After running spyware - XP won't let me boot - keeps logging out

I have a dual boot XP and Win 7.  I was in XP at the time.

I had recently running spybot because of a virus/spyware in my system
that caused the little RED X to appear in the start up menu and caused
my desktop background to show "YOU HAVE A VIRUS" repair immediately
and then it puts a TRIAL of some software on my desktop.  Needless to
say, I did not bother with it.
So here is what I did :

1) Ran Hijack This and took out what I could.  Some things could not
be removed.

2) I rebooted and this did not fix the issue.

3) Tried restarting in safe mode, same issue.

4) Ran spybot and rebooted, this time it continues to log me off in
both safe and regular mode - it says "Loading user settings", and then
it logs me off.

Any ideas how to fix this?

daviddschool wrote:Reformat.

Reformat. Reinstall XP or spend weeks trying to chase down all the
malware. I trust you are backed up.

--
C

The looping issue is caused by a problem with the file userinit.exe.

The looping issue is caused by a problem with the file userinit.exe. To fix
it can be tedious. As C suggested, your machine is compromised and you
should save all your important files (including your EMail files!), then
re-install Windows on a freshly formatted disk. If you continue with your
current system then you are likely to have a never-ending string  of
problems.

You could reinstall without even trying to fix your system, or you cantry to

You could reinstall without even trying to fix your system, or you can
try to fix what you have.

A reinstall will require a genuine bootable XP installation CD.

You are certainly not the first person to have this problem.

You can probably fix what you have with a genuine bootable XP
installation CD or a bootable Recovery Console CD that you can make
yourself.

Here are some instructions to make a bootable Recovery Console CD:

http://www.bleepingcomputer.com/forums/topic276527.html

After you have successfully booted the afflicted computer on the
Recovery Console CD, then you can work on resolving your issue.

46-afd7-4f4a-9922-bfdb91c180cc@c22g2000vbb.googlegroups.com...

46-afd7-4f4a-9922-bfdb91c180cc@c22g2000vbb.googlegroups.com...
ix

Will the reinstall delete every?

Also, since I am running a DUAL BOOT system on two different drives,
is it safe to go to WIN 7, look at the drive and take what I need from
it before hand?  If it is malware, will it jump from drive to drive
even if I am not using it?  If I reinstall, does that delete
everything?

daviddschool wrote:Now you know why dual booting is not a good idea.

Now you know why dual booting is not a good idea. You should reinstall
both or just one.

--
C

If you read the text, HiJack This should only be run AFTER you haveexhausted

If you read the text, HiJack This should only be run AFTER you have
exhausted all other means of recovering your computer. It should not be the
first thing you do and will not often get you anyhelp if/when you post the
output as instructed.

It sounds like a clean install might be in order, actually. You may be
infested with several hard to chase down pieces of malware that AV is not
going to find. If you have backed up as you should, it is an easy process. If
not, well, it might take a day or two or more to do the reinstall.  Without
reinstalling you could spend months chasing things and never succeed.

HTH,

Twayne




--
--
Life is the only real counselor; wisdom unfiltered
through personal experience does not become a
part of the moral tissue.

efhoutI am just worried if it is a virus or malware that is might go to

e
f
hout
I am just worried if it is a virus or malware that is might go to the
other drive.  I have a USB flash drive that was plugged in at the time
-  and that is giving me issues now, so I did not want to infect the
other drive if it might do that.  But I do not know enough about this
to be sure.

I do not mind reinstalling, but I wonder if my drive is now off-limits
- ie; if I boot with Win7 and access the drive, am I at risk of
corrupting the other drive?
I do have a backup from about 3 weeks ago.  Nothing major has been
changed this then, so I am not too worried about it, but there are a
few files  I want to get - so that is why I was wondering if I could
boot to Win7 and then access those file from the bad drive - or is
this just causing more issue down the road?
-

What do you mean with "Will the reinstall delete every?

What do you mean with "Will the reinstall delete every?"

IMHO a decent dual-booting system should have complete separation between
the two OSs so that there is no traffic between them. The traditional
Windows boot loaders cannot hide partitions from each other but many
third-party boot loaders (e.g. XOSL) can.

