#1
Posted 10 July 2008 - 09:23 PM
First-time user of MBAM software; it appears to be a great product.
One problem: I have an XP laptop that had the userinit.exe file hijacked by what McAfee called new malware.j, but it was unable to clean it. I loaded MBAM and it detected it but said it would have to delete it during the next reboot. When I rebooted the computer I get the XP login screen after clicking Ctrl-Alt-Del, put in the password, and Windows starts to load for about 1 second, then immediately logs off and goes back to the Press Ctrl-Alt-Del to log in screen. If needed I'm able to pull the hard drive out and hook it up to another computer via a USB connector.
Thanks for any and all assistance
#2
Posted 10 July 2008 - 10:09 PM
Can you please post a Malwarebytes' Anti-Malware log.
#3
Posted 10 July 2008 - 10:16 PM
#4
Posted 10 July 2008 - 10:20 PM
The userinit that was detected in the c:\Windows folder is no longer there. So it appears to have been successfully deleted.
#5
Posted 10 July 2008 - 10:26 PM
Does C:\Windows\System32\Userinit.exe exist?
#6
Posted 11 July 2008 - 01:30 PM
Yes. I also tried replacing it with a copy from another XP machine, but it continued doing the same thing.
#7
Posted 11 July 2008 - 03:01 PM
It is likely that the key that points to this is not correct.
Do you have the skills to slave the problem drive to a working XP system?
If you do, follow these instructions.
With the problem drive slaved to the working system, boot up as you normally would.
The install of the drive will be automatic but might ask for a reboot.
Open My Computer and note the letter the problem drive was assigned. In these instructions Z: refers to this drive.
Click Start, Run, type regedit.
If the reg keys in the left pane are expanded, use the "-" to contract them.
Highlight HKEY_LOCAL_MACHINE.
Click File, Load Hive.
Navigate to Z:\WINDOWS\system32\config\software and open it.
Give this hive the name TEMP_HIVE and click OK.
Expand the following key tree:
HKEY_LOCAL_MACHINE
TEMP_HIVE
Microsoft
Windows NT
CurrentVersion
Winlogon
With Winlogon highlighted in the left pane, find Userinit in the right pane and double-click it.
Erase what is in the box and replace it with:
C:\WINDOWS\System32\userinit.exe
and click OK.
Navigate to and highlight TEMP_HIVE.
Click File, Unload Hive, Yes, and then shut down the system.
Return the problem drive to the problem system and try to log in.
#8
Posted 11 July 2008 - 03:03 PM
nosirrah, on Jul 11 2008, 11:01 AM, said:
It is likely that the key that points to this is not correct.
Do you have the skills to slave the problem drive to a working XP system?
If you do, follow these instructions.
With the problem drive slaved to the working system, boot up as you normally would.
The install of the drive will be automatic but might ask for a reboot.
Open My Computer and note the letter the problem drive was assigned. In these instructions Z: refers to this drive.
Click Start, Run, type regedit.
If the reg keys in the left pane are expanded, use the "-" to contract them.
Highlight HKEY_LOCAL_MACHINE.
Click File, Load Hive.
Navigate to Z:\WINDOWS\system32\config\software and open it.
Give this hive the name TEMP_HIVE and click OK.
Expand the following key tree:
HKEY_LOCAL_MACHINE
TEMP_HIVE
Microsoft
Windows NT
CurrentVersion
Winlogon
With Winlogon highlighted in the left pane, find Userinit in the right pane and double-click it.
Erase what is in the box and replace it with:
C:\WINDOWS\System32\userinit.exe
and click OK.
Navigate to and highlight TEMP_HIVE.
Click File, Unload Hive, Yes, and then shut down the system.
Return the problem drive to the working system and try to log in.
I knew there was a reason I liked you. Good techie skills.
#9
Posted 11 July 2008 - 03:29 PM
Quote
I knew there was a reason I liked you. Good techie skills
There is a second and likely easier option: put a clean copy of userinit into both Windows and System32.
While this won't "fix" the problem, it might let us work around it and make the fix easier to implement.
Looking into this further, you might have a hijacked variable order, and this trick will let us work around it.
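The two suggestions above (repair the Winlogon Userinit value in the slaved SOFTWARE hive, and check that the userinit.exe the value points at is a clean copy in the expected place) can be done from an elevated PowerShell prompt on the working XP or later system instead of clicking through regedit. The script below is an added example written for this thread, not code from the forum posters or from Malwarebytes. It assumes the problem drive is mounted as Z: and that the working system's own userinit.exe is an acceptable reference copy; the hive name TEMP_HIVE and the drive letter are parameters. It uses reg.exe (present on XP) rather than newer cmdlets so it also runs on an XP host. Note that a clean XP install carries the value with a trailing comma, `C:\WINDOWS\system32\userinit.exe,`; Winlogon treats the value as a comma-separated list and runs every entry, which is why a hijack commonly appends a second path or replaces the absolute path with a bare filename that is then resolved through the search path. Either form, with or without the comma, logs in correctly.

```powershell
# Added example (not from the forum thread): inspect and repair the
# Winlogon\Userinit value in an offline XP SOFTWARE hive from a working
# Windows system.
# Assumptions: the problem drive is slaved and mounted as $SlaveDrive, the
# shell is elevated (reg.exe load/unload needs backup/restore privilege),
# and the working system's own userinit.exe is a known-good reference copy.
param(
    [string]$SlaveDrive = "Z:",
    [string]$HiveName   = "TEMP_HIVE"
)

$hivePath  = Join-Path $SlaveDrive "WINDOWS\system32\config\software"
$hiveKey   = "HKLM\$HiveName"
$winlogon  = "$hiveKey\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Stock XP value; the trailing comma is what a clean install carries.
$goodValue = "C:\WINDOWS\system32\userinit.exe,"

function Get-Sha256([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace "-", "" }
    finally { $fs.Close() }
}

& reg.exe load $hiveKey $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed; is the shell elevated and $hivePath present?" }

try {
    # 1. Read the current Userinit value from the offline hive.
    $line    = (& reg.exe query $winlogon /v Userinit) | Where-Object { $_ -match "Userinit" }
    $current = ($line -split "REG_SZ\s+", 2)[1]
    if ($current) { $current = $current.Trim() }
    Write-Host "Current Userinit: '$current'"

    # 2. Inspect each comma-separated entry. Winlogon runs every entry, so a
    #    hijack usually appends a second path or swaps in a bare filename
    #    that is resolved through the search path.
    $entries = @()
    if ($current) {
        $entries = $current.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    foreach ($e in $entries) {
        # Map the entry's C: path onto the slaved drive to test for existence.
        $onSlave = $e -replace "^[A-Za-z]:", $SlaveDrive
        $flags = @()
        if ($e -notmatch "^[A-Za-z]:\\")                   { $flags += "relative path" }
        if ($e -notmatch "(?i)\\system32\\userinit\.exe$") { $flags += "not system32\userinit.exe" }
        if (-not (Test-Path $onSlave))                     { $flags += "file missing on slaved drive" }
        $verdict = if ($flags) { "<-- " + ($flags -join ", ") } else { "ok" }
        Write-Host ("  {0}  {1}" -f $e, $verdict)
    }

    # 3. Compare the slaved userinit.exe with the working system's copy.
    $slaveExe = Join-Path $SlaveDrive "WINDOWS\system32\userinit.exe"
    $refExe   = Join-Path $env:SystemRoot "system32\userinit.exe"
    if (Test-Path $slaveExe) {
        $a = Get-Sha256 $slaveExe
        $b = Get-Sha256 $refExe
        Write-Host ("userinit.exe SHA-256 matches reference copy: {0}" -f ($a -eq $b))
    } else {
        Write-Host "userinit.exe is missing from $slaveExe"
    }

    # 4. Rewrite the value only if it is not already the stock one.
    if ($current -ne $goodValue) {
        & reg.exe add $winlogon /v Userinit /t REG_SZ /d $goodValue /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg add failed" }
        Write-Host "Userinit reset to '$goodValue'"
    }
}
finally {
    # Always unload, or the hive stays locked and the drive cannot be
    # removed cleanly.
    & reg.exe unload $hiveKey | Out-Null
}
```

Run it as `.\Fix-Userinit.ps1 -SlaveDrive Z:` from an elevated prompt with the drive attached. A hash mismatch in step 3 is a prompt to look closer, not proof of infection on its own: the two machines may simply be at different service-pack levels. If step 2 flags an entry that exists somewhere other than system32, treat that file as the suspect and submit it for scanning before deleting it.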
#10
Posted 14 July 2008 - 06:08 PM
nosirrah, on Jul 11 2008, 10:29 AM, said:
There is a second and likely easier option: put a clean copy of userinit into both Windows and System32.
While this won't "fix" the problem, it might let us work around it and make the fix easier to implement.
Looking into this further, you might have a hijacked variable order, and this trick will let us work around it.
THANKS
#11
Posted 14 July 2008 - 06:26 PM
I just ran across these directions as an alternative for anyone who may not be able to remove their hard drive and hook it up externally. The directions are for a similar virus that did the same thing.
http://www.tomshardware.com/forum/28295-45...ecovery-console