Is your Windows PC in a login – logout loop?

This week I ran across a Windows XP Home PC that was infected with a pernicious Trojan Horse.
 
Among its problems was that users couldn’t log into Windows. The Windows XP login screen had fallen back to VGA resolution, and regardless of who tried to log in, their wallpaper flashed for an instant, and they were immediately logged out.
 
  • Background
    When a user logs in, Windows XP invokes a program called userinit.exe, which resides in the \WINDOWS\SYSTEM32\ directory. Somehow, userinit.exe had been overwritten by the Trojan Horse.
  • Cure
    Here’s what worked on this PC:

    • Start the PC and press F8 before the Windows logo appears. Choose Safe Mode.
    • Once Safe Mode is running, log in as Administrator.
    • Choose Start, Run, and enter CMD in the "Open:" box.
    • Enter these commands at the command prompt:
      cd \windows\i386                               <- Change to whatever directory contains Windows’ CAB files.
      expand userinit.ex_ c:\windows\system32        <- Grab a fresh copy of userinit.exe
      cd \windows\system32
      ren userinit.exe userinit.bad                  <- Rename the corrupted userinit.exe
      ren userinit.ex_ userinit.exe                  <- Replace it with the fresh copy
      exit
    • Restart the PC. You should now be able to log in.
    This is just the start of your virus removal odyssey. I found at least 6 infected files in the \WINDOWS\SYSTEM32\ directory, and a few scattered in \WINDOWS\ and Users’ documents directories. Sort these directories by date to see which files have been most recently written to and/or created — these are highly suspect. In some cases I had to note the infected file names and delete them manually with the PC in Safe Mode (Command Prompt Only), as Windows opened them in exclusive mode at startup — which prevents them from being deleted.
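    The date-sorting triage described above, as an added example (not the author's code). It goes one step beyond a plain sort: it takes one known-bad file as a pivot, here the renamed userinit.bad, which keeps the modification time of the overwrite, and lists executables modified within a window around it. The 24-hour window, the extension list, the constructed sample tree and the file name dropped1.dll are assumptions.

```python
import os
import tempfile

# Extensions to review first (an assumption; extend for your case).
SUSPECT_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".bat"}

def files_near(known_bad, roots, window_hours=24.0, exts=SUSPECT_EXTS):
    """List (path, hours_from_pivot) for files modified within window_hours
    of known_bad's modification time, newest first. Creation time is not checked."""
    pivot = os.path.getmtime(known_bad)
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # unreadable or removed while scanning
                delta = (mtime - pivot) / 3600.0
                if abs(delta) <= window_hours:
                    hits.append((path, round(delta, 2)))
    # Newest first, as when sorting the folder by date.
    return sorted(hits, key=lambda h: h[1], reverse=True)

def demo():
    """Constructed sample tree: two files written near the pivot, one old."""
    base = tempfile.mkdtemp()
    sys32 = os.path.join(base, "WINDOWS", "SYSTEM32")
    os.makedirs(sys32)
    now = 1_200_000_000  # constructed timestamp
    samples = {  # path -> hours offset from the pivot file
        os.path.join(sys32, "userinit.bad"): 0,       # pivot (renamed bad copy)
        os.path.join(sys32, "dropped1.dll"): 2,       # hypothetical name
        os.path.join(base, "WINDOWS", "msauc.exe"): -1,
        os.path.join(sys32, "notepad.exe"): -5000,    # long-standing file
        os.path.join(sys32, "readme.txt"): 1,         # extension not reviewed
    }
    for path, hours in samples.items():
        open(path, "wb").close()
        os.utime(path, (now + hours * 3600, now + hours * 3600))
    pivot = os.path.join(sys32, "userinit.bad")
    return [(os.path.basename(p), d) for p, d in files_near(pivot, [base])]

if __name__ == "__main__":
    for name, delta in demo():
        print(f"{delta:+8.2f} h  {name}")
```

    Modification times can be altered by malware, so treat the result as a list of files to review first, not a complete list of infected files.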
     
    This bad guy phones home
    This infection was especially nasty: Zone Alarm caught msauc.exe (which had been created in the \WINDOWS\ directory by the Trojan Horse dropper) trying to "phone home" with who knows what information (account names and passwords?). This was one time when Zone Alarm, with its whitelist of programs that are allowed to access the outside world, worked perfectly to protect the PC’s data.
     
    Visit my website: russbellew.com
     

    2 thoughts on “Is your Windows PC in a login – logout loop?”

    1. I cannot log in period. I have rebooted my system under safe mode, from the installation cd via recovery mode, it will not let me get past the login. I am up a creek. I’m writing this comment from a school laptop. I need help!!!!!!!!!!!!!!!
