Trojan removed, now XP Home won't boot.

  Diemmess 09:51 31 Mar 2011

Daughter and her adult sons have between them collected that awkward false popup "Windows XP Antivirus 2011".
At the same time AVG seems to have disappeared.

They have run both Superantispyware and Malwarebytes in safe mode from a stick drive and collected all sorts of potential mischief.

The computer will still load in Safe mode but will not do so in Normal mode

The windows logo and 'bar-graph' are seen but when this goes they are left with a black screen.

I dare not assume anything and so dig a deeper hole.

Is this going to mean a repair of XP or some unseen unreported driver to be replaced?

  Taff™ 10:12 31 Mar 2011

I had a similar one with a client's machine a couple of weeks ago and the infection replaced a specific driver in the system32 folder and corresponding dll folder - hence, as you suggest, it won't boot normally, only into safe mode.

I'd first try booting from an XP disc and entering recovery console. Get to a command prompt and try the following commands:


In that order and see after each one if you can get into normal mode. Click here for info on these commands.

This may not work and unless you can get some idea of which driver was replaced (check date stamps perhaps) and copy that from a working XP system onto yours using a Linux distro perhaps, a repair install of XP looks to be the solution.

  Taff™ 10:46 31 Mar 2011

Just checked my previous job sheets and it might be the userinit.exe file which should be in the c:\windows\system32 folder. Check that file out. Is it there and what's the size and date stamp? Post back and I'll check with my XP installation.

I may be out over lunchtime but I'm sure someone else could do the same. Drop me a PM if necessary Diemmess.

  Diemmess 12:19 31 Mar 2011

My own userinit.exe (XP Pro) size is 26K, dated April 08.

The ailing computer won't be accessible until after 4.0pm today.

I'm a fish out of the water with this problem and have always unashamedly used Acronis for myself.

So, trying to think your advice through, I assume that userinit.exe should be checked first?

If it is a peculiar size or a recent date, how do I deal with it?

"Repair" (without upsetting data) is the last hope, before re-installation, or is it a sensible procedure to use it earlier?

  anchor 12:28 31 Mar 2011

userinit.exe on my XP computer is 26kb, dated 14/4/2008.

All working fine.

  Diemmess 13:32 31 Mar 2011

Anchor and I both have [externally] the same file.
Same size and date.

Therefore if I take a copy of my userinit.exe and place it in Windows System32 instead of a file which is either absent or has different date or size, that might do the trick?

  Taff™ 14:05 31 Mar 2011

That file is correct and datestamp OK too. Check the other machine and if it is different in either respect, rename it to userinit.OLD and copy yours to the same folder. If the file is intact refer to the Recovery Console commands I gave earlier before a repair of XP.

  Diemmess 14:45 31 Mar 2011

Thanks Taff™ and anchor.
I travel in hope in about half an hour!

Will post back whatever result I manage in limited time today.

  Diemmess 17:38 31 Mar 2011

Conflict of interest, only able to spend 1/2 hour.
userinit not different, but replaced anyway.
Started long list of things to do in recovery console as recommended.
Doesn't chkdsk take an age?

More tomorrow (I hope)

  ronalddonald 18:26 31 Mar 2011

You did back up data on an external drive?

If you did, do a clean install using the XP disc if all these checks are going to be long.

  Seadog 23:14 31 Mar 2011

For what it's worth, my son managed to get the same malware on his PC a year or so back. After trying to get rid of it we ended up with the same situation - no boot in normal mode.
I googled it and found several topics in web forums about it.
On one there were links to sorting the problem with step by step instructions for removing the infection - if it is not removed correctly files are damaged or corrupted.
There was also a small program that repairs the damaged files because most people would try to remove it the wrong way, I downloaded and ran this and all was sorted. (It was free!!)
I can't remember where I found the info, but 30 minutes surfing for the answer might be better than spending all that time on a re-install?
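The size and date-stamp comparison discussed in this thread, as an added example that is not part of any post above: a Python sketch for use from a live Linux environment with the XP disk mounted, which also compares SHA-256 hashes, because a replaced file can carry the same size and date as the genuine one. The function names, the sample file names and the 26 KB sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_to_reference(suspect, reference):
    """Compare a suspect file with a known-good copy taken from a working system."""
    suspect, reference = Path(suspect), Path(reference)
    if not suspect.is_file():
        return {"present": False, "same_size": False,
                "same_mtime": False, "same_hash": False}
    s, r = suspect.stat(), reference.stat()
    return {
        "present": True,
        "same_size": s.st_size == r.st_size,
        "same_mtime": int(s.st_mtime) == int(r.st_mtime),
        "same_hash": sha256_of(suspect) == sha256_of(reference),
    }

def modified_since(directory, cutoff_epoch, suffixes=(".sys", ".dll", ".exe")):
    """Names of binaries in a directory changed after cutoff_epoch, newest first."""
    hits = [(p.stat().st_mtime, p.name) for p in Path(directory).iterdir()
            if p.is_file() and p.suffix.lower() in suffixes
            and p.stat().st_mtime > cutoff_epoch]
    return [name for _, name in sorted(hits, reverse=True)]

def demo():
    """Constructed sample: same size and date stamp, different bytes."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "reference.exe"), Path(d, "userinit.exe")
        good.write_bytes(b"A" * 26624)
        bad.write_bytes(b"B" * 26624)
        stamp = 1208131200  # constructed timestamp: 14 Apr 2008 00:00 UTC
        os.utime(good, (stamp, stamp))
        os.utime(bad, (stamp, stamp))
        Path(d, "newdrv.sys").write_bytes(b"x")  # constructed "recently changed" driver
        return compare_to_reference(bad, good), modified_since(d, stamp)

if __name__ == "__main__":
    print(demo())
```

In the constructed sample the size and date checks both pass while the hash check fails, which is the case a size-and-date comparison alone cannot catch.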

This thread is now locked and can not be replied to.
