I have a toshiba laptop that was infected with some downloader trojan.
Norton Internet Security caught and resolved the file. After reboot, when
typing in the password the desktop background picture comes up, I get a
"Loading your Settings" for about 5 seconds, then the screen flashes really
fast, then I get a "Logging off" and it takes me back to the log-in
screen....

This happens under local Administrator account and in All Safe modes,,,,, to
include safe mode with command prompt....

On Google search it pulled up a similar issue and suggested that it was a
missing file called userinit.exe or a wuaupdater.exe file that was
missing....

I slaved in the drive to my PC using a HD to USB adapter and was able to
access the whole drive. I replaced those files with known good ones (they
were both missing on the laptop HD) but the problem still exist.

I also took the c:\windows\system32\config files (registry files) and
renamed them, then took the repair files from c:\windows\repair and copied
them into the c:\windows\system32\config folder and was able to log into the
laptop then however all the applications were not functioning properly and
would have to be reinstalled.

I know the problem must exist in those registry files somewhere... but how
to fix it is at a loss...

I tried running Commander from CD but it won't run on that laptop... says
something like pci.sys fail with a blue screen.... but this is a seperate
problem than the one I post here....

I don't know what else to do short of reinstalling the laptop from scratch
again....

Any suggestions

Have you tried System Restore using a restore point created before the
problem started.

JS

"Tim_S" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a toshiba laptop that was infected with some downloader trojan.
>Norton Internet Security caught and resolved the file. After reboot,
>when typing in the password the desktop background picture comes up, I get
>a "Loading your Settings" for about 5 seconds, then the screen flashes
>really fast, then I get a "Logging off" and it takes me back to the log-in
>screen....
>
> This happens under local Administrator account and in All Safe modes,,,,,
> to include safe mode with command prompt....
>
> On Google search it pulled up a similar issue and suggested that it was a
> missing file called userinit.exe or a wuaupdater.exe file that was
> missing....
>
> I slaved in the drive to my PC using a HD to USB adapter and was able to
> access the whole drive. I replaced those files with known good ones
> (they were both missing on the laptop HD) but the problem still exist.
>
> I also took the c:\windows\system32\config files (registry files) and
> renamed them, then took the repair files from c:\windows\repair and copied
> them into the c:\windows\system32\config folder and was able to log into
> the laptop then however all the applications were not functioning properly
> and would have to be reinstalled.
>
> I know the problem must exist in those registry files somewhere... but how
> to fix it is at a loss...
>
> I tried running Commander from CD but it won't run on that laptop... says
> something like pci.sys fail with a blue screen.... but this is a seperate
> problem than the one I post here....
>
> I don't know what else to do short of reinstalling the laptop from scratch
> again....
>
> Any suggestions
>
>

"Tim_S" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a toshiba laptop that was infected with some downloader trojan.
>Norton Internet Security caught and resolved the file. After reboot,
>when typing in the password the desktop background picture comes up, I get
>a "Loading your Settings" for about 5 seconds, then the screen flashes
>really fast, then I get a "Logging off" and it takes me back to the log-in
>screen....
>
> This happens under local Administrator account and in All Safe modes,,,,,
> to include safe mode with command prompt....
>
> On Google search it pulled up a similar issue and suggested that it was a
> missing file called userinit.exe or a wuaupdater.exe file that was
> missing....
>
> I slaved in the drive to my PC using a HD to USB adapter and was able to
> access the whole drive. I replaced those files with known good ones
> (they were both missing on the laptop HD) but the problem still exist.
>
> I also took the c:\windows\system32\config files (registry files) and
> renamed them, then took the repair files from c:\windows\repair and copied
> them into the c:\windows\system32\config folder and was able to log into
> the laptop then however all the applications were not functioning properly
> and would have to be reinstalled.
>
> I know the problem must exist in those registry files somewhere... but how
> to fix it is at a loss...
>
> I tried running Commander from CD but it won't run on that laptop... says
> something like pci.sys fail with a blue screen.... but this is a seperate
> problem than the one I post here....
>
> I don't know what else to do short of reinstalling the laptop from scratch
> again....
>
> Any suggestions

Your suspicion is most likely correct: Windows is unable to locate
userinit.exe, probably because your system drive letter has changed.
Your first step should be to determine your current system drive letter.
You can do it like so:
- Start the problem machine but don't log on.
- Log on as administrator on a networked machine.
- Click Start / Run / cmd{OK}
- Type this command:
psexec \\xxx cmd.exe
(Replace xxx with the name or the IP address of the problem PC)
- Report the drive letter you see.

