Editing Registry from Recovery Console

Guest

Hello,

Whenever I log on to my system it goes thru the motions then immediately
logs me out - not allowing me to do anything. I'm pretty sure this is the
result of spyware and I need to edit my registry settings. I boot into the
recovery console, but none of the commands available after that allow me to
edit the registry.

Is there a way to edit the registry from the recovery console?

Thanks!
- Rob
 
Rob Hoffman

This sounds like it might be caused by the removal of the wsaupdater.exe.
A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
a file called wsaupdater.exe. It then modifies the registry so that when
you log on the wsaupdater.exe file is executed. After removing the spyware,
(via Adaware, SpyBot S&D, or another spyware detection tool), the
wsaupdater.exe is removed, but the registry still points to it and tries to
execute it during login.

The best procedure to correct this is:

1. Boot into recovery console. More info can be found at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654

2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.

3. Reboot the system and log on.

4. Open regedit (from start->run type regedit)

5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe

6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
file.

At this point your system will be stable and allow you to log on
consistently. However, I would recommend following the guidelines in this
article
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFIND.A
to ensure the system is completely cleaned up.

Best Regards,
Rob Hoffman, MCSE
Microsoft Enterprise Support Engineer
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| Subject: Editing Registry from Recovery Console
| Date: Thu, 2 Dec 2004 08:31:08 -0800
| Newsgroups: microsoft.public.windowsxp.configuration_manage
|
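An added example, not part of the original thread: a small audit of the Winlogon Userinit value discussed in the reply above, flagging any program other than the path given in step 5. The function names audit_userinit and read_live_userinit are hypothetical, and the sample values are constructed.

```python
import ntpath

# Path taken from step 5 of the reply above.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _norm(path):
    # Windows paths are case-insensitive; compare in a normalized form.
    return ntpath.normcase(ntpath.normpath(path))


def split_userinit(value):
    """Userinit is a comma-separated list of programs; a trailing comma is normal."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def audit_userinit(value, expected=EXPECTED):
    """Return a list of findings; an empty list means the value looks clean."""
    entries = split_userinit(value)
    if not entries:
        return ["Userinit is empty"]
    want = _norm(expected)
    findings = ["unexpected program: " + e for e in entries if _norm(e) != want]
    if want not in [_norm(e) for e in entries]:
        findings.append("userinit.exe missing from Userinit")
    return findings


def read_live_userinit():
    """Read the real value; Windows only, since winreg exists only there."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample values, not captured from a real system.
    samples = [
        r"C:\WINDOWS\system32\userinit.exe,",
        r"C:\WINDOWS\system32\wsaupdater.exe,",
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe",
    ]
    for sample in samples:
        print(sample, "->", audit_userinit(sample) or "clean")
```

On a running Windows system, `audit_userinit(read_live_userinit())` checks the live value instead of the samples.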
 
