WINDOWS XP login logout loop - no userinit.exe help please!



canadian_hustla
01-17-2009, 10:55 AM
Hello Beyond,

I am experiencing a very bad problem on my computer. At first windows would log in and immediately log out a second later. It does this in regular mode as well as safe mode. I read up and found out that this is a combination of a virus and a removal that has deleted key system components.

When I log into my system recovery console and search under SYSTEM32 I do not have a USERINIT.EXE file!!!

I have tried renaming software to software.old and copying software off my Windows XP CD but this did not work.

I have tried chkdsk and it went to 50% and crashed.



I am totally out of ideas here, any help would be greatly appreciated

Thanks.

eblend
01-17-2009, 11:01 AM
You just need to find the userinit.exe file (online would work) and copy it over. Had this happen a few times at work. Once that's done you will log in no problem. Although if your computer is infected with something bad, might as well start fresh.

canadian_hustla
01-17-2009, 11:18 AM
The computer will not go online.

Would this work?

"Boot from the Windows XP installation CD...after the first several screens load, you will be given a choice to choose R for Recovery Console. You will then be asked to log in. Choose the installation to be repaired by number (usually 1) and press "Enter". When you are asked for the Administrator password, leave it blank and press "Enter".

When you get to the recovery console prompt:

Type cd \ and press "Enter".
Type cd system~1\_resto~1 and press "Enter".
Type dir and press "Enter".
After you press enter you will see a list of folders (like rp1, rp2) If the list of restore points has more than one page then press the "Enter" key until you reach the end of the list

Type cd rp {number of the second to last folder in the list} and press "Enter". (Example: Type cd rp9 if rp10 is the last restore point.)
Type cd snapshot and press "Enter".
Type copy _registry_machine_system c:\windows\system32\config\system and press "Enter".
Type copy _registry_machine_software c:\windows\system32\config\software and press "Enter".
Type exit and press "Enter".
Your PC will reboot.

If you get an access denied error when doing the above, then do the following at the recovery console:

Type cd \ and press "Enter".
Type cd windows\system32\config and press "Enter".
Type ren system system.bak and press "Enter".
Type exit and press "Enter".
"

canadian_hustla
01-17-2009, 11:26 AM
OK, what I just posted did not work.

How can I get userinit.exe onto a computer when I can't load Windows?

Oz-
01-17-2009, 11:35 AM
From the google search of your exact question.



XP logon kick you out solution:

http://www.winxptutor.com/wsaremove.htm

Unable to logon to Windows after removing BlazeFind using a spyware removal utility?

Logon - Logoff loop, also caused by BlazeFind

Another critical symptom caused by this malware: This malware modifies the Userinit area in the registry (replacing the userinit.exe with wsaupdater.exe) and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the Logon - Logoff loop. That is, when you log in to Windows, the "loading personal settings" verbose will appear, but suddenly it will log off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

SpireTECH
01-17-2009, 11:42 AM
It may be possible to restore the damaged system files using a Linux live CD with ntfs-3g support. But even if the system were bootable again, there would be no guarantee that the system is secure and free from viruses. Usually once a machine is compromised to this extent, reformatting is the best option.

If you do replace the userinit.exe file, and the system becomes bootable, I suggest running the command "SFC /scannow". This will check all of your system files for inconsistencies and unsigned modifications.

canadian_hustla
01-17-2009, 11:44 AM
NVM

fixed! :D

Here is how I did it (I am sure many others will benefit from this).
Please note that I did not have wsaupdater.exe, which is supposedly the cause of the infection.


I used the windows XP recovery CD
changed BIOS sequence to CD/DVD
got into system recovery console (typed R)
password left blank

then

It should start off with D:\ or whatever your drive with Windows installed is. You want to access the E:\ drive or whatever your CD/DVD drive is.

cd \
E:

E: [ENTER]
CD I386 [ENTER]
EXPAND USERINIT.EX_ D:\WINDOWS\SYSTEM32 [ENTER]

type EXIT [ENTER]

Now, go back into the BIOS and change sequence back to your hard drive




Total time to fix: 2 1/2 hours of research, 5 minute fix. Please note that the "FIX" has allowed me to boot up. But as the above poster has noted, the computer is still compromised and will need to be scanned.



Thanks for the help
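
An added example, not part of any post in this thread: a small offline check for the two failure modes discussed above, a Userinit registry value that names something other than userinit.exe (the wsaupdater.exe case in Oz-'s post) and a Userinit target that is missing from disk (the case fixed with EXPAND). It assumes the input is the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and that Windows is on C:; the sample text and function names are constructed for illustration.

```python
import ntpath
import re

# Stock XP value is this path plus a trailing comma. Drive letter is an
# assumption; pass expected= for installs such as the D:\ one in the thread.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"

# Constructed `reg query ... /v Userinit` output, not taken from the thread.
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""
HIJACKED = CLEAN.replace("userinit.exe,", "wsaupdater.exe,")

def _norm(path, base_dir):
    # Bare file names are resolved against system32 (a simplification).
    if not ntpath.dirname(path):
        path = ntpath.join(base_dir, path)
    return ntpath.normcase(ntpath.normpath(path))

def parse_userinit(text):
    """Return the comma-separated programs in the Userinit value, or None."""
    m = re.search(r"^[ \t]*Userinit[ \t]+REG_SZ[ \t]*(.*)$", text, re.I | re.M)
    if m is None:
        return None
    return [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]

def audit_userinit(text, existing_files, expected=EXPECTED):
    """List findings: non-default programs and programs missing on disk."""
    entries = parse_userinit(text)
    if entries is None:
        return ["Userinit value not found"]
    if not entries:
        return ["Userinit value is empty"]
    base = ntpath.dirname(expected)
    present = {_norm(f, base) for f in existing_files}
    findings = []
    for entry in entries:
        norm = _norm(entry, base)
        if norm != _norm(expected, base):
            findings.append(f"unexpected program: {entry}")
        if norm not in present:
            # A listed program that no longer exists gives the logon loop.
            findings.append(f"missing on disk: {entry}")
    return findings
```

`existing_files` can come from a directory listing taken from the Recovery Console or a live CD, so the check runs without booting the affected install.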

canadian_hustla
01-17-2009, 11:46 AM
Originally posted by SpireTECH
It may be possible to restore the damaged system files using a Linux live CD with ntfs-3g support. But even if the system were bootable again, there would be no guarantee that the system is secure and free from viruses. Usually once a machine is compromised to this extent, reformatting is the best option.

If you do replace the userinit.exe file, and the system becomes bootable, I suggest running the command "SFC /scannow". This will check all of your system files for inconsistencies and unsigned modifications.


Hi there, thanks for the help. How do I get to the SFC /scannow?
Is that done through recovery console?
Can you give me the exact commands to scan? Thanks!

canadian_hustla
01-17-2009, 11:48 AM
Originally posted by Oz-
From the google search of your exact question.



XP logon kick you out solution:

http://www.winxptutor.com/wsaremove.htm

Unable to logon to Windows after removing BlazeFind using a spyware removal utility?

Logon - Logoff loop, also caused by BlazeFind

Another critical symptom caused by this malware: This malware modifies the Userinit area in the registry (replacing the userinit.exe with wsaupdater.exe) and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the Logon - Logoff loop. That is, when you log in to Windows, the "loading personal settings" verbose will appear, but suddenly it will log off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)


Thanks for the help, but this was the first thing I tried and many have said that this fix is outdated.

Mibz
01-17-2009, 12:05 PM
Originally posted by canadian_hustla



Hi there, thanks for the help. How do I get to the SFC /scannow?
Is that done through recovery console?
Can you give me the exact commands to scan? Thanks!

Right in Windows.
Start -> Run -> sfc /scannow

I'd reiterate what Spire said about reformatting though. I highly recommend backing up whatever you need and wiping it.