Server Login ok but No desktop, cnt alt del ok but no taskmanager

A Strange one.
Windows 2003 Standard SP1.
Running as a simple share with terminal server. No Domains or AD just local users and groups.
The server rebooted due to a power outage.
Clean shutdown.
On reboot, the system starts up ok, with one message that a service failed to start. On ctrl-alt-del, you can log in but you do not get a desktop, just a mouse pointer. If you hit ctrl-alt-del, you can shut down, log off etc., but if you click on Task Manager nothing happens.
After much mucking about, we decided to image the drives and move to new hardware using Acronis.
Once the image was completed, we started up Windows and the logon worked and the system showed the desktop. It then went on to install the various missing hardware drivers and all appeared ok.
Then we rebooted and have the same issue.
Using Bart's boot CD, we accessed the drives and scanned for viruses - nothing.
Tried copying registry hives from repair to system32\config - same.
Safe mode reboots.
Directory Restore mode - gives us a safe Windows layout, but when you log in you get the same no desktop, ctrl-alt-del behaviour.

ZombiteAsked:
 
Zombite (Author) Commented:
JapyDooge: Can you enter this as a solution

This is a nasty virus via a js script on a web page.

http://www.threatexpert.com/report.aspx?uid=82cc0907-16ed-4868-88a9-cebdbdc8cff4

Drops some beasts into winlogon notify

QUOTE: Speaking of malware, the drive-bys are getting worse. First Whitepages and other websites were hacking us and now the UNICEF website got hacked. This is getting ridiculous. There is one in particular that I am seeing more and more.
The symptoms (at least on a domain) are excruciatingly long log-offs, dodgy internet and, even as the administrator, you can't RWW to the machine or RDP to it internally. If you go to the file system through the network (connect to \\workstation\c$) you can see some hidden files in C:\Windows\System32. They are rotr.sys or rotw.sys. If the user logs off, you can delete these files remotely or do it in safe mode. As the files are a part of a rootkit, you can't actually see them as the user. Once deleted and the system is rebooted, everything is back to normal.


0
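The accepted answer points at entries dropped under the Winlogon Notify key. As an added example (not from the thread or from ThreatExpert), here is a small Python audit that parses a regedit 5.00 export of the Winlogon key, such as one taken from the offline hive while booted from Bart's PE, and flags Notify subkeys outside an assumed clean-install baseline plus any non-default Userinit or Shell value. The sample export and the rogue subkey name in it are constructed for illustration.

```python
import re

# Constructed sample regedit 5.00 export of the Winlogon key; the
# "evilnotify" subkey and its DLL path are a made-up illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\evilnotify]
"DLLName"="C:\\WINDOWS\\system32\\ROGUE_EXAMPLE.dll"
"""

# Assumed baseline of Notify subkeys on a clean Windows 2003 SP1 box;
# confirm against a known-good server before relying on it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from a regedit 5.00 export."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg escapes backslashes as \\ ; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def audit_winlogon(text):
    """List (item, value) pairs that deviate from the expected Winlogon config."""
    keys, findings = parse_reg(text), []
    wl = keys.get(WINLOGON, {})
    if wl.get("Userinit", "").lower() != DEFAULT_USERINIT.lower():
        findings.append(("Userinit", wl.get("Userinit")))
    if wl.get("Shell", "").lower() != "explorer.exe":
        findings.append(("Shell", wl.get("Shell")))
    prefix = WINLOGON + "\\Notify\\"
    for path, vals in keys.items():
        name = path[len(prefix):]
        if path.startswith(prefix) and name not in KNOWN_NOTIFY:
            findings.append(("Notify\\" + name, vals.get("DLLName")))
    return findings

if __name__ == "__main__":
    for item, value in audit_winlogon(SAMPLE_REG):
        print("suspicious:", item, "->", value)
```

Anything it reports is a lead to verify (file timestamps, hidden attribute, whether the DLL exists), not proof by itself.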
 
supportsCommented:
Have you tried logging in with another user... and I am not sure if you're facing the issue in safe mode as well, i.e. it reboots itself.
0
 
exhaustCommented:
What if you tried another copy of C:\Windows\Explorer.exe from a working server?
0
 
Zombite (Author) Commented:
Was able to grab the event log remotely.

[14508] Application Popup   Type:     INFORMATION
Computer: SERVER01   Time:     18/06/2008 2:09:22 PM   ID:       26
userinit.exe - Application Error The application failed to initialize properly (0xc0000005). Click on OK to terminate the application

Same error for taskmgr.

The server doesn't start in any mode. Safe mode reboots.

Have checked the file versions and sizes.
While in the "first time booted" running version, ran SP2 on the server, which replaces most of these files. Same result when booted the second time.

This is what gets me - the thing will boot the first time after imaging via Acronis - then on the second boot - dead.


0
 
JapyDoogeCommented:
Microsoft's workaround:

To work around this issue, delete the invalid registry value:
1. Start Registry Editor (Regedt32.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\IniFile Times
3. Locate the invalid value (this is usually a value with no name).
4. Click the invalid value.
5. On the Edit menu, click Delete, and then click Yes.
6. Quit Registry Editor.
0
 
Zombite (Author) Commented:
Seemed like a good bet but no go.
Checked the entries - all ok.
Deleted all the shadow registry inf times - no effect.
Still get the same error or lack of response.
0
 
JapyDoogeCommented:
Hmm, running "sfc /scannow" would maybe work, but you don't have that access to the system except...

You can edit the registry, so you can add "sfc /scannow" to the Run or RunOnce keys in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (runonce will be even better)

There create a new value of type String named 'Run' or something like that and give it the following value:
C:\Windows\System32\sfc.exe /scannow

At boot the computer will run sfc /scannow to check all Windows system files and restore damaged ones. (I hope the reg keys are loaded; maybe they load after userinit...)

Good luck again
0
 
Zombite (Author) Commented:
Got it up and booted with the "first time run after imaging".
sfc - no results - same on reboot.
SP1 and SP2 - same.
As Terminal Services doesn't run on first boot, I am investigating the registry and profile.
There is much about inituser.exe and time stamps in the shadow registry for Terminal Server.
I notice that the usercmd doesn't run either.
Will report back findings - thanks for suggestions.
0
 
JapyDoogeCommented:
That's not nice. Ah well, you can click the 'Accept as a solution' button on the bottom of your own post to close the question because you fixed it yourself.

Good luck man.
0
 
Zombite (Author) Commented:
Thanks -
By using Bart's boot disk and getting rid of the registry entries, and the files in system32, the server now lives.

0