Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Users (without passwords) logged out after login


  • Please log in to reply
1 reply to this topic

#1 mikb

mikb

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:28 AM

Posted 10 November 2010 - 01:08 AM

I have a client's machine here, running xp pro 32-bit and the problem is that as soon as any user (including administrator in safe mode) clicks on their icon on the welcome screen, their profile starts to load, then they are immediately logged off.

The system is dual boot - it has an XP 64 pro instance on volume C:, but they don't use that because drivers for important bits of hardware aren't available. The 32 bit instance is on D:

They have some software installed for specific vertical applications that they're not sure they have the licence keys for still, so I'm trying to avoid wipe and reload.

I've pulled the drive out, plugged it into my machine, and run malwarebytes over it, removing 45 nasties from D:.

I've manually checked the registry by loading the software hive into regedit on the 64 bit instance, and confirmed that the HKLM\Software\Microsoft\Windows NT\Winlogin userinit points to D:\WINDOWS\System32\userinit.exe, (yes the comma is properly there!)

I can't find any instances of wsaupdater.exe in the file system, or referred to in the registry.

Does anyone have any suggestions as to what action I can take next?

BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,317 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:28 AM

Posted 10 November 2010 - 07:29 AM

Hi, did the following file somehow get deleted? wincpack.exe

Try to create a copy of c:\windows\system32\userinit.exe, paste it in the Windows folder and rename it to wincpack.exe

See if the logon is successful afterwards.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users