Windows stuck at login screen

Status
Not open for further replies.
here is my HJT log for post#23:

----------

Moderator Edit:
Pasted HJT log removed, and then attached
Please attach your logs, do not paste them into a reply.

This is the second time I have attached your pasted logs Transform, in any future posts any pasted logs will just be removed
You must ATTACH the logs, not paste them in
 
To the Moderator: thank you for removing the paste and attaching the log. It's very difficult to work through the log in the pasted format.

The only entry I see that needs to be removed is this:
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

I had asked
Verify that this is what is being used for the Remote Desktop overseas:
This program is running> TightVNC Software>> TightVNC is a free remote control software package derived from the popular VNC software. With TightVNC, you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would do it sitting in the front of that computer. It is not without risks. Please see its features on http://www.tightvnc.com/
Otherwise the log is clean. Make sure the Java is showing as v6u10 in Add/Remove Programs. It appears it only displays as Java v6 in the log.

What is the system status now? Have the original problems been resolved? If so, we can finish up:

* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

Please let us know if you need further help.
 
It may be too late now but nobody mentioned it.. Boot in safe mode (or normal mode) and do a system restore to a point when the computer was working.. This is assuming you have it turned on. If you don't get start menu and icons you can run it from task manager here C:\Windows\System32\restore\rstrui.exe
 
It may be too late now but nobody mentioned it.

Sadly it is too late to do this, as by doing this it will cause all the support fixes already done to be removed

Note also the System Restore points are usually the first part to be infected
 
Firstly I must apologise for pasting the log. I used to regularly use another forum where I would always be told to paste the logs. I will remember to attach them from now.

Secondly, VNC is what I use to control the computer with the problem. Unfortunately the problem is still there :(

I believe it happened at the beginning of the year when I installed Kaspersky onto the computer. I have spent a long time since trying to rectify the problem with no luck. Where do I go from here?
 
This thread has gone over a two week period. Replies have sent you in different directions and it appears you've gotten nowhere. I suggest we begin again, running MalwareBytes, SuperAntispyware, then HijackThis.

Please attach the logs from the programs. We will try to go in one direction. If you did a repair, what was done got undone. Let's try and go straight through and see if we can resolve the issue.
 
Before running the scans I noticed that the Windows Firewall was not on and so there is a large number of spyware in these logs. I have now turned on the firewall and re-ran the scans which came out clear 2nd time around. Here are all 3 scan files for you.
 
I can only work with what I'm seeing in the logs. From a malware point of view, you're in worse shape now than when you started! I can't chalk it all up to not having the Windows firewall on:

Your first Mbam log was clean. The current one shows multiple infections.

The current SAS log shows multiple tracking Cookies. Instructions were given to reset Cookies. Apparently that wasn't done as the current SAS log is full of them!
Have SAS remove all findings. These screen shots will help you find the features to check. Click on any of the screens to enlarge:
http://superantispyware.en.softonic.com/images

Reset Cookies:
Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.
Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
This appears to be a registration page to purchase McAfee security Suite. Remove it.
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk.mcafee.com/root/campaign.asp?cid=16318
Advised remove this in Post #27
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
Should be removed. Known vulnerabilities:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot.

Please advise system status. It doesn't seem like any progress is being made and when you followed the repair instruction, what had been done previously was undone.
 
thanks for your reply.

I went into SAS and Manage Quarantined Items and deleted the tracking cookies. I then edited the cookie settings in IE as shown. HJT entries also removed.

I guess all the viruses have been deleted but the same problem on startup still occurs.
 
This is a system you're doing a remote on overseas, right? I don't know what's going on with it! Even from a malware issue alone, it's not under control and the original problem wasn't resolved. Honestly, I don't know what to suggest. I am very conservative with reformat suggestions, but the system doesn't sound like it's in good shape and that might be the answer.
 
the whole thing came about from installing Kaspersky anti virus onto the machine. the computer seems to run perfectly fine except for having to manually start the explorer process on startup. reformatting really would be the last resort as there are multiple users on the system.

i think the malware only came back because after the windows repair, it turned off the firewall. now the firewall is on, it seems that the malware issue has gone.

i don't know what to do next :confused:
 
--> If we are able to bring up the Task Manager, check if we have the correct registry entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe" (REG_SZ)

"Userinit"="C:\WINDOWS\system32\userinit.exe,"
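
The check suggested in the post above can be done from captured output instead of editing the Registry by hand. This is an added example, not part of the original post: it parses the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and compares Shell and Userinit with the values quoted above. Both sample outputs are constructed, and `C:\example\extra.exe` is a placeholder name.

```python
import re

# Expected data as quoted in the thread; assumes Windows lives in C:\WINDOWS.
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}
# A value line is indented: <name> <REG_type> <data>, split by spaces or tabs.
LINE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample outputs (not taken from the poster's machine).
CLEAN_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""
ALTERED_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\example\extra.exe
"""

def parse_reg_query(text):
    """Return {lowercased value name: (type, data)} from reg query output."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name.strip().lower()] = (rtype, data.strip())
    return values

def split_entries(data):
    """Split comma-separated data, ignoring case and the trailing comma."""
    return [p.strip().strip('"').lower() for p in data.split(",") if p.strip()]

def check_winlogon(text):
    """List every deviation of Shell/Userinit from the expected values."""
    values, findings = parse_reg_query(text), []
    for name, expected in EXPECTED.items():
        if name not in values:
            findings.append(f"{name}: value missing")
            continue
        rtype, data = values[name]
        if rtype != "REG_SZ":
            findings.append(f"{name}: type {rtype}, expected REG_SZ")
        if split_entries(data) != expected:
            findings.append(f"{name}: unexpected data {data!r}")
    return findings

if __name__ == "__main__":
    for label, out in (("clean", CLEAN_OUTPUT), ("altered", ALTERED_OUTPUT)):
        print(label, check_winlogon(out) or "OK")
```

An empty result only means these two values match; it does not explain why Explorer fails to start.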
 
I am very reluctant to send someone into the Registry. There are dangers doing that and doing a backup first should be stressed. If this person is doing remote assistance, he should be aware of the Registry settings. Unfortunately, this person has been sent in too many directions- a Windows Repair to name a major one.

If you go back and read the posts, you will see that this is about doing a remote assist, where the 'helper' should have access to all the files on the system.
 
Too bad that the person who made the suggestion didn't give directions. I will leave it up to that person. But I will tell you to back up the Registry before making any changes.
 
--> If we are able to bring up the Task Manager, check if we have the correct registry entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"="Explorer.exe" (REG_SZ)

"Userinit"="C:\WINDOWS\system32\userinit.exe,"

Tried this but the registry values were the same as above...
 
Yes well if you look back at Post#2 (the second post in this long thread) this was already covered fully. So the last few posts (7 of them!), resolved, well nothing!

You were being helped by Bobbye, who is probably one of the best (expert that is) on this. (you can tell this by any single one, of his posts)


I believe for you to get Explorer working again, you may need to do the following:
Un-install any live protecting software, this includes Antivirus; Firewall; Spyware monitoring programs.
Run a Repair on Windows, see here for instructions
Once the repair is complete, please inform us of the outcome
Note: Running a repair will involve re-activating Windows, and then updating all Windows security updates again

Please try that
Note: No data is normally (ever) lost whilst doing a repair, but it is always stated to backup first.
 
I guess I should uninstall these things with the Internet disconnected to stop anything accessing the computer?

Do I need to uninstall all the spyware programs even if they are not running all the time?

The only thing always running is the AVG anti virus software.
 
You can use File> Work Offline for the security uninstalls.

Check one thing for me please: Control Panel>Folder options> View tab> CHECK 'do NOT show hidden files and folders'> Apply> OK. Some have noticed- myself included-that if 'show' is left, it can sometimes cause Explorer crashes.
 
Here are the results:

Tried 'do not show hidden files and folders' technique but didn't work.

Removed all antispyware/virus programs and also removed other programs not being used on the system.

Next I ran the XP repair however I still had to bring up task manager as the user profile stalled on the wallpaper screen.

Does this mean that the problem isn't with the operating system but some file(s) from a piece of software on the computer?
 
Do you understand that every time you run a repair you undo what we've done?! We're at Post #48 and getting nowhere! Maybe you should just reformat and be done with it.
 
Well excuse me but I am following kimsland's advice. Anyhow, I don't think I can reformat because I will lose all the extras that are given by Dell.
 
Please review Post #5. It was NOT kimsland who told you to do the repair:
From: almcneil :
I'd try a Windows repair at this point. Do you have your Windows installation CD?

kimsland and I have both told you that doing this undoes all the previous work we have done.
 