Win XP virus removal- pulling my hair out

silvano

Second virus removal this week that's just kicking my ass. This one is going better than the first, where a repair install was the only thing I could do to fix it, after repeatedly scanning, in the computer and in our scan machine.

So long story short, client brings in two machines, infected with a variant of Antivirus Pro 2009. One he attempted to remove himself, after googling. The other I'm pretty sure I've tamed. This one, however, is stuck on a welcome screen login/logoff loop, safe mode disabled (assuming a virus-generated blue screen). Pulled the drive, scanned and removed all traces. Came up with AV Pro 2009, Vundo.H, and a few other baddies. Stuck it back in the machine, same thing: blue screen on safe mode, endless login / saving settings / log off loop on the welcome screen. Ctrl+Alt+Del and trying to log in as Administrator says something along the lines of restrictions. Removed limiting group policies, same thing. Kinda at a loss here, going to decide soon whether a repair install is in order. Any ideas?

Silvano
 
The first step when cleaning machines with viruses is to use an external environment. Either make the drive a slave or use UBCD. It's more difficult to clean it directly from the OS. I know about Antivirus Pro 2009, I've cleaned 2 this week.

Once you clean everything, then get ready to repair what the virus caused.

Good luck
 
I've already removed the infected files by slaving the drive in our bench scanning system. I'm thinking it's a corrupted userinit.exe file, or a registry entry pointing towards it.
 
Replaced the userinit.exe with a known good copy, still having issues. Any idea where in the registry it's called from?
 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon under the Userinit key. The value should be "%systemroot%\system32\userinit.exe,"
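Since the same Winlogon values get hit over and over by this family of fake AV, here is an added PowerShell check for them. This is example code written for this thread, not something any of the posters ran. It assumes an elevated prompt on the cleaned machine, or a bench machine with the victim's SOFTWARE hive loaded from the slaved drive (for example `reg load HKLM\Victim D:\WINDOWS\system32\config\software`, then `-Root 'HKLM:\Victim' -SystemRoot 'C:\WINDOWS' -FileRoot 'D:\WINDOWS'`). The parameter names, the `-Repair` switch and the dllcache comparison are this example's own choices.

```powershell
# Added example (not from the thread): audit, and optionally reset, the Winlogon
# Userinit and Shell values that Antivirus Pro 2009 style malware tampers with,
# then confirm userinit.exe on disk matches the Service Pack cache copy.
# -Root       registry path of the SOFTWARE hive to inspect (live or loaded)
# -SystemRoot the victim's own Windows path, as it must appear in the registry
# -FileRoot   where that Windows directory is reachable right now (D:\WINDOWS
#             when the drive is slaved); defaults to -SystemRoot
# -Repair     write the known-good values instead of only reporting
param(
    [string]$Root       = 'HKLM:\SOFTWARE',
    [string]$SystemRoot = $env:SystemRoot,
    [string]$FileRoot   = '',
    [switch]$Repair
)
if (-not $FileRoot) { $FileRoot = $SystemRoot }

$winlogon = Join-Path $Root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
if (-not (Test-Path $winlogon)) { throw "Winlogon key not found at $winlogon" }

# Known-good defaults for Windows XP. The trailing comma on Userinit is real:
# Winlogon reads the value as a comma-separated list of programs to start.
$expected = @{
    Userinit = "$SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

$item = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $current = $item.$name
    if ($null -eq $current) {
        Write-Warning "$name is missing; a missing Userinit gives the login/logoff loop"
    } elseif ($current -ne $expected[$name]) {
        Write-Warning "$name is '$current', expected '$($expected[$name])'"
    } else {
        Write-Output "$name OK: $current"
        continue
    }
    if ($Repair) {
        # New-ItemProperty -Force creates the value if absent and overwrites it if present
        New-ItemProperty -Path $winlogon -Name $name -Value $expected[$name] `
            -PropertyType String -Force | Out-Null
        Write-Output "$name reset to '$($expected[$name])'"
    }
}

# Hash via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# A clean registry value pointing at a trojanized userinit.exe is still a
# compromise; compare the live binary with the dllcache copy XP keeps.
$live  = Join-Path $FileRoot 'system32\userinit.exe'
$cache = Join-Path $FileRoot 'system32\dllcache\userinit.exe'
if ((Test-Path $live) -and (Test-Path $cache)) {
    if ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)) {
        Write-Warning "userinit.exe differs from the dllcache copy; replace it from known-good media"
    } else {
        Write-Output "userinit.exe matches the dllcache copy"
    }
} else {
    Write-Warning "Could not find both $live and $cache to compare"
}
```

Run it once without `-Repair` to see what the malware changed, then with `-Repair`. If the hive was loaded with `reg load`, close the prompt or `cd` out of it and `reg unload HKLM\Victim` before moving the drive back, or the hive stays locked and the write never lands.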
 
Edited the registry, got a desktop! Now let the games begin :D

Edit: Thanks Trapp! Found it online a few secs before you posted. Got a desktop now. Looks like there's quite a bit of damage though. At least I'm past the part that was stressing me out now.
 
Care to share what you did there? :p

Ran Ultimate Boot CD for Windows, loaded the remote registry. Found that the Userinit key wasn't even there. Added it where Trapp mentioned, and rebooted. Now I'm at a desktop, and trying to assess the damage. So far, I've noticed AVG is fubar, and so is their ethernet connection. Not sure if that's a hardware issue though. I'll keep updating as I proceed.
 
This is starting to sound like an issue I had a few weeks back. I had to do the same thing with the userinit.exe, and also got the desktop back with AVG screwed up and the network connections screwed. After tinkering for an hour I ended up doing a repair install and it fixed everything.
 
Anything more to report on the virus removal? What about using FSTW to back up the user data, wiping out the partition, reinstalling Windows and applications, and restoring the user data? That way, you don't have to figure out what damage might have been caused by the virus. Unless the client doesn't have the installation discs or license key codes, which would be a bit of a problem.
 