So, my daughter has not been following the safe computing practices I taught her and has managed to get her machine hacked up. (I word it this way because with the degree to which I harp on this, she said she felt like she was doing something like telling me she was pregnant. :-))
Anyway ... Other than reinstalling the OS, I am stumped and want to solicit advice before I go to that extreme.
The problem is this. Something hijacked her registry and changed the Winlogon key so that it accesses an infected program instead of userinit.exe when executing a logon sequence. The anti-virus software she has detected the virus, but not before it had done this level of damage. It then deleted the infected program. Result: When you log on to Windows, it immediately logs back off because it can't find the program the registry is telling it to find. You can't log in to anything, not in safe mode, not as a different user, not as admin ... nothing. It simply reverts back to the logon screen a couple of seconds after entering your password.
One suggestion I found on the web noted that Ad-Aware can cause this problem by removing a hijacker program. It changes the key to look for a file called wsaupdater.exe. The solution they offer is to enter the Windows Recovery Console (which I can do) and copy userinit.exe to wsaupdater.exe. This only works, however, if the problem was in fact caused by this piece of malware. Apparently her problem wasn't, so doing this doesn't help. I also used a Linux Live boot disc to browse the drive and see if I could find clues, but I got frustrated and ended up here.
What I need is to be able to find the value of this registry key and either change it, which as far as I know cannot be done unless you can boot into Windows, or mimic it, which I could do if I knew the name.
Does anyone have any suggestions at all regarding editing/viewing the Windows registry on a machine that doesn't allow you to log in to Windows?
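
As an added illustration of the Winlogon check the post describes (not part of the original post): this Python example reads .reg-style text exported from the machine's offline SOFTWARE hive and lists every Userinit or Shell entry that is not the stock default. The export step, the function names, the expected defaults and the sample text are assumptions; the sample is constructed.

```python
import re

# Stock values (assumption: Windows is installed under C:\Windows).
EXPECTED = {"userinit": {r"c:\windows\system32\userinit.exe"}, "shell": {"explorer.exe"}}

def decode_value(raw):
    """Decode a .reg value: quoted string, or hex(1)/hex(2) UTF-16LE bytes."""
    raw = raw.strip()
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    m = re.match(r"hex\([12]\):(.*)", raw, re.S)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw

def winlogon_values(reg_text):
    """Return {lowercased name: value} for the Winlogon key in .reg-style text."""
    text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join wrapped hex lines
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.rstrip("]").lower().endswith(r"\currentversion\winlogon")
        elif in_key:
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                values[m.group(1).lower()] = decode_value(m.group(2))
    return values

def audit(reg_text):
    """List (value name, entry) pairs that differ from the stock defaults."""
    vals, findings = winlogon_values(reg_text), []
    for name, allowed in EXPECTED.items():
        for entry in vals.get(name, "<missing>").split(","):
            entry = entry.strip().strip('"')
            if entry and entry.lower() not in allowed:
                findings.append((name, entry))
    return findings

# Constructed sample: Userinit pointed at wsaupdater.exe, stored as hex(1).
_HEX = ",".join(f"{b:02x}" for b in
                "C:\\WINDOWS\\system32\\wsaupdater.exe,\0".encode("utf-16-le"))
SAMPLE = ("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
          "\\CurrentVersion\\Winlogon]\n"
          '"Shell"="Explorer.exe"\n'
          f'"Userinit"=hex(1):{_HEX}\n')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An entry reported for Userinit is the file name Winlogon is trying to launch at logon, which is the value the post is looking for.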