Rank: Rookie | Groups: Member | Joined: 7/23/2007 | Posts: 4

Hi there,
An ST scan today revealed 'remnants of Trojan/W32.Phoney.WXP', which it then deleted. Unfortunately, with that it deleted some pretty major registry entry, as I am now unable to log on (Windows XP SP2 Home). The welcome screen says it's searching for my profile (not sure of the exact wording, it's in French) when I click either on my name or Administrator, and then nothing happens.
I'm not even angry so much as worried and desperate to get my computer back (now using an old one). I don't have recovery disks for it, though I do have an illegal XP SP1 disk for this old computer (sorry, Microsoft). The copy of XP SP2 on the problem computer is genuine.
Surely there must be something I can do! Thanks for any help you can provide.
EDIT: sorry, wrong forum - this is not a problem with 2.0 beta, it's a problem with the regular program. Any chance of moving it? Apologies for the inconvenience.

Rank: General | Groups: Beta, Member | Joined: 3/6/2007 | Posts: 3,318 | Location: USA (State of Michigan)

Can you get into safe mode and do a system restore back a day or so?
http://www.spywareterminator.com/help/FAQ.aspx?faqid=1117&faqmod=SpyTerm_Help5
Knowledge gained should be used to help others. ( XP Home SP3, Antivir PE antivirus, Threatfire, ST 2.5.5.166,A-Squared 3.5 Free and SUPERantispyware Free , PCTools Free Firewall, Iobit Advanced Windowscare Free, Iobit Smart Defag and Auslogic Registry Defrag both Free) The World can be a bad place. Are you making it better or worse? Check out the websites I built: www.cedarstreetchurch.org and www.lojope.com

Rank: Rookie | Groups: Member | Joined: 7/23/2007 | Posts: 4

Hi,
No, sadly not. That's what I was hoping for. I tried that and last good configuration and the same thing happened at the welcome screen.

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/3/2007 | Posts: 1,488 | Location: UK

Well, you should really look before taking action; you should have quarantined it. Have you got a Windows XP Home CD?
Take a look here on how to do a repair: http://www.geekstogo.com/forum/How-to-repair-Windows-XP-t138.html
http://www.techos.co.uk - Free PC Tech Support

Rank: Rookie | Groups: Member | Joined: 7/23/2007 | Posts: 4

You're right, of course, and I should really have been more careful about backing up data too.
There were no XP disks with the computer (new HP policy), and because of that I thought it might be game over. But looking over the HP documentation, I've just seen you can access their own recovery function by hitting F11 on startup. I'm doing that now and hopefully it'll work. I guess I should have looked into that earlier before panicking!
Thanks for your help and I'll let you know how this turns out when it's done - I don't want to jinx it by assuming I'm in the clear!

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/3/2007 | Posts: 1,488 | Location: UK

Yup, I understand.
You've got an OEM key for your Windows then, preinstalled Windows. Messes us all up; I got an ISO off the net.
http://www.techos.co.uk - Free PC Tech Support

Rank: Administration | Groups: Member | Joined: 7/10/2006 | Posts: 2,907 | Location: Philadelphia, PA

I've moved the topic to the general ST problems forum.
This is some serious stuff... I would really like to see what ST will detect for that trojan, and if Winlogon.dll is actually part of the definition.
On a few side notes:
I have an HP laptop as well (dv9000). There is a tool included with the recovery partition which will let you create recovery disks. It let me create 3 recovery DVDs. I have used them once before; it worked exactly like running the recovery off the recovery partition. The only problem is that the process from the DVDs is 4-5 hours long. It will first partition your drive, format the drive, then copy everything from the 3 DVDs onto the recovery partition, then install Windows from the recovery partition... it is one HELL of a long process.
My computer came with Windows XP MCE 2005 OEM. So using the i386 folder on the C:\ drive, I made a Windows XP MCE 2005 OEM CD, which works perfectly with the legit CD key on the bottom of my computer. I can teach you how to do this as well, if you want.

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/17/2007 | Posts: 3,190 | Location: Qatar

I have faced this a couple of times when there was one virus which infected winlogon.exe and would disable the logon function by itself. The PC would hang at the welcome screen and you wouldn't be able to type at all. Then in safe mode the virus was removed by Symantec, but winlogon.exe went missing.
The solution is that you can find the winlogon.exe file in I386 or some other folder. Try using a Linux live CD to locate and copy this file into the Windows system folder. It worked for me.
Secret of success: Accepting failure, but as the next ladder step towards your goal.
I have opened up a forum for general software issues Visit my forums

Rank: Rookie | Groups: Member | Joined: 7/24/2007 | Posts: 5 | Location: Belgium

I have exactly the same problem as krisbke. ST quarantined the so-called Trojan\W32.Phoney.WXP and now I am unable to log in to Windows XP, so I cannot undo the quarantine. I really would like to find a solution without having to reinstall XP. Can someone please tell me the exact name of the file ST has removed from my registry and where exactly I have to put it back, when found? Thanks.

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/17/2007 | Posts: 3,190 | Location: Qatar

ALERT!
This is gonna be serious. I will be flooded with calls tomorrow morning when people shut down tonight and start up tomorrow.
I just found that one of the computers running 1.9.3.142 is detecting userinit.exe as Phoney.WXP.
I have enclosed the registry entry here for your reference. Those who might have removed it already, please click on this entry and revert it before you reboot, or else you are in the same position as them.
<edit>
Checked it: I have it on my PC, I am running ST 2.0, not detected.
File attachment: WinlogonUserInit.reg (30 KB)
Secret of success: Accepting failure, but as the next ladder step towards your goal.
I have opened up a forum for general software issues Visit my forums

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/3/2007 | Posts: 1,488 | Location: UK

I think we've got a very, very big false positive: SWT flagging winlogon.exe as infected.
Well done rajesh, you will probably save a lot of PCs.
http://www.techos.co.uk - Free PC Tech Support

Rank: Rookie | Groups: Member | Joined: 7/24/2007 | Posts: 5 | Location: Belgium

Thanks for the answers.
Can someone please tell me how I can repair my registry and solve the problem, being unable to reach my Windows settings?

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/3/2007 | Posts: 1,488 | Location: UK

With extreme difficulty. I have one suggestion for you, which requires an answer first:
Have you got a Windows CD to hand?
http://www.techos.co.uk - Free PC Tech Support

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/17/2007 | Posts: 3,190 | Location: Qatar

Sorry, I should have been clearer in my answer.
1) Download and run a Knoppix live CD (burn the ISO contents to a CD and then use it to boot your PC).
2) Once Linux is loaded, locate userinit.exe; this should exist in c:\windows\system32\.
If you can't find the file there (if ST deleted this file), then copy it from the system32\dllcache folder.
3) Restart your PC; it should run smoothly.
If you can't find userinit.exe, then locate the I386 folder on your computer, which will contain a file USERINIT.EX_. Take this file and, using a Windows-based computer, run a DOS prompt and type this command: extract c:\i386\USERINIT.EX_ c:\Userinit.exe
(c:\i386 is to be replaced with the location of your I386 folder.)
Then you will see c:\ contains userinit.exe. Move this file to c:\windows\system32 and your PC should boot up.
Get back here if you find userinit.exe still in place and still can't boot. (We might have to tamper with the registry if ST has removed only the registry key and not the file itself, which will be a bit tough without a Windows CD.)
I WOULD ADD, THIS IS ONE BIG REASON I PREFER A QUARANTINE BUTTON AVAILABLE ALONGSIDE THE REMOVAL BUTTON! So that I can ask people to quarantine threats and not remove them until an expert/admin can analyse it and remove it (see suggestions for ST 2.0).
Secret of success: Accepting failure, but as the next ladder step towards your goal.
I have opened up a forum for general software issues Visit my forums

Rank: Rookie | Groups: Member | Joined: 7/24/2007 | Posts: 5 | Location: Belgium

Thank you for the answers.
Using Linux I was able to open C:/Windows/system32 and the userinit.exe is there, so this cannot be the cause of the problem. I have a Windows CD, so I would like to hear from you what to do next to solve the problem. Thanks in advance.

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/17/2007 | Posts: 3,190 | Location: Qatar

Hmm, then it really is the problem with the registry entry being deleted.
Is there any way you can boot up your PC in safe mode or debug mode, or from the Windows CD? If you can, that would be very easy to sort out; otherwise I will try to find out if there is any other way than doing a reinstall of Windows XP.
Also, just check booting with your Windows recovery disc and see what it says, whether it will erase your hard drive (format it) before reinstallation of Windows XP. If at all your boot CD allows you to reinstall Windows XP, you can go ahead and do it (beware: if it says FORMAT anywhere, don't do it) and it will be sorted out in minutes. If not, I will find out if we can edit the registry of Windows from a Linux shell.
<EDIT>
Got it. Editing the registry from a Linux kernel is a hell of a job; it is only useful in file-copying cases. But for your case, if you can't boot from a Windows CD, try creating a boot disc using BartPE Builder, or visit this forum for the solution: http://forum.sysinternals.com/forum_posts.asp?TID=7672&PN=1
This addresses your issue.
Secret of success: Accepting failure, but as the next ladder step towards your goal.
I have opened up a forum for general software issues Visit my forums
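The two posts above describe a two-part repair (put userinit.exe back, then restore the Winlogon registry value that the attached WinlogonUserInit.reg carries) without giving a script for it. The following is an added example, not code from the thread or from Spyware Terminator, that does both from a BartPE-style boot CD (or with the victim disk slaved into a working XP machine), which is the situation the sysinternals link addresses. It assumes the broken install is at %WINDRV%\WINDOWS (under BartPE that is often not C:, so set it), that an I386 folder exists at %I386% for the fallback, and that reg.exe and expand.exe are on the boot medium; both ship with XP. Note that XP's command-line decompressor for .EX_ files is expand.exe, which is what the script uses. The Userinit and Shell values written are the stock XP defaults; the trailing comma after userinit.exe is part of the value, and the path must be the one the install sees when it boots (normally C:\WINDOWS), not the drive letter BartPE assigns. A missing Userinit value is exactly what produces the "logs on, then straight back to the welcome screen" behaviour described in the thread, because Winlogon has nothing to launch after authentication.

```batch
@echo off
rem Added example (not from the original thread): repair userinit.exe and the
rem Winlogon registry values after a false-positive removal, from BartPE/WinPE.
rem ASSUMPTIONS (edit to match your machine):
rem   WINDRV        drive letter of the broken install as seen from BartPE
rem   BOOTED_WINDIR Windows directory as the install sees it when it boots
rem   I386          location of an I386 folder for the USERINIT.EX_ fallback
setlocal
set WINDRV=C:
set BOOTED_WINDIR=C:\WINDOWS
set I386=%WINDRV%\I386
set OFF_WINDIR=%WINDRV%\WINDOWS
set HIVE=HKLM\OFFSW
set WLKEY=%HIVE%\Microsoft\Windows NT\CurrentVersion\Winlogon

rem --- Part 1: make sure userinit.exe exists in system32 -------------------
if exist "%OFF_WINDIR%\system32\userinit.exe" (
    echo userinit.exe is present in system32.
) else if exist "%OFF_WINDIR%\system32\dllcache\userinit.exe" (
    echo Restoring userinit.exe from dllcache...
    copy /y "%OFF_WINDIR%\system32\dllcache\userinit.exe" "%OFF_WINDIR%\system32\userinit.exe"
) else if exist "%I386%\USERINIT.EX_" (
    echo Expanding USERINIT.EX_ from the I386 folder...
    expand "%I386%\USERINIT.EX_" "%OFF_WINDIR%\system32\userinit.exe"
) else (
    echo userinit.exe not found in system32, dllcache or I386.
    echo Copy it from another XP machine at the same service pack, then rerun.
    exit /b 1
)

rem --- Part 2: load the offline SOFTWARE hive and fix the Winlogon values ---
rem This only works on a hive that is NOT in use, i.e. from a boot CD or a
rem slaved disk. On a running copy of the same Windows, use HKLM\SOFTWARE
rem directly and skip the load/unload.
reg load %HIVE% "%OFF_WINDIR%\system32\config\software"
if errorlevel 1 (
    echo Could not load the offline SOFTWARE hive. Is %WINDRV% the right drive?
    exit /b 1
)

echo Winlogon values before repair:
reg query "%WLKEY%" /v Userinit
reg query "%WLKEY%" /v Shell

rem Stock XP defaults. The trailing comma after userinit.exe is intentional.
reg add "%WLKEY%" /v Userinit /t REG_SZ /d "%BOOTED_WINDIR%\system32\userinit.exe," /f
reg add "%WLKEY%" /v Shell /t REG_SZ /d "Explorer.exe" /f

echo Winlogon values after repair:
reg query "%WLKEY%" /v Userinit
reg query "%WLKEY%" /v Shell

rem Unload so the hive is flushed and not left locked by BartPE.
reg unload %HIVE%
endlocal
```

Before running it, compare the "before" output with the values in the attached WinlogonUserInit.reg: if Userinit is already present and correct, the registry is not the problem and the second part changes nothing. If you are instead doing the repair from Knoppix as the earlier post suggests, only Part 1 applies; the hive edit needs a Windows environment.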

Rank: Rookie | Groups: Member | Joined: 7/24/2007 | Posts: 5 | Location: Belgium

For many hours now I have tried solving the problem, using every possible way of booting up and always getting the logon screen before anything else. Windows XP starts up fine, but I cannot logon, making it impossible to reach ST or even my Windows System Repair. I'll wait a bit longer, to see if no solution comes up. If not I'll have to use my Recovery CD, though I really have no mind to do so.
For all that, thanks for your answers and your help.

Rank: Administration | Groups: Member | Joined: 7/10/2006 | Posts: 2,907 | Location: Philadelphia, PA

Do you use System Restore?

Rank: General | Groups: Beta, Member, Threat Analyzer | Joined: 3/3/2007 | Posts: 1,488 | Location: UK

SmilingCobra wrote: For many hours now I have tried solving the problem, using every possible way of booting up and always getting the logon screen before anything else. Windows XP starts up fine, but I cannot logon, making it impossible to reach ST or even my Windows System Repair. I'll wait a bit longer, to see if no solution comes up. If not I'll have to use my Recovery CD, though I really have no mind to do so. For all that, thanks for your answers and your help.
I think you're a little messed up at the moment. Do you have a spare Windows CD? This might be the only way around this: do an OS repair, making a fresh copy of winlogon, and you'll be fine.
Then your PC will run much faster, and still have all your data on it.
http://www.techos.co.uk - Free PC Tech Support

Rank: Rookie | Groups: Member | Joined: 7/23/2007 | Posts: 4

I'm sorry to hear other people have had the same problem - I just hope it has a happier ending for you than it did for me!
The HP PC Recovery utility turned out not to be as efficient as advertised and I lost all my data. It kept my programs, but most were unworkable and needed to be reinstalled. I've used an open-source program called Photorec to try and recover some of what I've lost and it's been pretty good, but so much is gone. Not to mention the two days I've wasted trying to get operational again.
I saw someone on the Avira forum who'd quarantined the thing, and I pointed them here - hopefully, they'll read your ideas in time. Good luck to everyone!