Unable to logon

By Anqara05

One of our users received the UPS_invoice.exe virus and clicked on it.
Now, after he restarted his computer, he logs on, the background is blue, and right after the logon audio is played the logoff audio follows and the session logs off right away.

I tried chkdsk, scanned with Norton, nothing found.

If anybody has any idea, it will be appreciated.

Thanks.

12 total posts (Page 1 of 2)

All Answers

turn off

by clarkd038 In reply to Unable to logon

Turn off system restore then run Norton antivirus, as it may be hiding in there. Or do a system restore to before the virus was received.

Kaspersky

by LoonIT In reply to Unable to logon

Try to log in as a different user and install the Kaspersky trial version AV software. Norton pretty much blows as does McCrapee. If you can't get onto it long enough to install anything, try to salvage your important files (connect drive to a sandbox or something) and just ****** the whole thing.

can't logon period!

by Anqara05 In reply to Kaspersky

Let me add that I tried different logon accounts, in both normal and safe mode.
It logs on long enough to play the logon audio, which is less than 10 secs, and then logs off right after. The user logon files are messed up and I need to fix them remotely; the problem is accessing the registry remotely as well.

So I can't do a system restore or install any antivirus solution.

See if this will get you back in

by Jacky Howe In reply to Unable to logon

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?

After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.

Note: If you use an incorrect password three times, the Windows Recovery Console closes. Also, if the Security Accounts Manager (SAM) database is missing or damaged, you cannot use the Windows Recovery Console because you cannot have correct authentication. After you enter your password and the Windows Recovery Console starts, type exit to restart the computer.

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

At the prompt type in

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to log in successfully as you've created the wsaupdater.exe file (now a copy of userinit.exe).

"WARNING MODIFYING REGISTRY INFORMATION IS DANGEROUS"
Back up the key before making changes.

Now, change the USERINIT value in the registry.
Click Start, Run and type Regedt32 and press Enter.

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane you will see that the value of the Userinit key is incorrectly set to "wsaupdater.exe,"

In the right pane, change the value of Userinit to C:\WINDOWS\system32\userinit.exe,

Type the above value exactly as given, including the comma. Also, change the path to userinit.exe appropriately if Windows is installed in a different drive.

Close Registry Editor and restart Windows.

If you haven't access to an XP CD, here is an alternative.

The Windows Vista Recovery CD can be used to boot to a Command Prompt where you can run these commands.

Boot from the CD and on the first screen click Next, click Repair your computer, click Next and select Command Prompt.

It doesn't matter if the default OS is XP; it can still be used on XP PRO or Home.

Creating a Windows Vista Recovery CD

http://blogs.techrepublic.com.com/window-on-windows/?p=622

Download from here:
http://coblitz.codeen.org/neosmart.net/downloads/guides/Vista_Repair/Vista_Recovery_Disc_x86.iso
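
An added example (not part of the post above or of the thread): a PowerShell check of the Winlogon Userinit value the post describes, usable against the live registry or against the SOFTWARE hive of a drive attached to a clean machine. The function names, the `OfflineSW` hive name and the `E:` drive letter are assumptions.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Test-UserinitValue {
    param([string]$Value, [string]$SystemRoot = 'C:\WINDOWS')
    $expected = $SystemRoot.TrimEnd('\') + '\system32\userinit.exe'
    # Userinit is a comma-separated list; the trailing comma leaves an empty item.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ })
    foreach ($entry in $entries) {
        $status = if ($entry -ieq $expected) { 'expected' } else { 'UNEXPECTED' }
        [pscustomobject]@{ Entry = $entry; Status = $status }
    }
    # Report when the stock userinit.exe entry is absent from the list.
    if ($entries -notcontains $expected) {
        [pscustomobject]@{ Entry = $expected; Status = 'MISSING' }
    }
}

function Get-WinlogonUserinit {
    # $HiveRoot: 'HKLM:\SOFTWARE' for the running system, or the name an
    # offline SOFTWARE hive was loaded under (see the reg load line below).
    param([string]$HiveRoot = 'HKLM:\SOFTWARE', [string]$SystemRoot = 'C:\WINDOWS')
    $key = "$HiveRoot\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction Stop).Userinit
    Test-UserinitValue -Value $value -SystemRoot $SystemRoot
}

# The two values quoted in the post, checked without touching any registry:
Test-UserinitValue -Value 'wsaupdater.exe,'
Test-UserinitValue -Value 'C:\WINDOWS\system32\userinit.exe,'

# Offline drive attached to a clean machine (E: and OfflineSW are assumptions):
#   reg load HKLM\OfflineSW E:\WINDOWS\system32\config\software
#   Get-WinlogonUserinit -HiveRoot 'HKLM:\OfflineSW'
#   reg unload HKLM\OfflineSW
```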

No go

by Anqara05 In reply to See if this will get you ...

This didn't work either.
I copied the file over, then rebooted and tried to log on; still the same issue.

Any other ideas?

Thanks.

Yup.

by cmiller5400 In reply to No go

Take the hard drive out and plop it into a USB caddy. Then plug that into a working computer and copy all your files off. (Make sure that the computer has an up-to-date antivirus program installed and working!!) Then put the drive back in the computer, run DBAN on it to wipe the drive, and then reload the OS.

Best choice

by wehkingml In reply to Yup.

Yep, I agree. Pull off the files you need, DBAN, and rebuild from scratch.

Also, don't allow your users to be Admins or Power Users. If this user had a regular user account, they would not have been able to run the exe file. This will save you lots of headaches.

Yup

by Anqara05 In reply to Best choice

Yeah, I gave up on solving the issue. I tried many suggestions; none of them worked.
I'm backing up the data now and will format the HD later.

Thanks for all the help, people. I really appreciate it.

Sometimes

by cmiller5400 In reply to Yup

Sometimes they are so FUBAR they cannot be recovered. Much simpler to rebuild than to tinker with something that probably will be very unstable anyway.

I have to agree

by Jacky Howe In reply to Yup

with cmiller5400 here. Sometimes it just isn't worth the trouble. Get the Data off and Nuke the drive.
