Midtown Computer Systems Enterprise


Windows XP Security Admin microsoft.public.windowsxp.security_admin

 
 
  #1  
Old 12-03-04, 07:16 PM
Ronaldo
Logon - logoff loop
Logon - Log off loop. When you login to Windows, the "loading personal
settings" verbose will appear, but suddenly it will logoff

After reload ( repair ) XP, I could access once but the problem went back
I reload software again
find out wrong value in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
Name: Userinit
found: C:\WINNT\system32\userinit.exe, %SystemRoot%\iProtect.exe
change to Correct: C:\WINDOWS\system32\userinit.exe
System seems to be working fine

After login and log off the problem went back
Find out that the file c:\winsecure.exe was changing the registry,
Some kind of malware, I think...
deleted file and found in the registry the following line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Windows Security Manager value: c:\winsecure.exe


Question: can I delete this "Windows Security Manager" from registry?

regards

--
Ronaldo Silva
  #2  
Old 12-04-04, 02:13 AM
Doug Knox MS-MVP
Re: Logon - logoff loop
I would certainly consider it.  You may also want to update your AV
Software as well as run AdAware, www.lavasoftusa.com and SpyBot Search
and Destroy, www.safer-networking.org.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Ronaldo" <Ronaldo@discussions.microsoft.com> wrote in message news:39D4C4A9-79EF-4794-A28A-58E3DD4C662A@microsoft.com...
> Logon - Log off loop. When you login to Windows, the "loading personal
> settings" verbose will appear, but suddenly it will logoff
>
> After reload ( repair ) XP, I could access once but the problem went back
> I reload software again
> find out wrong value in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
> Name: Userinit
> found: C:\WINNT\system32\userinit.exe, %SystemRoot%\iProtect.exe
> change to Correct: C:\WINDOWS\system32\userinit.exe
> System seems to be working fine
>
> After login and log off the problem went back
> Find out that the file c:\winsecure.exe was changing the registry,
> Some kind of malware, I think...
> deleted file and found in the registry the following line:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> Name: Windows Security Manager value: c:\winsecure.exe
>
>
> Question: can I delete this "Windows Security Manager" from registry?
>
> regards
>
> --
> Ronaldo Silva

  #3  
Old 12-17-04, 12:10 PM
gupr
Re: Logon - logoff loop
got exactly the same problem as mentioned in the first paragraph. please help resolve the problem

thanks


Quote:
Originally posted by Ronaldo
Logon - Log off loop. When you login to Windows, the "loading personal
settings" verbose will appear, but suddenly it will logoff

After reload ( repair ) XP, I could access once but the problem went back
I reload software again
find out wrong value in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
Name: Userinit
found: C:\WINNT\system32\userinit.exe, %SystemRoot%\iProtect.exe
change to Correct: C:\WINDOWS\system32\userinit.exe
System seems to be working fine

After login and log off the problem went back
Find out that the file c:\winsecure.exe was changing the registry,
Some kind of malware, I think...
deleted file and found in the registry the following line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Windows Security Manager value: c:\winsecure.exe


Question: can I delete this "Windows Security Manager" from registry?

regards

--
Ronaldo Silva
  #4  
Old 12-17-04, 10:13 PM
Malke
Re: Logon - logoff loop
gupr wrote:
>
> got exactly the same problem as mentioned in the first paragraph. please
> help resolve the problem
>
> thanks
>
>
> Ronaldo wrote:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon
>

Please do not hijack other people's threads, even if you think the
problem is similar. It makes it difficult to give both posters good
advice. In this case, you should follow the advice I'm going to give
Mr. Silva:

Mr. Silva - Not only should you delete the winsecure, which is malware,
you should run through these malware removal steps to make sure your
computer is completely clean. It is crucial to do all steps with
updated tools in Safe Mode.

1) Scan in Safe Mode with current version (not earlier than 2003)
antivirus using updated definitions.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

HijackThis is an excellent tool to discover and disable hijackers, but
it requires expert skill. See below for HijackThis links. A combination
of HijackThis and about:Buster works well in removing the about:Blank
homepage hijacker. Again, this is an expert tool and novices should get
help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore because malware will be in the Restore Points. With ME, you
must disable System Restore completely. With XP, you can delete all but
the most recent (presumably clean) System Restore point from the More
Options section of Disk Cleanup (Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract..._download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

General:
http://forum.aumha.org/ - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
MS MVP - Windows Shell/User
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
  #5  
Old 12-19-04, 07:15 PM
splashy
Re: Logon - logoff loop
Well it looks nice, but there is NO WAY I can change anything on the
hard drive because after logon is a logoff,
also in safe mode you cannot intercept, it just keeps on going to logon.

The computer has an up to date (16 dec) virus scanner and firewall, Ad-aware
and HijackThis.

Help is badly needed ;) Rolphe

  #6  
Old 12-30-04, 03:13 AM
earulez
Re: Re: Logon - logoff loop
Quote:
Originally posted by splashy
Well it looks nice, but there is NO WAY I can change anything on the
hard drive because after logon is a logoff,
also in safe mode you cannot intercept, it just keeps on going to logon.

The computer has an up to date (16 dec) virus scanner and firewall, Ad-aware
and HijackThis.

Help is badly needed ;) Rolphe

Hi there,

my solution to your problem:
I used a boot CD made with Barts PE Builder (http://nu2.nu/pebuilder/) from my WIN XP Prof Installation CD with some extra tools:
The McAfee Command line Scanner and the Registry Editor from J. Mazlovsky mentioned on Barts PE site.
Also the Total Commander as "Explorer".

- Boot from CD
- Start a Virus Scan with McAfee and clean found files
- Start Registry editor and load the ntuser.dat out of your Profile.
- Look for the key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon and correct it like Ronaldo did.

In my case, McAfee found the adclicker.AU virus in several files named
- C:\WINDOWS\system32\iProtect.exe
- C:\WINDOWS\system32\axe.exe
- C:\WINDOWS\system32\winsecure.exe
- C:\WINDOWS\system32\memorymanager.pif
- C:\WINDOWS\system32\ins32.dll
- C:\spooler.exe
- C:\WINDOWS\msupdate.exe
- C:\cab.exe
It even changed the "hosts" file in - C:\WINDOWS\system32\drivers\etc

The Virus was originally located in an executable ebook, which has been scanned with AntiVirPE (UptoDate Vir.def of course) and NO Virus was detected!!!

Changing the userinit part without removing the infected files had the same effect Roberto got.
Quote:
After login and log off the problem went back
Find out that the file c:\winsecure.exe was changing the registry,
Some kind of malware, I think...
deleted file and found in the registry the following line:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name: Windows Security Manager value: c:\winsecure.exe

ATTENTION: Please look for the correct Windows-PATH (e.g. C:\WINDOWS or C:\WINNT or maybe your own choice), I got it wrong and the System hung in the logon logoff loop again!

Greetz, Joe
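
An offline check of the two registry values this thread keeps returning to, as an added example (not code from any poster): it reads a .reg-style export, reports Userinit entries that are extra or that point at the wrong Windows directory for the given system root, and flags Run entries that launch from a drive root. The sample export is constructed from the values quoted in the thread, the key name uses the standard `Windows NT` spelling, and the drive-root rule is a heuristic assumption.

```python
import ntpath
import re
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample in .reg export layout, using the values reported in the thread.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe, %SystemRoot%\\iProtect.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Security Manager"="c:\\winsecure.exe"
'''

def parse_reg(text):
    """Return {key path: {value name: string data}} for the string values in an export."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            current[name] = data.rstrip('"').replace("\\\\", "\\")  # undo .reg escaping
    return keys

def check_userinit(value, system_root):
    """Compare each comma-separated Userinit entry with <system_root>\\system32\\userinit.exe."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    findings, seen_expected = [], False
    for entry in filter(None, (e.strip() for e in value.split(","))):  # tolerate trailing comma
        resolved = ntpath.normcase(re.sub("%systemroot%", lambda m: system_root, entry, flags=re.I))
        if resolved == expected:
            seen_expected = True
        else:
            kind = "wrong-windows-path" if ntpath.basename(resolved) == "userinit.exe" else "extra-program"
            findings.append((kind, entry))
    if not seen_expected:
        findings.append(("userinit-missing", expected))
    return findings

def check_run(values):
    """Heuristic (assumption): flag Run entries whose program sits directly in a drive root."""
    def in_root(command):
        drive, rest = ntpath.splitdrive(command.strip().strip('"'))
        return bool(drive) and rest.count("\\") == 1
    return [(name, cmd) for name, cmd in values.items() if in_root(cmd)]

def audit(export_text, system_root):
    keys = parse_reg(export_text)
    userinit = keys.get(WINLOGON, {}).get("Userinit", "")
    return {"userinit": check_userinit(userinit, system_root), "run": check_run(keys.get(RUN, {}))}
```

Calling `audit(SAMPLE_EXPORT, r"C:\WINDOWS")` reports the `C:\WINNT` entry as a wrong Windows path, `iProtect.exe` as an extra program, and the expected userinit.exe as missing; the same value checked against `C:\WINNT` leaves only the extra program.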
  #7  
Old 01-01-05, 03:38 AM
sprite123
Re: Re: Re: Logon - logoff loop
Quote:
Originally posted by earulez
Hi there,

my solution to your problem:
I used a boot CD made with Barts PE Builder (http://nu2.nu/pebuilder/) from my WIN XP Prof Installation CD with some extra tools:
The McAfee Command line Scanner and the Registry Editor from J. Mazlovsky mentioned on Barts PE site.
Also the Total Commander as "Explorer".

- Boot from CD
- Start a Virus Scan with McAfee and clean found files
- Start Registry editor and load the ntuser.dat out of your Profile.
- Look for the key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon and correct it like Ronaldo did.

In my case, McAfee found the adclicker.AU virus in several files named
- C:\WINDOWS\system32\iProtect.exe
- C:\WINDOWS\system32\axe.exe
- C:\WINDOWS\system32\winsecure.exe
- C:\WINDOWS\system32\memorymanager.pif
- C:\WINDOWS\system32\ins32.dll
- C:\spooler.exe
- C:\WINDOWS\msupdate.exe
- C:\cab.exe
It even changed the "hosts" file in - C:\WINDOWS\system32\drivers\etc

The Virus was originally located in an executable ebook, which has been scanned with AntiVirPE (UptoDate Vir.def of course) and NO Virus was detected!!!

Changing the userinit part without removing the infected files had the same effect Roberto got.



ATTENTION: Please look for the correct Windows-PATH (e.g. C:\WINDOWS or C:\WINNT or maybe your own choice), I got it wrong and the System hung in the logon logoff loop again!

Greetz, Joe

If you guys want to know a simpler solution to the log in log off loop.. check out this link.. it worked for me..

http://www.winxptutor.com/wsaremove.htm

btw, if you're using a raid controller.. when u go into the recovery console, u need to get ur raid controller disk and load the drivers on there so it will recognize ur hard drives..
 




All times are GMT -5.

