pc wont boot up after running malwarebytes

[chipstack]

I ran malware bytes on my girlfriends computer for the quick scan it found 280 objects after i removed them i cant log on to safe mode or normal mode it just goes like its going to boot up then logs off as soon as it does that and goes to the wecome screen where you click your username. what can i do to fix this? I tried restarting it a few times still cant load the desktop.

I also ran it on a friends computer he had vundo , it detected 12 objects removed them but now his desktop paper turns pure white and macafee comes up with A vundo file in windows/system/32/opnmJARi.dll and his task manager is still locked.

any help would be appriciated.

[AdvancedSetup]

I ran malware bytes on my girlfriends computer for the quick scan it found 280 objects after i removed them i cant log on to safe mode or normal mode it just goes like its going to boot up then logs off as soon as it does that and goes to the wecome screen where you click your username. what can i do to fix this? I tried restarting it a few times still cant load the desktop.

I also ran it on a friends computer he had vundo , it detected 12 objects removed them but now his desktop paper turns pure white and macafee comes up with A vundo file in windows/system/32/opnmJARi.dll and his task manager is still locked.

any help would be appriciated.

Hi Chip,

You will need to probably repair the Registry entry for

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\WINDOWS\sytem32\userinit.exe,

This is a common error for some Malware. Do you have access to another computer to burn a CD or DVD with some tools to repair it?

I'll check with the programmers here and see if they have any other tool, but basically need to edit that registry entry and correct it would be my guess.

[chipstack]

yeah i have my computer right next to hers , I could burn a cd and am familiar with how to go into the bios to make a computer boot from a cd but repairing the registry is beyond what i have done in the past. would need to know what kind of tools to or what kind of cd to create to resolve this , thanks

Im less concerned about my friends hes currently working on it , I should also mention shes running windows xp

its out of date we cant find the number for it.

[AdvancedSetup]

Well let me see what I can come up with. So far unless I find another method you'll need to fix it probably via BartsPE or Ultimate Boot CD 4 Windows

There are a few Linux methods but they are rather flaky or difficult to use unless you have the experience.

[AdvancedSetup]

Well after scouring around the Web I've found a very easy solution to fix your computer.

It will require access to another computer where you can download a 30 day demo of Microsoft ERD (Emergency Recovery Disk)

You will need a program to burn the .ISO image it will install to the other system.

Download these programs to the other computer where you can burn a CD

• Microsoft Diagnostics and Recovery Toolset
• MagicISO
  

• Then install the downloaded Microsoft file (MSDaRT50Eval.msi) onto the computer
  
• It will copy a file named erd50.iso to this folder: C:\Program Files\Microsoft Diagnostics and Recovery Toolset
  
• Place a BLANK CD in the CD burner on the good system
  
• Then install MagicISO and then launch MagicISO and select from the menu Tools, Burn CD/DVD with ISO...
  
• In the middle of the form where it says "CD Image File" click the little folder icon and browse to the folder where the erd50.iso file is.
  
• C:\Program Files\Microsoft Diagnostics and Recovery Toolset\erd50.iso
  
• In the other drop down where it says "CD-R/RW Write Speed" choose like 4X or 8X and then click on Burn It !
  

This will create a bootable Windows CD that has some tools on it that will allow us to repair the Registry entry.

• Put the CD you just burned into the affected computer that is NOT booting properly and boot from CD.
  
• You may have to choose a key to select the CD boot option.
  
• Once the system starts to load FROM CD it will try to load up Network drivers, just cancel that
  
• Then once fully loaded click on the Start menu and find the Registry Editor and open that.
  
• On the left side click on the little + indicators and walk down the tree until you get to the location
  
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  
• Once there look on the right side and you'll see an entry for Userinit
  
• In that entry it has to say this EXACTLY including the comma at the end of the line
  
• C:\WINDOWS\sytem32\userinit.exe,
  
• If it does not say that, then double click on Userinit and change the entry to match the above EXACTLY
  
• If it already does match EXACTLY as above then STOP there is something else that is causing the issue.
  
• If the registry setting is ALREADY correct please post back and let us know.
  

Once you've made the change restart your computer and take out the CD and log on normally and it

should now let you log on to the system with your normal account.

This does not mean your system is completely clean though and will still require further review.

You should follow the instructions here and someone will help you to ensure the system is clean.

Pre- HJT Post Instructions, Please follow these instructions prior to posting a HJT log

Please follow the instructions and we'll be glad to assist you further.

.

[chipstack]

Well after scouring around the Web I've found a very easy solution to fix your computer.

It will require access to another computer where you can download a 30 day demo of Microsoft ERD (Emergency Recovery Disk)

You will need a program to burn the .ISO image it will install to the other system.

