XP Pro logon disabled (by trojan horse?) - Logon - Logoff loop

Vamp9190
I CANNOT log on to Windows XP Pro - I have a very good idea of the problem - Ad-Aware SE (not version 6) tried to remove a trojan horse - I'm not positive
it was BlazeFind -- (the trojan is still on my system) and now my registry points to a file that is not there -- bottom line is that winlogon.exe is compromised
and every time I try to log on, it tries to 'load personal settings' and then the PC clicks off / reboots - I have already tried the XP Recovery Console fix
described below.

please HELP

The solution below is from this link:
http://www.winxptutor.com/wsaremove.htm

[Unable to logon to Windows after removing BlazeFind using a spyware removal utility?
Logon - Logoff loop, also caused by BlazeFind
Another critical symptom caused by this malware: this malware modifies the Userinit area in the registry (replacing userinit.exe with wsaupdater.exe), and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the Logon - Logoff loop. That is, when you log in to Windows, the "loading personal settings" message will appear, but suddenly it will log off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.
Here is the solution to the logon - logoff issue in Windows XP.
Enter the Recovery Console
Boot the system using the Windows XP CD-ROM. On the first screen when Setup begins, read the instructions and press "R" to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).
Type the following commands, pressing Enter after each.
CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)
COPY USERINIT.EXE WSAUPDATER.EXE
Quit the Recovery Console by typing EXIT and restart Windows.
You'll be able to log in successfully, as you've created the wsaupdater.exe file (now a copy of userinit.exe).
Now change the USERINIT value in the registry (see Phase II on this page) accordingly.]


I tried this fix -- IT DID NOT WORK -- I still get the LOGON / LOGOFF loop when XP is 'loading personal settings' from the logon screen.
I need to get back into Windows - and if I do - what's the best program that will remove this trojan horse? The program AVS found it
(I have been able to get back into Windows once and ran the virus scan - but then the PC rebooted and same problem) but said 'not removable.'

Thanks
Craig Sharp, Lead Engineer - Unix Server Team

Commented:
Try to boot to safe mode and then roll back the system with System Restore to a date prior to running Ad-Aware.  Once you have this complete, then you can play with the system to try to clean it up.  I would recommend that you try Spy Sweeper to remove the problem.
Expert of the Year 2004
Top Expert 2004

Commented:
Hello Vamp9190 =)

Try to get one of the CDs below and boot the system with them; you will be able to use regedit to correct the wrong value. Go to Start>Run>regedit
and navigate to the following key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

look in the right pane for a key called Userinit
right click it and click Modify
you can see the value data as >> C:\Windows\System32\wsaupdater.exe,

change it to >> C:\Windows\System32\userinit.exe,
(Note the comma following the file path information)

save the file and restart your machine
or check here >> http://www.mac-net.com/684480.page
===============================================
CDs....

Bart's PE Builder CD:
http://www.nu2.nu/pebuilder/

EBCD - Emergency Boot CD
http://ebcd.pcministry.com/

Knoppix - Linux Based CD
http://www.knoppix.org/
Expert of the Year 2004
Top Expert 2004

Commented:
BTW, just thought of something... have you tried this yet?

HOW TO: Start the System Restore Tool from a Command Prompt in Windows XP:
http://support.microsoft.com/?kbid=304449

If this fails then go with the above suggestion, and if the value is already correct and you still get the problem, then try a repair install.... it will not delete your data and programs and will just repair the Windows system files and registry :)
How to Perform an In-Place Upgrade (Reinstallation) of Windows XP:
http://support.microsoft.com/?kbid=315341

How to Perform a Windows XP Repair Install:
http://www.michaelstevenstech.com/XPrepairinstall.htm

Click here on How To Run a Repair Install:
http://www.webtree.ca/windowsxp/repair_xp.htm

Author

Commented:
Thanks all -- there are like 5 possible fixes from a lot of people. Look at this thread that really goes into a lot of detail.

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21192702.html

Now I am wondering about this suggestion --
from this link
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20972739.html


Comment from ndknightmare
Date: 06/16/2004 01:36AM PDT
Hi,
I had exactly the same problem after doing a repair on Windows XP - I was going to copy the userinit.exe to wsaupdater.exe, but it wasn't there.
I started the Recovery Console and then expanded it from the Windows XP CD

d:
cd i386
expand userinit.ex_ c:\windows\system32

i was then able to get in to windows.

Thanks for all the helpful suggestions above.

ndk

Also this seems to explain the problem --
Comment from quintoncomputers
Date: 06/08/2004 12:31PM PDT
Comment  
The value of 'userinit.exe' runs a program that does start-up tasks, THEN is SUPPOSED to execute c:\windows\explorer.exe, - viruses, worms, and plain poor programming can cause userinit.exe to not call explorer.exe , which is the actual windows user interface - that's why you see the desktop flash, then logout - there isn't anything specified to run as a user interface - My mistake on an earlier post was to specify 'c:\WINDOWS\system32\explorer.exe' - explorer.exe actually resides in c:\WINDOWS on XP - change the registry entry to 'C:\windows\explorer.exe,' and try that out. You may have other problems, but if you see the desktop flash then logout, this should at least get you in to where you can run antivirus and ad/malware detection software.
Hope this helps,
Andrew
 
Anyway - seems like I need to use either:
Offline NT Password & Registry Editor (v040818) -- http://home.eunet.no/~pnordahl/ntpasswd/
EBCD -- http://ebcd.pcministry.com/
or
Bart's PE -- http://www.nu2.nu/pebuilder/#download

Any ideas of which one is easiest / best?

Then edit the registry -- so many suggestions of what to change -- although it looks like wsaupdater.exe is the overall
culprit and getting userinit.exe back to normal is the key.

Now - any ideas of what virus program will actually kill this trojan -- Sophos looks awesome, but is for businesses and expensive
I have McAfee at home - but it didn't do the job....
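
The registry fix described above (the Userinit value pointing at a file that has been deleted, and the explorer.exe path mistake quoted from the earlier thread) can be checked mechanically. The following is an added example and is not code from this thread or from any of the tools it mentions: a small Python audit that parses a regedit .reg export of the Winlogon key and reports whether each program listed in Userinit and Shell actually exists on disk, then emits a .reg fragment that restores the stock values. The sample exports, the PRESENT_FILES disk listing, and the stock XP paths (C:\WINDOWS\system32\userinit.exe, C:\WINDOWS\explorer.exe) are constructed assumptions; on a real machine you would export the key from a boot CD's regedit and replace PRESENT_FILES with a listing of the mounted drive.

```python
"""Audit the XP Winlogon Userinit/Shell values from a regedit .reg export.

Added example, not part of the thread: every path and sample below is a
constructed assumption standing in for a real export and a real disk listing.
"""
import re
from typing import Dict, List, Optional, Set

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"   # assumed stock XP location
STOCK_SHELL = r"c:\windows\explorer.exe"               # explorer.exe lives in %SystemRoot%, not system32
# Bare names in these values are looked up in the system directory, then %SystemRoot% (assumed order).
SEARCH_DIRS = (r"c:\windows\system32", r"c:\windows")

# Constructed exports: the state the thread describes (Userinit still names the
# BlazeFind file after Ad-Aware deleted it), a clean key, and the wrong explorer.exe path.
BROKEN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\wsaupdater.exe,"
"Shell"="Explorer.exe"
"""
CLEAN_EXPORT = BROKEN_EXPORT.replace("wsaupdater.exe", "userinit.exe")
BAD_SHELL_EXPORT = CLEAN_EXPORT.replace('"Explorer.exe"', r'"C:\\WINDOWS\\system32\\explorer.exe"')

# Constructed disk listing: lower-case paths the audit treats as present on C:.
PRESENT_FILES: Set[str] = {STOCK_USERINIT, STOCK_SHELL}

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} for the REG_SZ entries of a .reg file.

    .reg escapes backslash and double quote with a backslash; hex:/dword: values
    are skipped because the Winlogon audit only needs strings.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SECTION.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is not None and (m := _STRING_VALUE.match(line)):
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def resolve(entry: str, present: Set[str]) -> Optional[str]:
    """Lower-case path winlogon would execute for one list entry, or None if absent."""
    name = entry.strip().strip('"').lower()
    if "\\" in name or ":" in name:
        candidates = [name]                       # explicit path: no directory search
    else:
        candidates = [d + "\\" + name for d in SEARCH_DIRS]
    return next((c for c in candidates if c in present), None)


def check_list_value(label: str, data: Optional[str], stock: str,
                     present: Set[str]) -> List[str]:
    """Check one comma-separated program list (Userinit or Shell) against the disk."""
    if data is None:
        return [f"{label}: value missing, nothing will be started at logon"]
    findings: List[str] = []
    entries = [e for e in data.split(",") if e.strip()]   # the trailing comma yields an empty item
    for e in entries:
        path = resolve(e, present)
        if path is None:
            findings.append(f"{label}: '{e.strip()}' does not exist on disk (logon/logoff loop)")
        elif path != stock:
            findings.append(f"{label}: runs non-stock program {path}")
    if len(entries) != 1:
        findings.append(f"{label}: lists {len(entries)} programs, stock XP lists 1")
    return findings


def audit_winlogon(export_text: str, present: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means the key looks stock."""
    values = parse_reg_export(export_text).get(WINLOGON_KEY)
    if values is None:
        return [f"export does not contain {WINLOGON_KEY}"]
    # Shell defaults to Explorer.exe when the value is absent, so absence counts as stock.
    return (check_list_value("Userinit", values.get("Userinit"), STOCK_USERINIT, present)
            + check_list_value("Shell", values.get("Shell", "Explorer.exe"), STOCK_SHELL, present))


def repair_fragment() -> str:
    """A .reg fragment restoring the stock values, for merging with regedit from a boot CD."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[{WINLOGON_KEY}]\n"
        '"Userinit"="C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"\n'
        '"Shell"="Explorer.exe"\n'
    )


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXPORT), ("clean", CLEAN_EXPORT), ("bad shell", BAD_SHELL_EXPORT)):
        print(name, audit_winlogon(text, PRESENT_FILES) or ["OK"])
    print(repair_fragment())
```

The audit splits the value on commas the same way winlogon treats it as a list, so the trailing comma in the stock value is tolerated while a reference to a deleted wsaupdater.exe is reported as the cause of the loop; the repair fragment is the one to merge, because creating a copy of userinit.exe under the malware's filename (the Recovery Console workaround above) only masks the bad value.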


Top Expert 2004

Commented:
Only problem with <<HOW TO: Start the System Restore Tool from a Command Prompt in Windows XP:>> is that it has to be safe mode w/ command prompt. It will not work from the recovery console as I have tried recently :(

If possible I would take the HD out and scan it on another PC that has virus protection. That should remove the trojan. (I also did that recently: a customer's PC had that problem and I had to remove the virus by that method, then it logged on OK.) So do that if you can; it should work. If not, do what's said above with the repair install.

Also while hooked up to another PC (if you can) you should back up your data that is important to you in case of any other issues or problems.
Expert of the Year 2004
Top Expert 2004

Commented:
>> Offline NT Password & Registry Editor (v040818) -- http://home.eunet.no/~pnordahl/ntpasswd/
This is for password recovery only. you cannot do anything else with it :)

Use either Bart's PE or EBCD because these CDs can give you a GUI environment like Windows where you can do the operations like you do in Windows.... :)

Author

Commented:
Thanks all.

I used the XP REPAIR install and that WORKED! (I didn’t think it would) I can now logon to XP and was able to run virus scans, etc. Although there is still a Trojan on somewhere – more on that later.

Strange that nothing else I tried worked – I did the ‘copy userinit.exe wsuaupdate.exe’ ;
I tried expanding from the XP CD i386 userinit.ex_ to c:\windows\windows32 ;

I tried using BARTS PE boot CD – it let me go in and edit the registry, but seemed like I was editing a registry on the BARTS CD, not on my physical hard drive. Here is the registry key that was in there:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows NT
CurrentVersion
Winlogon

Userinit value was:  X:\i386\system32\userinit.exe
I changed the registry entry to:  C:\windows\system32\userinit.exe,
and I also tried:  C:\windows\explorer.exe
                        
Everytime I edited it and exited (there is no ‘save’ in regedit ?) my sys did the same ‘blue screen flash’ reboot. I booted back into BARTS PE and ran regedit again & the value was back to the X:\i386…

Is this X: a virtual drive that BARTS PE created ?– it seemed like I was not editing the actual Registry on my physical hard drive C: , but a registry on the boot CD.

Then I ran Emergency Boot CD (EBCD) by Mikhail Kupchik – I was able to boot off the CD to the main options menu – but my CD just gave the option to edit the registry of a 9x/ME system – there was no XP registry option. I had the # 1-10 menu so I played around with some of the choices but never got to the XP registry. Not sure if I had the wrong version or what, but at this point I was frustrated so I quit. Oh, EBCD did detect that I had a boot virus – maybe that explains why some previous things didn’t work – not sure.

That’s when I tried the XP REPAIR install – it actually worked. Once into XP I ran McAfee and various other programs – CWShredder seemed to find and fix the boot virus.

Now my problem is that IE home page resets to about:blank but it’s a Trojan or spyware controlling it – if I reset it to www.google.com in the options, save, and the restart IE, it is back to about:blank with a search directory on the page…..I have run McAfee, CWShredder, Spybot Search & Destroy and Spyware Blaster. Any ideas?
 
For the future I am going to install Windows on my slave HD so that if anything happens to my master, I can boot off of the slave (change boot device in BIOS) and then run clean-up on the master (same idea that others use about taking the messed up drive out and hooking up to another PC to fix). Right now I have (2) 120 GB drives – one is partitioned into C (30 GB) and D (90 GB). The second is just one – E (120 GB). Currently XP is loaded on C.

Keep in mind that once back into XP after the repair install I had to re-load my motherboard drivers, promise card driver (I have a 3RD CD-RW drive) and assorted other stuff – way better than a format though.

Oh, BTW – along the way after the problem started, but before final fix, I was able to get into windows for 30 min or so (before a reboot) and I ran AVG (free edition virus scan) and it found these:
                  TROJ Multidrop.Z (lots of little .dat files – like 20)
                  TROJ Agent.AE (C:\windows\nixor.exe)
                  TROJ Agent.AE (C:\windows\180ax.exe)
                  TROJ DLoader.JU (C:\counter.cab *counter.exe*)
                  TROJ Small.IA (C:\hooks.dll)
                  TROJ Small.IB (C:\inst.exe)
                  TROJ Small.IB (C:\ldr.exe)

AVG said they were ‘Not Cleanable’ – what program will work here?

Sorry for such a long post, but I have been through so many possible fixes and failed attempts I wanted to document the process.

Expert of the Year 2004
Top Expert 2004

Commented:
Did you run AVG in safemode ??
and before suggesting anything else, download HijackThis v1.98.2 from here, run it and save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de
hit analyse, scroll down, hit Save Analyse, a new page will open, post here the address of that page..... let me check what is the infection on your system :-?

Author

Commented:
http://www.hijackthis.de/logfiles/119c233a8c24fe85924e86b49d7cb68e.html

Yeah - I see there is stuff to clean -- Looks like  O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe   is probably the IE home page changer that
is not letting me change my home page and staying on a spyware directory page.
Expert of the Year 2004
Top Expert 2004

Commented:
not only that Bakra..... you have all types of junk present on the system..... I must tell you that I have never seen so many pests in one place before :-P

Now do this, get these tools, install and update them,

AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
HSRemove ==> http://downloads.subratam.org/PeperFix.exe
CWShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
AboutBuster ==> http://www.snapfiles.com/get/aboutbuster.html
PeperFix ==> http://downloads.subratam.org/PeperFix.exe
New.net uninstaller program >> http://www.new.net/support/uninstall5_48.exe
LSPFix ==> http://www.spychecker.com/program/lspfix.html&e=747
Stinger ==> http://vil.nai.com/vil/stinger

After that use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
Turn off System Restore >> http://www.pchell.com/virus/systemrestore.shtml
Then Disable Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
Then Follow the instructions from here >> http://www.pchell.com/support/onlythebest.shtml
After doing that, Follow these instructions,

1. Restart your machine in safemode and Login as Administrator
2. Run your AntiVirus Scan and Stinger and delete any viruses it finds
3. Run the Spyware Removal tools(Adaware,Spybot,CWShredder,HSRemove,AboutBuster,Peperfix,New.net uninstaller) and delete everything they detect
4. Run LSPFix and remove the files of those New.Net hijacker
5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
6. Goto C:\Documents and Settings\your username\Local Settings\Temp and delete all files present here
7. Goto C:\Documents and Settings\your username\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
8. Goto C:\Documents and Settings\your username\Cookies, and delete all cookies present here
(of course I'm assuming that you have already saved all the login passwords for your websites :)
9. Goto C:\Windows\Temp and delete all files present here
10. Delete these files manually if they are still present,

C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\Igmg4N.exe
C:\WINDOWS\System32\ibskwb.exe
C:\WINDOWS\System32\tss.exe
C:\WINDOWS\system32\crol32.exe
C:\WINDOWS\system32\ntbx32.exe
C:\WINDOWS\system32\adddw32.exe
C:\Documents and Settings\Mark\Application Data\nuel.exe
C:\Documents and Settings\Mark\Application Data\huta.exe
C:\WINDOWS\winji32.exe

Now Reboot back in Normal Mode and check if problems are gone or not and post a fresh log from hijackthis
** the procedure is lengthy and needs time and patience..... so don't get frustrated and please follow each step in order to clean the system completely of the trojans!

Author

Commented:
OK SheharyaarSaahil -- thanks a lot.

I will do that.

#1 -- can I log on to my account in Safe Mode (it has administrator privileges) or does it have to be the actual 'Administrator'
choice

#2 -- I already have Ad Aware SE pro - but I am afraid to run it because the reason my XP would not boot in the first place
was caused by AdAware changing userinit.exe to wsuaupdater.exe (at least that's what everyone said) - on the Lavasoft site
it says that Adaware 6 causes that, not SE, but I do not want to have the same problem happen again.....should I run Ad Aware?
What are the chances that the 'logon/logoff blue screen reboot' will happen again?

#3  -- I want to accept your original solution to give you the points, but will that close the thread? Just let me know and I will though.

#4 -- I have already used these programs:  Spybot Search & Destroy ;  Spyware Blaster ; CWShredder ; AntiVir Personal Edition -- should
I keep all or uninstall some -- plus with all the ones you listed, that's a lot -- once I get this sys clean, should I just use a few? Oh, and I downloaded
PREVEX anti-virus but have not installed.

I will probably start this late today - Sunday 12/5 EST USA, but if I can not get to it, then tomorrow. Thanks again.

Expert of the Year 2004
Top Expert 2004

Commented:
1. It's better to use the original Administrator.... because we normally don't use it and thus this user is not considered infected

2. BlazeFind removal creates the logon\logoff problem..... your log doesn't show BlazeFind symptoms..... can you find these symptoms >> http://sarc.com/avcenter/venc/data/adware.blazefind.html

3. You are not required to accept an answer if the problem is not solved yet... and yes accepting a comment as an answer will close this thread

4. I listed those tools because you have the trojans and malware which need those tools..... like the res:// hijacker needs AboutBuster and HSRemove.... New.Net needs the uninstaller program and LSPFix, you have the Peper trojan so PeperFix is required, Ad-Aware, Spybot and CWShredder are a must to run in case of an infected system..... and Stinger is for possible virus or trojan threats...... I didn't mention any extra or un-needed tool :)

Author

Commented:
Wow, it took me all week to get all this done - I got very busy with stuff.

OK - I did everything and tried to follow all directions to the letter.

Here is the link of my newest HijackThis log file.
http://www.hijackthis.de/logfiles/119c233a8c24fe85924e86b49d7cb68e.html

it still shows this line - Trusted Zone: *.frame.crazywinnings.com -   I ran the fix in Hijack This & I already deleted the entry
from IE tools/internet options/security/trusted sites -- but it keeps coming back automatically - any idea how to get rid of it?

I did not run Ad-Aware SE professional at all, I was afraid of the blue screen log in/log out issue happening again.

I manually checked the registry in Safe Mode as described in this:
http://www.lavasofthelp.com/articles/v6/04/06/print/0901.html

I manually deleted wsaupdater.exe from C:, then Windows, then System32

Expert of the Year 2004
Top Expert 2004

Commented:
hmmmmm so except that one trusted zone problem.... what are the remaining other problems..... your log doesn't report any bigger problem :)

do you know what's this file >> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uifnhi.exe
if No then please fix it, then boot system in safemode, delete this file, and then in safemode, fix the Trusted Zone entry,
restart back in normal mode now and check if same issue still!! :)

Author

Commented:
OK thanks I will try that. No I don't know what that file (uifnhi.exe) is so I will try that fix you suggest.

Now I have another problem -- I think because of this spyware my:
Control Panel => Administrative Tools => Local Security Policy => debug programs   entry will NOT accept any user - even
when I change it to 'Administrator' it goes back to blank (empty) on reboot.

I tried the solution provided by this link:
http://www.evenbalance.com/index.php?page=faq-cod.php

I DL the VX2 Finder and when it runs it does NOT find anything - no dll files
[The VX2 adware edits your user rights when it infects your computer, and many programs do not repair this when they remove it.]
When I reboot and check the local security policy the 'debug programs' line is blank again.

Expert of the Year 2004
Top Expert 2004

Commented:
VX2 Finder..... but i checked your log before..... there was not any sign of Vx2 infection.... :-?
or here is the Vx2 cleaner tool from Adaware >> http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml
scan with it to check if its picking anything...... and dont worry you dont need to run adaware scan to run this tool ;-)

Author

Commented:
OK I did what you suggested -- here are the results:

I am including 2 logs - one from safe mode, the other in normal. The Trusted Zone: *.frame.crazywinnings.com appears in
normal, but not in Safe

SAFE MODE -- http://www.hijackthis.de/logfiles/e91a408757afef4349b56afe60c19952.html

Normal -- http://www.hijackthis.de/logfiles/bc5331dbab9e4c07e83c8ef4113eeb1d.html

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uifnhi.exe -- I manually deleted the file in safemode - it did not
appear in my newest log.

here are screen shots of the trusted zones & an error message I NOW get when first I log on
http://community.webshots.com/user/vamp9190 
Look in the MAK 001 photo album (the only one right now :)

Author

Commented:
I DL and ran the Ad-Aware VX2 plug-in -- shows 'system clean' didn't find anything

is there a way to re-install the  Administrative Tools => Local Security Policy => debug programs  ??
Expert of the Year 2004
Top Expert 2004

Commented:
this seems like Look2Me infection.... just have a quick look here >> http://www.smartcomputing.com/techsupport/detail.aspx?guid=1c9a936d64734cce9c0d5f36df3e1d37&ErrorID=22761

So get the uninstaller from here >> http://www.look2me.com/cgi-bin/UnInstaller
and run it in safe mode..... and please check in Add/Remove Programs also that nothing suspicious is present there :-?

Author

Commented:
OK Ill try that, thanks.

Any idea about what is resetting the 'Administrative Tools => Local Security Policy => debug programs' to blank every time?

I tried looking at the 'Services' directory in Admin tools - the 'security accounts manager' is enabled - I added a SS in my
photo album.
http://community.webshots.com/user/vamp9190

Could it be something else in there?
Expert of the Year 2004
Top Expert 2004

Commented:
it's getting blank only after a restart..... means at startup something is loading..... either a process\service or something residing in the registry which is initiating at startup and causing this..... now as Look2Me is present on the system.... you could be right about Vx2 affecting the user rights thingie..... so let's get rid of Look2Me first.... and then we will check if the same issue is still happening or not.....!! :)

Author

Commented:

Nope -- the Look2Me would not install because it said that no application was found - I guess it's not a L2M bug.

But the newest thing is more serious - I lost my internet - in Control Panel -- Administrative Tools/Services/Remote Access Connection Manager is stopped - when I try to start it I get an error box

I am at work now - but at home I have the PC in 'Safe mode' with network support & am running McAfee virus scan, Ad Aware SE Pro (yes i broke down and am trying it) I can get to the net in Safe mode, but not normal.

Ugh, seems like these trojans are embedded

Should I try another XP repair install?
Expert of the Year 2004
Top Expert 2004

Commented:
what error ??
when you open Control Panel>Network Connections.... can you see the connections listed here ??

Author

Commented:
I will take a SS of the error.

My Network LAN connection is there, but not the Internet one I used to have until 2 days ago.

I used to have one called Internet above the other one for LAN
Expert of the Year 2004
Top Expert 2004

Commented:
yes please check the error...... and then read here >> http://support.microsoft.com/default.aspx?scid=kb;en-us;329441
mostly such errors are covered by this article..... and if this error is not covered there then post it here and we will try to find out about it :)

Author

Commented:
OK look at the new Screenshots here:
http://community.webshots.com/user/vamp9190

I have the internet back -- I ran all the scans (McAfee, AdAware, Spybot, CWShredder, HijackThis, Stinger, VX2 fixes, LSP fix, Peper fix, AboutBuster, etc...)
and once I logged back on XP it was working.

Now I am wondering once and for all how to clean these Malwares & Trojans - they seem to come back by themselves....

Expert of the Year 2004
Top Expert 2004
Commented:
the problem is your system was BADLY infected..... not with one infection..... with all type of infection...... we can try to clean them..... but cleaning the system from each infected file and registry is like a mission itself :)

the system is stable now..... if the problems come back..... don't run the tools yet and first post here the link to a fresh log file...... so that I can check what "exactly" is coming back...... there were so many things which we removed, you know! ;-)

Author

Commented:
OK thanks, do you want me to Accept this one and start another?
Expert of the Year 2004
Top Expert 2004

Commented:
no why will you Accept this..... i dont think so that the problems are solved yet :-?
but yeah one reason of closing this one and starting a new thread can be..... its only me here to help you and give my stupid ideas...... and if you will close this one and start a new one...... you will get some fresh help and ideas from other experts also..... and may be possible that the problem which im unable to solve yet.... can be solved by them :)

So you decide whether you want a fresh start or not...... your decision will be totally acceptable for me =)
