Xp log-on then log-off

 
 
Tim_S
 
      17th Aug 2008
I have a Toshiba laptop that was infected with some downloader trojan.
Norton Internet Security caught and resolved the file. After reboot, when
typing in the password the desktop background picture comes up, I get a
"Loading your Settings" for about 5 seconds, then the screen flashes really
fast, then I get a "Logging off" and it takes me back to the log-in
screen....

This happens under the local Administrator account and in all Safe modes, to
include safe mode with command prompt....

On Google search it pulled up a similar issue and suggested that it was a
missing file called userinit.exe or a wuaupdater.exe file that was
missing....

I slaved in the drive to my PC using a HD to USB adapter and was able to
access the whole drive. I replaced those files with known good ones (they
were both missing on the laptop HD) but the problem still exists.

I also took the c:\windows\system32\config files (registry files) and
renamed them, then took the repair files from c:\windows\repair and copied
them into the c:\windows\system32\config folder and was able to log into the
laptop then however all the applications were not functioning properly and
would have to be reinstalled.

I know the problem must exist in those registry files somewhere... but how
to fix it is at a loss...

I tried running Commander from CD but it won't run on that laptop... says
something like pci.sys fail with a blue screen.... but this is a separate
problem than the one I post here....

I don't know what else to do short of reinstalling the laptop from scratch
again....

Any suggestions


 
JS
      17th Aug 2008
Have you tried System Restore using a restore point created before the
problem started?

JS

Pegasus (MVP)
      17th Aug 2008

Your suspicion is most likely correct: Windows is unable to locate
userinit.exe, probably because your system drive letter has changed.
Your first step should be to determine your current system drive letter.
You can do it like so:
- Start the problem machine but don't log on.
- Log on as administrator on a networked machine.
- Click Start / Run / cmd{OK}
- Type this command:
psexec \\xxx cmd.exe
(Replace xxx with the name or the IP address of the problem PC)
- Report the drive letter you see.

You can download psexec.exe from www.sysinternals.com.


 
Tim_S
      18th Aug 2008
I tried a restore back to the point I told it to not save restore points...
due to the previous virus I told it to disable system restore... anyway I
tried to restore to the last point but it too failed...

The drive is C that returns... it hasn't changed because the system boots
all the way to the log on screen...

I think that something has deleted the registry key that calls
userinit.exe....

hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
proving problematic...

I wish there was a registry tool that could read/edit the stand alone
registry files... i.e. system, user, config etc...

while the drive is slaved in on a USB port.... I can move them, copy them,
and even delete them but I can't read inside of them.... If you know of a
tool... please inform....








John John (MVP)
 
      18th Aug 2008
Use the Load Hive feature in Regedit. See here for easy to follow
instructions for remotely editing the registry:
http://www.rwin.ch/xp-live/regedit.htm

John

Tim_S
      24th Aug 2008
I was able to load the Hive... thanks for the tip John...!!!...

While I was looking at the default hive, the WindowsNT key only had 3
entries in the key...

I used my XP-Pro as an example and manually created the keys to match
mine.... to include the userinit key and pointing to the userinit.exe
file....

The tricks that worked for others didn't work for this.. it is still logging
on, flash, immediate log off back to log-in screen.

Any other tricks?

Tomorrow I will use the restore disk if no hits here....



Pegasus (MVP)
      24th Aug 2008
There are other places in the registry that you may need to
modify. Did you try my suggestion with psexec.exe?


JF
      24th Aug 2008
*Bonjour Tim_S * !
<news:(E-Mail Removed)>

> I was able to load the Hive... thanks for the tip John...!!!...


> While I was looking at the default hive, the WindowsNT key only had 3 entries
> in the key...


> I used mine XP-Pro as an example and manually created the keys to match
> mine.... to include the userinit key and pointing to the userinit.exe
> file....


> The tricks that worked for others didn't work for this.. it is still logging
> on, flash, immediate log off back to log-in screen.


> Any other tricks?


Try with no path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=userinit.exe

Or try to copy recent hives from the SVI
http://fspsa.free.fr/images/cdr-svi/...i-snapshot.png

Part two ==>
http://support.microsoft.com/kb/307545
http://support.microsoft.com/kb/309531

--
Regards, Jean-François


 
John John (MVP)
      24th Aug 2008
JF wrote:

> Try with no path
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> Userinit=userinit.exe


There is a comma missing in your registry edit, this will cause userinit
to fail. I don't know what removing the path will do, maybe you know
something that I don't.

Typically the value should be:

C:\WINDOWS\system32\userinit.exe,

There are other causes for this reboot loop or boot failure, Pegasus
will no doubt review the different causes and suggest appropriate
measures to fix things.

John
 
JF
      24th Aug 2008
*Bonjour John John (MVP) * !
<news:#StyM$(E-Mail Removed)>

> JF wrote:


>> Try with no path
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>> Userinit=userinit.exe


> There is a comma missing in your registry edit, this will cause userinit to
> fail.


It works without the comma but the use is to keep it.
So you can start other programs with :
userinit=userinit.exe, goodprogram.exe, badvirus.exe,


> I don't know what removing the path will do, maybe you know something
> that I don't.


Simply that it works without the path.
So you eliminate a possible mistake as explained here
http://support.microsoft.com/kb/249321


Remember Pegasus said :
"Windows is unable to locate userinit.exe,
probably because your system drive letter has changed"



> Typically the value should be:
> C:\WINDOWS\system32\userinit.exe,


Yes, typically Windows is on C:\ and is called Windows.


> There are other causes for this reboot loop or boot failure, Pegasus will no
> doubt review the different causes and suggest appropriate measures to fix
> things.


> John



Since Tim said "the 'Windows NT' key only had 3 entries in the key" the
only thing possible seems to get a better hive from the SVI, or repair
Windows.

Also a simple CHKDSK /R from the Recovery Console is not a bad idea.

--
Regards, Jean-François
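
An added PowerShell example, not part of any post in this thread: it mounts the offline SOFTWARE hive from the attached disk (the command-line counterpart of Regedit's Load Hive), lists every comma-separated entry in the Winlogon Userinit value discussed above, and marks anything other than userinit.exe for review. The drive letter E:, the mount name OfflineSW and the function name Test-UserinitValue are assumptions; run it from an elevated session on the machine the disk is attached to.

```powershell
# Added example: audit the Winlogon Userinit value in an offline SOFTWARE hive.
# Assumptions (not from the thread): the suspect disk is attached as E:, the
# temporary mount name is OfflineSW, and this session is elevated.
$HivePath  = 'E:\WINDOWS\system32\config\software'
$MountName = 'OfflineSW'

function Test-UserinitValue {
    param([string]$Value)   # raw Userinit data; empty if the value is absent

    if ([string]::IsNullOrWhiteSpace($Value)) {
        return [pscustomobject]@{ Entry = '(value missing or empty)'; Status = 'MISSING' }
    }
    # Userinit is a comma-separated list and every entry is started at logon,
    # so each one is checked, not just the first.
    foreach ($item in ($Value -split ',')) {
        $entry = $item.Trim().Trim('"')
        if ($entry -eq '') { continue }          # the usual trailing comma
        $leaf = ($entry -split '\\')[-1]
        # Accept the bare file name or a path ending in \system32\userinit.exe.
        $ok = ($leaf -eq 'userinit.exe') -and
              (($entry -eq $leaf) -or ($entry -like '*\system32\userinit.exe'))
        [pscustomobject]@{ Entry = $entry; Status = $(if ($ok) { 'OK' } else { 'REVIEW' }) }
    }
}

# Mount the hive under HKLM, read the value, and always unmount afterwards.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
try {
    # HKLM\SOFTWARE is the root of this hive file, so the key path starts at Microsoft.
    $key   = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    Test-UserinitValue -Value $props.Userinit
}
finally {
    [gc]::Collect()    # drop registry handles PowerShell may still hold
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

An entry marked REVIEW is a prompt to inspect that file on the offline disk before the machine is booted again.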


 