0

Ok so I tried to rid my girlfriend's comp of the billions of viruses, trojans, etc before checking my banking online. I downloaded Ewido and cleaned the system - Over 8000 objects out of 180000 were infected - then decided to clear up a few of the startup processes to speed up the start-up speed.

Then when returning to the computer after I remembered that I actually wanted to use it before I spent so long trying to sort it out, I found that when I tried to log on it logged me straight back off (happens in all options of safe mode too).

After some research on my own computer it seemed that the problem came from one of the trojans which was deleted but leaves the above problem as it replaces userinit.exe with wsaupdater.exe. I can't get the infected PC to boot from the XP CD, I presume this is from the many scratches!

I then set up the HDD as a slave in my PC but couldn't work out how to access the regedit for the slave drive rather than my own master HDD.

On closer inspection of my girlfriend's system32 folder however, the file userinit.exe is still there and there is no wsaupdater.exe anyway. So I now think I must have disabled the userinit when altering the startup processes.

Opinions and cures please!!! The faster the better, my girlfriend's mum is not an 'appy chappy

PS - I tried msconfig and running ewido again once I hooked it up as slave but found the same probs as when I tried regedit - It simply uses the master drive's settings

Thanks in anticipation

Ian

0

Note: If the computer is networked but not part of a domain, you may need to map a connection to the machine's IPC$ share using that computer's local administrator credentials before being able to attach using Regedit.exe or Regedt32.exe as described below to make changes.

To permit a logon and/or change the boot volume drive letter back to its originally assigned letter, use any of the following methods:

net use \\remote_machine_name\IPC$ /user:administrator *

Use one of the following procedures to facilitate repairs:

Remove any cloned hard disks added to your computer since the time the logon failures occurred, restart your computer, and then try to log on.


If the computer is networked, run Regedit.exe on another computer to open and modify the registry of the computer that is experiencing the logon failure. Use the information in the following Microsoft Knowledge Base article to change the drive letter back to the original letter assigned to the boot partition:
223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows

If the computer is networked, run Regedt32.exe or Regedit.exe on another computer to open and modify the registry of the computer that is experiencing the logon failure. Change the following entry to remove the full path to the Userinit.exe entry as follows:

Change from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:Reg_SZ:C:\WINNT\system32\userinit.exe


Change to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:Reg_SZ:userinit.exe


After you change the preceding registry entry and are able to log on, perform the steps in the following Microsoft Knowledge Base article to re-assign the proper drive letter to your boot partition and reboot:

223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows

Create a "fake" Winnt\System32 folder structure on the drive that is suspected as being assigned the original boot partition drive letter, and then expand and copy the Userinit.exe file from the Windows 2000 CD-ROM into the Winnt\System32 folder on that drive.

You can use the Recovery Console to perform this procedure provided the local security policy\security option "Recovery Console: Allow floppy copy and access to all drives and all folders" is enabled. This will permit the following Recovery Console command to work so you can gain unlimited access to all drives and paths:

SET allowallpaths = TRUE

This can be implemented as a policy on a domain controller to be applied to the local computer by using the information contained in the following Microsoft Knowledge Base article:

235364 (http://support.microsoft.com/kb/235364/) Description of the SET Command in Recovery Console


After you perform the preceding procedure and you are able to log on, perform the steps in the following Microsoft Knowledge Base article to re-assign the proper drive letter to your boot partition and reboot:

223188 (http://support.microsoft.com/kb/223188/) How to restore the system/boot drive letter in Windows


With only the system/boot drive in the system, or powered on, boot to a DOS or Windows 9X Start-up diskette that contains fdisk.exe and run the following command:

FDISK /MBR


This re-writes the Master Boot Record and erases the disk signature associated with volume GUID. Windows 2000 should assign default drive letters and allow you to log on. Click the article number below for more information about FDISK:

69013 (http://support.microsoft.com/kb/69013/) FDISK /MBR rewrites the Master Boot Record

0

Thanks for the quick response.

Unfortunately the computer isn't networked and my XP CD is faulty and so I cannot access the recovery module


When used as it was it is impossible to log on and therefore change anything.

Therefore I removed the HDD and placed it in another computer as a slave drive. I can now see everything on this drive but cannot work out a way to edit the startup processes or registry - am I supposed to manually rename??

Sorry to be a bother

More suggestions needed

0

Okay, another thing to try.

Have your old hdd as slave. Boot up XP as normal. Run regedit. Now the fun part. Click on HKLM (HKEY_LOCAL_MACHINE). On the menu, select File, Load Hive.

Navigate to your old hdd. Go to windows, then system32 then config. The file you want to open is either System or Software (neither has an extension). Then you need to enter in a name for this hive. Type in whatever you wish. I usually enter (blah).

Now, if you don't see any extensions, please click on "View Menu" button and select details. The file System and Software should be more than a meg apiece.

Hopefully, none of this is too confusing. Feel free to ask questions.
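
A scripted equivalent of the Load Hive steps above, as an added example that is not part of the original post: it loads the slave drive's Software hive under a temporary key, reads Winlogon\Userinit from it, and can reset the value. The E: drive letter, the OfflineSoftware key name and the -Repair switch are assumptions; the expected value is the one given in the last reply of this thread.

```powershell
# Added example: audit (and optionally repair) Winlogon\Userinit in an offline Software hive.
# Assumptions: slave disk mounted as E:, Windows folder named WINDOWS, elevated prompt.
param(
    [string]$OfflineWindows = 'E:\WINDOWS',
    [string]$MountName      = 'OfflineSoftware',  # arbitrary temporary key name under HKLM
    [string]$Expected       = 'C:\WINDOWS\system32\userinit.exe',  # value given in the thread
    [switch]$Repair
)

$hive = Join-Path $OfflineWindows 'system32\config\software'
if (-not (Test-Path -LiteralPath $hive)) { throw "Hive not found: $hive" }

# The binary must also exist on the offline disk, or logon still fails after a registry fix.
$binary = Join-Path $OfflineWindows 'system32\userinit.exe'
if (-not (Test-Path -LiteralPath $binary)) { Write-Warning "Missing on offline disk: $binary" }

# Back up the hive file before loading it; once loaded it is locked.
if ($Repair) { Copy-Item -LiteralPath $hive -Destination "$hive.bak" -Force }

& reg.exe load "HKLM\$MountName" $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (run elevated; hive must not be in use)' }

try {
    $key     = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $current = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).Userinit
    "Current Userinit: '$current'"

    # Winlogon starts every comma-separated program listed in this value at logon.
    $entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $extra   = @($entries | Where-Object { $_ -ne $Expected })

    if ($entries.Count -eq 1 -and $extra.Count -eq 0) {
        'OK: Userinit holds only the expected entry.'
    } else {
        Write-Warning "Missing, extra or duplicate entries: $($entries -join ' | ')"
        if ($Repair) {
            Set-ItemProperty -LiteralPath $key -Name Userinit -Value $Expected
            "Userinit reset to '$Expected' (backup: $hive.bak)"
        }
    }
}
finally {
    # Release handles PowerShell still holds on the hive, then unload it.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it without -Repair first to see what the offline hive contains; the hive is always unloaded before the disk goes back into the original machine.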

0

Further to two previous posts.

I now have the original XP CD (this one works fine)

I thought I could use Recovery Console to copy Userinit.exe to Wsaupdater.exe

BUT - - just before doing this ran a search (whilst faulty HDD was still hooked up as a slave) of the whole drive and it didn't find wsaupdater so I don't think the problem is what I originally assumed

0

If it isn't working how you have it set up in that screenie, take off the second instance. The only value you need in there is C:\WINDOWS\system32\userinit.exe. Let me know if that works for ya.