What do you mean with "Will the reinstall delete every?

What do you mean with "Will the reinstall delete every?"

Sorry, I meant a fix or reinstall - will it delete everything or just
the corrupt and missing files?

Also, I am not sure about the USB flash drive.  Because I did access
it during the night when it happened, I am not sure about it.  I am
going to try and run an ONLINE virus scan to see what comes up
(hopefully it will show me something).  The iussue I have with the USB
flash drive is that if it is infected, will not every computer that comes
in contact with it become infect, in effect not really letting me be
able to check it?  Is there a way that that I can get XP or WIN7 not
to access the drive and do the 'auto run' thing when I plug it in?

IMHO, your best approach at this point would be to boot your computerfrom one

IMHO, your best approach at this point would be to boot your computer
from one of the free Live Linux CDs (such as Knoppix).  Since the OS
will be on a CD, it cannot be corrupted and since it is not Windows,
there is little chance of the virus moving over on its own unless you
explicitly copy it.  After you boot from the Linux CD, back up your
files to either a USB drive or a network drive.  Then you can reinstall
Windows on your hard drive.

Knoppix:  <http://knopper.net/knoppix/index-en.html>

HTH,
John

Thanks John, you advice is great. I am downloading now.

Thanks John, you advice is great.  I am downloading now.
Again, I guess my biggest worry is still my USB flash drive.  It has
important files on it and I do not know if they are infected or not.
Is there a way to use the Ontrack online checker with Knoppix?  Again,
maybe I am being paranoid, but I do not want the virus (if it is a
virus) to jump to my USB flash drive - OR - if it already has, for it
to reside there without me knowing and therefore using it on my
laptop, my work computer etc.  I am guessing the virus would not jump
to a drive I did not necessarily use at the time, but I just do not
know.

Also a question I forgot to ask, what is the admin password if youdo not set

Also a question I forgot to ask, what is the admin password if you
do not set one?  I tried REPAIR install and it asked me for an admin
password - I never set one in the first place, so what would I do in a
case like that?

You are safe to boot into win 7, operating systems do not talk back and

You are safe to boot into win 7, operating systems do not talk back and forth
like that, malware like you have seen, is only active once loaded into
memory, and your other OS should be safe, notice I said should, as I have no
idea what you have been doing or going with it. about the flash drive, get an
antivirus scanner that will scan the flash as soon as it is plugged in.

computerllI was just worried about virus scanning on a system that might

computer
ll

I was just worried about virus scanning on a system that might already
be infected.  Trying to dl Knoppix now.  I did already download a copy
and found out it was in German.  The menu system is weird as well - is
there a straight boot?  There was choices like WWW, CHAT, email etc.
I tried a few and nothing happened so I was not sure if it was the
German language that threw me or there is something special about
booting to Knoppix...

press enter as it is blank"daviddschool" wrote:

press enter as it is blank

daviddschool wrote:Don't put in a password and then hit Enter.--C

Don't put in a password and then hit Enter.

--
C

Tried and use ENTER - and it just reboots.

Tried and use ENTER - and it just reboots.  I am not getting the
command prompt for recovery like I should.  Sucks.  Why?

Ok, looks like I am going to buy a new HD tomorrow and recover
everything to it and use the other HD as a spare.  I have Ubuntu
running and I am going to use the online ONTRACK virus checker to
search the drives for issues.  Lastly, I am guessing there really
is not a fix for this and getting my XP back up and running that
does not involve reinstallation, right?

m:Most cases of viruses spreading from USB drives are a result of"Autoplay"

m:


Most cases of viruses spreading from USB drives are a result of
inserted.  In Windows, you can disable Autoplay with TweakUI or simply
hold down the shift key when you insert the drive (you have to hold it
down until after it is completely mounted).  Data files do not usually
carry infections.  Suspect .exe, .com, .bat, .pif, .vbs, .cpl, and
other executable-types of files.

