
Logon Issues


  • This topic is locked
68 replies to this topic

#1 redcat145

redcat145

  • Members
  • 35 posts
  • OFFLINE
  • Local time:03:01 PM

Posted 03 June 2011 - 06:04 AM

Have Windows Vista Home Premium SP2 installed on my home PC. Tuesday morning woke up to find system had rebooted. Anti-virus (Malwarebytes the full paid-for edition) was apparently defeated. The “Protection Mode” is now “off” and cannot be turned “on”. Subsequent scans with Malwarebytes and MS-Security Essentials find no viruses. rkill does not seem to find any issues as the log is blank.

Current problem is when logging in, the system logs me out when in non-Admin account. In Admin, the system just hangs with a black screen after password is entered. Not a password issue per se because if I type in the wrong password, it gives me the standard wrong password warning. Even new accounts without passwords are being logged off when selected.

Interestingly, when I boot up in safe mode, I can log onto my Admin Account, but still have the same issue with non-Admin accounts. Unfortunately in Safe mode many of the other Windows diagnostics as well as Explorer don’t seem to work. I will also get a logon.scr error dialogue box occasionally.

Finally, seems my files are all there, just can’t get the system to boot normally and log on.


#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:01 AM

Posted 04 June 2011 - 02:25 AM

Hello and welcome to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,204 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:01 PM

Posted 05 June 2011 - 02:17 AM

Hello, do you have your Vista DVD at hand? If not, tap F8 when you start your computer and let me know if you see the "Repair Windows" option.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 redcat145


Posted 05 June 2011 - 09:07 AM

Hi, thanks for the reply.

I do not have the DVD. Yes, I do see the repair options.

Just to update the original post with what else I've tried. I have done the "Repair Your Computer" option, and then both "Startup Repair" and "System Restore" to a date a week and a half ago. Neither of these options have worked. Also turned off all of the non-MS items in the start menu by going the msconfig.exe route. That did not work either. I'm currently out of guesses myself.

Bob

#5 Elise


Posted 05 June 2011 - 09:14 AM

Hi again, in that case, let's have a deeper look. I'll move this topic to a more appropriate forum.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise

Malware analyst @ Emsisoft
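
An added example, not part of the original thread and not Elise's or BleepingComputer's own tooling: a structural check of the one-sector `mbr.bin` that the `dd` command in the post above produces. It assumes the classic MBR layout (boot code in bytes 0-439, disk signature at 440-443, four 16-byte partition entries from offset 446, `0x55AA` at offset 510); the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(raw: bytes) -> dict:
    """Parse a one-sector MBR dump and list structural anomalies."""
    if len(raw) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(raw)}")
    findings, parts = [], []
    if raw[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = raw[446 + 16 * i:462 + 16 * i]
        if entry == bytes(16):
            continue  # unused slot
        status, ptype, lba, count = struct.unpack(ENTRY, entry)
        if status not in (0x00, 0x80):
            findings.append(f"partition {i + 1}: invalid status byte {status:#04x}")
        parts.append({"index": i + 1, "active": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    # Hash only the boot code (bytes 0-439); the disk signature at 440-443 and the
    # partition table differ per disk, so they would defeat a known-good comparison.
    return {"boot_code_sha256": hashlib.sha256(raw[:440]).hexdigest(),
            "disk_signature": raw[440:444].hex(),
            "partitions": parts, "findings": findings}

def build_sample_mbr() -> bytes:
    """Constructed sample: empty boot code, one active type-0x07 partition."""
    mbr = bytearray(SECTOR)
    mbr[440:444] = bytes.fromhex("deadbeef")  # constructed disk signature
    mbr[446:462] = struct.pack(ENTRY, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    report = parse_mbr(data)
    print("boot code sha256:", report["boot_code_sha256"])
    for p in report["partitions"]:
        print(p)
    print("findings:", report["findings"] or "none")
```

An empty findings list only shows the sector is well-formed; judging whether the boot code itself has been replaced means comparing `boot_code_sha256` against a known-good MBR for the same Windows version.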


#6 redcat145


Posted 05 June 2011 - 12:47 PM

I produced the mbr.bin file (it's only a KB). When I tried to upload, got the error "You aren't permitted to upload this kind of file". If I open with word pad, it's a mess.

Bob

Edited by redcat145, 05 June 2011 - 12:48 PM.


#7 Elise


Posted 05 June 2011 - 01:12 PM

You need to zip the file first (right click it and select Send to > Compressed (zipped) file).

regards, Elise


#8 redcat145


Posted 05 June 2011 - 02:18 PM

I should've known that.

Attached Files

  • Attached File  mbir.zip   568bytes   4 downloads


#9 Elise


Posted 05 June 2011 - 02:50 PM

That looks okay. If you can run tools using Safe mode in the admin account, please run the following scan.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


#10 redcat145


Posted 05 June 2011 - 04:38 PM

Here they are.

Attached Files



#11 Elise


Posted 06 June 2011 - 06:29 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


#12 redcat145


Posted 06 June 2011 - 05:04 PM

Here is the log. I did not get the second screen in your prior e-mail.

Attached Files

  • Attached File  log.txt   13.06KB   7 downloads

Edited by redcat145, 06 June 2011 - 05:05 PM.


#13 Elise


Posted 07 June 2011 - 02:22 AM

Can you see now how the logon problems are?

regards, Elise


#14 redcat145


Posted 07 June 2011 - 05:47 AM

No change. I can only boot and login my Admin account in Safe Mode. With normal boots my Admin account just hangs in a black screen after entering password, all other accounts are immediately logged out after I type in the password. It is the same in Safe Mode for non-Admin account - immediate logoff after typing password (and the system does still recognize an incorrect password).

#15 Elise


Posted 07 June 2011 - 08:33 AM

Can you create a new Test account and see if that works (you can create a new account by clicking Start > Control Panel > User accounts).

regards, Elise