You can download psexec.exe from www.sysinternals.com.

I tried a restore back to the point I told it to not save restore points...
due to the previous virus I told it to disable system restore... any way i
tried to restore to the last point but it too failed...

The drive is C that returns... it hasn't changed because the system boots
all the way to the log on screen...

I think that something has deleted the registry key that calls
userinit.exe....

hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
proving problematic...

I wish there was a registry tool that could read/edit the stand alone
registry files... i.e. system, user, config etc...

while the drive is slaved in on a USB port.... I can move them, copy them,
and even delete them but I can't read inside of them.... If you know of a
tool... please inform....








"Pegasus (MVP)" wrote:

>
> "Tim_S" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >I have a toshiba laptop that was infected with some downloader trojan.
> >Norton Internet Security caught and resolved the file. After reboot,
> >when typing in the password the desktop background picture comes up, I get
> >a "Loading your Settings" for about 5 seconds, then the screen flashes
> >really fast, then I get a "Logging off" and it takes me back to the log-in
> >screen....
> >
> > This happens under local Administrator account and in All Safe modes,,,,,
> > to include safe mode with command prompt....
> >
> > On Google search it pulled up a similar issue and suggested that it was a
> > missing file called userinit.exe or a wuaupdater.exe file that was
> > missing....
> >
> > I slaved in the drive to my PC using a HD to USB adapter and was able to
> > access the whole drive. I replaced those files with known good ones
> > (they were both missing on the laptop HD) but the problem still exist.
> >
> > I also took the c:\windows\system32\config files (registry files) and
> > renamed them, then took the repair files from c:\windows\repair and copied
> > them into the c:\windows\system32\config folder and was able to log into
> > the laptop then however all the applications were not functioning properly
> > and would have to be reinstalled.
> >
> > I know the problem must exist in those registry files somewhere... but how
> > to fix it is at a loss...
> >
> > I tried running Commander from CD but it won't run on that laptop... says
> > something like pci.sys fail with a blue screen.... but this is a seperate
> > problem than the one I post here....
> >
> > I don't know what else to do short of reinstalling the laptop from scratch
> > again....
> >
> > Any suggestions
>
> Your suspicion is most likely correct: Windows is unable to locate
> userinit.exe, probably because your system drive letter has changed.
> Your first step should be to determine your current system drive letter.
> You can do it like so:
> - Start the problem machine but don't log on.
> - Log on as administrator on a networked machine.
> - Click Start / Run / cmd{OK}
> - Type this command:
> psexec \\xxx cmd.exe
> (Replace xxx with the name or the IP address of the problem PC)
> - Report the drive letter you see.
>
> You can download psexec.exe from www.sysinternals.com.
>
>
>

Use the Load Hive feature in Regedit. See here for easy to follow
instructions for remotely editing the registry:
http://www.rwin.ch/xp-live/regedit.htm

John

Tim_S wrote:

