
Can't log on


Chris_com28


I now can't log on to my XP computer. It logs off within seconds of logging on. I think it may be Panda Internet Security because I just installed it today.


I've now got some more information about the virus that Norton detects just before logging me off.

Virus name: Backdoor Trojan

File: C:\windows\system32\ctlmfe.dll

Location: C:\windows\system32

Computer: D9KRRHOJ

User: System

Is there any way I can remove this while in a different mode like MS Dos?


Here is a link to the Norton site that describes the virus: hope this helps.

Link

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Disable System Restore (Windows Me/XP).

Update the virus definitions.

Restart the computer in Safe mode or VGA mode.

Run a full system scan and delete all the files detected as Backdoor.Trojan.

Reverse the changes made to the Windows registry.

Windows 95/98/Me only: Remove any references to the infected files that have been added to the Win.ini and System.ini files.

For specific details on each of these steps, read the following instructions.

--------------------------------------------------------------------------------

Note: The procedure described in this document is complex and assumes that you are familiar with basic Windows and DOS procedures. If you are not, then we suggest that you obtain the services of a qualified computer consultant.

--------------------------------------------------------------------------------

1. Disabling System Restore (Windows Me/XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

"How to disable or enable Windows Me System Restore"

"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions

Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).

Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."

For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files

Start your Symantec antivirus program and make sure that it is configured to scan all the files.

For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."

For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."

Run a full system scan.

If any files are detected as infected with Backdoor.Trojan, write down the path and file names, and then click Delete.

--------------------------------------------------------------------------------

Note: If your Symantec antivirus product reports that it cannot delete an infected file, shut down the computer, turn off the power, and then wait 30 seconds. Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA mode (Windows NT 4), and then run the scan again.

For instructions on restarting the computer in Safe mode, read the document, "How to start the computer in Safe Mode."

--------------------------------------------------------------------------------

5. Reversing the changes that were made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)

Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Refer to the list of infected files that you created while following the instructions in step c of the previous section, "Scanning for and deleting the infected files."

In the right pane, look at the entries in the Name and Data columns. If you find an entry that refers to a file that was detected as infected, select the entry, press Delete, and then click Yes to confirm.

Do one of the following:

Windows NT/2000/XP: Navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Windows 95/98/Me: Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Refer to the list of infected files that you created while following the instructions in the previous section. In the right pane, look at the entries in the Name and Data columns. If you find an entry that refers to a file that was detected as infected, select the entry, press Delete, and then click Yes to confirm.

Exit the Registry Editor.

6. Removing the references to the infected files from the Win.ini and System.ini files

If you are running Windows 95/98/Me, follow these steps:

The function you perform depends on your operating system:

Windows 95/98: Go to step B.

Windows Me: If you are running Windows Me, the Windows Me file-protection process may have made a backup copy of the Win.ini file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:

Start Windows Explorer.

Browse to and select the C:\Windows\Recent folder.

In the right pane, select the Win.ini file and delete it. The Win.ini file will be regenerated when you save your changes to it in step F.

Click Start, and then click Run.

Type the following, and then click OK:

edit c:\windows\win.ini

The MS-DOS Editor opens.

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

CAUTION: The following steps instruct you to remove text from the load= and run= lines of the Win.ini file. If you are using older programs, they may be loading at startup from one of these lines. The Trojan can add lines, such as load=c:\windows\temp\pkg2350.exe or run=hpfsched <blank spaces> msrexe.exe. (In this example, hpfsched is a legitimate program, but msrexe.exe is part of the Trojan.)

If you are sure that the text contained in these lines is for programs that you normally use, then we suggest that you do not remove it. If you are not sure, but the text does not refer to the file names you wrote down earlier, then you can prevent the lines from loading by placing a semicolon in the first character position of the line.

For example:

; run=accounts.exe

Locate the load= line within the [windows] section of the Win.ini file; it is usually located near the top of the file.

Position the cursor immediately to the right of the equal (=) sign.

Press Shift+End to select all the text to the right of the equal sign, and then press Delete.

Repeat the steps in sections 3 to 5 for the run= line, which is usually beneath the load= line.

Click File, click Exit, and then click Yes when you are prompted to save the changes.

Click Start, and then click Run.

Type the following, and then click OK:

edit c:\windows\system.ini

The MS-DOS Editor opens.

NOTE: If Windows is installed in a different location, make the appropriate substitution.

Locate the shell=explorer.exe line within the [boot] section of the System.ini file; it is usually located near the top of the file.

Position the cursor immediately to the right of explorer.exe.

Press Shift+End to select all the text to the right of explorer.exe, and then press Delete.

NOTE: Some computers may have an entry other than explorer.exe after shell=. If this is the case and you are running an alternate Windows shell, then change this line to shell=explorer.exe for now. You can change it back to your alternate shell after you have finished this procedure.

Click File, click Exit, and then click Yes when you are prompted to save the changes.

This completes the removal part of the process. Even though you did so previously, start your Symantec antivirus product and run another full system scan. Delete any files that are found to be infected with Backdoor.Trojan. When the scan is finished, restart the computer.

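The Win.ini and System.ini check from section 6 of the instructions quoted above can also be done read-only before editing anything. This is an added example, not part of the Symantec text or of any poster's reply; the function names (`ini_values`, `audit`) and the sample file contents are constructed for illustration, reusing the file names from the guide's own CAUTION example.

```python
import re

# Constructed sample files (not from a real machine). The run= line mirrors the
# guide's example: a legitimate program, a run of blank spaces, then a Trojan file.
SAMPLE_WIN_INI = """\
[windows]
load=c:\\windows\\temp\\pkg2350.exe
run=hpfsched                                   msrexe.exe
; run=accounts.exe
[fonts]
"""

SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe msrexe.exe
[drivers]
"""

def ini_values(text, section, key):
    """Return the active values of `key` inside `[section]` (case-insensitive).

    Lines starting with ';' are skipped: that is how the guide disables an entry.
    """
    values, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep and current == section.lower() and name.strip().lower() == key.lower():
            values.append(value.strip())
    return values

def basename(token):
    """File name part of a Windows path, lower-cased for comparison."""
    return re.split(r"[\\/]", token.strip('"'))[-1].lower()

def audit(win_ini, system_ini, detected):
    """List startup entries to review; `detected` holds the file names written
    down during the scan. Assumption: paths contain no spaces (8.3-style names)."""
    detected = {basename(d) for d in detected}
    findings = []
    for key in ("load", "run"):
        for value in ini_values(win_ini, "windows", key):
            for token in value.split():  # split() also collapses padding spaces
                status = "DETECTED" if basename(token) in detected else "review"
                findings.append((f"win.ini {key}=", token, status))
    for value in ini_values(system_ini, "boot", "shell"):
        parts = value.split()
        for token in parts[1:]:  # anything after the shell program is extra text
            status = "DETECTED" if basename(token) in detected else "review"
            findings.append(("system.ini shell= (extra)", token, status))
        if parts and basename(parts[0]) != "explorer.exe":
            findings.append(("system.ini shell=", parts[0], "review"))
    return findings

if __name__ == "__main__":
    scan_list = ["C:\\WINDOWS\\msrexe.exe", "pkg2350.exe"]  # constructed scan results
    for where, entry, status in audit(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, scan_list):
        print(f"{status:9} {where:26} {entry}")
```

Entries marked `review` are not on the detected list; per the guide, leave them alone if they belong to programs you normally use.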

Did you even read my post? The key point is in the topic. I can't log on to my PC. I can't log on. I see my DESKTOP but it soon vanishes as I LOG OFF my PC. I can't do anything except boot up. I cannot install software so Xenojjin, no, I will not be installing Linux because I CAN'T. I can't even check my e-mail because some b****** won't let me! Got it now?


Geez decaf big guy. I was trying to help.

Have you had experience booting in safe mode?


Well you didn't seem to help much. Sorry, but I'm very p***ed now and I've noticed that people don't read and understand my posts fully a lot of the time. They miss out whole sentences that are a very important part of my post.

I've tried it in safe mode but it still doesn't work. I think I've tried it in every mode available but it still doesn't work. I think all of those modes require logging on so I can't do much in that area really.


I understand that you can't log in. Are you having trouble logging into just one account or every account? Can you still log into admin?

If you still can't log in then the last option is reformat your computer.

I've now got some more information about the virus that Norton detects just before logging me off.

Virus name: Backdoor Trojan

File: C:\windows\system32\ctlmfe.dll

Location: C:\windows\system32

Computer: D9KRRHOJ

User: System

Is there any way I can remove this while in a different mode like MS Dos?

There is a program that you copy onto a floppy disk, and while the computer is booting up it boots the program on the disk. This program is actually a hacking program; what it is supposed to do is get around the Windows security system, so you can put in your own SAM file. The SAM file contains the passwords to all the accounts.

I'll try and find that program, but I think that program only deletes the SAM; I'll see if it's able to delete other things.

I'm not exactly sure what that trojan is supposed to do. Some viruses are designed to shut down your computer a few minutes after you log on. (I know my school got that before.)


Fine, Fix it yourself then. I don't care how upset you are with your computer, you don't need to get so damned testy about it.

How am I supposed to know how to help you if you don't describe exactly what is going on? I was trying to ask a simple question to find out if you could boot into safe mode without any drivers to make the file changes that need to be made...

Am I supposed to read your mind? Crimany kid, go post in the Psychic Phenomena forum and see if someone can help you there.


Fine, Fix it yourself then. I don't care how upset you are with your computer, you don't need to get so damned testy about it.

I'm sure he's just p***ed 'cause his computer is not working.


I've already described what's going on. How else can I make it clearer? None of my accounts worked, I've tried all three of them. Even admin won't work. So if I reformat my PC is there any way to save my files in my hard drive?


So if I reformat my PC is there any way to save my files in my hard drive?

Yeah, but you probably won't be able to get 100% of all of your files back.

After you reformat there are a few file recovery programs that can recover some files, but not 100% of them.

That's what happens if you don't back up important files.

Don't do it yet unless you're 100% sure that you're going to do it.

I'm not quite sure what's preventing you from logging on, probably a virus like the one I mentioned earlier, but I can't be so sure.

Before you reformat I want to know 100% what your situation is:

1. You can't log in, like you enter your password and it comes up with some error?

If it's this one, what error did it say?

2. You can log in but some stupid virus, program etc. logs you back out?

If it is this one, does it just log you out straight away, or does some message pop up saying you will be logged out in 1:00 min etc., or does it log you out a few minutes after you log on without saying anything?


No, I don't think it even has a password. I just choose the account I want to use and it just logs on. It starts normally with my desktop image but then Norton notifies me of the virus I just mentioned, sometimes Panda tells me of a virus or something and within seconds I'm logged off. Sometimes I don't even get to the desktop. Under my log on icon it tells me I'm logging on, then it just starts saving and logging me out. There's something else I thought I already mentioned. I have the Panda icon in the bottom right of the screen when I'm at the log on menu.

I'm sorry for getting a bit p***ed earlier, but my PC is always getting problems like this. Is there any way you can help?


1. Buy new Hard Drive...Bigger and Faster than old one if possible.

2. Install XP on new drive, or Linux in Xenojjin's case.

3. Connect old hard drive as a slave drive.

4. Copy desperately needed files from old drive to new drive that you just so happened to format with the NTFS file system.

5. Format old drive and keep as a slave or give it to the kids next door to play with.

Problem solved.


Thanks, Oracle. So is that my only choice in the matter because it sounds kind of complicated? So is there any online guide that can help me with this? I haven't done anything like this before.


How long does it take for your computer to log off? The time factor may help you here. Or, here's another choice. Disable your log on/off feature and just reboot like normal. Your computer won't log off. This will give you the chance to do a full virus scan and delete the virus. The worst thing you can do at this point is reformat your computer because you will lose everything. Are you writing these posts from your computer or from another? If you have the time to write these posts from your computer, then that'll give you ample time to do a complete restore to, say... two months ago when you didn't have this problem. Restore, then do a virus scan. That's my advice.


Chris, try being a bit more friendly mate. Xeno and Fluffy were merely trying to help and you blew up. Just cheer up, it isn't the end of the world. XP has its downfalls, trust that.


I'm posting from another computer. I don't even have enough time for the desktop to load so doing anything on there would be impossible.

So how do I disable my log on/off feature? I doubt this will work though as I can do almost nothing. I have a host computer, is it possible to control my XP computer from there?

At the moment I think Oracle's idea might be the best and easiest solution.


1. Buy new Hard Drive...Bigger and Faster than old one if possible.

2. Install XP on new drive, or Linux in Xenojjin's case 

3. Connect old hard drive as a slave drive.

4. Copy desperately needed files from old drive to new drive that you just so happened to format with the NTFS file system 

5. Format old drive and keep as a slave or give it to the kids next door to play with

That's a good idea, why didn't I think of that?

Maybe I was trying to think of a solution without spending any $$$.

You could just borrow a hard drive from someone; that way you won't need to spend $$$.

If you need a tutorial just go to Google and type this in (installing hard drive). After you know how to put in a second hard drive, install Win XP on the new hard drive.

I have a host computer, is it possible to control my XP computer from there?

Do you have like a Windows server or something?

If you do, you can create an admin account on the server and log in with the computer that had the problem. (I doubt it will work.)

If you don't have the server, are you talking about remote desktop?

If you are, then the problem computer must use Windows XP Pro and use the admin account or an account that you allow remote access. (I doubt this will work; I think the virus will do something.)

So how do I disable my log on/off feature?

I think you need to be able to log in with an admin in order to do this.

Just go to control > user account and it should be there somewhere.


As Fulltimekiller suggested, if you don't have the money for a new HDD then borrow one if you can.

Follow what I said earlier (replacing new drive with borrowed drive) and once you have retrieved wanted information you can then format the problem drive, install windows on to it, put borrowed drive back in as a slave, transfer wanted information back to newly formatted old drive and take borrowed drive back to the good mate you borrowed it from.

Original plan is much better...you end up with new larger, faster hard drive and a fresh new installation of Windows XP.


Well I have a 20Gb hard drive in the loft but the files that I want to keep are about 26Gb and I don't think I know anyone who has a spare hard drive. I think I'll just learn to live without my PC and try to save enough money to buy a bigger hard drive.

Now when I do manage to do this can anyone recommend some software that's best for blocking this kind of stuff? I heard that Norton Internet Security was good but the 2004 version is sh** and you can't use Windows Update with it. People even said that the whole Norton software is a waste of money.


You don't need to go to the hassle of doing all of that HD swapping.

Create a boot disk, or use the one that came with your antivirus software. If you boot directly into command prompt mode you can use the utilities on the floppy to delete the offending files that are causing the problem.

Swapping hard drives is unneeded at this point. It will fix the problem, but will be far more work than is needed.

With a boot disk, you will be able to remove the files in command prompt mode before they get started by Windows. It is simple, and quick.


Norton is crap, I agree. The product has gone downhill fast these last couple of years. It doesn't even catch most viruses.

As for your computer, Chris... go to Safe Mode on your computer and shut off Log on/off mode. Then reboot normally, your problems should be fixed then.
