This happened right after you cleaned the machine with Ad-aware, correct?
If you are lucky and are using the FAT or FAT32 file system instead of NTFS
you can boot the machine with a floppy. Find the file
"C:\WINDOWS\system32\userinit.exe" and make a second copy of it called
"wsaupdater.exe". Now try to log into the machine. If it works you have to
then correct the registry to point back to the proper "userinit.exe", then
when that works you can delete the "wsaupdater.exe". There may also be an
entry in the "system.ini" that needs to be fixed as well in some cases.
I believe the registry entry is found in:
HKLM/System\CurrentControlSet\Services\Eventlog\Application\Userinit
HKLM/System\CurrentControl001\Services\Eventlog\Application\Userinit
HKLM/System\CurrentControl002\Services\Eventlog\Application\Userinit
The correct value for all three is "%SystemRoot%\System32\userinit.exe"
The fourth location, and the *most* important is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The correct value for Userinit should be "C:\WINDOWS\system32\userinit.exe"
If you run NTFS then you may have to put the drive temporarily into another
machine as a slave drive to make the copy of the file as described above.
The RConsole might let you do that too if you use it instead. If the RConsole
isn't installed it can be run by booting from the original CD and going into
"Repair using Recovery Console".
What happens is that Spyware called WSA Updater copies itself into the
System32 folder and alters the registry to point to it during the login
process instead of the original "userinit.exe". When you run Ad-Aware it
removes the file but does not correct the registry entry that goes with
it. Since the machine can no longer find the file directed by the
registry during logon, the logon process aborts and returns to the
Ctrl-Alt-Del prompt.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
fergynm said:
Running W2K SP4 on a domain network; after typing in network password the
window pops up indicating it is loading local settings, but then the screen
reverts back to the CTRL-ALT-DEL login prompt. I suspect malware, but has
anyone else seen this?
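
The Winlogon Userinit check described in the reply above, as an added example that is not part of the original thread: it flags any entry that is not the stock userinit.exe and any entry whose file no longer exists, which is the condition that sends logon back to the Ctrl-Alt-Del prompt. The function names, the default system root and the sample value are assumptions made for illustration.

```python
import ntpath
import os
import re

try:
    import winreg  # only available on Windows
except ImportError:
    winreg = None

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_userinit(value, system_root=r"C:\WINDOWS", exists=None):
    """Return (entry, problem) pairs for a raw Winlogon Userinit string.

    value may hold several comma-separated programs, often with a trailing comma.
    exists is an optional callable(path) -> bool used to spot deleted files.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    if not entries:
        return [("", "Userinit is empty")]
    findings = []
    for entry in entries:
        # Expand %SystemRoot% by hand so a value copied from an offline disk works too.
        path = re.sub(r"(?i)%systemroot%", lambda m: system_root, entry)
        if ntpath.normcase(ntpath.normpath(path)) != expected:
            findings.append((entry, "not the stock userinit.exe"))
        if exists is not None and not exists(path):
            findings.append((entry, "file missing"))
    return findings


def read_live_userinit():
    """Read the value from the running machine; returns None when not on Windows."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    live = read_live_userinit()
    # Constructed sample of a hijacked value, used only when not run on Windows.
    value = live if live is not None else r"C:\WINDOWS\system32\wsaupdater.exe,"
    check = os.path.exists if live is not None else None
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    for entry, problem in audit_userinit(value, root, check):
        print(f"{entry}: {problem}")
```

Pass the machine's real system root (for example the value of %SystemRoot%) when it differs from the default, otherwise a legitimate entry is reported as non-stock.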