Re: unable to login into WinXP HE by PsychoNaut
PsychoNaut
Tue Sep 20 04:01:04 CDT 2005
Hi All,
There seems to be a new variant of this problem. This time ad-aware
deletes the trojan - Win32.TrojanClicker but also deletes the userinit
entry in the registry. The Ad-Aware log entries for it are below.
As the userinit entry has been removed the winlogon just loops. The
easiest solution I found somewhere, without having to try the make-a-bootable-CD
method to access the registry, was to use cmd.exe as the
logon screensaver.
So you need to access the windows\system32 folder and back up logon.scr as
logon.bak, then delete logon.scr, then back up cmd.exe as cmd.bak. Then
rename cmd.exe to logon.scr.
To do this use a Win98 bootdisk if your hard drive is FAT32, or the Recovery
Console if NTFS, or remove the drive and attach it to another PC and change
them there.
Now when the logon screen comes up just wait for about ten minutes and
the command prompt will open, usually already at the system32 folder.
Then type explorer.exe, press Enter, and your Windows desktop will
re-appear. Don't close the command prompt yet. Now run regedit and put
the missing userinit string back in the registry:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Value : Userinit
data : "C:\windows\system32\userinit.exe," (include comma and quotations)
Make sure userinit.exe is still in your system32 folder. If not, copy it
from the service pack files folder in the windows folder or from the XP CD.
Then you can change the logon.scr back to its correct file and close
the command prompt. Now you can log in normally.
Obviously change the path if your WinXP is in a different place.
Here is the part of the Ad-Aware log which shows the entries:
Win32.TrojanClicker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows nt\currentversion\winlogon
Value : Userinit
Win32.TrojanClicker Object Recognized!
Type : RegData
Data : {54645654-2225-4455-44A1-9F4543D34545}
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\shellserviceobjectdelayload
Value : SystemCheck2
Data : {54645654-2225-4455-44A1-9F4543D34545}
Malke wrote:
> Duggles wrote:
>
> > Hi, I don't really know if I'm posting in the right area but anyway...I
> > was getting rid of viruses/spyware off my computer and MS GIANT found
> > 3 viruses, a trojan, a mediaticket and a 180 solutions. I was asked to
> > reboot my PC because one of the viruses was running so I did. When
> > I had rebooted I tried to log into my user but it immediately logged
> > me out...I have tried safe mode and other users but all unsuccessful.
> > Is there a way to open msconfig, command prompt (safe mode with prompt
> > doesn't work) without logging into a user?
> >
> > Yours,
> > Duggles
>
> You may have run afoul of the wsaupdater problem. Here is MVP Rick
> Roger's summation (with solutions):
>
> The userinit value may have been corrupted by the removal of Blazefind.
> It adds wsaupdater.exe to the logon value in the system registry,
> sometimes appending it, sometimes replacing it. Running Adaware or
> other cleaners detects and removes wsaupdater.exe, but doesn't correct
> the registry damage. If this is the case, then you may need to load the
> registry hive from another installation and change it. This is the key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
>
> Userinit string value should be:
>
> C:\WINDOWS\system32\userinit.exe,
>
> On the damaged installations it's one of these:
>
> C:\WINDOWS\system32\wsaupdater.exe,
> C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,
>
> Note the trailing comma, which should be there.
>
> Another "quickie" method of resolution is to load the Recovery Console,
> copy userinit.exe as wsaupdater.exe from the command prompt, then
> restart normally. Once in, go and change the registry value back to
> what it's supposed to be and delete the copied file by doing:
>
> cd system32 [Enter]
> copy userinit.exe wsaupdater.exe [Enter]
> exit [Enter]
>
> Then boot the system and edit the Registry and then rename the System32
> wsaupdater.exe back to userinit.exe.
>
> You can also put the affected hard drive as a slave in a working XP box
> and put a good userinit.exe in the sick drive's System32 folder,
> rename it to wsaupdater.exe and then put the sick drive back in its
> box. Start the system and make the changes in the Registry and rename
> wsaupdater back to userinit.exe.
>
> HTH,
>
> Malke
> --
> MS-MVP Windows User/Shell
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic"
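Both posts above come down to one check: the Winlogon Userinit value must be exactly the userinit.exe path with a trailing comma, and the file it names must exist. The script below is an added example, not code from the thread or from any of the posters; it audits the value on a running system and flags the two damage patterns the thread describes (value missing entirely, or an extra executable such as wsaupdater.exe appended or substituted), and only rewrites the value when the hypothetical -Restore switch is given. It assumes the PowerShell registry provider (HKLM:) and that %SystemRoot% points at the Windows folder, so it does not apply to the offline or Recovery Console situations in the posts, where regedit and the file renames above are still the way in.

```powershell
# Added example (not from the thread): audit and optionally repair the Winlogon Userinit value.
# Run from an elevated PowerShell prompt. -Restore is a switch name chosen for this script.
param([switch]$Restore)

$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$expected = "$userinit,"        # the trailing comma is part of the correct value

# A missing value (the variant described in PsychoNaut's post) comes back as $null.
$current = (Get-ItemProperty -Path $keyPath -Name Userinit -ErrorAction SilentlyContinue).Userinit

if ($null -eq $current) {
    Write-Warning 'Userinit value is missing; Winlogon will log the user straight back out.'
} else {
    Write-Host "Current Userinit: $current"
    # Split the comma-separated list and drop the empty element the trailing comma produces.
    $entries = $current.Split(',') | Where-Object { $_.Trim() -ne '' }
    foreach ($entry in $entries) {
        if ($entry.Trim() -ieq $userinit) {
            Write-Host "  ok          $entry"
        } else {
            # e.g. wsaupdater.exe appended to, or substituted for, userinit.exe
            Write-Warning "  unexpected: $entry"
        }
    }
}

# The value is useless if the executable it points to has been deleted by a cleaner.
if (-not (Test-Path -LiteralPath $userinit)) {
    Write-Warning "$userinit is missing; restore it from the service pack cache or the XP CD before rebooting."
}

if ($Restore -and ($current -ne $expected)) {
    # -ne is case-insensitive in PowerShell, so C:\WINDOWS vs C:\windows is not treated as damage.
    Set-ItemProperty -Path $keyPath -Name Userinit -Value $expected -Type String
    Write-Host "Userinit reset to: $expected"
}
```

Running it without -Restore is a safe read-only check, which is worth doing after any anti-spyware cleanup that touches Winlogon; the Ad-Aware log in the post shows that a cleaner may remove the whole value rather than just the injected path, which is exactly the case the first warning catches.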