login then log out upon boot

Guest

inlaw just showed up with an e machine, (laptop) they constantly had a pop-up
indicating spyware. apparently someone (neighbour), could not remove the
spyware, and subsequently went into msconfig, and made a selective start-up,
turning off who knows what from starting. currently, the laptop boots to the
user id login (which it never did before), and when clicking the name, logs
the person in and then immediately logs them out. I have tried to do the
same in safe mode, reset to last known configuration that worked, etc. admin
etc, but same result each time. the recovery console is not installed on the
machine, and there are only 3 cd's from which to re-install the os, which will
wipe the drive (very bad thing here). currently there is about 25gigs, of
family photos, and family tree that is desperately required to be saved.
when attempting to use the 3 finger salute (ctrl, alt, delete), instead of
getting to the task manager, there was a pop-up indicating the admin has
revoked those privileges, (which i am assuming was the spyware causing that)
this occurred before the msconfig situation happened.

windows xp home edition o.e.m. unsure if it is fully updated??

any help would be appreciated to at least get into windows to back up the
data/photos before i nuke the drive.
 
You will have to remotely edit the registry on the machine. It doesn't
sound like that machine is part of a network so you will have to use a
Bart's PE disk or similar boot cd to access the registry on the machine.
If you cannot create a PE disk you will have to take the hard disk out
of the laptop and mount it to another Windows XP installation. If
taking the disk out of the laptop is not an option you can do a parallel
installation of Windows to access the files, if you have a Windows
2000/XP cd you can just install it to a different folder or partition,
without doing a format. If the cd is XP there is no need to activate,
just install it, salvage the files then use the restore disks that came
with the machine to wipe the drive and reinstall the operating system.

If you wish to attempt the registry edit let us know and we will tell
you how to proceed, it takes an intermediate to advanced set of skills
to create a PE disk and remotely edit the registry.

John
 

You have three tasks to deal with, in this order:

1. Get the message across to your inlaws that not backing up 25 GBytes
worth of irreplaceable family photos borders on insanity. A 2.5"
backup disk in an external USB case costs around $100 - what's
keeping them?

2. Extract the irreplaceable files before you attempt to repair things.
With some laptops it's easy to remove the disk. Put it into the
external USB case I mentioned above, then save the files to
some other machine.

3. Fix the looping logon problem. If the machine is networked
then this link might help:
http://support.microsoft.com/default.aspx?scid=kb;[LN];249321
If not then editing the registry in off-line mode will be required,
as suggested by John John. Post again for more details if you
need to go down this path.
 
yes. i would like to attempt to edit the registry. as i am currently
without additional hardware items (not at home), and would like to get this done
before the weekend if at all possible
 
Without additional hardware? What are you now using to post to the
newsgroups? You need to create a boot cd to fix this, you need a
Windows XP cd and a cd burner. You can create a Bart's PE disk and
include a registry editor plug-in with it or you can use the Ultimate
Boot CD for Windows:

http://www.nu2.nu/pebuilder/
http://www.ubcd4win.com/

Let us know if you can create one of these live disks.

John
 
yup downloaded and created..i'm currently in my office...corporate locked
hardware.. sux but i am unable to access any hardware resources, going to
pick up an additional portable usb drive @ best buy..walmart tomorrow to
hopefully mount the drive externally and borrow a laptop to save the data.
 
Now that you have created the boot cd just boot the computer with it and
use the registry plug-in utility to edit the offline registry. The
registry files are located in the following folder:

\WINDOWS\system32\config

The hive that you need to load and edit is the SOFTWARE hive, the one
without an extension.

Go to the following key and check the userinit value and make sure that
it contains only the information as shown below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value name: Userinit

Value data: C:\WINDOWS\system32\userinit.exe,


*Note the comma at the end of the value string*

The value at the userinit value is often changed by virus or other such
pests. Run virus and spyware scans on the machine to make sure that it
is free of pests.

Windows Log on and Log off immediately.
http://support.microsoft.com/kb/555648

http://groups.google.com/group/micr...b/adc14c8b577b2edb?lnk=st&q=#adc14c8b577b2edb

John
 
i take it..?? that i remove the comma?? the string appears to be intact
when opened in the editor. i have removed the comma then saved the edit, and
rebooted, with no change to the start-up login/logout
 
No, the comma *must* be present! If the userinit value is exactly as
shown then there is a possibility that the userinit.exe file itself
might have been removed by malware. Extract the file from the Windows
XP cd and place it in the \windows\system32\ folder.

If the user still cannot logon after ensuring that the file is present
and in its proper location and that the registry entry is correct, then
another possibility is that the boot partition drive letter has been
changed. See here for more information on how to go about fixing this
problem:

How to restore the system/boot drive letter in Windows
http://support.microsoft.com/kb/223188/

Unable to log on if the boot partition drive letter has changed
http://support.microsoft.com/kb/249321/

Note that KB249321 provides several solutions, only one need be
performed. With your PE disk you have already gained access to the
registry of the non booting installation so most of the steps there do
not need to be carried out. Using FDISK /MBR can be a simple method to
use on computers with single disks and single partitions.

John
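
An added example, not part of the thread or of any tool named in it: a Python check covering the two things John's replies say to verify, the Userinit value data read from the offline SOFTWARE hive and the presence of userinit.exe on the mounted volume. The expected string is the one given in the thread; the function names and sample values are constructed for illustration, and the value data is assumed to have been read out with the boot CD's registry editor.

```python
import ntpath
import os

# Value data the thread gives for Winlogon\Userinit on Windows XP.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe,"

def audit_userinit(value_data, expected=EXPECTED):
    """Return findings for a Userinit value; an empty list means it matches."""
    want = ntpath.normcase(expected.rstrip(","))
    raw = value_data.strip()
    findings = []
    if not raw.endswith(","):
        findings.append("trailing comma missing")
    entries = [e.strip().strip('"') for e in raw.split(",") if e.strip()]
    seen_expected = False
    for entry in entries:
        norm = ntpath.normcase(ntpath.normpath(entry))
        if norm == want:
            seen_expected = True
        elif ntpath.basename(norm) == "userinit.exe":
            findings.append("userinit.exe at unexpected path: " + entry)
        else:
            findings.append("extra program started at logon: " + entry)
    if not seen_expected:
        findings.append("expected userinit.exe entry not present")
    return findings

def find_ci(root, *parts):
    """Case-insensitive lookup of parts under root; returns the path or None."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path

def userinit_file_present(volume_root):
    """True if WINDOWS/system32/userinit.exe exists on the mounted volume."""
    found = find_ci(volume_root, "WINDOWS", "system32", "userinit.exe")
    return found is not None and os.path.isfile(found)

if __name__ == "__main__":
    # Constructed sample values, not taken from the machine in the thread.
    for sample in (EXPECTED, EXPECTED.rstrip(","),
                   r"C:\WINDOWS\system32\userinit.exe,C:\example\helper.exe,"):
        print(repr(sample), "->", audit_userinit(sample) or "OK")
```
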
 
