Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Help me! Cant logon to WindowsXP

  • Please log in to reply
2 replies to this topic

#1 vemaybay


  • Members
  • 1 posts
  • Gender:Male
  • Local time:06:45 AM

Posted 03 July 2017 - 08:53 AM

I use Malwarebytes Antimalware regularly <a href="http://www.malwarebytes.org/mbam.php" target="_blank" rel="nofollow">

http://www.malwarebytes.org/mba</a> ve may bay
 and havent had an infection found 

in about a year.
Yesterday i scanned after about a month and i saw 12 infections !

MBAM said it could not clean a few infections:

Malwarebytes' Anti-Malware 1.44 
Database version: 3510 
Windows 5.1.2600 Service Pack 2 
Internet Explorer Unknown 

9/11/2010 11:19:49 PM 
mbam-log-2010-09-11 (23-19-49).txt 

Scan type: Quick Scan 
Objects scanned: 94917 
Time elapsed: 2 minute(s), 49 second(s) 

Memory Processes Infected: 0 
Memory Modules Infected: 0 
Registry Keys Infected: 2 
Registry Values Infected: 2 
Registry Data Items Infected: 3 
Folders Infected: 1 
Files Infected: 4 

Memory Processes Infected: 
(No malicious items detected) 

Memory Modules Infected: 
(No malicious items detected) 

Registry Keys Infected: 

(Backdoor.Bot) -> Quarantined and deleted successfully. 

(Backdoor.Bot) -> Quarantined and deleted successfully. 

Registry Values Infected: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mp3_audio_codec (Spyware.Zbot) -> Quarantined and 

deleted successfully. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and 

deleted successfully. 

Registry Data Items Infected: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:

\windows\system32\sdra64.exe -> Delete on reboot. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: 

system32\sdra64.exe -> Delete on reboot. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:

\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted 


Folders Infected: 
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot. 

Files Infected: 
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot. 
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot. 
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.

So i thought of manually removing the infected Registry keys. (Something i've done many times before)

While I was at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
I saw a key named 'Special Accounts', it looked fishy to my paranoid eyes. Had some 'strange' values in it, None 

corresponding to my Username (Administrator) or Guest. 3 were somewhat random letters with a ~, and one was ' 

search assistant'. Looked like malware remains of some kind, so, i deleted them all.

After that i rebooted, the welcome screen showed up (usually straightaway shows me desktop since there is just one 

user 'Administrator') with the only user 'Administrator'. When i click it, it shows 'loading your personal 

settings' for a second. Then it reads 'saving your settings' and stays at the logon screen. Repeated it for 10 

times. Restarted and repeated. Shut Down and repeated. Always same result.

Then i tried the 'Last Know good configuration' in statup options. Still same result.
Tried 'Safe Mode' starts loading then breaks at 'unable to load NTFS.dll'
'Safe mode with networking' same logon screen and same one second login and return to logon screen.

I dont know how to login. Can someone please help. Is there a way to remotely add the keys back to my registry. Or 

some way to correct this problem?

Thanks and Regards 

BC AdBot (Login to Remove)



#2 jwoods301


  • Members
  • 1,489 posts
  • Gender:Male
  • Local time:03:45 PM

Posted 03 July 2017 - 04:08 PM

Boot in Safe Mode and try using System Restore to roll back to a point before you made the deletions.


If that doesn't work and you don't have a disk image backup, you may be facing a total re-install of Windows.


That's why backing up the registry with tools like Registry Backup from Tweaking.com or creating a System Restore point before making changes to a system is constantly being stressed on this site.

#3 luongtu


  • Members
  • 1 posts
  • Gender:Male
  • Location:Viet Nam
  • Local time:06:45 AM

Posted 09 November 2017 - 10:38 PM

1. Enable safe mode. Read this https://www.cnet.com/forums/discussions/bsod-booting-into-safe-mode-323522/ and find what conflict?

2. Reboot

3. Try to logon agian.


And if you don't know every thing about Compuuter. Feel free to contact me.

Learn more about ototuan.com

Edited by luongtu, 09 November 2017 - 10:43 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users