Cannot logon after reboot

[armcchr]

I ran the malwarebytes program on Friday and it detected some issues. It requested a reboot that I performed. After the reboot, the system would not allow me to logon. It went from the logon screen to logging off and saving settings. I can get on in safe mode. I have contacted the Dell and they are suggesting that I rebuild the hard drive. Isn't there a better way?

Here are the results from the Malwarebytes run that asked for the reboot:

Malwarebytes' Anti-Malware 1.33

Database version: 1709

Windows 5.1.2600 Service Pack 3

01/30/09 14:16:44

mbam-log-2009-01-30 (14-16-44).txt

Scan type: Quick Scan

Objects scanned: 72763

Time elapsed: 6 minute(s), 18 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 1

Files Infected: 10

Memory Processes Infected:

C:\Documents and Settings\AMcChristian\Application Data\cogad\cogad.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\AMcChristian\Application Data\cogad (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\AMcChristian\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\chert5-998.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\senekabqlpbkvu.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\seneka.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\senekaqqnfmndw.sys (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\beep.sys (Trojan.Patched) -> Quarantined and deleted successfully.

C:\Documents and Settings\AMcChristian\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\AMcChristian\Local Settings\Temp\eocsrwxnma.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\senekaiecfytfa.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Below are the results of my HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:33:07, on 02/02/09

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18372)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CA\eTrust Antivirus\InocIT.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\OFFICE12\OUTLOOK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig?hl=en

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O1 - Hosts: 88.116.99.249 office.pipelife.com #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#

O1 - Hosts: 88.116.99.249 office #ADDED BY F5 NETWORKS SSL TUNNEL - ORIGINAL RECORD#

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {81B5D431-3B85-4683-A055-F7D717AA302B} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: Realtime Monitor.lnk = C:\Program Files\CA\eTrust Antivirus\Realmon.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://officebeta.iponet.net

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://office.pipelife.com/vdesk/terminal/...,2008,0404,2142

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://my-remote.johnsoncontrols.com/https...om/iNotes6W.cab

O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://office.pipelife.com/vdesk/terminal/...,2008,0404,2134

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D84C4D49-A63A-4432-B319-718ECA705773} - file://C:/Program Files/F5 VPN/F5_TMP/f5syschk.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://office.pipelife.com/vdesk/terminal/urxhost.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pipelife.local

O17 - HKLM\Software\..\Telephony: DomainName = pipelife.local

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O20 - Winlogon Notify: xxywUkHX - xxywUkHX.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Demand Planner Collaborative Server - - c:\program files\microsoft business solutions\demand planner collaborative server\dpcserver.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel

[AdvancedSetup]

While on in SAFE MODE start MBAM and post back what files are currently in the quarantine tab please.

[AdvancedSetup]

Please post a status update on this.

[armcchr]

Got to a point where I could not log on even in Safe Mode. In the process of rebuilding computer.

[AdvancedSetup]

Okay, thank you for the follow-up feedback.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

[AdvancedSetup]

Post re-opened at user request.

[edifyguy]

First let me say that I found this forum extremely helpful. I do not usually use MBAM, but this forum provided me with the information necessary to fix the same problem on my friend's computer.

Here's the key, straight from the log you posted:

---------------

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

---------------

The reason that you were unable to log on after your cleanup operation was that this file, which was infected, was deleted. This line is not reporting that a registry key was itself a problem, as SpyBot S&D would do, but is saying that the file this registry entry points to was infected. The problem arose because this file is a critical part of the Windows logon process, and it got deleted to clean up the system. (That is, of course, exactly why the virus infected it: to be certain that its viral code was activated every time the machine was used.) To successfully repair this infection, it is necessary to replace this file with a clean copy from a working machine or the XP CD. In my case, I used a copy from a working machine, and it booted right up and logged on properly.

I know it's probably too late for the original poster, but I can't imagine that this is an uncommon infection, since my friend that got it was not a risky surfer. Hopefully this will save someone a lot of unnecessary rebuilding.

Jason

[Nubermcnewsky]

JASON = AWESOME !!!!!

[edifyguy]

JASON = AWESOME !!!!!

Glad to be of help. I was sure someone would find that info useful.

[AdvancedSetup]

That file is marked and told that it is removed but is NOT removed by MBAM on purpose. It's basically a flag to Helpers to know that the file is infected.

If you look on the system using a bootup utility you should still see that file there. If this is not the case then I would like to get confirmation of that as that is not normal behavior.

[edifyguy]

That file is marked and told that it is removed but is NOT removed by MBAM on purpose. It's basically a flag to Helpers to know that the file is infected.

If you look on the system using a bootup utility you should still see that file there. If this is not the case then I would like to get confirmation of that as that is not normal behavior.

Well, like I said, I'm not a MBAM user, but if it didn't delete it, why does the log say "Successfully quarantined and deleted"? I do know that my friend's virus grabber quarantined it/deleted it, as it was already gone by the time I got the drive to rescue it. His anti-crap utility of choice loads as a service before logon, and caught the fact that userinit.exe was infected when Windows tried to use it as usual. He took the recommended action, and the file was annihilated, at which point Windoze initiated shutdown, which is all it would do at logon attempts until I cleaned it off and replaced the file.

It's really an easy fix, though. Just use a Linux boot CD with NTFS3G on it and put the file back where it belongs and you're back in business. Knoppix has a great LiveCD Distro that I've used to monkey around with things in cases where Windows wouldn't boot. Just use the context menu (right mouse button) to change the drive to full read-write. It even supports most USB flash drives, so you can get the file from a friend's computer with a thumb drive, then put it back with Knoppix, and reboot right into Windoze.

In my case, I simply attached his hard drive to my computer and cleaned the viruses off that way, so copying that file back in was easy. If you have the ability to do so, that is the best way to remove viruses: put the infected drive in another computer and scan it without booting from it. That way, the viruses aren't being loaded into memory during bootup, so they can't hide or lock themselves. I have an adapter that will convert IDE, Mini-IDE, and SATA drives to USB 2.0, and it's my best friend.

If you hadn't guessed, yes, I am a technician. 8^D

Jason

[AdvancedSetup]

Yes it is quite easy to do if you know what you're doing. As said the reason MBAM does that is due to the internal workings of the program. I wish it would say it's infected and needs attention but it is what it is and everyone that works on all these boards already knows that it did not touch the file.

So thank you and I'm assuming you've taken care of the issue so I'll close this post now.

I'll close your post so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

• On the Desktop, right-click My Computer.
• Click Properties.
  
  
• Click the System Restore tab.
  
  
• Check Turn off System Restore.
  
  
• Click Apply, and then click OK.
  
  
• Reboot.
  
  

Turn ON System Restore

• On the Desktop, right-click My Computer.
• Click Properties.
  
  
• Click the System Restore tab.
  
  
• UN-Check *Turn off System Restore*.
  
  
• Click Apply, and then click OK.
  
  

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from

here

Find here the tutorial on how to use Spyware Blaster

here

Install WinPatrol

Download it from

here

Here you can find information about how WinPatrol works

here

Install FireTrust SiteHound

You can find information and download it from

here

Install hpHosts

Download it from

here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1:

If you are running Windows XP

SP2

, you should upgrade to

SP3

.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend

Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you

Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting

Pre- HJT Post Instructions

Also don't forget that we offer

FREE

assistance with General PC questions and repair here

PC Help

If you're pleased with the product

Malwarebytes

and the service provided you, please let your friends, family, and co-workers know.

http://www.malwarebytes.org