Linux disks do not fix Windows problems very well, so you might
consider checking into freeware "Ultimate Boot CD for Windows" at


Where you can create a "Live Windows" CD which is very helpful for
recovering from situations like you are in.  It is more work to
generate than the Live Linux CD because you have to create the .iso
yourself instead of simply just downloading it.  But once you make the
disk it is a very helpful thing to keep around.  I believe it even
includes some virus checkers.

HTH,
John

Most cases of viruses spreading from USB drives are a result ofThe file on the

Most cases of viruses spreading from USB drives are a result of

The file on the USB flash drive are mostly word docs, pdf, jpg and the
like.  Nothing exe, so I am hoping they are safe.


The  site is password protected?  Where can I sign up?  I just hit the
url and it asked me for a password and login....

That is great, if I can get into it, I will try the Live Windows CD
thing.  Again, thanks for your patience on this.

m:Look at the filenames when you download Knoppix.

m:


Look at the filenames when you download Knoppix.  The german versions
have a "-DE" in the name.  English versions have a "-EN" in the name.
The lastest english version is version 6.2:
KNOPPIX_V6.2DVD-2009-11-18-EN.iso

-- John

The file on the USB flash drive are mostly word docs, pdf, jpg and thelike.

The file on the USB flash drive are mostly word docs, pdf, jpg and the
like.  Nothing exe, so I am hoping they are safe.


The  site is password protected?  Where can I sign up?  I just hit the
url and it asked me for a password and login....

That is great, if I can get into it, I will try the Live Windows CD
thing.  Again, thanks for your patience on this.n

m:Not here. I get connected directly to the site.

m:


Not here.  I get connected directly to the site.  You might try
Googling for it.  Sometimes Google will cache the page and you can
get to it that way.


Another site that has roughly the equivalent is "Bart PE".  Try that
site:

HTH,
John

How are you getting to the repair console?

How are you getting to the repair console? hopefully by booting to the
install cd and stating repair when asked?

yOU DO HAVE, "Hide extension for known file types" turned off, do notyou?

yOU DO HAVE, "Hide extension for known file types" turned off, do not
you?  For some idiotic reason no one has explained to me, up to and
including Windows Vista, the way it comes from Microsoft, the default,
is to have that "feature" turned on.  Maybe windows 7 also.

IF you have it turned on, then manual.doc.exe appears in windows
Explorer as manual.doc .   Same for whatever other extension it
considers for "known file types", which might include .jpg and .pdr.

YOu'll find the setting in Folder Options, iirc.


If you back up all your files now, after the problem has started, it
will be good that you have any particular file you need, but if you
reinstall windows and then copy back every file from the backup, will not
you have your original problem back?

I am not sure about this.IS this the file I want to get rid of?

I am not sure about this.


IS this the file I want to get rid of?


Ok, will do, I will turn on the extensions.


I have some success with this.  I used the repair module and it still
did not work when booting - but it does NOW boot in Safe mode.  I am
hoping that is a very good sign.
I tried to run the Trendmicro Online virus checker using Ubuntu, but
it will not let me open the file.  I have not tried it using Knoppix yet
as I am still downloading the english version.  I can see all the
files and ran a Virus check last night in Safemode, but I went to bed
before it finished.  I will leave it on today and see what happens.  I
have not yet tried booting to REGULAR mode yet since I found out that
Safe mode works.

daviddschool wrote:Try this page:http://www.ubcd4win.

Try this page:

http://www.ubcd4win.com/

Also, you can create a bootable AV checking CD:

http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/

More info:

http://www.bitdefender.com/KB417-en--Using-the-BitDefender-Rescue-CD.html

Others:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

mm wrote:I agree 100%.

I agree 100%. When working on a PC, one of the first things I do is show
the extensions. I hate the default of having them hidden!

I am trying to Bart Windows live cd as well, although I cannot seem toget it

I am trying to Bart Windows live cd as well, although I cannot seem to
get it to be an ISO using Nero Essentials.  I have created the ISO and
when I burned it, it did not boot properly.  I think I will ahve to
download a freeware version of ISO maker.

The AV checking Cd is key.  I will do that right away on my other
computer.

