Help rescuing a dell, can't open some files...

By babznme ·
I have a customer with a Dell 1100. He doesn't know he shouldn't click on every pop-up wanting to scan his computer for viruses. So of course he has a ton of trojans in there. It is stuck in the logon/logoff loop. I have a couple of fixes for that IF it lets me in. And we may be restoring the whole system. The question I have is: how do I access his documents to save them on a CD? I hooked it up like an external hard drive and I have already found and saved a bunch of pictures. But when I tried to access his docs it said there was a security issue, and then when I continued, now it says the folder is empty? What?? Yeah, I know it should have been backed up already. But you know users... My plan was to pull off some files and then totally restore. How does that sound? Can you help???


All Answers

Some General Help

by willcomp In reply to Help rescuing a dell, can ...

You may need to take ownership of files to copy -- instructions are here: http://support.microsoft.com/kb/308421

The logon/logoff loop is probably caused by either a missing userinit.exe or an incorrect registry entry. You can use UBCD4Win or ERD Commander to copy userinit.exe from another XP PC to the c:\windows\system32 folder and/or edit the registry. Alternatively, you can boot from an XP CD and use the Recovery Console to copy userinit.exe.

Verify the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit contains the value "C:\WINDOWS\system32\userinit.exe,"

The logon/logoff loop was probably caused by malware or by attempts to remove malware.

Once you can get into XP, run ComboFix. Disable all AV and malware scanners using msconfig prior to running ComboFix. Instructions and download link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Then install and run Malware Bytes AntiMalware (MBAM) to remove additional malware. MBAM will not remove the root problem -- that's a job for ComboFix.
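As an added example (not willcomp's own script), here is a PowerShell check for the Winlogon values that produce the logon/logoff loop. It works on the running system or on the sick PC's SOFTWARE hive when its drive is mounted from UBCD4Win, ERD Commander or a second PC; the drive letter, the hive alias `OfflineSW` and the `Shell` companion value are my assumptions, not from the thread.

```powershell
# Added example: audit Winlogon\Userinit (and Shell) and confirm userinit.exe exists.
# Assumptions: $OfflineRoot is the mounted root of the sick install (e.g. 'D:\'),
# empty means "inspect this running system"; run from an elevated prompt.
param(
    [string]$OfflineRoot = ''
)

$expected = @{
    Userinit = 'C:\WINDOWS\system32\userinit.exe,'   # value quoted in the thread
    Shell    = 'Explorer.exe'                        # companion value malware also edits
}

if ($OfflineRoot) {
    # Load the offline SOFTWARE hive under a temporary alias (hypothetical name)
    $hiveFile = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
    & reg.exe load 'HKLM\OfflineSW' $hiveFile | Out-Null
    $winlogon = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sys32    = Join-Path $OfflineRoot 'Windows\System32'
} else {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $sys32    = "$env:SystemRoot\System32"
}

try {
    $props = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            Write-Warning "$name is missing - Windows logs off as soon as it logs on"
        } elseif ($actual -ne $expected[$name]) {
            # Anything appended after the comma is an extra program run at logon
            Write-Warning "$name is '$actual'; expected '$($expected[$name])'"
        } else {
            Write-Output "$name OK: $actual"
        }
    }
    # The value can be correct yet point at a deleted file (willcomp's first cause)
    $userinit = Join-Path $sys32 'userinit.exe'
    if (Test-Path $userinit) {
        Write-Output "userinit.exe present: $userinit"
    } else {
        Write-Warning "userinit.exe missing from $sys32 - copy it from a clean XP PC"
    }
} finally {
    if ($OfflineRoot) { & reg.exe unload 'HKLM\OfflineSW' | Out-Null }
}
```

Run it as `.\Check-Winlogon.ps1 -OfflineRoot 'D:\'` from the rescue environment; reg.exe load/unload needs administrator rights.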

Yep :-bd

by seanferd In reply to Some General Help

Quite possibly a malware registry key attached to Winlogon at that registry location.

Using SysInternals Autoruns from ERD Commander or UBCD can work wonders.

This could also be a form of Hostage ware

by OH Smeg Moderator In reply to Help rescuing a dell, can ...

Like XP Antivirus 2009 or one of its derivatives. At this stage things are pretty grim, and before Malware Bytes was made available I used to just wipe the HDD and leave the user to their own devices, as there was no easy way to recover their data.

If you can get this to start in Safe Mode with Networking, you can scan with Malware Bytes, available from here

The remainder of the destructions here would probably be easier to use than what I do so here is one of the recommended ways to attack this beast

by seanferd In reply to This could also be a form ...

The OP should check with the user to see if the hostageware announced itself. It does, otherwise it would be ineffective.

AFAIK the docs are usually encrypted, and you get a ransom note when trying to open them. (This would only occur running the installed OS, of course.)