> I tried a restore back to the point I told it to not save restore points...
> due to the previous virus I told it to disable system restore... any way i
> tried to restore to the last point but it too failed...
>
> The drive is C that returns... it hasn't changed because the system boots
> all the way to the log on screen...
>
> I think that something has deleted the registry key that calls
> userinit.exe....
>
> hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
> proving problematic...
>
> I wish there was a registry tool that could read/edit the stand alone
> registry files... i.e. system, user, config etc...
>
> while the drive is slaved in on a USB port.... I can move them, copy them,
> and even delete them but I can't read inside of them.... If you know of a
> tool... please inform....
>
>
>
>
>
>
>
>
> "Pegasus (MVP)" wrote:
>
>
>>"Tim_S" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>
>>>I have a toshiba laptop that was infected with some downloader trojan.
>>>Norton Internet Security caught and resolved the file. After reboot,
>>>when typing in the password the desktop background picture comes up, I get
>>>a "Loading your Settings" for about 5 seconds, then the screen flashes
>>>really fast, then I get a "Logging off" and it takes me back to the log-in
>>>screen....
>>>
>>>This happens under local Administrator account and in All Safe modes,,,,,
>>>to include safe mode with command prompt....
>>>
>>>On Google search it pulled up a similar issue and suggested that it was a
>>>missing file called userinit.exe or a wuaupdater.exe file that was
>>>missing....
>>>
>>>I slaved in the drive to my PC using a HD to USB adapter and was able to
>>>access the whole drive. I replaced those files with known good ones
>>>(they were both missing on the laptop HD) but the problem still exist.
>>>
>>>I also took the c:\windows\system32\config files (registry files) and
>>>renamed them, then took the repair files from c:\windows\repair and copied
>>>them into the c:\windows\system32\config folder and was able to log into
>>>the laptop then however all the applications were not functioning properly
>>>and would have to be reinstalled.
>>>
>>>I know the problem must exist in those registry files somewhere... but how
>>>to fix it is at a loss...
>>>
>>>I tried running Commander from CD but it won't run on that laptop... says
>>>something like pci.sys fail with a blue screen.... but this is a seperate
>>>problem than the one I post here....
>>>
>>>I don't know what else to do short of reinstalling the laptop from scratch
>>>again....
>>>
>>>Any suggestions
>>
>>Your suspicion is most likely correct: Windows is unable to locate
>>userinit.exe, probably because your system drive letter has changed.
>>Your first step should be to determine your current system drive letter.
>>You can do it like so:
>>- Start the problem machine but don't log on.
>>- Log on as administrator on a networked machine.
>>- Click Start / Run / cmd{OK}
>>- Type this command:
>> psexec \\xxx cmd.exe
>> (Replace xxx with the name or the IP address of the problem PC)
>>- Report the drive letter you see.
>>
>>You can download psexec.exe from www.sysinternals.com.
>>
>>
>>

I was able to load the Hive... thanks for the tip John...!!!...

While I was looking at the default hive, the WindowsNT key only had 3
entries in the key...

I used mine XP-Pro as an example and manually created the keys to match
mine.... to include the userinit key and pointing to the userinit.exe
file....

The tricks that worked for others didn't work for this.. it is still logging
on, flash, immediate log off back to log-in screen.

Any other tricks?

Tommorrow I will use the restore disk if no hits here....



"John John (MVP)" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Use the Load Hive feature in Regedit. See here for easy to follow
> instructions for remotely editing the registry:
> http://www.rwin.ch/xp-live/regedit.htm
>
> John
>
> Tim_S wrote:
>
>> I tried a restore back to the point I told it to not save restore
>> points... due to the previous virus I told it to disable system
>> restore... any way i tried to restore to the last point but it too
>> failed... The drive is C that returns... it hasn't changed because the
>> system boots all the way to the log on screen...
>>
>> I think that something has deleted the registry key that calls
>> userinit.exe....
>>
>> hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
>> proving problematic...
>>
>> I wish there was a registry tool that could read/edit the stand alone
>> registry files... i.e. system, user, config etc...
>>
>> while the drive is slaved in on a USB port.... I can move them, copy
>> them, and even delete them but I can't read inside of them.... If you
>> know of a tool... please inform....
>>
>>
>>
>>
>>
>>
>>
>>
>> "Pegasus (MVP)" wrote:
>>
>>
>>>"Tim_S" <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed)...
>>>
>>>>I have a toshiba laptop that was infected with some downloader trojan.
>>>>Norton Internet Security caught and resolved the file. After reboot,
>>>>when typing in the password the desktop background picture comes up, I
>>>>get a "Loading your Settings" for about 5 seconds, then the screen
>>>>flashes really fast, then I get a "Logging off" and it takes me back to
>>>>the log-in screen....
>>>>
>>>>This happens under local Administrator account and in All Safe
>>>>modes,,,,, to include safe mode with command prompt....
>>>>
>>>>On Google search it pulled up a similar issue and suggested that it was
>>>>a missing file called userinit.exe or a wuaupdater.exe file that was
>>>>missing....
>>>>
>>>>I slaved in the drive to my PC using a HD to USB adapter and was able to
>>>>access the whole drive. I replaced those files with known good ones
>>>>(they were both missing on the laptop HD) but the problem still exist.
>>>>
>>>>I also took the c:\windows\system32\config files (registry files) and
>>>>renamed them, then took the repair files from c:\windows\repair and
>>>>copied them into the c:\windows\system32\config folder and was able to
>>>>log into the laptop then however all the applications were not
>>>>functioning properly and would have to be reinstalled.
>>>>
>>>>I know the problem must exist in those registry files somewhere... but
>>>>how to fix it is at a loss...
>>>>
>>>>I tried running Commander from CD but it won't run on that laptop...
>>>>says something like pci.sys fail with a blue screen.... but this is a
>>>>seperate problem than the one I post here....
>>>>
>>>>I don't know what else to do short of reinstalling the laptop from
>>>>scratch again....
>>>>
>>>>Any suggestions
>>>
>>>Your suspicion is most likely correct: Windows is unable to locate
>>>userinit.exe, probably because your system drive letter has changed.
>>>Your first step should be to determine your current system drive letter.
>>>You can do it like so:
>>>- Start the problem machine but don't log on.
>>>- Log on as administrator on a networked machine.
>>>- Click Start / Run / cmd{OK}
>>>- Type this command:
>>> psexec \\xxx cmd.exe
>>> (Replace xxx with the name or the IP address of the problem PC)
>>>- Report the drive letter you see.
>>>
>>>You can download psexec.exe from www.sysinternals.com.
>>>
>>>

