[Nebulousity]

Last night I took the recommendation of Jeruvy and Arctik at this post and ran my virus checker (AVG) and spyware program (Spybot) in Safe Mode. You can read about the erratic behavior I was trying to correct in that post, but it's not directly related to the problem at hand.

AVG found no problem, but Spybot found one malware program that it didn't find when not in Safe Mode: W32/GGDoor

I had Spybot correct it, which it said it did successfully. While I was in Safe Mode, I went ahead and cleaned up a bunch of temp files in each account's %temp% folder. I then rebooted.

Since the reboot, I cannot properly log in to Windows -- not in regular mode nor in Safe Mode. When I log into any of the accounts (this is XP Home with multiple accounts), Windows logs me in, but before much of anything else happens, it says it is logging me back out.

The data on my hard drive is VERY CRITICAL.

I did my research. Rollin' Rog mentioned my exact symptoms in a reply to zillah. I read the MS KB article RR pointed to. I have spent hours (with several setbacks) making it happen, but I finally was able to make a copy of userinit.exe and rename it wsaupdater.exe. I restarted but that didn't help. As RR said, it could be any of a number of malware programs other than that one. I don't know -- and haven't been able to find out -- if W32/GGDOOR does something similar. There seems to be very little out there in the ether about this malware.

I do have access to the Recovery Console from my XP CD, which is how I did the above.

I have another computer with WINXP and have been meaning to build it to replace the one I have been using anyway, so my next thing I tried was to use an IDE=>USB converter to connect that hard drive to the newer computer. I was able to see all the files and copy them over from all of the accounts except my own!! And mine are the ones that are very critical.

I think in WINXP there is a place to decide whether you want other people on that computer to be able to see your files and folders. Maybe the answer was YES for the other accounts and NO for mine, I'm not sure.

If someone can tell me how to complete either of those fixes -- see the registry and fix it and/or transfer the files from my account from the hard drive of my old computer to the hard drive on the new computer -- I would be greatly pleased.

Thank you,

Nebulousity

[Nebulousity]

I used Bart PE (Ultimate Boot Disk for Windows) and was able to edit the registry. WARNING - UBDW can take hours to create, but it's an awesome tool!!! Sorry, it's 1:45am and I've been up since 6am, no energy to find links, but their everywhere).

What I needed to change was the value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The value should say "userinit.exe," (including the comma). Instead it said "userints.exe," (also including the comma). It must have been related to the W32/GGDoor malware, although I'm finding nearly nothing in a Google search about either W32.GGDoor or userints.exe.

Hmmm... Anyway, I'm off to bed!