Malware·2,758 discussions

Unable to logon

Locked

one of our users received the UPS_invoice.exe virus and clicked on it.
now after he restarted his computer, he logs on the background is blue and right after the logon audio is played the logoff audio follows and the sessions logsoff right away.

i tried chkdsk , scanned with Norton , nothing found.

anybody has any idea will be appreciated.

thanks.

Topic

Clarifications

In reply to Unable to logon

Clarifications

turn off

In reply to Unable to logon

turn off system restore then run norton antivirus, as it may be hiding in there. Or do a system restore to before the virus was recieved.

Kaspersky

In reply to Unable to logon

Try to log in as a different user and install the Kaspersky trial version AV software. Norton pretty much blows as does McCrapee. If you cant get onto it long enough to install anything, try to salvage your important files (connect drive to a sandbox or something)and just douche the whole thing.

can’t logon period!

In reply to Kaspersky

let me add that i tried different logon accounts both on normal and safe mode.
it logs on long enough to play the logon audio, which is less than 10 secs and then logs off right after. the user logon files are messed up and i need to fix them remotely , the problem is accessing the registry remotely as well.

so i can’t do a system restore, or install any Antivirus solution.

See if this will get you back in

In reply to Unable to logon

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions press “R” (in the first screen) enter the Recovery Console.

1: C:\WINDOWS

Which Windows Installation would you like to log on to
(To cancel, press ENTER)?
After you enter the number for the appropriate Windows installation, Windows will then prompt you to enter the Administrator account password.

Note If you use an incorrect password three times, the Windows Recovery Console closes. Also, if the Security Accounts Manager (SAM) database is missing or damaged, you cannot use the Windows Recovery Console because you cannot have correct authentication. After you enter your password and the Windows Recovery Console starts, type exit to restart the computer.

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)
At the prompt type in
COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You’ll be able to login successfully as you’ve created the wsaupdater.exe file (now, a copy of userinit.exe)

“WARNING MODIFYING REGISTRY INFORMATION IS DANGEROUS”
Backup the Key before making changes.

Now, change the USERINIT value in the registry
Click Start, Run and type Regedt32 and press Enter.

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

In the right pane you will see that the value of the Userinit key is incorrectly set to “wsaupdater.exe,”

In the right-pane, change the value of Userinit to C:\WINDOWS\system32\userinit.exe,

Type the above value exactly as given, including the comma. Also, change the path to userinit.exe appropriately if Windows is installed in a different drive.

Close Registry Editor and restart Windows.

If you haven’t access to an XP CD, here is an alternative.

The Windows Vista Recovery CD can be used to Boot to a Command Prompt where you can run these Commands.

Boot from the CD and on the first screen click Next, click Repair your computer, click Next and select Command Prompt.

It does’nt matter if the Default OS is XP it can still be used on XP PRO or Home.

Creating a Windows Vista Recovery CD

http://blogs.techrepublic.com.com/window-on-windows/?p=622

Download from here:
http://coblitz.codeen.org/neosmart.net/downloads/guides/Vista_Repair/Vista_Recovery_Disc_x86.iso

No go

In reply to See if this will get you back in

This didn’t work either.
i copied the file over and then i rebooted and tried to logon, still the same issue.

any other ideas.

thanks.

Yup.

In reply to No go

take the hard drive out and plop it into a USB caddy. Then plug that into a working computer and then copy all your files off. (Make sure that the computer has an up to date antivirus program installed and working!!) Then put the drive back in the computer and run [url=http://dban.sourceforge.net]DBAN[/url] on it to wipe the drive and then reload the OS.

Best choice

In reply to Yup.

Yep, I agree. Pull off your files you need, DBan, and rebuild from scratch.

Also don’t allow your users to be Admins or Power users. If this user had a regular user accounts they would not have been able to run the exe file. This will save you lots of headaches.

Yup

In reply to Best choice

yeah i gave up on solving the issue, i tried many suggestions none of them worke.
I’m backing up the data now and will format the HD later.

thanks for all the help people. i really appreciate it.

Sometimes

In reply to Yup

Sometimes they are so FUBAR they can not be recovered. Much simpler to rebuild than to tinker with something that probably will be very unstable anyway.

I have to agree

In reply to Yup

with cmiller5400 here. Sometimes it just isn’t worth the trouble. Get the Data off and Nuke the drive.

Nuked it

In reply to I have to agree

that’s what i had to do. i tried BartPE utility it wouldn’t boot it goes to blue screen, so i took data off and wiped the drive.

thanks for your help.

[Author]

Replies