Sometimes a virus or other malware will modify the registry so that when you log in, a malicious file is processed instead of the standard Windows file. Several types of viruses do this. Fortunately, the fix for all of them is the same. This is different from the case where Windows immediately restarts in Safe Mode. If that happens, you have malware that you will need to remove without Windows running.

When Windows logs in, a file listed in the registry is processed first. (More on this in the fix.) If that file is not there or is corrupt, Windows logs out right away. What happens is that a virus changes the file Windows looks for when logging in, and then something else deletes or renames that file. The result is the log in, log out routine. The file that should be loaded is userinit.exe. However, even that file may be replaced with a malicious one.

So how do you fix it? Short answer: copy userinit.exe from the Windows CD for the version and Service Pack you are using, then modify the registry value Userinit under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and make sure it only contains C:\Windows\system32\userinit.exe, (note the comma at the end). The file that contains this registry hive is %windir%\system32\config\SOFTWARE. You should also check the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and make sure the Userinit value, if it is there, is also correct.

Now the detailed answer. You should copy a non-corrupt userinit.exe file into the %windir%\system32\ directory. Make sure the disc you are using is the same version and service pack as the Windows currently installed. Once you start the repair tools for the corresponding disc, you need to copy the file from the disc. Just type “expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe”, where c: is the drive with Windows and d: is your CD/DVD drive.

Next you need to load the registry hive. You will need a Windows Vista or later DVD. If you do not have access to a Vista based disc, then try the Ultimate Boot CD for Windows. It has programs that give you access to your registry. Assuming you have a Windows Vista based disc, just type “regedit” at the command prompt. That loads the registry editor. Expand the HKEY_LOCAL_MACHINE key. Then click at the top of the window File -> Load Hive. Browse to %windir%\system32\config and open the SOFTWARE file. You will be prompted to give it a name; make it short so you do not confuse it with anything else. Let's say you called it “LOADED”. Then keep expanding that registry key, LOADED, along this path: HKEY_LOCAL_MACHINE\LOADED\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Then on the right, look for the entry named “Userinit”. If it does not say “C:\Windows\system32\userinit.exe,” (or “C:\WINNT\system32\userinit.exe,” for Windows NT and 2000), then change it to that entry. After that, click on the LOADED key name and then click File -> Unload Hive. Then reboot the computer.

If you get back into Windows, the first thing you should do is scan for viruses and malware. Chances are, your computer is filled with them.
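As an added check (not part of the original post), this PowerShell script, run from an elevated prompt once Windows boots again, audits the Userinit value in both hives described above and verifies that the userinit.exe binary is present and Microsoft-signed. It assumes the expected value and key paths given in this post.

```powershell
# Added example: audit the Winlogon Userinit value and the userinit.exe binary.
# Assumes an elevated PowerShell session on the repaired machine.

$expected = "$env:windir\system32\userinit.exe,"   # trailing comma is part of the value

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if ($null -eq $value) {
        # HKCU normally has no Userinit value at all; HKLM always should.
        Write-Output "$key : Userinit not set"
        continue
    }
    # Case-insensitive compare. Anything after the comma (a second path) is suspicious,
    # because TrimEnd only strips a trailing comma, not one in the middle.
    if ($value.TrimEnd(',') -ieq $expected.TrimEnd(',')) {
        Write-Output "$key : OK ($value)"
    } else {
        Write-Warning "$key : UNEXPECTED Userinit = '$value'"
    }
}

# The binary itself must exist and should carry a valid Microsoft signature.
$exe = "$env:windir\system32\userinit.exe"
if (-not (Test-Path $exe)) {
    Write-Warning "$exe is missing (this alone causes the log in / log out loop)"
} else {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
        Write-Output "$exe : signature valid ($($sig.SignerCertificate.Subject))"
    } else {
        # On older Windows the file may be catalog-signed and report NotSigned here;
        # in that case compare its hash against the copy expanded from install media.
        Write-Warning "$exe : signature status $($sig.Status); compare with the install media copy"
        Write-Output (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    }
}
```

Run it again after the malware scan; a Userinit value that changes back is a sign the infection is still active.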
