Xp log-on then log-off

Tim_S

I have a Toshiba laptop that was infected with some downloader trojan.
Norton Internet Security caught and resolved the file. After reboot, when
typing in the password the desktop background picture comes up, I get a
"Loading your Settings" for about 5 seconds, then the screen flashes really
fast, then I get a "Logging off" and it takes me back to the log-in
screen....

This happens under local Administrator account and in All Safe modes,,,,, to
include safe mode with command prompt....

On Google search it pulled up a similar issue and suggested that it was a
missing file called userinit.exe or a wuaupdater.exe file that was
missing....

I slaved in the drive to my PC using a HD to USB adapter and was able to
access the whole drive. I replaced those files with known good ones (they
were both missing on the laptop HD) but the problem still exists.

I also took the c:\windows\system32\config files (registry files) and
renamed them, then took the repair files from c:\windows\repair and copied
them into the c:\windows\system32\config folder and was able to log into the
laptop then however all the applications were not functioning properly and
would have to be reinstalled.

I know the problem must exist in those registry files somewhere... but how
to fix it is at a loss...

I tried running Commander from CD but it won't run on that laptop... says
something like pci.sys fail with a blue screen.... but this is a separate
problem than the one I post here....

I don't know what else to do short of reinstalling the laptop from scratch
again....

Any suggestions
 
JS

Have you tried System Restore using a restore point created before the
problem started?

JS
 
Pegasus (MVP)

Tim_S said:
I have a Toshiba laptop that was infected with some downloader trojan.
Norton Internet Security caught and resolved the file. After reboot,
when typing in the password the desktop background picture comes up, I get
a "Loading your Settings" for about 5 seconds, then the screen flashes
really fast, then I get a "Logging off" and it takes me back to the log-in
screen....

This happens under local Administrator account and in All Safe modes,,,,,
to include safe mode with command prompt....

On Google search it pulled up a similar issue and suggested that it was a
missing file called userinit.exe or a wuaupdater.exe file that was
missing....

I slaved in the drive to my PC using a HD to USB adapter and was able to
access the whole drive. I replaced those files with known good ones
(they were both missing on the laptop HD) but the problem still exists.

I also took the c:\windows\system32\config files (registry files) and
renamed them, then took the repair files from c:\windows\repair and copied
them into the c:\windows\system32\config folder and was able to log into
the laptop then however all the applications were not functioning properly
and would have to be reinstalled.

I know the problem must exist in those registry files somewhere... but how
to fix it is at a loss...

I tried running Commander from CD but it won't run on that laptop... says
something like pci.sys fail with a blue screen.... but this is a separate
problem than the one I post here....

I don't know what else to do short of reinstalling the laptop from scratch
again....

Any suggestions

Your suspicion is most likely correct: Windows is unable to locate
userinit.exe, probably because your system drive letter has changed.
Your first step should be to determine your current system drive letter.
You can do it like so:
- Start the problem machine but don't log on.
- Log on as administrator on a networked machine.
- Click Start / Run / cmd{OK}
- Type this command:
psexec \\xxx cmd.exe
(Replace xxx with the name or the IP address of the problem PC)
- Report the drive letter you see.

You can download psexec.exe from www.sysinternals.com.
 
Tim_S

I tried a restore back to the point I told it to not save restore points...
due to the previous virus I told it to disable system restore... anyway I
tried to restore to the last point but it too failed...

The drive is C that returns... it hasn't changed because the system boots
all the way to the log on screen...

I think that something has deleted the registry key that calls
userinit.exe....

hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
proving problematic...

I wish there was a registry tool that could read/edit the stand alone
registry files... i.e. system, user, config etc...

while the drive is slaved in on a USB port.... I can move them, copy them,
and even delete them but I can't read inside of them.... If you know of a
tool... please inform....
 
Tim_S

I was able to load the Hive... thanks for the tip John...!!!...

While I was looking at the default hive, the WindowsNT key only had 3
entries in the key...

I used my XP-Pro as an example and manually created the keys to match
mine.... to include the userinit key and pointing to the userinit.exe
file....

The tricks that worked for others didn't work for this.. it is still logging
on, flash, immediate log off back to log-in screen.

Any other tricks?

Tomorrow I will use the restore disk if no hits here....
 
Pegasus (MVP)

There are other places in the registry that you may need to
modify. Did you try my suggestion with psexec.exe?
 
JF

Hello Tim_S!
I was able to load the Hive... thanks for the tip John...!!!...
While I was looking at the default hive, the WindowsNT key only had 3 entries
in the key...
I used my XP-Pro as an example and manually created the keys to match
mine.... to include the userinit key and pointing to the userinit.exe
file....
The tricks that worked for others didn't work for this.. it is still logging
on, flash, immediate log off back to log-in screen.
Any other tricks?

Try with no path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=userinit.exe

Or try to copy recent hives from the SVI
http://fspsa.free.fr/images/cdr-svi/cdr-svi-snapshot.png

Part two ==>
http://support.microsoft.com/kb/307545
http://support.microsoft.com/kb/309531
 
John John (MVP)

JF said:
Try with no path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=userinit.exe

There is a comma missing in your registry edit, this will cause userinit
to fail. I don't know what removing the path will do, maybe you know
something that I don't.

Typically the value should be:

C:\WINDOWS\system32\userinit.exe,

There are other causes for this reboot loop or boot failure, Pegasus
will no doubt review the different causes and suggest appropriate
measures to fix things.

John
 
JF

Hello John John (MVP)!
JF wrote:
There is a comma missing in your registry edit, this will cause userinit to
fail.

It works without the comma but the use is to keep it.
So you can start other programs with :
userinit=userinit.exe, goodprogram.exe, badvirus.exe,

I don't know what removing the path will do, maybe you know something
that I don't.

Simply that it works without the path.
So you eliminate a possible mistake as explained here
http://support.microsoft.com/kb/249321


Remember Pegasus said :
"Windows is unable to locate userinit.exe,
probably because your system drive letter has changed"


Typically the value should be:
C:\WINDOWS\system32\userinit.exe,

Yes, typically Windows is on C:\ and is called Windows.

There are other causes for this reboot loop or boot failure, Pegasus will no
doubt review the different causes and suggest appropriate measures to fix
things.


Since Tim said "the 'Windows NT' key only had 3 entries in the key" the
only thing possible seems to get a better hive from the SVI, or repair
Windows.

Also a simple CHKDSK /R from the Recovery Console is not a bad idea.
 
Tim_S

I was able to fix the issue by using the Load Hive method ..

The problem was in the "Software" hive...

The userinit key was pointing to a file called xwushzh.exe which of course
no longer existed...

problem solved..

By the way the issue came from My Space web site

Just a note this little file deleted the userinit.exe file itself.. and
changed the key... when Norton stopped it, it had already done some damage.
After Norton deleted the file xwusuhzh.exe, the registry key remained...
thus when trying to log-on, it would immediately log off... even though the
file .exe was no longer there, replacing only the userinit.exe file with a
known good one it still wouldn't work... could not get into any repair
mode... had to slave drive into another PC using the USB-Sata adapter, then
open the hive on the bad drive and edit the line in the software key... as
mentioned...

Thanks for the help...
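
The offline check and repair described in the post above, as an added PowerShell example (not part of the original thread). It assumes the laptop's disk is attached to a clean PC as E:, an elevated session, and an arbitrary mount name OfflineSW; the expected value is the one quoted earlier in the thread.

```powershell
# Added example. Assumptions: suspect disk mounted as E:, elevated PowerShell,
# OfflineSW is an arbitrary temporary mount name chosen for this script.
$winDir   = 'E:\WINDOWS'
$hiveFile = "$winDir\system32\config\software"
$mount    = 'HKLM\OfflineSW'
$winlogon = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Path as seen by the laptop itself once it boots from its own disk
$expected = 'C:\WINDOWS\system32\userinit.exe,'

# Keep a copy of the tampered hive for rollback and later analysis
if (-not (Test-Path "$hiveFile.bak")) { Copy-Item $hiveFile "$hiveFile.bak" }

# The registry value and the binary must both be intact for logon to succeed
if (-not (Test-Path "$winDir\system32\userinit.exe")) {
    Write-Warning 'userinit.exe is missing from system32; restore it from known good media'
}

reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }

try {
    $current = (Get-ItemProperty -Path $winlogon -Name Userinit `
                -ErrorAction SilentlyContinue).Userinit
    Write-Host "Userinit currently: '$current'"

    # Every comma-separated entry is started at logon; list anything
    # whose file name is not userinit.exe so it can be investigated
    $extra = @($current -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and ((Split-Path $_ -Leaf) -ne 'userinit.exe') })
    if ($extra.Count -gt 0) {
        Write-Warning "Unexpected Userinit entries: $($extra -join '; ')"
    }

    if ($current -ne $expected) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected
        Write-Host "Userinit reset to '$expected'"
    }
}
finally {
    [gc]::Collect()                  # drop open handles so the hive can unload
    reg.exe unload $mount | Out-Null
}
```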
 
JF

Hello Tim_S!
I was able to fix the issue by using the Load Hive method ..
The problem was in the "Software" hive...
The userinit key was pointing to a file called xwushzh.exe which of course
no longer existed...
problem solved..
By the way the issue came from My Space web site
Just a note this little file deleted the userinit.exe file itself.. and
changed the key... when Norton stopped it, it had already done some damage.
After Norton deleted the file xwusuhzh.exe, the registry key remained... thus
when trying to log-on, it would immediately log off... even though the file
.exe was no longer there, replacing only the userinit.exe file with a known
good one it still wouldn't work... could not get into any repair mode... had
to slave drive into another PC using the USB-Sata adapter, then open the hive
on the bad drive and edit the line in the software key... as mentioned...
Thanks for the help...

Thanks for the feedback.
Bravo and congratulations! ^^
 
