
xp logs on then off after malware fake antivirus removal


mancub72


Hello mancub72, and welcome to Malwarebytes.org

Although this method may work on some computers, MBAM was really not designed to run this way.

Malwarebytes was really designed to run and do its best work on the computer that was infected. Best course of action to take would be to post in the HJT section for help by following the below instructions:

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org


  • 2 weeks later...

Hi, I have the same problem with the password welcome screen. Just wanted to know a fix, we are going to have to take the hard drive out anyway as no one has been able to help with the welcome screen or ability to safe mode or anything for that matter. Once I do get it out I suppose I will one day try to get all of our stuff off it but I'm not sure how. Anyway, for what it is worth, you aren't alone... if you figure it out, send me a message please.

Dell sent us some disks so hopefully when we buy a new drive we will have an OP system.

Will the 10phtcrack method work? I can't see the machine recognizing cd/dvr drive so trying to put a Malwarebytes download onto the disc to place it on the infected computer probably won't work as it doesn't allow us past the f2 f12 welcome screen and password nonsense.


Hi mancub and ripley -

Do either of you see any error messages or other problems - Also ripley can you list your antivirus program please -

Also read This item for easier removal methods - By one of our experts -

@ mancub - That is how to make money - We have several Free options on the forum - Please read the link below -

http://forums.malwarebytes.org/index.php?showforum=39

Thank You - :)


This logging in and immediately logging off problem is usually caused by malware altering the Userinit value in the registry to point to a malware file instead of userinit.exe. The problem can be solved by using boot disks with offline/remote registry editing tools to point the Userinit value in the registry back to userinit.exe. But, unless you are a professional or an experienced user, it may not be easy to perform this repair. Making boot disks and performing offline registry editing etc is quite an involved process. So the best thing to do is follow Firefox's advice above and have an Expert guide you through fixing the problem.
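
A way to check the Userinit value described in the post above once the offline registry hive is readable, as an added example that is not part of the original thread. It assumes the value is read from the Winlogon key (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`) and that the system root is `C:\WINDOWS`; `audit_userinit` is a hypothetical helper name and the sample values are constructed.

```python
import ntpath

EXPECTED_NAME = "userinit.exe"

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Check a Winlogon Userinit value string; return (ok, findings)."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", EXPECTED_NAME))
    # The value is a comma-separated list (the stock value ends with a comma);
    # every entry in it is started at logon, so each one has to be accounted for.
    entries = [e.strip().strip('"') for e in value.split(",")]
    entries = [e for e in entries if e]
    if not entries:
        return False, ["value is empty"]
    findings, seen_expected = [], False
    for entry in entries:
        norm = ntpath.normcase(ntpath.normpath(entry))
        if norm == expected:
            seen_expected = True
        elif ntpath.basename(norm) == EXPECTED_NAME:
            # Same file name, wrong location: a look-alike rather than the real one.
            findings.append(f"userinit.exe not at the expected path: {entry}")
        else:
            findings.append(f"unexpected program: {entry}")
    if not seen_expected:
        findings.append("legitimate userinit.exe entry is missing")
    return not findings, findings

# Constructed sample values, as they might be read from an offline SOFTWARE hive.
SAMPLES = {
    "stock": r"C:\WINDOWS\system32\userinit.exe,",
    "appended": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\placeholder.exe,",
    "replaced": r"C:\WINDOWS\Temp\userinit.exe,",
    "empty": "",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        ok, findings = audit_userinit(value)
        print(f"{name:9} {'OK' if ok else 'SUSPECT'} {findings}")
```

The comparison is case-insensitive because Windows paths are, so a differently cased copy of the stock value still passes.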

Thank you all for your input and replies.

Noknojon: the infected system had new Webroot antivirus with spysweeper they locked up in quarantine. I have the downloaded Malwarebytes 1.44 on this borrowed laptop and I have it on a burned CD-ROM.

The antivirus installed on this borrowed deal is Trend Micro, but this is a very old laptop and I am limited yet grateful to have anything.

Yokenny: thank you for the input, some guy was telling me about the crack...crack is bad anyway you write it.

Mark: that sounds like the deal. Last time I was infected with spyware 2009 I saved registry key files etc. removed it all by myself until it was gone at least I had a desktop and Windows. This thing locked me out completely. Is bootdisk help by expert even an option for me? I really don't know if I can pay for help... unemployed here, so don't know how it works.

Perhaps there is a change I can make in the bootable device section of the computer, but that hasn't worked with driver disks or anything.

Firefox, I did read all of the pinned and the great quick help guides by miekimoes (thanks) just doesn't work from welcome screen and no safe boot or any boot. I get a blue welcome to 'name of computer here' or admin prompt for password etc.


Is bootdisk help by expert even an option for me?

Yes it is. The Experts will guide you through downloading/making a boot disk and using it to fix the problem. The Experts help is free. All you need is a blank CD and the use of another computer to download and burn the boot disk.


Okay, I have the discs and a laptop that burns them so I will wait for an expert to take me on in creating this/these boot discs as I have some time to deal with all that is necessary... and the expert I am granted to help me. Once I am walked through the boot disk aspect I will gladly go through all necessary steps to eradicate this virus and sweep it with the tips pinned, etc.


Hi ripley,

From reading your thread in the HJT forum here:

http://forums.malwarebytes.org/index.php?showtopic=38445

I am a bit confused with what is going on. If you enter a correct password and Windows immediately logs you off again, then you probably have the userinit problem I talked about above. But, if you are stuck at a password screen and you don't have the correct password, that is a different problem altogether.

Hopefully an Expert will respond to your thread in the HJT forum soon.


The password issue is an ongoing problem a lot of users are having due to infection. I've seen many posts about the problem. There was never an admin or user name and if there were we tried them and the reboot loops back to the welcome screen. Related to the other help you suggested: How can I acquire the Ultimate boot disc or UBCCDetc disk? I am willing to try that on the infected desktop. Thanks for your replies!


Details about the UBCD4Win Boot Disk are here:

http://www.ubcd4win.com/

But I am not allowed to give you any actual malware REMOVAL advice because I have not finished my training yet. So I will leave it to the Experts in the HJT forum to advise you further.

Thank you Mark, I hope you finish in the top of your class and maybe when I get my family's computer back (prays) or at least get a desktop w/o welcome screen I'll find an expert to help with the darn virus that locked us out in the first place.

I need to be able to access windows/c: to do any malware removal...so hopefully your advice here in pc was, in fact pc! Haha :)

Edited by AdvancedSetup
Edited inappropriate language

Greetings.

I have been dealing with a rash of computers with fake antivirus on them. My standard method of attack has been removing the hard drive and attaching it to another computer. Scan it with Malwarebytes and Symantec Endpoint. Remove any known files such as