Now, if I still have an issue booting to regular mode, will the
Ultimate Boot CD help?  I am just wondering what my next steps will be
(I am at work now and will try later).

Wow.

Wow.  I never knew that before, and I read whatever came with or on
the flashdrive.  Thanks a lot.

Also, you can create a bootable AV checking CD:I made a ISO for bitdefender

Also, you can create a bootable AV checking CD:

I made a ISO for bitdefender following the instructions.  When I
booted, the bitdefender (based on Knoppix) came up.  I tried to run it
and it said "Cannot find Knoppix on the system",  only a limited menu
available.  I went back to the links and read up again and cannot see
what I am doing wrong here.
I downloaded the 2008 with internet update. I am going to try the 2009
version next and see what happens, but why do you think this is
occurring?

daviddschool wrote:I have seen this problem before.

I have seen this problem before. Apparently the live CD does not work on
every system. Some people have reported success by pressing the Tab
button and entering dma (once the penguins are displayed). This forum
may help:

http://forum.bitdefender.com/index.php?s=95ccfb0cb46e6a95eb41e53160928e10&showforum=185

Also, you can try other live CDs. Avira is one.

daviddschool wrote:Bitdefender used a poor choice of colors for the background.

Bitdefender used a poor choice of colors for the background. The boot
command is black text on a dark background.

By using Isomaster in another Linux distro, I replaced "splash.png" with
an all-white background image, so I can see the text. When you press "tab",
the boot line should look like:

linux ramdisk_size=131072 init=/etc/init lang=us apm=power-off vga=791
initrd=minirt.gz nomce loglevel=0 quiet BOOT_IMAGE=knoppix

That text is virtually invisible, on the unmodified Bitdefender boot screen.

When the CD boots, normally the Knoppix image would be somewhere like

/cdrom/KNOPPIX/KNOPPIX

That is the thing the boot CD could be complaining about, not being
able to find the large "knoppix" file that holds the entire file
system in a compressed form.

On other, later versions of Knoppix, than the 5.0.1 that Bitdefender CD is
based on, you could use the "fromhd" command line option, to "help" the
booting process along. For example, my Knoppix 6.0.2 CD is brain-dead
and cannot find the CD once the booting process starts. A fix is to do

knoppix fromhd=/dev/sdd1

where the part on the end could be sdc1, sdd1, sde1 - it really
varies according to how many disks you have. My CD drive is addressed
in a similar way to my hard drives.

On older versions of Knoppix, it might even be /dev/sr or /dev/sr0
or /dev/cdrom or /dev/cdrom1 or the like.

I cannot say exactly what is busted in your situation right now,
but that is what my testing of the Bitdefender ISO file in
VPC2007 (Virtual PC) is showing me. (I use Virtual PC as a quick
test vehicle for ISO9660 files, before wasting an actual CD
on the download. That has saved me a few CDs, on things that
are not worth burning.)

The version of Isomaster I used, was in Knoppix 5.3.1, which is a
DVD sized download. Some people in Japan, managed to remaster the
5.3.1 DVD version, and make a CD out of it, and that may be a
better compromise version, than having to download a 4GB+ file for
the DVD version. If you have some other way to make modifications
to an ISO9660 file, that might be a more pragmatic option.

If you want to take a quick look at the files inside your downloaded
ISO9660 file, the 7zip program knows how to read an ISO9660. Using that
program, you can quickly explore the ISO9660 file, and see the
/boot/isolinux/splash.png file I am referring to. While you could take
the ISO9660 apart into its separate files, I do not know if that would
really help you at all. Isomaster is the tool I use, for quick surgery
jobs.

http://en.wikipedia.org/wiki/7zip

HTH,
Paul

It seems to boot ok, it does the test for RAM etc, I get the penguins(linux)

It seems to boot ok, it does the test for RAM etc, I get the penguins
(linux) but it says it cannot find the file structure for Knoppix.
BUT when I read the instructions, it  did not say to ADD Knoppix to
the ISO - is that something I should have done?
It never does give me a chance to PICK or choose from a MENU using the
Bitdefender ISO that I download (newest version 2009 and the 2008
version).
Both are iso and both burned, yet both cannot find the file structure
for Knoppix.  I assumed it was included with Bit Defender, but maybe
that is what I am wrong.


