winlogon.exe startup registry deleted, can't log on

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Well, I recently had the trojan win32.agent.pz on my computer, which infected ntos.exe on my computer and created a registry entry that starts it up along with winlogon.exe.
After 2 days of trying everything I was able to delete the trojan off my computer, but I also had to delete the startup registry entry of winlogon.exe/ntos.exe (I tried editing out the ntos.exe from the binary, but it wouldn't accept the changes).

So now, I can boot my computer, but as soon as I sign on to any account, it logs me out instantly, only showing the desktop for a split second.

I'm almost 98% sure it's the winlogon.exe that isn't being executed at startup, which means the accounts do not log on right.
I have checked my files on the recovery console and found out that winlogon.exe is still there and the trojans I deleted aren't.
If I boot in Safe Mode (F8) the same login/instant logout happens with the administrator account.

Is there any way I can change the startup programs so winlogon.exe is back on the list without having to log onto any accounts?

Right now I am considering buying an extra hard drive and restoring the new one to factory default and transferring the old data into the new one, seeing as this would be the cheapest option. Would this work to restore winlogon?
 
Joined
Jul 28, 2008
Messages
1,092
Have you tried this?
http://www.kellys-korner-xp.com/xp_wel_screen.htm
http://support.microsoft.com/?kbid=313322

Next have you tried these?
First try this;
CHKDSK
How to perform disk error checking in Windows XP
http://support.microsoft.com/kb/315265

Then try this;
System File Check
http://www.pchomecall.org.uk/support/sfc.htm
Make sure you read the whole tutorial first OK.

Right now I am considering buying an extra hard drive and restoring the new one to factory default and transferring the old data into the new one, seeing as this would be the cheapest option. Would this work to restore winlogon?
Great idea, and I would use cloning/ghosting/imaging software to do this.
I use the oldie but goodie Ghost 8.3 :)
 

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Well, all of the links you sent me I cannot do because I can't access any accounts (even administrator), and they all ask to "press start, run, etc etc etc".
I wasn't clear in my first post I guess, but when pressing F8 and going into safe mode I went into the Recovery Console and ran CHKDSK through that. Just searching found nothing wrong, and I ran it again allowing it to restore (/R or whichever the command was) any problems, and it did not find any.
I also did a bit of searching on my own (on Microsoft's site), and possibly userinit.exe might have been affected at startup, I'm not sure, but userinit never came up in any antivirus/spyware scans.

What I basically need is a way to check if userinit/winlogon are running at startup, or if I have a totally different mess that I need to take care of.

As for the hard drive switch, my friend said he could do it no problem, if I can find an IDE (don't know about HDs but he said they stopped making them?). I'm probably going to do this in 3 days or so if I cannot find the info I need.
 
Joined
Jul 28, 2008
Messages
1,092
After 2 days of trying everything I was able to delete the Trojan off my computer,
I wonder if it is really gone?
You should go here:
http://forums.techguy.org/54-malware-removal-hijackthis-logs/
and read all the sticky posts and then ask an admin or moderator to look at your HJT log for sure...

**Rules;
Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

IDE HDs alive and kicking:
http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=2000150014%201035907788&name=IDE%20Ultra%20ATA133
SATA HDs are taking over though:
http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=2000150014 1035915133&name=SATA 3.0Gb/s
 

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Good news is my mom has some connections which led to some computer programmer coming to check my computer out. I am going to post results (good or bad) by Monday.

Anyway, the problem is, I can't run HijackThis seeing as how I can't log on, although I do have (and can find in the Recovery Console, but I have no idea how to transfer it from there to somewhere I can use it) the old HJT log.txt from before all of this happened.

I was following instructions (from a forum, this one or a similar one, not sure) from someone who had the same trojan. (Spybot detected it as win32.agent.pz, Norton Security Scan detected it as trojan.--------- [don't remember the name].)
Seeing as how the instructions eventually worked for him, I did the same.
The last action I did before this stupid login problem was:
I downloaded a program called "Avenger.exe" (site I believe is "http://swandog46.geekstogo.com/avenger.zip").
On my HJT log I had similar results to his.
Main problem (I always keep track of which programs I should be running, so it wasn't hard to pick these out):
F2 - REG:system.ini: UserInit=E:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe, (Both scans found plenty of similar registry entries, such as in Local_Machine, all inside software\microsoft\windowsNT\Run; I believe about 5 different scripts were found, all with the same :\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\ntos.exe)
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
I tried multiple programs and none of them worked to delete them at startup.
After downloading Avenger.exe I executed scripts to delete those 3 files and the registry entry at startup and rebooted. Since then I couldn't log in, but searching in the Recovery Console I could not find the files anymore (so I think they have been deleted).

Note: Also, when I found out that I had downloaded the trojan, for some reason svchost.exe kept acting weird (Windows error, the files were in the temp internet folder) and I also received an error about WMI (not sure what this is, but in the technical report the files were all in a temp internet folder).

Edit: The trojan itself in Symantec's description roughly (from memory) said:
"Creates a folder named wsnpoem in system32.
Encrypts data and prompts user to purchase a program to decrypt
Video.dll -stores all encryption data including of the trojan-
Audio.dll -Gathers information and stores it-"
 
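The poster asked earlier for "a way to check if userinit/winlogon are running at startup", and has an old HijackThis log.txt on the drive. The F2 line quoted above is exactly the entry to inspect: on Windows XP the value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit normally reads "C:\WINDOWS\system32\userinit.exe," (trailing comma included), and the malware persisted by appending ntos.exe to that comma-separated list. Removing the whole value instead of just the appended program is what produces the "logon, desktop flashes, immediate logoff" symptom, because userinit.exe is what launches the shell. The following script is an added example written for this thread, not a tool posted by anyone in it or part of HijackThis: it parses F2 lines from constructed HJT-style sample text, classifies the Userinit value as ok, hijacked or missing, and shows what the repaired value should look like.

```python
import re

# Constructed HijackThis-style log lines modelled on the F2 entry quoted in the
# post above. Paths are constructed for this example; only the format is real.
SAMPLE_HJT_LINES = [
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "F2 - REG:system.ini: UserInit=C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\System32\\ntos.exe,",
    "F2 - REG:system.ini: Shell=explorer.exe",
]

# Default Userinit value on a stock Windows XP install (trailing comma included).
# Registry location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# HijackThis reports Winlogon values (Userinit, Shell, ...) as "F2 - REG:system.ini:" lines.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>\w+)=(?P<value>.*)$")


def parse_f2_entries(lines):
    """Return {value_name: value} for every F2 (Winlogon) line in an HJT log."""
    entries = {}
    for line in lines:
        m = F2_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("value")
    return entries


def split_userinit(value):
    """Split a Userinit value into its program list; the trailing comma yields an
    empty element, which is dropped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value):
    """Classify a Userinit value.

    Returns (status, extras):
      'ok'       - only the legitimate userinit.exe entry is present
      'hijacked' - userinit.exe is present but other programs were appended
      'missing'  - no userinit.exe entry at all (shell never starts: instant logoff)
    """
    programs = split_userinit(value)
    legit = [p for p in programs if p.lower().endswith("\\userinit.exe")]
    extras = [p for p in programs if p not in legit]
    if not legit:
        return "missing", extras
    if extras:
        return "hijacked", extras
    return "ok", []


def repaired_userinit(value):
    """Return the value with only the userinit.exe entry kept and the trailing comma
    restored. If no userinit.exe entry survives (the poster's case), fall back to
    the XP default rather than leaving the value empty."""
    programs = split_userinit(value)
    legit = [p for p in programs if p.lower().endswith("\\userinit.exe")]
    return (legit[0] + ",") if legit else DEFAULT_USERINIT


if __name__ == "__main__":
    entries = parse_f2_entries(SAMPLE_HJT_LINES)
    userinit = entries.get("UserInit", "")
    status, extras = audit_userinit(userinit)
    print(f"Userinit value : {userinit!r}")
    print(f"Status         : {status}")
    for p in extras:
        print(f"  appended program: {p}")
    print(f"Repaired value : {repaired_userinit(userinit)!r}")
```

Running it against the constructed sample reports the value as hijacked with ntos.exe as the appended program, and prints the single-entry value that should have been written back. Feeding it an empty string models the situation after the whole value was deleted, which is reported as missing. The check works on any saved HJT log, which is the only artefact the poster can still reach from the Recovery Console.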
Joined
Jul 28, 2008
Messages
1,092
Supasave, I will be glad to help you restore your PC to its original state if you want.
Or we can contact an Expert, Admin or Moderator and have them help you try and get rid of the Trojan and get your system back up.

There is nothing like your system restored back to original; it runs so nice and clean...
and trying to clean and kill the bug may be long and tedious and your system may never run right.
So you need to decide which one....
Think about it; hopefully you have a backup of your personal files and then you should be good to go.
 

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Well, the guy who came and looked at my computer said a few things, which were pretty much my guesses too.
He said I could run Windows XP from the original CD (probably lost), which would allow me to log on to my accounts.
Or he said the new HD would be a good idea too, and he would transfer the data for me.
I asked him about finding out if userinit/winlogon were good, but he couldn't tell without logging on, so he just stated blindly "they are corrupt". Also, he didn't know a way to check which programs started up (such as running regedit without logging on).

Today I'm going to call around town and find out if anyone has an 80-110 gig IDE HD, since I really need more space (my HD is probably 90% full anyway).

Since that is my decision I'm wondering, how would you transfer settings (such as a firewall or Internet Explorer) to the new hard drive (seeing as how I literally have 10,000 sites blocked for cookies/JavaScript/xactives [stupid ads lol] both on my firewall (Norton) and IE)?
-Is there like a settings file or something similar?
 

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Well, I got my hard drive, 160 gigs for $67 ($63 + tax), score!
Problem is I don't have any XP install CDs, so it isn't formatted at the moment.
Is there any way I can use the D: (recovery) partition from the old hard drive, or am I going to have to keep asking around for the XP CD?
 

supasave

Thread Starter
Joined
Sep 17, 2008
Messages
6
Well,
so far I still haven't done much to fix my computer.
I have the extra hard drive
and copied a version of XP SP2 .iso onto a blank CD,
not sure what to really do now.
I'm going to contact my friend also to see if he can work with the .iso and format my HD.
 