Download these programs to the other computer where you can burn a CD

• Microsoft Diagnostics and Recovery Toolset

• MagicISO

• Then install the downloaded Microsoft file (MSDaRT50Eval.msi) onto the computer

• It will copy a file named erd50.iso to this folder: C:\Program Files\Microsoft Diagnostics and Recovery Toolset

• Place a BLANK CD in the CD burner on the good system

• Then install MagicISO and then launch MagicISO and select from the menu Tools, Burn CD/DVD with ISO...

• In the middle of the form where it says "CD Image File" click the little folder icon and browse to the folder where the erd50.iso file is.

• C:\Program Files\Microsoft Diagnostics and Recovery Toolset\erd50.iso

• In the other drop down where it says "CD-R/RW Write Speed" choose like 4X or 8X and then click on Burn It !

This will create a bootable Windows CD that has some tools on it that will allow us to repair the Registry entry.

• Put the CD you just burned into the affected computer that is NOT booting properly and boot from CD.

• You may have to choose a key to select the CD boot option.

• Once the system starts to load FROM CD it will try to load up Network drivers, just cancel that

• Then once fully loaded click on the Start menu and find the Registry Editor and open that.

• On the left side click on the little + indicators and walk down the tree until you get to the location

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

• Once there look on the right side and you'll see an entry for Userinit

• In that entry it has to say this EXACTLY including the comma at the end of the line

• C:\WINDOWS\sytem32\userinit.exe,

• If it does not say that, then double click on Userinit and change the entry to match the above EXACTLY

• If it already does match EXACTLY as above then STOP there is something else that is causing the issue.

• If the registry setting is ALREADY correct please post back and let us know.

Once you've made the change restart your computer and take out the CD and log on normally and it

should now let you log on to the system with your normal account.

This does not mean your system is completely clean though and will still require further review.

You should follow the instructions here and someone will help you to ensure the system is clean.

Pre- HJT Post Instructions, Please follow these instructions prior to posting a HJT log

Please follow the instructions and we'll be glad to assist you further.

.

I downloaded the mentionned programs and burnt erd 50 onto a cd as instructed , it looked like an iso but the actual properties said "a magic iso document" so it was just "erd50"

after inspecting the cd in the drive the new format was RAW I popped it into the broken computer and had no luck, I checked the boot devices they were in this order 1 cd rom 2 floppy 3 hd

I tried both cd roms and tried it several times its still looping, any ideas?

her computer does not have a dvd drive I dont know if that makes a differance since it was on a cd anyway and in RAW format.

I located a bootable floppy for it too and decided to try it it worked and went top the dos screen and said something like a:/> so i suspect the disc is not working as intended.

[AdvancedSetup]

No if it was burned properly it would boot up and look a little like Windows XP but without all the icons.

Do you have a bootable Windows XP CD ?

If you do let me know and we can do a file copy to get the system going again probably.

If not, then you need to try the .ISO image burn again, take it slow and follow the directions.

You may need to go into Folder options under the Tools menu in My Computer and under the VIEW tab

and set it like below to quit hiding files and folder.

Then it is a File Open to burn the ISO image. Did you install the application from Microsoft ?

You can also try this free program if you like or you're having trouble with MagicISO

ImageBurn

If the file is burned properly you can see files and folders on the CD and it's bootable.

[chipstack]

No if it was burned properly it would boot up and look a little like Windows XP but without all the icons.

Do you have a bootable Windows XP CD ?

If you do let me know and we can do a file copy to get the system going again probably.

If not, then you need to try the .ISO image burn again, take it slow and follow the directions.

You may need to go into Folder options under the Tools menu in My Computer and under the VIEW tab

and set it like below to quit hiding files and folder.

Then it is a File Open to burn the ISO image. Did you install the application from Microsoft ?

You can also try this free program if you like or you're having trouble with MagicISO

ImageBurn

If the file is burned properly you can see files and folders on the CD and it's bootable.

got it going now , ill backtrack n try to fix the registry . Yea I ended up getting it done with dvd decryptor

[chipstack]

the registry was not the same it had some other executable attatched to it "ndos.exe" I deleted it but its still caught in the loop , i rechecked it and it now reads what it is supposed to

[AdvancedSetup]

the registry was not the same it had some other executable attatched to it "ndos.exe" I deleted it but its still caught in the loop , i rechecked it and it now reads what it is supposed to

Yeah the system is still infected if that has something else. So when you boot up it will probably change it on the fly.

You may need to remove the drive and scan it from another system but be careful if you do that as some of the new malware is good at attacking the host as well.

So can you boot up and logon to your box right now or is it still starting then logging out?

[chipstack]

Yeah the system is still infected if that has something else. So when you boot up it will probably change it on the fly.

You may need to remove the drive and scan it from another system but be careful if you do that as some of the new malware is good at attacking the host as well.

So can you boot up and logon to your box right now or is it still starting then logging out?

still logging out , ill get back to it tomorrow