Again, I took the information and the steps right from the Bitdefender
page, but I thought I might have missed something.  No where does it
say to include KNOPPIX in the ISO.  It just says to download the ISO
for bitdefender and burn to an ISO and it should be good to go, but it
is not.


I will look inside the ISO and see if there is a file structure for
Knoppix.  If not, how should I go about adding it?

daviddschool wrote:It is included. "KNOPPIX" is a file within the ISO.

It is included. "KNOPPIX" is a file within the ISO. That file
contains an entire compressed file system, and the boot loader
cannot go any further, unless the stuff that makes up the OS
is available to it.


My theory is, that the boot loader has become confused, and is looking
in the wrong place for the KNOPPIX file. My suggestion to try the
whatever problem is causing it.

If you look in this sample screenshot, of Knoppix 5.0.1 or similar starting,
you can see a line

Found primary KNOPPIX compressed image at /cdrom/KNOPPIX/KNOPPIX

and that would be an example of a successful attempt to find the
file system container. There are at least two mount operations
going on there - /dev/cdrom is mounted at mount point /cdrom, so that
the contents of the CD are visible to the OS. Then, the /cdrom/KNOPPIX/KNOPPIX
file is accessed, and the contents are mounted on /, to give /bin, /usr
and all the rest of a Linux environment. That "KNOPPIX" file remains
compressed, and only the sections needed at the moment are decompressed
and loaded into RAM. It allows a Knoppix CD to hold more than double
the normal size constraints of a CD - that is why they do it that way.

http://img.f.hatena.ne.jp/images/fotolife/l/lugia/20080723/20080723233739.png

I am only a Linux noob - I use Linux CDs mainly for maintenance, and
have learned a couple tricks for making my collection of CDs work.

Do you happen to have a partition on your hard drive, of type
EXT2 or EXT3 ? In one case, that was what was causing the boot
CD to latch onto the wrong partition and become confused. Whacking
the distro over the head with "fromhd=/dev/somedevice" gets it
looking in the right place again.

Paul

Paul wrote:There is another way to get a copy of Bitdefender.

There is another way to get a copy of Bitdefender. If you already
have a working Linux environment of some kind, you can run a particular
download from within Linux. (I.e. Use a web browser in Linux, download the .run
file and execute it. That should result in the files inside being installed.)

http://download.bitdefender.com/SMB/Workstation_Security_and_Management/BitDefender_Antivirus_Scanner_for_Unices/Unix/Current/EN_FR_BR_RO/

Since my collection of Knoppix CDs are based on Debian, I'd probably
download this file. Inside is a script plus inline binary data, which
represents a set of files for the install. If you were using a
Linux LiveCD, those files would be stored in RAM, and would disappear
when the computer reboots. So you would  want to save this file somewhere,
if you expect to use it a second time. (Perhaps why I have a copy
of this sitting in my downloads folder.)

BitDefender-Antivirus-Scanner-7.6-4.linux-gcc4x.i586.deb.run

The permissions on the file should be executable.

chmod 755 BitDefender-Antivirus-Scanner-7.6-4.linux-gcc4x.i586.deb.run

Then, execute it.

./BitDefender-Antivirus-Scanner-7.6-4.linux-gcc4x.i586.deb.run

One of the disadvantages of Linux LiveCDs for maintenance, is if
things are not "ready-to-go", you need to know your way around a
terminal window, to correct whatever is screwed up. Which is not very
convenient.

Paul

Ok, I am home now and wrote down everything it says when booting.

Ok, I am home now and wrote down everything it says when booting.  I
have win Xp running on an 80gig HD, that is it.  There are no
partitions.
I have another 250 gig drive, slave and a DVD writer that is running
the Bitdefender.

