Ok so I tried to rid my girlfriends comp of the billions of viruses, trojans, etc before checking my banking online. I downloaded Ewido and cleaned the system - Over 8000 objects out of 180000 were infected - then decided to clear up a few of the startup processes to speed up the start-up speed.

Then when returning to the computer after i remembered that I actually wanted to use it before I spent so long trying to sort it out, I found that when I tried to logon it logged me straight back off (happens in all options of safe mode too).

After some research on my own computer it seemed that the problem came from one of the trojans which was deleted but leaves the above problem as it replaces userint.exe with wsaupdater.exe. I can't get the infected PC to boot from the Xp CD, I presume this is from the many scratches!

I the set up the HDD as a slave in my PC but couldn't work out how to access the regedit for the slave drive rather than my own master HDD.

On closer inspection of my girlfriend's system32 folder however, the file userinit.exe is still there and there is no wsaupdater.exe anyway. So I now think I must have disabled the userinit when altering the startup processes.

Opinions and cures please!!! The faster the better, my girlfriends mum is not an 'appy chappy

PS - I tried msconfig and running ewido again once I hooked it up as slave but found the same probs as when I tried regedit - It simply uses the master drives settings

Thanks in anticipation

Ian

HJT isn't perfect ;}

Note If the computer is networked but not part of a domain, you may need to map a connection to the machines IPC$ share using that computer's local administrator credentials before being able to attach using Regedit.exe or Regedt32.exe as described below to make changes.

To permit a logon and/or change the boot volume drive letter back to its originally assigned letter, use any of the following methods: net use \\remote_machine_name\IPC$ /user:administrator *
Use one of the following procedures to facilitate repairs:

Remove any cloned hard disks added to your computer since the time the logon failures occurred, restart your computer, and then try to log on.


If the computer is networked, run Regedit.exe on another computer to open and modify the registry of the computer that is experiencing the logon failure. Use the information in the following Microsoft Knowledge Base article to change the drive letter back to the original letter assigned to the boot partition:
223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows



If the computer is networked, run Regedt32.exe or Regedit.exe on another computer to open and modify the registry of the computer that is experiencing the logon failure. Change the following entry to remove the full path to the Userinit.exe entry as follows:

Change from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\Userinit:Reg_SZ:C:\WINNT\system32\userinit.exe


Change to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Current Version\Winlogon\Userinit:Reg_SZ:userinit.exe


After you change the preceding registry entry and are able to logon, perform the steps in the following Microsoft Knowledge Base article to re-assign the proper drive letter to your boot partition and reboot:

223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows



Create a "fake" Winnt\System32 folder structure on the drive that is suspected as being assigned the original boot partition drive letter, and then expand and copy the Userinit.exe file from the Windows 2000 CD-ROM into the Winnt\System32 folder on that drive.

You can use the Recovery Console to perform this procedure provided the local security policy\security option "Recovery Console: Allow floppy copy and access to all drives and all folders" is enabled. This will permit the following Recovery Console command to work so you can gain unlimited access to all drives and paths: SET allowallpaths = TRUEThis can be implemented as a policy on a domain controller to be applied to the local computer by using the information contained in the following Microsoft Knowledge Base article:

235364 (http://support.microsoft.com/kb/235364/) Description of the SET Command in Recovery Console


After you perform the preceding procedure and you are able to log on, perform the steps in the following Microsoft Knowledge Base article to re-assign the proper drive letter to your boot partition and reboot:

223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows


With only the system/boot drive in the system, or powered on, boot to a DOS or Windows 9X Start-up diskette that contains fdisk.exe and run the following command:

FDISK /MBR


This re-writes the Master Boot Record and erase the disk signature associated with volume GUID. Windows 2000 should assign default drive letters and allow you logon. Click the article number below for more information about FDISK:

69013 (http://support.microsoft.com/kb/69013/) FDISK /MBR rewrites the Master Boot Record