Author: Tim_S Date: Aug 17, 2008 07:19
I have a Toshiba laptop that was infected with some downloader trojan.
Norton Internet Security caught and resolved the file. After reboot, when
typing in the password the desktop background picture comes up, I get a
"Loading your Settings" for about 5 seconds, then the screen flashes really
fast, then I get a "Logging off" and it takes me back to the log-in
screen....
This happens under local Administrator account and in All Safe modes, to
include safe mode with command prompt....
On Google search it pulled up a similar issue and suggested that it was a
missing file called userinit.exe or a wuaupdater.exe file that was
missing....
I slaved in the drive to my PC using a HD to USB adapter and was able to
access the whole drive. I replaced those files with known good ones (they
were both missing on the laptop HD) but the problem still exists.
I also took the c:\windows\system32\config files (registry files) and
renamed them, then took the repair files from c:\windows\repair and copied
them into the c:\windows\system32\config folder and was able to log into the
laptop then however all the applications were not functioning properly and
would have to be reinstalled.
Date: Aug 17, 2008 07:43
Have you tried System Restore using a restore point created before the
problem started?
JS
"Tim_S" whereever.net> wrote in message
news:uy31TRHAJHA.2060@TK2MSFTNGP05.phx.gbl...
>I have a Toshiba laptop that was infected with some downloader trojan.
>Norton Internet Security caught...
Author: Pegasus (MVP) Date: Aug 17, 2008 10:04
"Tim_S" whereever.net> wrote in message
news:uy31TRHAJHA.2060@TK2MSFTNGP05.phx.gbl...
>I have a Toshiba laptop that was infected with some downloader trojan.
>Norton Internet Security caught and resolved the file. After reboot,
>when typing in the password the desktop background picture comes up, I get
>a "Loading your Settings" for about 5 seconds, then the screen flashes
>really fast, then I get a "Logging off" and it takes me back to the log-in
>screen....
>
> This happens under local Administrator account and in All Safe modes,
> to include safe mode with command prompt....
>
> On Google search it pulled up a similar issue and suggested that it was a
> missing file called userinit.exe or a wuaupdater.exe file that was
> missing....
>
> I slaved in the drive to my PC using a HD to USB adapter and was able to
> access the whole drive. I replaced those files with known good ones
> (they were both missing on the laptop HD) but the problem still exists.
> ...
Author: Tim_S Date: Aug 18, 2008 14:50
I tried a restore back to the point I told it to not save restore points...
due to the previous virus I told it to disable system restore... anyway I
tried to restore to the last point but it too failed...
The drive is C that returns... it hasn't changed because the system boots
all the way to the log on screen...
I think that something has deleted the registry key that calls
userinit.exe....
hklm\software\microsoft\windowsnt\winlogon.... but getting to the key is
proving problematic...
I wish there was a registry tool that could read/edit the standalone
registry files... i.e. system, user, config etc...
while the drive is slaved in on a USB port.... I can move them, copy them,
and even delete them but I can't read inside of them.... If you know of a
tool... please inform....
"Pegasus (MVP)" wrote:
>
> "Tim_S" whereever.net> wrote in message
> news:uy31TRHAJHA.2060@TK2MSFTNGP05.phx.gbl...
>>I have a Toshiba laptop that was infected with some downloader trojan.
>>Norton Internet Security...
Author: John John (MVP) Date: Aug 18, 2008 15:03
> I tried a restore back to the point I told it to not save restore points...
> due to the previous virus I told it to disable system restore... anyway I
> tried to restore to the last point but it...
Author: Tim_S Date: Aug 23, 2008 22:48
I was able to load the Hive... thanks for the tip John...!!!...
While I was looking at the default hive, the WindowsNT key only had 3
entries in the key...
I used my XP-Pro as an example and manually created the keys to match
mine.... to include the userinit key and pointing to the userinit.exe
file....
The tricks that worked for others didn't work for this.. it is still logging
on, flash, immediate log off back to log-in screen.
Any other tricks?
Tomorrow I will use the restore disk if no hits here....
"John John (MVP)" wrote in message
news:ei7T74XAJHA.716@TK2MSFTNGP05.phx.gbl...
> Use the Load Hive feature in Regedit. See here for easy to follow
> instructions for remotely...
Author: Pegasus (MVP) Date: Aug 23, 2008 23:25
There are other places in the registry that you may need to
modify. Did you try my suggestion with psexec.exe?
"Tim_S" whereever.net> wrote in message
news:ereMJ0aBJHA.5468@TK2MSFTNGP04.phx.gbl...
>I was able to load the Hive... thanks for the tip John...!!!...
>
> While I was looking at the default hive...
Date: Aug 24, 2008 01:47
*Hello Tim_S*!
> I was able to load the Hive... thanks for the tip John...!!!...
> While I was looking at the default hive, the WindowsNT key only had 3 entries
> in the key...
> I used my XP-Pro as an example and manually created the keys to match
> mine.... to include the userinit key and pointing to the userinit.exe
> file....
> The tricks that worked for others didn't work for this.. it is still logging
> on, flash, immediate log off back to log-in screen.
> Any other tricks?
Author: John John (MVP) Date: Aug 24, 2008 06:46
JF wrote:
> Try with no path
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
> Userinit=userinit.exe
There is a comma missing in your registry edit, this will cause userinit
to fail. I don't know what removing the path will do, maybe you know
something that I don't.
Typically the value should be:
C:\WINDOWS\system32\userinit.exe,
There are other causes for this reboot loop or boot failure, Pegasus
will no doubt review the different causes and suggest appropriate
measures to fix things.
John
Date: Aug 24, 2008 08:09
*Hello John John (MVP)*!
> JF wrote:
>> Try with no path
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>> Userinit=userinit.exe
> There is a comma missing in your registry edit, this will cause userinit to
> fail.
It works without the comma but the use is to keep it.
So you can start other programs with:
userinit=userinit.exe, goodprogram.exe, badvirus.exe,
> I don't know what removing the path will do, maybe you know something
> that I don't.
Simply that it works without the path.
So you eliminate a possible mistake as explained here
http://support.microsoft.com/kb/249321
Remember Pegasus said :
"Windows is unable to locate userinit.exe,
probably because your system drive letter has changed"
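
Added example, not part of the thread and not any poster's code: a Python check for a Userinit value read from the loaded hive, flagging the conditions discussed above (userinit.exe not listed, bare name, drive letter mismatch, extra programs appended to the list). The function name `audit_userinit` and the `system_root` default are assumptions; the sample values are taken from the thread or constructed, as marked.

```python
import ntpath

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return (entry, finding) pairs for a Winlogon Userinit value string.

    system_root is an assumption: the Windows directory of the machine the
    hive came from (not of the machine doing the analysis).
    """
    if not value or not value.strip():
        return [("", "Userinit value empty or missing")]
    expected = ntpath.join(system_root, "system32", "userinit.exe").lower()
    sys_drive = ntpath.splitdrive(system_root)[0].lower()
    findings = []
    if not value.rstrip().endswith(","):
        findings.append((value, "no trailing comma (typical value ends with one)"))
    # The value is a comma-separated list; every entry is started at logon.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    has_userinit = False
    for entry in entries:
        if ntpath.basename(entry).lower() != "userinit.exe":
            findings.append((entry, "extra program launched at logon"))
            continue
        has_userinit = True
        if not ntpath.dirname(entry):
            findings.append((entry, "bare name, no path"))
        elif ntpath.splitdrive(entry)[0].lower() != sys_drive:
            findings.append((entry, "drive letter differs from system drive"))
        elif entry.lower() != expected:
            findings.append((entry, "userinit.exe in unexpected directory"))
    if not has_userinit:
        findings.append((value, "userinit.exe not listed"))
    return findings

# First three values are quoted in the thread; the last two are constructed.
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,",
    "userinit.exe",
    "userinit.exe, goodprogram.exe, badvirus.exe,",
    r"D:\WINDOWS\system32\userinit.exe,",
    r"C:\WINDOWS\Temp\other.exe,",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for entry, finding in audit_userinit(sample) or [("", "matches typical value")]:
            print("   ", finding, entry)
```

The Winlogon key belongs to the SOFTWARE hive file in `system32\config`, so that is the file to load when the drive is attached to another PC. Pass the infected machine's own Windows directory as `system_root`, not the analysis machine's.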