Dec 7 2009

When Windows Logs In and Then Immediately Logs Out

Posted by Wade Burchette at 1:50 PM Computer Repair Notes | Security

Sometimes, a virus or malware will modify the registry so that when you log in, a malicious file is processed instead of the standard Windows file. There are several types of viruses that do this. Fortunately, the fix for all of them is the same.

When Windows logs in, a file listed in the registry is processed first. (More on this in the fix.) If that file is not there or is corrupt, then Windows logs out right away. What happens is that a virus changes the file which Windows looks for when logging in, and then something else deletes or renames that file. The result is the log in, log out routine. This is something found on Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Home Server. The file that should be loaded is the userinit.exe file. However, even that file may be replaced with a malicious one.

So how do you fix it? Short answer: copy the userinit.exe from the Windows CD for the version and Service Pack you are using, and then modify the userinit entry under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The file that contains this registry hive is %windir%\system32\config\SOFTWARE.

Now here is the detailed explanation. You must copy a non-corrupt userinit.exe file into the %windir%\system32\ directory. You can use the Windows NT/2000/XP/Server 2003 CD or DVD if you wish. But if you have the Windows Vista/7/Server 2008 DVD, you should use that instead. Once you start the repair tools for the corresponding disc, you need to copy the file from the disc. Just type "expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe" where c: is your hard drive and d: is your CD/DVD drive. If you are using the Windows Vista/7/Server 2008 disc, be sure to put the disc for the version of Windows you have installed into the CD/DVD drive. (For example, if Windows XP Service Pack 3 is installed, put a Windows XP Service Pack 3 CD into the CD/DVD drive.)

Next you need to load the registry hive. You cannot do this in the Windows NT/2000/XP/Server 2003 recovery tools, but you can with the Windows Vista/7/Server 2008 recovery tools. If you do not have access to a Vista-based disc, then try the Ultimate Boot CD for Windows. It has programs that give you access to your registry. Assuming you have a Windows Vista-based disc, just type "regedit" at the command prompt. That loads the registry editor. Select the HKEY_LOCAL_MACHINE key. Then, at the top of the window, click File -> Load Hive. Browse to %windir%\system32\config and open the SOFTWARE file. You will be prompted to give it a name; make it short so you do not confuse it with anything else. Let's say you called it "LOADED". Then expand that registry key, LOADED, and keep expanding along this path: HKEY_LOCAL_MACHINE\LOADED\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Then on the right, look for the entry named "userinit". If it does not say "C:\Windows\system32\userinit.exe" (or "C:\WINNT\system32\userinit.exe" for Windows NT and 2000), then change it to that entry. After that, click on the LOADED key name and then click File -> Unload Hive. Then reboot the computer.

If you get back into Windows, the first thing you do is scan for viruses and malware. Chances are, your computer is filled with them.
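Once Windows is running again, the userinit check from the fix above can be repeated as a script. The following is an added example, not part of the original post: it treats the value as a comma-separated list (a stock install normally ends it with a trailing comma) and reports anything other than the expected userinit.exe path. The function names, the sample values and the default C:\Windows system root are assumptions made for the illustration.

```python
import ntpath
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def audit_userinit(value, system_root=r"C:\Windows"):
    """Return findings for a Winlogon userinit value; an empty list means clean."""
    expected = ntpath.join(system_root, "system32", "userinit.exe")
    # The value is a comma-separated list of programs run at logon; a stock
    # install normally ends it with a trailing comma, so drop empty items.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    findings, seen_expected = [], False
    for entry in entries:
        norm = ntpath.normcase(ntpath.normpath(entry))  # case-insensitive compare
        if norm == ntpath.normcase(expected):
            seen_expected = True
        elif ntpath.basename(norm) == "userinit.exe":
            findings.append(f"userinit.exe loaded from unexpected path: {entry}")
        else:
            findings.append(f"extra program run at logon: {entry}")
    if not seen_expected:
        findings.append(f"expected entry missing: {expected}")
    return findings

def read_live_value():
    """Read the value from the running system's registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed sample values (not taken from a real infection).
SAMPLES = {
    "clean": r"C:\Windows\system32\userinit.exe,",
    "extra entry": r"C:\Windows\system32\userinit.exe,C:\Temp\example.exe",
    "replaced": r"C:\Temp\userinit.exe",
}

if __name__ == "__main__":
    values = dict(SAMPLES)
    if sys.platform == "win32":
        values["this machine"] = read_live_value()
    for name, value in values.items():
        print(f"{name}: {value!r}")
        for finding in audit_userinit(value) or ["ok"]:
            print(f"    {finding}")
```

For Windows NT and 2000, pass system_root=r"C:\WINNT" so the expected path matches the one given in the fix.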