ihasvirus
2008-08-27, 16:28
PC boots fine but at log in screen after entering password and beginning to load for about a second, it logs back out and returns to the log in screen. Hence I'm unable to get into windows and run any programs. Same thing also happens if I try to log in as admin or my normal user area in safe mode.
I've tried repairing Windows XP (MCE) from the CD but it didn't change anything.
I was considering re-formatting anyway so I will probably do that, however there's a lot of files on my hard drive that I'd like to keep, so advice on how to get files off the infected drive without infecting anything else would be appreciated. Also, an external drive was plugged in when I got the virus; is there any chance that that will be infected?
Someone on another forum posted this link http://www.winxptutor.com/wsaremove.htm and this bit sounded like what was happening to me:
Logon - Logoff loop, also caused by BlazeFind
Another critical symptom caused by this malware: This malware modifies the Userinit area in the registry (replacing the userinit.exe with wsaupdater.exe) and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the Logon - Logoff loop. That is, when you log in to Windows, the "loading personal settings" verbose will appear, but suddenly it will log off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.
Here is the solution to the logon - logoff issue in Windows XP.
Enter the Recovery Console
Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).
Type the following command and press Enter.
CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)
COPY USERINIT.EXE WSAUPDATER.EXE
Quit Recovery Console by typing EXIT and restart Windows.
You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)
Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.
Unfortunately after entering the COPY line I got "The system cannot find the file specified."
Any help?
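An added example, not part of the original post or the linked tutorial: a check of the Winlogon Userinit value that reports the condition described above, where the value names a program that is no longer on disk. The sample values, the file set and the function names are constructed for illustration, and resolving bare file names to system32 is an assumption.

```python
import ntpath
import re

# Value audited: "Userinit" under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

def audit_userinit(value, file_exists, system_root=r"C:\WINDOWS"):
    """Classify each comma-separated program named in the Userinit value.

    file_exists is a callable(path) -> bool, so the same check can be run
    against a mounted offline drive or, as here, constructed sample data.
    """
    system32 = ntpath.join(system_root, "system32")
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        path = re.sub(r"%systemroot%", lambda m: system_root, entry, flags=re.I)
        if not ntpath.isabs(path):
            path = ntpath.join(system32, path)  # assumption: bare names live in system32
        path = ntpath.normcase(path)
        if not file_exists(path):
            verdict = "missing"     # nothing for Winlogon to start: logon-logoff loop
        elif path == expected:
            verdict = "ok"
        else:
            verdict = "unexpected"  # something other than userinit.exe runs at logon
        findings.append((entry, verdict))
    return findings

def needs_repair(findings):
    """True when the value is empty or any entry is not the stock userinit.exe."""
    return not findings or any(verdict != "ok" for _, verdict in findings)

# Constructed sample: disk contents after the scanner removed wsaupdater.exe.
SAMPLE_FILES = {r"c:\windows\system32\userinit.exe"}

def sample_exists(path):
    return path in SAMPLE_FILES

if __name__ == "__main__":
    for value in (r"C:\WINDOWS\system32\userinit.exe,",     # stock value
                  r"C:\WINDOWS\system32\wsaupdater.exe,"):  # constructed hijacked value
        result = audit_userinit(value, sample_exists)
        print(value, result, "repair needed:", needs_repair(result))
```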