ChrisB

Got an IBM NetVisa A40 running Win 2000 Pro. I applied SP2 a few weeks back to get it into line after it was infected with various viruses like Funlove.

It was running fine earlier in the week - I logged onto it once last weekend.

Now, when you hit CTRL+ALT+DEL to logon, you enter a username and password as normall. The logon process starts - "Applying your personal settings" is displayed. Almost immediately, "Saving your personal settings" appears and you are returned back to the C+A+D logon screen. No sign of the desktop.

You get the same result on various accounts on different domains AND for the local admin account.

Suggestions or seen before? Searching Deja.com shows only one person has seen this before but no replies.

TIA,
Chris.

super_si

i uninstalled that had problems getting online n yahoo java thingy

Si

ChrisB

Uninstalled what?

super_si

sp2

ChrisB

Hmmm. Has been working fine with SP2 for a couple of weeks.

Also, if you can't log on, how do you un-install SP2?

mega_stream

Emm, so basically log on and uninstall SP2

How's he gonna do that then!

mega_stream

Beat me to it

ChrisB

Stumped with it at the moment. Might try last known good I think.

HHxx

Sounds like I joke I once played on someone... Used the "Run" thingy (technical term ) to call rundll with the logout options But can't remember how to fix it.

Errr, off the top of my head, try, if you can, look though the registry using a remote computer.

H

ChrisB

Safe Mode and Last Known Good both suffer the same.

Will look at the Registry.

ChrisB

I can see a share off the PCs hard drive over the network. Hmmm!

super_si

hmmmmmmmm hard lol thats taxing

can you not wipe n reinstall?

David_Wallis

run regedt32 connect to the machine and have a look in:

Hkey localmachine\software\microsoft\windows\currentver sion\run

delete every value, just to be on the safe side...
remove anything from startup folder

check to see what hklm\software\microsoft\windows\currentversion\win logon\ginadll is set to..

CHeck no autologon stuff set.. shouldnt cause probs. but check it..

Hold down shift whilst logging on..

Copy a new copy of explorer.exe on... as it may not be able to load the shell... or maybe corrupt.

check to see if the shell has been changed... cant remember the key though...

David

[Edited by David_Wallis - 6/13/2002 1:23:55 PM]

nigelward

If it is possible to see the machine across the network check the registy remotely using regedt32.exe (being logged in to the remote PC as domain administrator is the easiest here).

Once in check:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnceEx

and see if anything interesting has been added.

I don't believe the rundll32 log out will work on an NT based machine (the processes priviledges are insufficient to do this).

It could a piece of software that has been installed that requires a reboot at the end of the install but the author has not written the installer correctly (there are quite a few like this).

Or it could be another virus.

Nigel

ChrisB

Just remotely virus scanning the PC again.

Still riddled with FunLove. Time to FDISK I think.

ChrisB

Ahh, x-posted with David and Nigel. I'll check them first but vaping it is needed I think.

Mmc.exe, userinit.exe and tlntsvr.exe have been infected so far.

Andrewza

Was about to ask how exactly installin SP2 would remove a nice virus infestation

ChrisB

I'd virus scanned the PC several times and it looked clear. Didn't have the time to format and re-install that day.

The Windows Installer Service had been killed, so I SP2'd it to put it back so I could get Office 2000 back on (which was also AWOL thanks to the virus).

David_Wallis

copy these back of the cd using the expand util..

David

ChrisB

We've got a spare desktop to drop in, so we can take our time rebuilding this one.

David_Wallis

Does that mean that you cant be @ssed fixing it and your just going to rebuild?

david

ChrisB

Erm, yup

If we take the PC back to our office, I can get somebody else to do it