Pegasus
Sat Aug 23 23:25:00 PDT 2008
There are other places in the registry that you may need to
modify. Did you try my suggestion with psexec.exe?
"Tim_S" <NOSPAM@whereever.net> wrote in message
news:ereMJ0aBJHA.5468@TK2MSFTNGP04.phx.gbl...
>I was able to load the Hive... thanks for the tip John...!!!...
>
> While I was looking at the default hive, the WindowsNT key only had 3
> entries in the key...
>
> I used my XP-Pro as an example and manually created the keys to match
> mine.... to include the userinit key and pointing to the userinit.exe
> file....
>
> The tricks that worked for others didn't work for this.. it is still
> logging on, flash, immediate log off back to log-in screen.
>
> Any other tricks?
>
> Tomorrow I will use the restore disk if no hits here....
>
>
>
> "John John (MVP)" <audetweld@nbnet.nb.ca> wrote in message
> news:ei7T74XAJHA.716@TK2MSFTNGP05.phx.gbl...
>> Use the Load Hive feature in Regedit. See here for easy to follow
>> instructions for remotely editing the registry:
>>
>> http://www.rwin.ch/xp-live/regedit.htm
>>
>> John
>>
>> Tim_S wrote:
>>
>>> I tried a restore back to the point I told it to not save restore
>>> points... due to the previous virus I told it to disable system
>>> restore... anyway I tried to restore to the last point but it too
>>> failed... The drive is C that returns... it hasn't changed because the
>>> system boots all the way to the log on screen...
>>>
>>> I think that something has deleted the registry key that calls
>>> userinit.exe....
>>>
>>> hklm\software\microsoft\windowsnt\winlogon.... but getting to the key
>>> is proving problematic...
>>>
>>> I wish there was a registry tool that could read/edit the stand alone
>>> registry files... i.e. system, user, config etc...
>>>
>>> while the drive is slaved in on a USB port.... I can move them, copy
>>> them, and even delete them but I can't read inside of them.... If you
>>> know of a tool... please inform....
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> "Pegasus (MVP)" wrote:
>>>
>>>
>>>>"Tim_S" <NOSPAM@whereever.net> wrote in message
>>>>news:uy31TRHAJHA.2060@TK2MSFTNGP05.phx.gbl...
>>>>
>>>>>I have a Toshiba laptop that was infected with some downloader trojan.
>>>>>Norton Internet Security caught and resolved the file. After reboot,
>>>>>when typing in the password the desktop background picture comes up, I
>>>>>get a "Loading your Settings" for about 5 seconds, then the screen
>>>>>flashes really fast, then I get a "Logging off" and it takes me back to
>>>>>the log-in screen....
>>>>>
>>>>>This happens under local Administrator account and in All Safe
>>>>>modes,,,,, to include safe mode with command prompt....
>>>>>
>>>>>On Google search it pulled up a similar issue and suggested that it was
>>>>>a missing file called userinit.exe or a wuaupdater.exe file that was
>>>>>missing....
>>>>>
>>>>>I slaved in the drive to my PC using a HD to USB adapter and was able
>>>>>to access the whole drive. I replaced those files with known good
>>>>>ones (they were both missing on the laptop HD) but the problem still
>>>>>exists.
>>>>>
>>>>>I also took the c:\windows\system32\config files (registry files) and
>>>>>renamed them, then took the repair files from c:\windows\repair and
>>>>>copied them into the c:\windows\system32\config folder and was able to
>>>>>log into the laptop then however all the applications were not
>>>>>functioning properly and would have to be reinstalled.
>>>>>
>>>>>I know the problem must exist in those registry files somewhere... but
>>>>>how to fix it is at a loss...
>>>>>
>>>>>I tried running Commander from CD but it won't run on that laptop...
>>>>>says something like pci.sys fail with a blue screen.... but this is a
>>>>>separate problem than the one I post here....
>>>>>
>>>>>I don't know what else to do short of reinstalling the laptop from
>>>>>scratch again....
>>>>>
>>>>>Any suggestions
>>>>
>>>>Your suspicion is most likely correct: Windows is unable to locate
>>>>userinit.exe, probably because your system drive letter has changed.
>>>>Your first step should be to determine your current system drive letter.
>>>>You can do it like so:
>>>>- Start the problem machine but don't log on.
>>>>- Log on as administrator on a networked machine.
>>>>- Click Start / Run / cmd{OK}
>>>>- Type this command:
>>>> psexec \\xxx cmd.exe
>>>> (Replace xxx with the name or the IP address of the problem PC)
>>>>- Report the drive letter you see.
>>>>
>>>>You can download psexec.exe from www.sysinternals.com.
>>>>
>>>>
>
>
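
The offline check discussed in this thread (load the laptop's hive, then look at the Winlogon values that launch userinit.exe), as an added example that is not part of any poster's message. It assumes the laptop drive shows up as E: on the working PC, uses an arbitrary mount name OfflineSW, and reads the values under Microsoft\Windows NT\CurrentVersion\Winlogon in the SOFTWARE hive without changing them.

```powershell
# Added example, not from the thread. Read-only check of an offline XP SOFTWARE hive.
# Assumptions: E: is the laptop drive on the USB adapter; OfflineSW is an arbitrary
# mount name; run from an elevated prompt on the working PC.
$offlineDrive = 'E:'
$hiveFile     = "$offlineDrive\WINDOWS\system32\config\software"
$mount        = 'HKLM\OfflineSW'
$winlogon     = "$mount\Microsoft\Windows NT\CurrentVersion\Winlogon"

function Get-OfflineValue([string]$Key, [string]$Name) {
    # reg.exe prints "    Name    REG_SZ    Data"; return Data, or $null if absent
    $out = & reg.exe query $Key /v $Name 2>$null
    foreach ($line in $out) {
        if ($line -match "^\s+$([regex]::Escape($Name))\s+REG_\w+\s+(.*)$") { return $Matches[1].Trim() }
    }
    return $null
}

Copy-Item -LiteralPath $hiveFile -Destination "$hiveFile.bak" -ErrorAction Stop  # keep a copy first
& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hiveFile" }
try {
    $userinit = Get-OfflineValue $winlogon 'Userinit'
    $shell    = Get-OfflineValue $winlogon 'Shell'
    "Userinit = $userinit"   # XP default: C:\WINDOWS\system32\userinit.exe,
    "Shell    = $shell"      # XP default: Explorer.exe

    if (-not $userinit) {
        Write-Warning 'Userinit is missing or empty.'
    } else {
        foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
            $path = $entry.Trim()
            # Map the path recorded in the hive onto the offline drive to test the file
            $onDisk = $path -replace '^[A-Za-z]:', $offlineDrive
            if ($path -notmatch '^[A-Za-z]:\\') { Write-Warning "Not an absolute path: $path" }
            elseif (-not (Test-Path -LiteralPath $onDisk)) { Write-Warning "File not found on offline drive: $onDisk" }
            else { "OK: $path (present as $onDisk)" }
        }
    }
} finally {
    & reg.exe unload $mount | Out-Null   # always release the hive before unplugging the drive
}
```

The drive letter printed in the Userinit value is the one the laptop must see as its system drive at boot, which is the point of the psexec check suggested above.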