I am including this because maybe I left out something important.
Ok, burned the Bitdefender ISO on 2 different discs -
Disc 1 . 2008
Disc 2.  2009

Tried both and here is what comes up (I wrote this down from the
screen)
Menu options :

START KNOPPIX ENGLISH
START KNOPPIX FRENCH
START CONSOLE MODE
MEMORY TEST
BOOT FROM HD


t
ng,
OPPIX

Sorry I hit enter and did not finish the message, so here goes.

Sorry I hit enter and did not finish the message, so here goes.

I pick START KNOPPIX ENGLISH (I am guessing this is what I was
supposed to pick).

Next 4 penguins show up
Running linux kernel 2.6
Total memory
Scanning firewall/usb
Enabling DMA for 80gig
Enabling DMA for other 250gig

Then I get

CAN'T FIND KNOPPIX FILESYSTEM, SORRY, DROPPING YOU TO A VERY LIMITED
SHELL

Then I am presented with
Additional built in commands available:
-CAT
-INSMOD
-MOUNT
-UMOUNT
-LSMOD
-RMMOD

Restart by hitting the reset button.

That is it. Hopefully that is more descriptive and can show the way.

daviddschool wrote:This picture shows you what the sequence should have looked

This picture shows you what the sequence should have looked like.

http://img.f.hatena.ne.jp/images/fotolife/l/lugia/20080723/20080723233739.png

penguin(s)
Running linux kernel 2.6
Total memory
Scanning for USB/firewire
Enabling DMA for 80gig
Enabling DMA for other 250gig
Accessing KNOPPIX DVD at /dev/hdc    <--- what you appear to be missing
Reading cloop blocks
...
Found primary KNOPPIX compressed image at /cdrom/KNOPPIX/KNOPPIX

The Bitdefender ISO has a cheatcodes file. Cheat codes are
boot time options to work around problems. I have copied the
entire file below. The "fromhd=/dev/hda1" syntax is mentioned.

*******

CHEATCODES AND HINTS FOR BitDefender Rescue CD V2.0
==============================================================================
(last update: 02.13.2007)

This is an edit of the original KNOPPIX cheatcodes file. Please note that your
version might not have all these features.

These options (can be combined) work from the ISOLINUX bootprompt:

rescue lang=cn|de|da|es|fr|it|nl     specify language/keyboard
rescue lang=pl|ru|sk|tr|tw|us        specify language/keyboard
rescue gmt                           Use GMT-based time
rescue tz=Europe/Berlin              Use this timezone for TZ
rescue atapicd                       Do NOT use SCSI-Emulation for IDE CD-Roms
rescue alsa (or alsa=es1938)         Use ALSA sound driver (at your own risk)
rescue desktop=fluxbox|icewm         Use specified WM instead of KDE (1)
rescue desktop=kde|larswm|twm        Use specified WM instead of KDE (2)
rescue desktop=wmaker|xfce           Use specified WM instead of KDE (3)
rescue screen=1280x1024              Use specified Screen resolution for X

be missingRescue CD V2.

be missing
Rescue CD V2.0
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D
007)
your
sed time

On 2/10/10 8:58 PM, daviddschool wrote:After you are done with this train

After you are done with this train wreck, get a Mac.

--
http://www.vatican.va

daviddschool wrote:

daviddschool wrote:

b.runOk Paul.

b.run

Ok Paul.  I did manage to get Ubuntu running and opened up BitDefender-
Antivirus-Scanner-7.6-4.linux-gcc4x.i586.deb.run
I had to set the privileges like you said, but when I tried to run it
- it told me I had to be a SUPER USER.  Not sure what the heck that
means!?!?!

daviddschool wrote:The "sudo" command solves that problem, with some

The "sudo" command solves that problem, with some exceptions.

sudo ./Antivirus-Scanner-7.6-4.linux-gcc4x.i586.deb.run

Sudo is a thing that "root" or the administrator, sets up for ordinary
users. People in the "sudoers" group, are allowed to run certain
commands that need elevation. For example, granting a user the ability
to "mount" a partition with the mount command, is pretty handy for
day to day Unix usage.

On a "real" Unix box, you would  be prompted for a password, when using
sudo. On the LiveCD distros, usually that is not necessary.

Hope that fixes it.

Paul