
Thread: Got rid of Braviax, now have Brastk.exe

  1. #11
    Fatboy_97 (Member) | Joined Oct 2008 | Yakima, Wa | 51 posts

    Can't log on now; not even in "safe mode".

  2. #12
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    Sorry for delay.
    For some reason I am not getting notified of replies.

    What exactly happens when you try?
    At which point does login fail please?

    Did you run anything else before running combofix? If so -- what?

    Did you allow install of the recovery console when you ran Combofix?

    Don't try anything else yet please. ComboFix set us up with a couple options for recovery so we should be able to get things back in order.
    I just need more info about what you are seeing etc to figure out our next step.

    If you did not install recovery console -- do you have your XP CD?

    Thanks

    Blender

  3. #13
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    Also...
    When CF was running... see any error messages?
    Did CF reboot the machine then finish, or was it at this point log-in failed so CF did not complete?

    Try to tell me as many details as you can please.

    Thanks,

    blender

  4. #14
    Fatboy_97 (Member) | Joined Oct 2008 | Yakima, Wa | 51 posts

    Thanks for your time Blender. To answer several of your questions all at once, combofix did not run. I downloaded it, but when I double-clicked on the desktop icon I would get the error message as stated in my previous post.

    As to the login problem, the system boots up just fine & I can click on my name, type in my password, then it will flash my wallpaper for just a millisecond, then say "logging out, saving your settings". It does the same thing on any sign in including my wife's login, guest, or even as administrator in safe mode.

    Just about to head off to work, so I'll be back later this evening.

    Thanks, Dennis.

  5. #15
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    Hi,

    Thanks for the info

    One of 2 things happened & both are recoverable.
    1. Userinit.exe was deleted/replaced by something
    2. Registry entry that loads userinit.exe is broken/missing.

    Don't let anyone else try anything just yet.
    First thing I want you to try is "last known good"
    Restart system as if going to safe mode.
    Instead of choosing safe mode choose "last known good configuration" then hit enter.

    If good will be with us -- system will start.

    If it starts -- please make another erunt backup.
    Please also post a new set of logs from OTViewIt.

    Don't do anything further yet.
    And keep TeaTimer off till I get back to you please!

    Can you also tell me what version is your Spybot?

    If system still displays same symptoms when logging in -- do nothing further, but let me know.

    Thanks.
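
The second cause named in the post above (the registry entry that loads userinit.exe being broken or missing) can be checked mechanically. The following is an added example, not part of the thread: it parses `reg query` output for the Winlogon key and validates the `Userinit` value, and it goes slightly beyond the post by also flagging unexpected extra entries. The key path, the XP default value and the sample outputs are assumptions supplied here; the thread names none of them.

```python
import re
from ntpath import normcase, normpath

# XP default; assumes Windows is installed in C:\WINDOWS (adjust otherwise).
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"

def parse_reg_query(text):
    """Return {value_name_lower: data} parsed from `reg query` output."""
    values = {}
    for line in text.splitlines():
        # Value lines are indented: <name> <REG_TYPE> <data>
        m = re.match(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def check_userinit(values, expected=EXPECTED):
    """Return a list of findings; an empty list means the value looks sane."""
    data = values.get("userinit", "")
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    if not entries:
        return ["Userinit value missing or empty"]

    def norm(p):
        return normcase(normpath(p))

    findings = [f"unexpected entry: {e}" for e in entries
                if norm(e) != norm(expected)]
    if len(findings) == len(entries):
        findings.append("userinit.exe not referenced at expected path")
    return findings

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed sample outputs, not taken from the thread.
GOOD = KEY + "\n    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,\n"
MISSING = KEY + "\n    Shell    REG_SZ    Explorer.exe\n"
EXTRA = KEY + ("\n    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,"
               "C:\\WINDOWS\\system32\\example-extra.exe\n")

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("missing", MISSING), ("extra", EXTRA)]:
        print(name, check_userinit(parse_reg_query(sample)) or "OK")
```

This covers only the registry value; whether userinit.exe itself was deleted or replaced (the first cause in the post) needs a separate file check.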

  6. #16
    Fatboy_97 (Member) | Joined Oct 2008 | Yakima, Wa | 51 posts

    Well poop, same symptoms even after starting from "last known good configuration". Thanks for your patience.

  7. #17
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    I think I see what happened.

    When you saw all these changes happening that TeaTimer (TT) was warning you about (when ThreatFire (TF) was running) you denied a lot of these changes. TF was making changes for the good, fixing up stuff.
    A lot of these changes that were denied were important to how the system boots and how it runs.
    Your file associations all got borked, login got borked plus many other things.
    I mean like 30 or more important registry keys/values got deleted.
    It looks like TF deletes the bad registry value then rebuilds it when it fixes stuff so when you got the TT warnings... instead of any of them getting fixed all got deleted.

    Now... remember that ERUNT backup I made you do before we started working? This is what we are after. Restoring that.
    We made that backup before I had you download/run combofix or anything so it *should* work.
    Yes it will restore some bad stuff but we should be able to finish up repairs after that.


    You have your XP CD (the real deal not some restore cd thing from whoever made your computer) or do you have the recovery console (RC) installed?

    How you can tell if recovery console is installed is if when you first boot up you see 2 OS choices.
    One being Microsoft Windows XP and the other being Windows Recovery Console.

    Let me know please.

    Thanks

  8. #18
    Fatboy_97 (Member) | Joined Oct 2008 | Yakima, Wa | 51 posts

    Threatfire was fixing stuff, but I denied it 'cause I thought TeaTimer was detecting bad stuff. Makes me feel kinda like Homer Simpson. DOH!

    Anyway, I do have the original Windows XP disk so it should have a recovery mode on it? Thanks again for your patience.

  9. #19
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    OK. Good on the XP disk. Yes it does have RC on it. We're going to boot with it.
    I'll be back in a few with further instructions.

  10. #20
    Blender (Security Expert) | Joined Oct 2006 | Ontario, Canada | 127 posts

    Sorry.. uptown business took longer than expected.

    Ok...

    One thing to understand here is the recovery console is all commands. Kinda like "DOS". No pretty pics here & no mouse.

    Insert XP CD & reboot the machine.
    If you get onscreen message to "press any key to boot with cd..." just hit enter.
    If it tries to boot right through to XP on system you will need to go into your BIOS and set it up to boot with CD first.
    Usually there is onscreen message displayed how to enter "setup" or "boot order" (often f10, f2, del, f12)
    Once in "setup/BIOS or boot order screen" there should be onscreen instructions how to move around in bios.
    No mouse here .. usually only have access to arrow keys, few f keys, enter key and the tab key.

    You are looking for "boot order"
    You want to change it to boot with CD first, hard drive next & if you have floppy that be last.
    Make no other changes.
    Save changes & reboot again.
    Hit "enter" when you see the "boot with cd" message.
    You will see windows loading drivers and such on blue screen..
    Then you get a screen with several choices.

    Install XP
    Repair XP
    Exit

    You want "repair". Type R & hit enter.

    You should next get a black screen asking what OS to log into.
    Normally only 1 listed.
    1 Windows
    Type 1 & hit enter.
    You are next asked for admin password.
    If no password on administrator account just hit enter. Otherwise type in the admin password & hit enter.
    Next you see this prompt:

    c:\Windows>

    Now -- make sure you type in these commands exactly as you see em or there will be errors.
    Note where I have spaces and so on. (commands to type are in bold)(hit enter after each line)

    Type cd erdnt
    dir


    Now you should see at least 2 directories listed.
    We want the one where I had you create the backup.
    I am not sure if you did it the 28th or the 29th. (I am assuming the 29th for illustration purposes. If it was the 28th then change accordingly)

    autobackup <-- created automatically if you have this option set when you installed erunt.
    10-29-08 <-- Our puter saver

    type cd 10-29-08
    ERDNT.con

    You will see several "1 files copied" messages
    Once done type exit and hit enter.
    System reboots.
    Don't hit any keys at the "boot with cd..."
    XP Should start.

    This will get us back before CF tried to run & before ThreatFire did anything.

    Once you get in... please make sure to disable TeaTimer before doing anything else.

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts. You MUST allow the change.
    6. Restart your computer.

    Make sure TeaTimer is not running.

    Download ResetTeaTimer.bat to the Desktop
    http://downloads.subratam.org/ResetTeaTimer.bat
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

    Assuming this went as expected....

    Create a new ERUNT backup & please post a new set of logs from OTViewIt.
    Let me know at this point how things are.
    Verify for me size of C:\ERDNT\11-01-08 <-- this folder (assuming you did it today)

    If you had any problems above or still cannot boot -- post in detail what the problems are and what you see when you try to boot.

    Thanks
