hive. It's important to note that you'll need to select the MyXPHive branch first, before unloading it.
10. Quit BartPE and restart Windows. See if you're able to logon to your profile
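The offline-hive procedure above boils down to one check: the Winlogon Userinit value must name exactly one program, userinit.exe in System32, with the trailing comma, and that file must actually exist. The following PowerShell function is an added example (not code from this thread or any of its posters) that performs that check read-only against an offline SOFTWARE hive, for the case where the infected disk has been attached to a known-good Windows machine with PowerShell. It assumes the offline installation is reachable at the path given in -WindowsRoot (for example E:\Windows), that the prompt is elevated (reg.exe load requires it), and that the hive name OfflineSoftware is not already in use; the helper name Test-OfflineUserinit is my own.

```powershell
# Added example, not from the thread: read-only check of the Winlogon Userinit
# value in an OFFLINE SOFTWARE hive. Run from an elevated PowerShell prompt on a
# clean machine with the infected disk attached (assumed mounted as E:).

function Test-OfflineUserinit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$WindowsRoot,   # e.g. 'E:\Windows' (assumption)
        [string]$HiveName = 'OfflineSoftware'          # temporary key name under HKLM
    )

    $hiveFile = Join-Path $WindowsRoot 'System32\Config\SOFTWARE'
    if (-not (Test-Path -LiteralPath $hiveFile)) {
        throw "SOFTWARE hive not found at $hiveFile"
    }

    # The registry provider cannot load a hive file by itself; reg.exe does that part.
    & reg.exe load "HKLM\$HiveName" $hiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe load failed: run elevated, and make sure the offline OS is not in use"
    }

    try {
        $winlogon = "HKLM:\$HiveName\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $userinit = [string](Get-ItemProperty -LiteralPath $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
        $findings = New-Object System.Collections.Generic.List[string]

        if ([string]::IsNullOrWhiteSpace($userinit)) {
            $findings.Add('Userinit value is missing or empty')
        }
        else {
            if (-not $userinit.EndsWith(',')) {
                $findings.Add('Userinit is missing the trailing comma')
            }
            # The value is a comma-separated list and Windows runs every entry at
            # logon, so anything besides userinit.exe deserves a close look.
            $entries = @($userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($entries.Count -ne 1) {
                $findings.Add("Userinit lists $($entries.Count) programs; expected exactly one")
            }
            foreach ($entry in $entries) {
                # The drive letter is whatever the infected OS used, so only the
                # rest of the path is compared (PowerShell -match is case-insensitive).
                if ($entry -notmatch '^[A-Za-z]:\\Windows\\System32\\userinit\.exe$') {
                    $findings.Add("Unexpected Userinit entry: $entry")
                }
            }
        }

        # A correct value is useless if the file it names is gone from the offline install.
        $userinitExe = Join-Path $WindowsRoot 'System32\userinit.exe'
        if (-not (Test-Path -LiteralPath $userinitExe)) {
            $findings.Add("userinit.exe not present at $userinitExe")
        }

        [pscustomobject]@{
            HiveFile      = $hiveFile
            Userinit      = $userinit
            ExpectedValue = 'C:\WINDOWS\system32\userinit.exe,'
            Findings      = $findings.ToArray()
            Healthy       = ($findings.Count -eq 0)
        }
    }
    finally {
        # Always unload; a hive left loaded stays locked and the offline OS
        # cannot use it on its next boot.
        & reg.exe unload "HKLM\$HiveName" | Out-Null
    }
}

# Usage (offline disk mounted as E:):
# Test-OfflineUserinit -WindowsRoot 'E:\Windows' | Format-List
```

The function only reports; fixing the value is still the manual edit described in the post, which keeps the decision about what the value should be with the person looking at the machine. Because the hive is unloaded in a finally block, an exception in the middle of the check does not leave the offline registry locked.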

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 55,247 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:30 PM

Posted 19 August 2010 - 09:52 AM

Well...moving the .dbx files is rather easy.

Attach the hard drive to a known good, protected system...and either move the email store to CD or a drive/partition on the system.

Inside Outlook Express - Files and Settings - The OE Store Folder - http://www.insideoe.com/files/store.htm

Be sure to move the entire store, not just individual files or folders.

Louis

#4 FranTic64

FranTic64
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina
  • Local time:04:30 PM

Posted 20 August 2010 - 06:29 AM

Thank you both for all of the suggestions. I'm going to work on it today and see what happens.

Fran

#5 FranTic64

FranTic64
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina
  • Local time:04:30 PM

Posted 20 August 2010 - 12:25 PM

JoeC - The problem wasn't with the userid, it was spontaneously rebooting. I could log in, but then after it loaded a couple of items in startup it shutdown and restarted.

I finally got it to boot with a CD, ran the recovery console, bootcfg /rebuild and fixboot. Still keeps rebooting by itself. Tried to run the HP recovery and it gets most of the way thru before I get a blue screen that says the process was stopped to keep from damaging my hardware.

I'm completely stuck. I have backed up all of the data to another drive.

When it gets to the Windows XP splash screen the moving rectangles underneath are green, not blue...is this a sign that the virus is still affecting it?

I don't know what to do next.

Thanks for all of your help.

#6 hamluis

hamluis

    Moderator


  • Moderator
  • 55,247 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:04:30 PM

Posted 20 August 2010 - 01:55 PM

If you think it's a malware problem...I suggest treating it as such.

I will report it as an unbootable system (due to possible malware) and ask one of our Malware Team to take a look at this thread. They deal with situations like this with more knowledge and experience than most.

Louis

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:30 AM

Posted 22 August 2010 - 03:51 AM

Hi FranTic64,

It sounds like things are really messed up here. In order to have a closer look, please follow the steps below. I will move the topic to a more appropriate forum. Let's hope things will be fixed soon.


Let's try to boot your computer using the Ultimate Boot CD for Windows (UBCD4win).

Please print this guide for future reference!

You will need a blank CD, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. If you were unable to create the UBCD4win, please tell me what error messages you got and/or what steps you got hung up on.

1. Download and Run Ultimate Boot CD for Windows
  • Save it to your Desktop.
  • Double-Click on the UBCD4Win.EXE that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
    NOTES:
    • Do not install to a folder with spaces in its name.
    • Your Anti-Virus may report viruses or trojans when you extract UBCD4Win, these are "False-Positives." Read HERE for information regarding the files that normally trigger AV software.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on UBCD4WinBuilder.exe located in your C:\ubcd4win folder.
  • Click "I agree" to the Builders License.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output: (C:\ubcd4win\BartPE)
        • Keep the default BartPE
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD


        Please note: If your XP install disc is SP1 then please .....
        1. Disable- DComLaunch Service
        2. Enable- LargeIDE Fix

          This can be done by pressing the "Plugin" button and checking or unchecking the appropriate selections

      Also note: If you have a Dell XP install disc you will need to follow the instructions here
      http://www.ubcd4win.com/faq.htm#dell

3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit

4. Burn your ISO file to CD
  • Please see HERE on how to burn an ISO to CD.

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the UBCD4Win Disc That You Have Created
  • Insert the UBCD4Win disc into one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the UBCD4Win CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • In the window that pops up select Launch The Ultimate Boot CD For Windows and press Enter.
    • It may take a little longer for the Desktop to appear than it does when you start your computer normally. Just let the process run itself until the desktop appears.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on Yes if you want to use the PE environment to get online, post your log and reply by way of an Ethernet connection.
  • You should now have a desktop that looks like this:

==========

Single click My computer from your UBCD4W desktop to navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All

  • Copy and Paste the following code into the textbox. Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT
  • Push
  • A report will open. Save that log to your flash drive. Copy and Paste that report in your next reply.

=========

With your next post please provide:

* OTLPE.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,820 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:30 AM

Posted 30 August 2010 - 08:10 AM

Due to lack of feedback, this topic will now be closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise
