WinXP SP2 failure to load after Spybot scan



Cetaman
2008-12-14, 23:27
Aloha, please direct me to the correct thread or assist me with this one.

After loading a new copy of WinXP SP2 on to an existing computer and copying over files that I thought were clean (they had been scanned), I ran Spybot and there were still 9 malware. They were removed. When I restarted the computer, it sent me to the choose user screen and then signs off immediately when the user is selected. This occurs even in safe mode where the administrator is also a user option.

Any suggestions? Mahalo for the help! Aloha

mark30120
2008-12-15, 13:46
I wish that I was able to reply with some help, but alas, I am here to join you. On Friday, I ran S&D only to end up dead in the water. Normally, my pc boots straight to the desktop, but now to the logon screen...I attempt to log on, the pc starts the process, then logs off. Same results as yours in Safe Mode as well...mine and the Administrator IDs are displayed, and both fail to logon.

Maybe I can offer some more info that might help get us on the right track...I found a website that offered an image file to create a boot cd. I downloaded the file, created the cd, and attempted to boot-up...

"Windows could not start because the following file is missing or corrupt:
<Windows root>\system32\hal.dll.
Please re-install a copy of the above file."

I'm not sure how to do that with a computer that won't boot...I suppose one might put the drive in another pc as a slave, and install the file, but I don't have that luxury (second pc).

Good luck, Cetaman.

PepiMK
2008-12-15, 15:21
Quick question, very important basic information for any support request: which version of Spybot-S&D were you running?

(the problem sounds a lot like you were trying to force 1.6 updates on a 1.3 version, that's why I'm asking)

mark30120
2008-12-15, 16:02
Quick question, very important basic information for any support request: which version of Spybot-S&D were you running?

(the problem sounds a lot like you were trying to force 1.6 updates on a 1.3 version, that's why I'm asking)

I am not sure, and obviously can't check...however, I think it was the latest.

mark30120
2008-12-15, 21:07
I am not sure, and obviously can't check...however, I think it was the latest.

I found the print-out from the last time I ran S&D...it is ver. 1.6, and I recall updating definitions, etc., before running the scan.

PepiMK
2008-12-15, 21:41
If you have the print-out from the last scan like you said, could you please post what exactly was found during that scan?

Mn8Mutimedia
2008-12-16, 22:57
Can someone please help, I have the same problem as these guys!!!

I cannot log into my Administrator account, it logs out and goes back to logo screen again.

I hope someone may be able to help, I need to get my computer up and running ASAP.

I recently updated to Win XP SP3, updated Spybot search and destroy, and also installed the CS4 collection, all about 1 week ago. I have restarted my computer several times since, but today while working in Premiere CS4 I got a blue screen of death.

I restarted the computer, and a bunch of registry change notifications kept popping up under Spybot Search and Destroy, many more than the occasional registry changes that S&D informs me of. I hit deny on most of them because I didn't know why anything had to change at this point when everything was working last week. At some point it froze again while reviewing the Spybot registry changes.

When I restarted again, the Login screen comes up (It doesn't usually) and then after I type in the correct password on the Administrator account, it starts to load up my desktop but then logs off that account and restarts again. Over and over again, I can't log into my account for more than a second before it logs that one off again, and asks me to relogin.

I have tried to start in Safe Mode, but it doesn't get that far. I have done the restore last known configurations as well. It didn't work.

Anyone know how I might be able to get into my account without it logging me off and trying to restart?? I may be able to revert the changes by spybot.

In another forum I was suggested to do an XP repair with my XP cd-rom? But I didn't get the Repair option, only recovery.

It seems if I could just get in and change whatever settings Spybot made before this happened I could access my system again.

I had an old version of Spybot installed for a while and wasn't using it, but I recently updated and ran a scan, so it was freshly updated 1 week ago. I also use Comodo firewall, on Windows XP SP3.

Any help is appreciated.

Thanks in Advance

Yodama
2008-12-17, 09:48
hello,

I am sorry for the inconvenience.
Please refer to this Blog (http://forums.spybot.info/blog.php?b=14)
for recovery of your system. These methods assume that the correct userinit.exe is still in place and will help you recover your registry.

Buster
2008-12-17, 10:06
Does the name "Win32.Agent.bzs" ring a bell?

mark30120
2008-12-17, 20:42
Does the name "Win32.Agent.bzs" ring a bell?

Absolutely...or partially
Other than tracking cookies, the items found were:

Fraud.PCHealth
Fraud.XPAntivirus
MicroAntivirus
SpySheriff
Smitfraud-C
Win32.TDSS.rtk
Win32.Agent.pz
Win32.Agent.jg

S&D fixed everything but 2 items...requested to be allowed to run on start-up...which I of course allowed.

The items not fixed were-

Fraud.PCHealth: [SBI $6EF297C]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22EA5610-39AA-4231-AD6C-5D2878D68704}

Win32.Agent.jg: [SBI $AFA60660] Program directory
C:\Windows\system32\twain_32\

I rebooted and the problem began.

Thank you all, by the way, for your support and interest...

Cetaman
2008-12-17, 21:41
Aloha,

In response to Mn8Mutimedia and anyone else looking for an end run. I reinstalled / repaired the XP operating system from the CD and everything works, only I am not running Spybot until this issue is resolved.

During the reinstall / repair, recovery was offered at the first screen, but then repair was also offered at the next screen. Maybe you can try that if nothing else works. Good luck!

Aloha

Greyfox
2008-12-18, 12:16
...I am not running Spybot until this issue is resolved.


It may help if you answered PepiMK's query earlier in this thread

http://forums.spybot.info/showpost.php?p=267328&postcount=3

mark30120
2008-12-18, 13:20
Does the name "Win32.Agent.bzs" ring a bell?

If I may ask...why do you ask? Have you seen a similar issue where Win32.Agent.bzs was involved?

mark30120
2008-12-18, 13:47
The good news...I am up and running
The bad news...I am hesitant to run SS&D, at least for now

I got back up by purchasing Windows XP Home Edition and was able to effect a repair. I had to make the purchase because the PC I am using came with setup files on a partition, rather than disks, and when I tried to create disks (quite some time ago), the PC just sat there staring at me like I had 2 heads. I have my doubts that I would have been able to accomplish anything with them other than wiping the drive clean and loading all the stupid applications and trials that suck up space and irritate the crap out of me.

I would like to run SS&D again, as I know there are still items yet to be fixed, but since I was running 1.6 with current descriptions, etc., I fear the same thing would happen again.

Again, thanks everyone, for your help.

Cetaman
2008-12-19, 07:01
Aloha,

Mahalo for the suggestions. We are operating on the assumption now that there was an attempt "to force 1.6 updates on a 1.3 version". This is a distinct possibility but, as noted, there is no way to establish it as fact. Unfortunately, there are other issues and little time to resolve them at play here. I will post a follow-up when the information is available. Mahalo again!

Aloha


Quick question, very important basic information for any support request: which version of Spybot-S&D were you running?

(the problem sounds a lot like you were trying to force 1.6 updates on a 1.3 version, that's why I'm asking)

Leapfrog
2008-12-20, 03:56
It seems the same thing happened to me guys. :sad: By the way, I have SSD version 1.5.2.

Today I'm surfing the net when up popped a firewall warning alerting me to a request to hijack my internet connection by a file called wjqs.exe or something similar. Of course I say deny. Next comes a SSD pop up asking me to verify the following change:


value "BootExecute" (new data: "autocheck autochk * ") changed in Session manager!
I have no clue what that is so I deny.

Next I notice my Internet pages taking longer loading. So I open Adaware to scan my system but it says Adaware can't connect to the server!!

Next I attempt to open SSD but it flashes quickly and disappears!! I try to Google these variants and when I click the Google results I am redirected to spyware sites!!

Notice I never try to install SSD 1.6.

So I install Malwarebytes and I reboot the computer to go into Safemode but guess what happens? My computer won't boot into safe mode!! It reboots normally but just hangs at the XP login screen after I input my password!!

After many attempts to log into safe mode, I finally get in and I choose Last Known Good Configuration.

Then I reboot normally and run Malwarebytes. Below is what it finds on my PC:


Two registry keys infected with tdssdata (Trojan.Agent)

Four dll files infected with Trojan.TDSS

One driver infected with Trojan.TDSS

Two temp files infected with Trojan.FakeAlert

One dll file infected with Rootkit.Agent

and various other files infected with downloader trojans!!


Once these were cleaned from my system I was able to open and run SSD successfully! :D:
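Editorial example, added here and not written by any poster or by the Spybot team: the thread mentions a prompt about the "BootExecute" value in Session Manager and a recovery method that depends on the correct userinit.exe, so this sketch parses a registry export and reports whether those two values differ from stock Windows XP data. The key paths and default data are general Windows XP facts rather than details from the thread, the sample export is constructed, and Windows is assumed to be installed in C:\WINDOWS.

```python
import re

# Stock Windows XP data for the two values (general defaults, not from the
# thread). Assumption: Windows is installed in C:\WINDOWS.
EXPECTED = {"bootexecute": ["autocheck autochk *"],
            "userinit": ["c:\\windows\\system32\\userinit.exe,"]}

# Constructed sample in regedit export syntax (not from any poster's machine).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''
# Constructed damaged variant: the Userinit data has been emptied.
DAMAGED = CLEAN.replace(r'"C:\\WINDOWS\\system32\\userinit.exe,"', '""')

def decode_value(raw):
    """Decode .reg data: quoted REG_SZ or hex(7) REG_MULTI_SZ -> list of str."""
    raw = raw.strip()
    if raw.startswith('"'):
        return [re.sub(r"\\(.)", r"\1", raw[1:-1])]
    if raw.lower().startswith("hex(7):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return [raw]

def parse_reg(text):
    """Map lower-cased value names to decoded data (key paths are ignored)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    return {m.group(1).lower(): decode_value(m.group(2))
            for m in re.finditer(r'^"([^"]+)"=(.*)$', text, re.M)}

def audit(text):
    """Return (name, found, expected) for each watched value that deviates."""
    found = parse_reg(text)
    findings = []
    for name, expected in EXPECTED.items():
        # strip(): a prompt may render the multi-string with a trailing space
        got = [s.strip().lower() for s in found.get(name, []) if s.strip()]
        if got != expected:
            findings.append((name, found.get(name), expected))
    return findings

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("damaged", DAMAGED)):
        print(label, audit(sample))
```

A value that is absent from the export is reported the same way as one with unexpected data.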

drragostea
2008-12-20, 04:19
LeapFrog, why are you cross posting the same post?

Leapfrog
2008-12-20, 15:44
LeapFrog, why are you cross posting the same post?

Because it is relevant to the thread topic.

drragostea
2008-12-21, 01:45
Well it doesn't really explain how your system was down.

Leapfrog
2008-12-22, 16:55
:funny:
I thought it was fairly clear that my system was compromised by trojans and therefore I could not run SS&D or log into my computer until I chose the last known good configuration at which point I was able to log in and clean the buggers out of my computer and only then could I run SS&D.

drragostea
2008-12-22, 23:15
:red: I guess it forgot about the "Last Known Configuration". You have my thanks. :oops: