
Little Help : XP Stuck After Login

  • 01-02-2010 8:15pm
    #1
    Registered Users Posts: 151 ✭✭


    Hi Folks,
    Apologies for the probably stupid question ... I've been asked to fix a friend's PC.

    The problem is that after XP displays the login prompt and a user account has been selected, Windows will never display the desktop. A blue screen appears (a partial paint of the desktop, not the BSOD) and the remainder of the desktop will not load. My guess is that some system process has hung.

    To complicate things slightly, Ctrl-Alt-Delete brings up a message saying "Task Manager has been disabled by the Administrator". That smells like a virus, but may not be. Opinions?

    Note: This also happens for all safe modes as well.

    Any ideas how to gain some access to the PC, to perhaps look in detail at msconfig.exe in case there are some obvious processes starting after login?

    Thanks,
    Sean


Comments

  • Closed Accounts Posts: 3,597 ✭✭✭WIZE


    Have you checked if there are any CDs, USB sticks, or SD cards in the PC? Also disconnect any hardware attached to the PC (leave the keyboard, mouse and monitor connected).


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Google stuff like "Internet Security 2010 malware" without the quotes and see if you have similar symptoms.

    If that's what you have and you have problems getting rid of it, PM me. I've got rid of it on a couple of systems and it's an interesting logic problem to remove it, as each time a new method of fixing it is posted the authors rewrite the malware code and make it more difficult to get rid of.


  • Registered Users Posts: 1,772 ✭✭✭woolymammoth


    Where did your friend buy the computer? And did he get the Windows discs?

    It may have some problems anyway, but it sounds to me like some things have been disabled by group policy.


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    Guys? It's bloody Internet Security 2010!

    Read the OP's post: on a home computer, how does this message "Task Manager has been disabled by the Administrator" come out of the blue?

    And why does the problem occur in all modes?

    Answer: userinit hijack.

    What I've experienced is that as Internet Security 2010 gets hold, McAfee (useless rubbish) deletes the file that the Reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit now points to (should be C:\Windows\system32\userinit.exe and only that, nothing should be appended). So the system can't fully load.

    http://www.malwarehelp.org/internet-security-2010-removal-2010.html gives an idea of what would happen if the malware fully loaded up.

    The trick now is to get into the registry to put that key back. BartPE is one way I've used, but there are some others; you just need to probe around till you find them.

    Note also, if it is Internet Security 2010, then the versions I've seen recently have had a rewrite and some of the filenames have changed, and there is no complete method online for removal. You just have to get logged on somehow, then run rkill (google it), then load, update and run Malwarebytes.
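
The Userinit check described in the post above, as an added example that is not part of the original thread: it parses the text of a `.reg` export and flags a Userinit value with anything appended, plus the Task Manager policy. The sample export is constructed; `DisableTaskMgr` is the standard policy value behind the "Task Manager has been disabled" message, and the expected path assumes Windows is installed in C:\Windows.

```python
import re

# Constructed sample: a .reg export of two keys from an affected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\example\\fake.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # assumed install path

def parse_reg(text):
    """Return {key_lower: {value_name_lower: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = keys.setdefault(section.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if value and current is not None:
            name, data = value.group(1).lower(), value.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ escaping
            elif data.startswith("dword:"):
                data = int(data[6:], 16)
            current[name] = data
    return keys

def audit(text):
    """Flag a Userinit list holding anything but userinit.exe (a trailing comma is normal)."""
    keys, findings = parse_reg(text), []
    userinit = keys.get(WINLOGON, {}).get("userinit")
    if userinit is None:
        findings.append("Userinit value missing")
    else:
        entries = [e.strip().lower() for e in str(userinit).split(",") if e.strip()]
        if EXPECTED_USERINIT not in entries:
            findings.append("Userinit does not launch userinit.exe")
        findings += [f"Userinit has extra entry: {e}" for e in entries if e != EXPECTED_USERINIT]
    if keys.get(POLICIES, {}).get("disabletaskmgr") == 1:
        findings.append("DisableTaskMgr policy is set")
    return findings
```

Regedit writes version 5.00 exports as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`. For a hive loaded offline under a different key name, change `WINLOGON` and `POLICIES` to match the paths in that export.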


  • Registered Users Posts: 327 ✭✭Bebop


    TTM is spot on; this sounds like one of the fake AVs that are going around. This site has a list of the culprits: http://freeofvirus.blogspot.com/

    Generally these little gems will take over most of your executables and display the quoted error message. Task Manager will run for about a second before it vanishes, but you can remove them. You will need Malwarebytes:

    www.malwarebytes.org

    Download the free version on a working computer and put it on a memory stick,
    Boot the infected PC into safe mode [press F8 while booting, select safe mode]

    run regedit and delete the key;
    HKey Local machine\software\microsoft\windows\current version\run <name of fake AV>
    Delete the same item also from the %Userprofile% and all users start menu programs

    Delete the folder in C:\program files\

    delete temporary internet files

    Reboot normally and run Malwarebytes, do a quick scan, remove any trojans found and reboot again

    You should then be back to normal, run a full scan of MWB to check


  • Registered Users Posts: 151 ✭✭viboy


    Thanks for all your help lads - looks like you got it spot on.

    But, in order to fix it, some of the suggestions require XP to boot successfully into safe mode. Currently it does not. Any suggestions / hints to work around this?

    Original Windows disk has gone missing (natch), and I'm more of a Mac man.
    I do have a copy of Windows 7 that I could boot from, but not install, as my licence is tied up on my machine. Will that help by any chance?


  • Closed Accounts Posts: 2,045 ✭✭✭ttm


    I use a BartPE disk, but to make one you need a genuine Windows XP disk of some sort.

    If you can make one, you boot from BartPE and then have to use regedit to load the relevant hive from your mate's PC and save the changes.

    http://www.precisesecurity.com/rogue/internet-security-2010/ has a few answers in the replies.

    Google "BartPE regedit internet security 2010" without the quotes for lots more possible answers.