There are other places in the registry that you may need to
modify. Did you try my suggestion with psexec.exe?


"Tim_S" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I was able to load the Hive... thanks for the tip John...!!!...
>
> While I was looking at the default hive, the WindowsNT key only had 3
> entries in the key...
>
> I used mine XP-Pro as an example and manually created the keys to match
> mine.... to include the userinit key and pointing to the userinit.exe
> file....
>
> The tricks that worked for others didn't work for this.. it is still
> logging on, flash, immediate log off back to log-in screen.
>
> Any other tricks?
>
> Tommorrow I will use the restore disk if no hits here....
>
>
>
> "John John (MVP)" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Use the Load Hive feature in Regedit. See here for easy to follow
>> instructions for remotely editing the registry:
>> http://www.rwin.ch/xp-live/regedit.htm
>>
>> John
>>
>> Tim_S wrote:
>>
>>> I tried a restore back to the point I told it to not save restore
>>> points... due to the previous virus I told it to disable system
>>> restore... any way i tried to restore to the last point but it too
>>> failed... The drive is C that returns... it hasn't changed because the
>>> system boots all the way to the log on screen...
>>>
>>> I think that something has deleted the registry key that calls
>>> userinit.exe....
>>>
>>> hklm\software\microsoft\windowsnt\winlogon.... but getting to the key
>>> is proving problematic...
>>>
>>> I wish there was a registry tool that could read/edit the stand alone
>>> registry files... i.e. system, user, config etc...
>>>
>>> while the drive is slaved in on a USB port.... I can move them, copy
>>> them, and even delete them but I can't read inside of them.... If you
>>> know of a tool... please inform....
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> "Pegasus (MVP)" wrote:
>>>
>>>
>>>>"Tim_S" <(E-Mail Removed)> wrote in message
>>>>news:(E-Mail Removed)...
>>>>
>>>>>I have a toshiba laptop that was infected with some downloader trojan.
>>>>>Norton Internet Security caught and resolved the file. After reboot,
>>>>>when typing in the password the desktop background picture comes up, I
>>>>>get a "Loading your Settings" for about 5 seconds, then the screen
>>>>>flashes really fast, then I get a "Logging off" and it takes me back to
>>>>>the log-in screen....
>>>>>
>>>>>This happens under local Administrator account and in All Safe
>>>>>modes,,,,, to include safe mode with command prompt....
>>>>>
>>>>>On Google search it pulled up a similar issue and suggested that it was
>>>>>a missing file called userinit.exe or a wuaupdater.exe file that was
>>>>>missing....
>>>>>
>>>>>I slaved in the drive to my PC using a HD to USB adapter and was able
>>>>>to access the whole drive. I replaced those files with known good
>>>>>ones (they were both missing on the laptop HD) but the problem still
>>>>>exist.
>>>>>
>>>>>I also took the c:\windows\system32\config files (registry files) and
>>>>>renamed them, then took the repair files from c:\windows\repair and
>>>>>copied them into the c:\windows\system32\config folder and was able to
>>>>>log into the laptop then however all the applications were not
>>>>>functioning properly and would have to be reinstalled.
>>>>>
>>>>>I know the problem must exist in those registry files somewhere... but
>>>>>how to fix it is at a loss...
>>>>>
>>>>>I tried running Commander from CD but it won't run on that laptop...
>>>>>says something like pci.sys fail with a blue screen.... but this is a
>>>>>seperate problem than the one I post here....
>>>>>
>>>>>I don't know what else to do short of reinstalling the laptop from
>>>>>scratch again....
>>>>>
>>>>>Any suggestions
>>>>
>>>>Your suspicion is most likely correct: Windows is unable to locate
>>>>userinit.exe, probably because your system drive letter has changed.
>>>>Your first step should be to determine your current system drive letter.
>>>>You can do it like so:
>>>>- Start the problem machine but don't log on.
>>>>- Log on as administrator on a networked machine.
>>>>- Click Start / Run / cmd{OK}
>>>>- Type this command:
>>>> psexec \\xxx cmd.exe
>>>> (Replace xxx with the name or the IP address of the problem PC)
>>>>- Report the drive letter you see.
>>>>
>>>>You can download psexec.exe from www.sysinternals.com.
>>>>
>>>>
>
>

