
Windows XP Home Logs in Then Immediately Logs Off


6 replies to this topic

#1 Kdrey4


Posted 24 May 2009 - 11:13 AM

I am working on a Gateway, Windows XP Home SP2 machine. The machine was infected with a Trojan. The trojan seemed to be removed and all was fine, but the trojan seems to have removed the "c:\windows\system32\userinit.exe" file. I cannot access any Windows profiles in the normal boot up or safe mode.

I have downloaded the Windows XP Boot Disk from support.microsoft.com and burned the .exe to a CD to repair the Windows installation as the machine does not have a floppy drive. I changed the BIOS to select the CD-ROM as the primary, but the message "Boot Failure, Insert system disk" appears when the machine boots up.

The drive seems to be functioning fine as the Gateway has System Restore by pressing F11, but the Windows XP disk is not the System Disk #1 the system is looking for.

I understand I need to get to the Recovery Console to either copy the userinit.exe file or modify the registry but can't get the console and can't get a windows profile to open.

Do you have any ideas, or another download that would allow me to access the Recovery Console to modify the registry key or copy the userinit.exe file?

Thanks


 


#2 Budapest


Posted 24 May 2009 - 06:37 PM

We will have to create a small 'fix CD' to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO
  • In the upper right pane, double click on the i386 folder.
  • Right click in the upper right pane and select Add Files...
  • Navigate to C:\Windows\System32 and select userinit.exe
  • Then click Open to add userinit.exe to the CD image.
  • Click File and select Save As...
  • Name the file RCplus and save it somewhere you can find it.
Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.
  • Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
  • Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
  • Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
  • In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
  • Under Format make sure that Mode 1 is selected.
  • And finally, click on the Burn it! button to burn RCplus.iso to disk.
Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message 1 file copied which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Kdrey4


Posted 25 May 2009 - 12:10 PM

Thanks I'll give that a try. I have to use my machine with the burner on it, will let you know how it goes tomorrow....

#4 Kdrey4


Posted 26 May 2009 - 10:56 PM

I went through the steps to no avail. I checked c:\windows\system32\dllcache and the directory was corrupt. I ran chkdsk on it and now the directory exists, and userinit.exe has been copied, to no avail. I can assume at this point the registry key is either corrupt or does not exist.

Is there a way to access the registry without being logged in? I'm assuming a BartPE might do the trick but I'm not certain. I've seen there is a command that can be run from the command prompt that allows access, but can't seem to get that to work.

Any ideas would be great

#5 Budapest


Posted 26 May 2009 - 11:00 PM

This might be what you need:

http://windowsxp.mvps.org/peboot.htm

#6 Kdrey4


Posted 28 May 2009 - 01:13 PM

It was just as I suspected. The trojan removed the Userinit String from the winlogon key.
Added the string back and I was able to log back in using the Bart.

Thanks for all your help
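
Added example, not part of the original posts: one way to inspect and restore the Winlogon Userinit value of an installation that cannot be logged into, by loading its SOFTWARE hive from a PE command prompt such as BartPE. It assumes reg.exe is available in the PE environment and that the offline Windows folder is C:\WINDOWS; the mount name OFFLINE_SW is an arbitrary placeholder.

```batch
@echo off
rem Added example. Run from a PE command prompt (e.g. BartPE), not from
rem the installed Windows. Assumed: the offline installation is C:\WINDOWS
rem and reg.exe is present; OFFLINE_SW is an arbitrary mount name.
setlocal
set HIVE=C:\WINDOWS\system32\config\software
set MOUNT=HKLM\OFFLINE_SW
set KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon
rem Windows XP default, including the trailing comma.
set GOOD=C:\WINDOWS\system32\userinit.exe,

if not exist "%HIVE%" (echo Hive not found: %HIVE% & exit /b 1)

rem The registry value is useless if the binary it points to is gone.
if not exist C:\WINDOWS\system32\userinit.exe echo WARNING: userinit.exe is missing, restore the file as well.

rem Keep a copy of the hive before changing anything in it.
copy /y "%HIVE%" "%HIVE%.bak" >nul || (echo Backup failed & exit /b 1)

rem Mount the offline SOFTWARE hive under a temporary key.
reg load %MOUNT% "%HIVE%" || (echo Could not load hive & exit /b 1)

rem reg query returns a non-zero exit code when the value is absent.
reg query "%KEY%" /v Userinit
if errorlevel 1 (
    echo Userinit value is missing, writing the Windows XP default.
    reg add "%KEY%" /v Userinit /t REG_SZ /d "%GOOD%" /f
) else (
    rem Left untouched on purpose: review the value printed above.
    rem Anything other than the default is worth investigating.
    echo Userinit is present. Expected default: %GOOD%
)

rem Always unload, otherwise the hive file stays locked.
reg unload %MOUNT%
endlocal
```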

#7 Budapest


Posted 28 May 2009 - 04:22 PM

:thumbsup:



