
Userinit.exe blocked by Autoruns - Self Inflicted


39 replies to this topic

#1 trexmgd

trexmgd

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Location:SoCal
  • Local time:05:24 AM

Posted 13 February 2009 - 10:53 AM

Oh boy, how embarrassing...

I was following the Startup Guide to removing non-essential startup items and looking for malware. One of the items listed was userinit.exe and when I referenced it in the database, I saw a whole slew of "X"s indicating malware. Well, I quickly unchecked it and rebooted (later, I saw one entry that said don't confuse with the needed Windows app in sys32 folder).

Well now I can only get to the log in screen and when I select a user, I get a flash of the desktop wallpaper then it logs me off and saves settings. I have tried this under Administrator in Safe Mode as well and no luck. I can't ctrl-alt-delete or c-a-e to get to task manager or anything.

I've searched and come across many posts of people losing, or having a corrupt userinit.exe, but this is different in that I (oh, how that hurts) told Autoruns to block it from start up.

HELP!



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,296 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:24 AM

Posted 13 February 2009 - 11:16 AM

Can you boot into safe mode?

Can you access System Restore?

Louis

#3 trexmgd


Posted 13 February 2009 - 12:03 PM

No, I cannot boot into safe mode. The exact same thing happens, even when I try to log in as Administrator. Logs me right back out in a flash and I cannot stop it.

#4 trexmgd


Posted 13 February 2009 - 12:07 PM

I found this advice on CNET forums and it did NOT work. I get to the expand command and I get "Access Denied" when I try to execute it.





THE REAL WAY TO FIX THIS PROBLEM IS TO DO THE FOLLOWING:

1. Insert the original Windows XP CD (Windows XP with Service Pack 2 is preferred, but not required) and reboot the computer. You may need to configure your computer to boot from the CD-ROM drive.
2. When the Windows XP Setup has started, press "R" to "repair the Windows XP installation using Recovery Console".
3. Select the Windows installation to repair (generally this is C:\Windows) by typing its number and then pressing ENTER.
4. Type the Administrator password and press ENTER.
5. Type the following commands:

D: [ENTER]
CD I386 [ENTER]
EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32 [ENTER]

NOTE: If your CD-ROM drive has a different letter assigned to it, enter "X:" instead, where X is the appropriate drive letter.

After entering "EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32" you should see the text "1 file(s) copied", in which case all went well.

Remove the Windows XP CD, type "EXIT" and press ENTER to restart your computer. You should now be able to log on normally.



#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:24 PM

Posted 13 February 2009 - 02:17 PM

Do you know the exact location of autoruns?

#6 trexmgd


Posted 13 February 2009 - 02:19 PM

I downloaded and ran Autoruns from my desktop.

#7 Farbar


Posted 13 February 2009 - 02:50 PM

Let's try this:

Enter the Recovery Console.

At the command prompt type the blue part:

cd \ [press Enter]
ren "c:\documents and settings\here type your user name\desktop\autoruns.exe" autoruns.exe.old [press Enter]
exit [press Enter]


You have to be precise in typing. Type your user name as it is, the one you log in with. Don't forget the quote marks.
There is a space between cd and \
There is a space between ren and "c:...
There is a space between ...autoruns.exe" and autoruns.exe.old
If you do it right, after pressing Enter after the second line the computer gets back to c:\>


The computer should boot now.

#8 trexmgd


Posted 13 February 2009 - 03:06 PM

> Let's try this:
>
> Enter the Recovery Console.
>
> At the command prompt type the blue part:
>
> cd \ [press Enter]
> ren "c:\documents and settings\here type your user name\desktop\autoruns.exe" autoruns.exe.old [press Enter]
> exit [press Enter]


Thank you for the response.

I followed the instructions and upon hitting enter, I get the response "Access Denied".

I really appreciate everyone's efforts - keep the suggestions coming - I'm desperate!

#9 Farbar


Posted 13 February 2009 - 03:22 PM

It would not work anyway. I tried it myself with another startup entry. The fix you mentioned would not work either, even if you could do it.

#10 Farbar


Posted 13 February 2009 - 05:43 PM

Let's see if we can do something about it.

Tell me, when you started in Recovery Console (from now on RC), did you start as administrator or not?
Then tell me if you have a flash drive.

#11 trexmgd


Posted 13 February 2009 - 06:20 PM

> Let's see if we can do something about it.
>
> Tell me, when you started in Recovery Console (from now on RC), did you start as administrator or not?

No, booted to RC via Windows XP disk and did not see that as an option. Just hit "R" and I was in.

> Then tell me if you have a flash drive.

Yes


Something else I figured out was that I was not looking at my true "C" drive that whole time... I have two drives in a RAID 0 array and RC doesn't recognize them unless I hit F6 and load the drivers. I did that, then tried all of our past steps but still got nothing. I also have a "one touch" backup drive (that's what my first attempt in RC saw as my C drive), but I can't seem to do anything with it either.

#12 Farbar


Posted 13 February 2009 - 07:36 PM

So you don't get access denied any more?

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:08:24 AM

Posted 13 February 2009 - 08:09 PM

http://forum.sysinternals.com/forum_posts....D=1374&PN=1

http://forum.sysinternals.com/forum_posts.asp?TID=11351

http://forum.sysinternals.com/forum_posts.asp?TID=7672

my favorite



http://forum.sysinternals.com/forum_posts....D=2847&PN=1
Chewy

No. Try not. Do... or do not. There is no try.

#14 trexmgd


Posted 14 February 2009 - 08:44 AM

> So you don't get access denied any more?


Yes, Access Denied.

#15 trexmgd


Posted 14 February 2009 - 08:46 AM

> http://forum.sysinternals.com/forum_posts....D=1374&PN=1
>
> http://forum.sysinternals.com/forum_posts.asp?TID=11351
>
> http://forum.sysinternals.com/forum_posts.asp?TID=7672
>
> my favorite
>
> http://forum.sysinternals.com/forum_posts....D=2847&PN=1


Yeah, I stumbled upon that site yesterday and have been trying to work with some of those fixes... However, TC's fix won't work for me because I have a RAID 0 array, not a single HD to pull and take to another computer.