*Bonjour Tim_S * !
<news:(E-Mail Removed)>

> I was able to load the Hive... thanks for the tip John...!!!...

> While I was looking at the default hive, the WindowsNT key only had 3 entries
> in the key...

> I used mine XP-Pro as an example and manually created the keys to match
> mine.... to include the userinit key and pointing to the userinit.exe
> file....

> The tricks that worked for others didn't work for this.. it is still logging
> on, flash, immediate log off back to log-in screen.

> Any other tricks?

Try with no path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=userinit.exe

Or try to copy recent hives from the SVI
http://fspsa.free.fr/images/cdr-svi/...i-snapshot.png

Part two ==>
http://support.microsoft.com/kb/307545
http://support.microsoft.com/kb/309531

--
Regards, Jean-François

JF wrote:

> Try with no path
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> Userinit=userinit.exe

There is a comma missing in your registry edit, this will cause userinit
to fail. I don't know what removing the path will do, maybe you know
something that I don't.

Typically the value should be:

C:\WINDOWS\system32\userinit.exe,

There are other causes for this reboot loop or boot failure, Pegasus
will no doubt review the different causes and suggest appropriate
measures to fix things.

John

*Bonjour John John (MVP) * !
<news:#StyM$(E-Mail Removed)>

> JF wrote:

> > Try with no path
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>> Userinit=userinit.exe

> There is a comma missing in your registry edit, this will cause userinit to
> fail.

It works without the comma but the use is to keep it.
So you can start other programs with :
userinit=userinit.exe, goodprogram.exe, badvirus.exe,


> I don't know what removing the path will do, maybe you know something
> that I don't.

Simply that it works without the path.
So you eliminate a possibly mistake as explained here
http://support.microsoft.com/kb/249321


Remember Pegasus said :
"Windows is unable to locate userinit.exe,
probably because your system drive letter has changed"



> Typically the value should be:
> C:\WINDOWS\system32\userinit.exe,

Yes, typically Windows is on C:\ and is called Windows.


> There are other causes for this reboot loop or boot failure, Pegasus will no
> doubt review the different causes and suggest appropriate measures to fix
> things.

> John


Since Tim said "the 'Windows NT' key only had 3 entries in the key" the
only thing possible seems to get a better hive from the SVI, or repare
Windows.

Also a simply CHKDSK /R from the Recovery Console is not a bad idea.

--
Regards, Jean-François