> Cannot Log on, Logs off immediately
Yem
post Jun 9 2009, 07:58 PM
Post #1


New Member

Group: Authentic Member
Posts: 14
Joined: 31-May 09
Member No.: 86,064
Operating System: Windows XP SP3



Hi, while I've been trying to remove a nasty set of malware, I rebooted and now I cannot log onto the computer. TomK sent me to this forum to fix this issue that just developed. Here is my Hijackthis log from a few days earlier in this post before the oops occurred.

PC won't recognize my drive

As soon as I get to Windows after the log on sound it pauses and I cannot perform any actions or see desktop or explorer, can't get to taskman via alt-ctrl-delete. Shortly after, it plays the log off sound and sends me to the log on screen. I have only one user and I have tried every way to get on through F8 (Safe Mode and such). So I can get to the HD from Linux via the Ultimate Boot CD.

Any ideas? Thanks!
Ztruker
post Jun 9 2009, 08:44 PM
Post #2


WTT Tech

Group: Tech Team
Posts: 2,456
Joined: 6-August 05
From: Central Florida
Member No.: 37,720
Operating System: Windows 7 RC1, Windows XP Pro and Ubuntu Linux



Yem, boot to Safe Mode, but login as Administrator (no password), see if that works. If yes, then you have a corrupted account (user profile). Follow the directions here to create a new account and copy all your user data over to it:

http://support.microsoft.com/?kbid=811151

Or follow these directions posted in GeeksToGo.com
  • Boot to Safe Mode, login as Administrator
  • Show hidden files by opening My Computer, Tools menu, View tab, check Show Hidden Files/Folders and uncheck Hide extensions for known filetypes. Click Apply then OK.
  • Create a new Administrator level account via Control Panel / User Accounts. Pick a good name as you will be keeping it.
  • Reboot the computer.
  • Login with the new account so the folder structure under Documents and Settings gets created, then log off.
  • Boot to Safe Mode, login as Administrator
  • Browse to c:\documents and settings\OldUserAccount
  • Select everything in that folder except the three files called ntuser.dat, ntuser.dat.log, and ntuser.ini.
  • Copy all those files into c:\documents and settings\NewUserAccount. Reply Yes or Yes to all when duplicate folders or files are found.
  • Reboot the computer and login with your New user account.
Once you confirm that everything has been copied and is okay, you can delete the old profile.
Yem
post Jun 9 2009, 09:11 PM
Post #3





Thanks for the prompt response. I should have elaborated: I did try to log on as the administrator and I suffer the same problem in safe mode as administrator.

Would a file named mfdhidk.sys be something I should delete? It's the last thing I saw before it loaded the GUI.

This post has been edited by Yem: Jun 9 2009, 09:15 PM
Ztruker
post Jun 9 2009, 09:34 PM
Post #4





Okay, it may be file system corruption then. You need to boot the Recovery Console and run chkdsk.

See here for instructions: http://forums.whatthetech.com/How_run_chkd...ole_t95574.html

Post back if you have any questions.

Good luck.
Yem
post Jun 11 2009, 10:31 AM
Post #5





I tried the above fix twice. One repair was made but it didn't solve the login issue. Same conditions.
Ztruker
post Jun 11 2009, 05:50 PM
Post #6





You can try doing a manual System Restore (sort of). Read the instructions at this link:

You can also manually copy the data from various restore points to their correct locations from the Recovery Console. See here:

http://forums.cclonline.com/showthread.php?t=1183

I've used this many times with great success, if the problem is a corrupted registry, which this most likely is.

This post has been edited by Ztruker: Jun 11 2009, 05:50 PM
appleoddity
post Jun 11 2009, 06:41 PM
Post #7


SuperMember

Group: Tech Team
Posts: 1,656
Joined: 7-January 09
From: Flint, Michigan
Member No.: 83,485
Operating System: Windows XP, Server 2003/2008, Linux



There are a couple registry keys destroyed by malware....

Unfortunately, if you can't login, I'm not sure how you will fix it. :)

If you can mount the hard drive in another computer, or if you have a utility that will allow you to edit the registry from the Ultimate Boot CD, you can fix those registry points.

If you can mount the hard drive in another computer, you can use a program called LoadHive that will allow you to mount a registry file as part of your local registry and edit it. You can use loadhive to open the registry file from the non-working computer's hard drive and modify the required registry points and then put the drive back in the computer it belongs in. You'll need to post back with further instructions if you need to go this route.

You want to verify that the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key is set to "C:\windows\system32\userinit.exe,"

The file Userinit.exe also tends to be corrupted by malware. So, if the key is right in the registry, or if you would like to just try to replace that file first and see if it works, that is also the way to go.

From the recovery console you need to have the windows XP installation disc in the drive and then issue the command: expand D:\i386\userinit.ex_ C:\windows\system32\userinit.exe (Where D: is the drive letter of your CD-Rom).

Come to think of it, you might want to try this first, seeing as how you are easily able to get to recovery console.

If you don't have the original windows XP disc to put in the drive, you can use this command: expand C:\windows\servicepackfiles\i386\userinit.ex_ C:\windows\system32\userinit.exe (This only works if you have installed a service pack on windows before)

You should get a confirmation saying file expanded successfully.

Then try booting normally again.

This post has been edited by appleoddity: Jun 11 2009, 06:44 PM
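
The Userinit check described in Post #7, as an added example that is not part of the original thread: a Python sketch that validates a Winlogon Userinit value string (however it was read, for instance from the offline hive) against the expected path given in that post. The function names, the `system_root` default and the sample values are constructed for illustration.

```python
import ntpath

# Expected entry, as given in Post #7 (the stored value ends with a comma).
EXPECTED = r"C:\windows\system32\userinit.exe"

# Constructed sample values, not taken from the infected machine.
SAMPLES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "appended": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\example.exe,",
    "replaced": r"C:\WINDOWS\Temp\userinit.exe,",
}


def normalize(entry, system_root=r"C:\windows"):
    """Strip quotes/whitespace, expand %SystemRoot%/%windir%, lower-case the path."""
    e = entry.strip().strip('"').strip()
    for var in ("%systemroot%", "%windir%"):
        if e.lower().startswith(var):
            e = system_root + e[len(var):]  # system_root is an assumed default
            break
    return ntpath.normpath(e).lower()


def check_userinit(value):
    """Return a list of findings for a Userinit value; an empty list means clean."""
    # The value is a comma-separated list of programs Winlogon runs at logon.
    entries = [p for p in value.split(",") if p.strip()]
    if not entries:
        return ["Userinit value is empty"]
    expected = normalize(EXPECTED)
    findings, seen_expected = [], False
    for raw in entries:
        norm = normalize(raw)
        if norm == expected:
            seen_expected = True
        elif ntpath.basename(norm) == "userinit.exe":
            findings.append(f"userinit.exe at unexpected path: {raw.strip()}")
        else:
            findings.append(f"extra program in Userinit: {raw.strip()}")
    if not seen_expected:
        findings.append("expected userinit.exe entry is missing")
    return findings


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", check_userinit(value) or "OK")
```

A clean value only shows that the registry entry is intact; as Post #7 notes, the userinit.exe file itself can still have been replaced.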
Yem
post Jun 13 2009, 05:02 PM
Post #8





Ok I just copied the userinit.exe from the servicepackfiles folder to the system folder. That did it but as soon as I got on the malware changed the userinit file again. Thanks for your help!
appleoddity
post Jun 13 2009, 05:28 PM
Post #9





Ok... Wait on anything else.. I am in contact with TomK for what to do next.
appleoddity
post Jun 13 2009, 05:34 PM
Post #10





Ok.. I am assuming that after expanding the new userinit.exe file that you were able to successfully log in? Then, you were ok until you tried to reboot and login again?

If this is the case, please expand the userinit.exe file again, get logged back into your computer, and then follow up with TomK in your previous malware thread. He says you were not able to continue because of this problem. So, if you can get logged in, follow up over there, and do NOTHING until further instructions. Do not shutdown, do not reboot. Stay disconnected from the internet if you can for now and follow up in the thread until you receive definitive instructions from another computer.
Tomk
post Jun 13 2009, 05:34 PM
Post #11


Forum God

Group: Classroom Teacher
Posts: 11,238
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Yem,

Please go back to the thread you posted originally. http://forums.whatthetech.com/PC_won_t_rec...424#entry566424 If you are able to run the CF program that I gave you directions for there, it will be able to tell us more about your userinit.exe file.
Yem
post Jun 13 2009, 05:52 PM
Post #12





No, after I first did the copy I haven't logged off. If I do I'll be in trouble. I won't log off though. I just saw that Spybot S&D noticed a reg change with userinit. I cut the machine off from the net to keep the system from getting more infected while I'm away. I started ComboFix and had to leave for a dinner engagement but will be back to post at the original thread when I return to the war room.
Tomk
post Jun 13 2009, 06:20 PM
Post #13





thumbup.gif