Symptom:
Recently, a client of mine couldn’t log in to Windows XP after removing malware with Spybot S&D.
As the computer started, it would pass the welcome screen, display the wallpaper, and then suddenly jump back to the login screen. If he clicked on a username, Windows would say loading settings… and return once again to the login screen.
Cause:
A Google search revealed that this is a common problem that occurs after removing spyware. In this case, Spybot caused the problem by removing a critical (infected) file.
Normally, after a user logs in, Windows runs the program named in this registry value (the Userinit value under the Winlogon key):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
The Userinit value is normally C:\Windows\System32\userinit.exe, a file that is crucial to the logon process.
Certain pieces of spyware modify this registry value to point to their own infected version of the file. If you then remove the infected file with Spybot, the registry points to a file that doesn’t exist, and without the original file in place you cannot log in to Windows.
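To check a machine for exactly this condition (the Userinit value pointing somewhere other than the default, or at a file that is no longer on disk) before or after a malware clean-up, here is an added audit script that is not part of the original post. The expected default path and the constructed sample values in the comments are assumptions; on Windows the script reads the live value, elsewhere it can be fed a value string directly.

```python
"""Audit the Winlogon\\Userinit value for the logon-loop condition described above."""
import os
import sys

# Assumed default location of the logon helper on Windows XP (compared case-insensitively).
EXPECTED = r"c:\windows\system32\userinit.exe"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Userinit is a comma-separated list of programs; Windows launches each in turn.
    The default value normally carries a trailing comma, so empty entries are dropped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_userinit(value, exists=os.path.isfile):
    """Return a list of (entry, finding) tuples. `exists` is injectable so the
    logic can be exercised offline against constructed values."""
    findings = []
    entries = parse_userinit(value)
    if not entries:
        return [("", "Userinit is empty: no logon program will start")]
    for entry in entries:
        path = os.path.expandvars(entry)
        if path.lower() != EXPECTED:
            findings.append((entry, "unexpected Userinit entry"))
        if not exists(path):
            # This is the state left behind when the hijacked file is deleted:
            # Winlogon cannot start it and drops the user back to the login screen.
            findings.append((entry, "referenced file does not exist; logon will loop back"))
    return findings


def read_live_value():
    """Read the real Userinit value from the local registry (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed fallback value for demonstration on non-Windows hosts.
    live = read_live_value() or r"C:\Windows\System32\userinit.exe,"
    for entry, finding in audit_userinit(live) or [("", "Userinit looks healthy")]:
        print(f"{entry or '-'}: {finding}")
```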
Solution:
You need to have access to the computer’s registry to identify the value of the Userinit registry key.
You need to use a boot CD like BartPE or UBCD (Ultimate Boot CD) that includes a registry editor.
The following steps assume you have a UBCD:
1. Boot from the CD, and select Launch “The Ultimate Boot CD” from the menu.
2. Open the remote registry editor. Click Start -> Programs -> Registry Tools -> RegEdit (Remote)
You will be presented with the message “Do you wish to load remote user profile(s) for scanning”. Just click NO and the registry of the local machine should load.
3. Navigate to the Winlogon folder:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
4. Double-click the Userinit value. Change its data to C:\Windows\System32\userinit.exe.
5. Try rebooting. If you can log on, you have finished.
If not, userinit.exe is missing or corrupt. Follow the remaining steps to copy userinit.exe from the boot CD to the System32 directory.
6. Reboot the computer with the UBCD still in the drive.
7. This time, select the option to enter the Windows Recovery Console. You will see a blue screen as files are loaded into memory.
8. At the Welcome to Setup screen press the ‘R’ key to enter the Recovery Console.
*** Note: If you get an error message stating “Setup did not find any hard disk drives installed in your computer”, you will have to recreate a new UBCD with SATA drive support. To learn how to do this, click here.
9. Once you are at the recovery console, issue the following command:
copy X:\I386\System32\userinit.exe C:\Windows\System32
“X” being the drive letter of the CD-ROM drive that the UBCD is in (typically D, E or F).
10. After the file has been copied, restart the computer and you should now be able to log in to Windows.