
system config. utility problem


Marcy

Dec 14, 2009, 1:35:23 AM
Because I was having trouble getting into safe mode so I could do some
virus/malware clean up, I went into the system config utility > boot.ini >
then placed a check in the safemode box.
I rebooted. It still won't go into safe mode and won't even reboot normally to
reg windows mode.

It tries to reboot on its own after 30 seconds. But the blue screen flashes,
then it tries to reboot over and over again. No matter which option I pick
(last known config, safe mode networking, safe mode, etc), it just tries to
reboot over and over again like a broken record.
I can get into BIOS by pushing F10 (or F12 I think), but I don't know what I
can do there.
At this point, I just want my pc to be able to boot normally and I will see
what I can do in reg windows mode as far as cleaning.
Please help in easy terms.
Thanks for your help in advance...

Jose

Dec 14, 2009, 7:23:11 AM

This is a common symptom of a malware infection.

Troubleshooters will sometimes (too often) use msconfig to change
boot.ini settings (like add the /SAFEBOOT option) and once that is
done, the malicious software will prevent the system from booting in
any kind of mode ever again to undo the changes. This is the
malware's lame effort to keep you from removing it, so you must
outsmart it.

The easiest method of resolution is to boot into the XP Recovery
Console using either a genuine bootable XP installation CD or a
bootable Recovery Console CD you can create yourself (no XP media is
required). Any system recovery or system restore CDs that may have
come with a store bought system will not help you.

A lot of people don't have or don't know if they have a genuine
bootable XP installation CD, so to be 100% sure of what you have, make
your own bootable Recovery Console CD. It is a good thing to have for
days when you need it - like today.

Once you boot into the Recovery Console, you can rebuild your boot.ini
file without the extra option, or simply rename the afflicted boot.ini
file to something like boot.ini.bak and reboot. The boot.ini file is
not required to boot a typical XP installation. XP will complain
about the missing file, but it will still boot.

Once the system boots, rename the boot.ini.bak file back to boot.ini,
run msconfig and undo the changes you made which is usually to remove
the /SAFEBOOT option.

Once the system boots successfully, you know now not to add options to
your boot.ini file, use other methods to detect and remove the malware
from your system. Adding the /SAFEBOOT option is not on the list.
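
An added example, not part of the thread: a Python sketch that finds and strips the /SAFEBOOT switch that msconfig writes into the [operating systems] section of boot.ini, for use once the file is reachable again (for instance from the renamed boot.ini.bak). The sample boot.ini and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the poster's machine): a single-OS XP boot.ini
# after the /SAFEBOOT box on msconfig's BOOT.INI tab has been ticked.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    "multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="
    '"Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect'
    " /safeboot:minimal\r\n"
)

# /safeboot, optionally followed by a mode such as :minimal or :network.
SAFEBOOT_RE = re.compile(r"[ \t]*/safeboot(?::[^\s/]*)?(?=\s|/|$)", re.IGNORECASE)


def _split_switches(line):
    """Split an OS entry into (path + quoted description, trailing switches)."""
    cut = line.rfind('"')
    if cut < 0:  # entry without a quoted description
        cut = line.find("=")
    return line[:cut + 1], line[cut + 1:]


def _os_entries(text):
    """Yield (index, line) for every entry line inside [operating systems]."""
    section = None
    for idx, line in enumerate(text.splitlines(keepends=True)):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "operating systems" and "=" in stripped:
            yield idx, line


def find_safeboot(text):
    """Return [(line number, ARC path, switch)] for entries that force Safe Mode."""
    findings = []
    for idx, line in _os_entries(text):
        head, switches = _split_switches(line)
        match = SAFEBOOT_RE.search(switches)
        if match:
            arc_path = head.partition("=")[0].strip()
            findings.append((idx + 1, arc_path, match.group(0).strip()))
    return findings


def strip_safeboot(text):
    """Return the boot.ini text with /safeboot removed; other switches are kept."""
    lines = text.splitlines(keepends=True)
    for idx, line in _os_entries(text):
        head, switches = _split_switches(line)
        lines[idx] = head + SAFEBOOT_RE.sub("", switches)
    return "".join(lines)


if __name__ == "__main__":
    for lineno, arc_path, switch in find_safeboot(SAMPLE_BOOT_INI):
        print(f"line {lineno}: {arc_path} boots with {switch}")
    print(strip_safeboot(SAMPLE_BOOT_INI), end="")
```

Only text after the quoted description is searched, so a description that happens to contain "/safeboot" is left alone, and the original line endings are preserved.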

Marcy

Dec 14, 2009, 8:31:12 AM
Hi Jose, I DO have the original discs that came with my infected Windows XP
SP2 IE7 Home edition OEM LAPTOP, since it was bought new. But I would like
to make a "bootable Recovery Console CD that I can create yourself", as you
said.
I hope you can show me step by step instructions how to 'make' this copy.
Right now I am using my desktop computer that has the same OS as Laptop.
Can I use the desktop to make this 'copy'??

Also, the steps that you gave me below on how to do the recovery.....are
they step by step? Because I will be following it step by step.
Thanks for your reply


--
Thanks so very much for your help-! ! ! !
"Jose" <jose...@yahoo.com> wrote in message
news:5a3d5ff3-1c41-48e6...@z41g2000yqz.googlegroups.com...

Jose

Dec 14, 2009, 6:14:00 PM
On Dec 14, 8:31 am, "Marcy" <nos...@nospam.net> wrote:
> Hi Jose, I DO have the original discs that came with my infected Windows XP
> SP2 IE7 Home edition OEM LAPTOP, since it was bought new. But I would like
> to make a "bootable Recovery Console CD that I can create yourself", as you
> said.
> I hope you can show me step by step instructions how to 'make' this copy.
> Right now I am using my desktop computer that has the same OS as Laptop.
> Can I use the desktop to make this 'copy'??
>
> Also, the steps that you gave me below on how to do the recovery.....are
> they step by step? Because I will be following it step by step.
> Thanks for your reply
>
> --
> Thanks so very much for your help-! ! ! !
> "Jose" <jose_e...@yahoo.com> wrote in message

The bootable ISO image file you need to download is called:

xp_rec_con.iso

Download the ISO file from here:

http://www.mediafire.com/?ueyyzfymmig

Use this free and easy program to create your bootable CD:

http://www.imgburn.com/

Instructions for how to burn:

http://forum.imgburn.com/index.php?showtopic=61

It would be a good idea to test your bootable CD on a computer that is
working.

You may need to adjust the computer BIOS settings to use the CD ROM
drive as the first boot device instead of the hard disk. These
adjustments are made before Windows tries to load. If you miss it,
you will have to reboot the system again.

When you boot on the CD, follow the prompts:

Press any key to boot from CD...

The Windows Setup... will proceed.

Press 'R' to enter the Recovery Console.

Select the installation you want to access (usually 1: C:\WINDOWS)

You may be asked to enter the Administrator password (usually empty).

You should be in the C:\WINDOWS folder. This is the same as the
C:\WINDOWS folder you see in explorer.

RC allows basic file commands - copy, rename, replace, delete, cd,
chkdsk, fixboot, fixmbr, etc.

For you, it should go something like this:

cd \
attrib -shr boot.ini
ren boot.ini boot.ini.bak

Remove the CD, type exit to reboot the system, ignore the complaining.

In Windows Explorer, browse to c:\ and rename boot.ini.bak (or copy
it) back to boot.ini, run msconfig, undo the /SAFEBOOT.

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

Marcy

Dec 14, 2009, 11:53:51 PM
Hi,
Jose I decided to use the CD that came with my Windows XP Home Edition
Laptop so that I can avoid more steps & messing up more...

I started the CD....
Windows did the set up in blue background. Then it stopped and went to
Welcome to setup.

I Pressed 'R' to enter the Recovery Console.

Then it says, Which Windows installation would you like to log onto ( 1:
C:\WINDOWS), I clicked on the number "1" then enter. Then it asked for the
Admin password, I just clicked enter cause there was never a pw made.

Then this came up C:\WINDOWS>
So I typed " ren boot.ini boot.ini.bak " after the C:\WINDOWS>.... to look
like this
C:\WINDOWS>ren boot.ini boot.ini.bak

I clicked enter. The message came up "The parameter is not valid. Try /?
for help."
I retyped it without a space after "ren". This came up: "The command is not
recognized.Type help for a list of supported commands."
I also typed it cd \attrib -shr boot.ini ren boot.ini boot.ini.bak
I also got the same error, "The command is not recognized.Type help for a
list of supported commands."
I don't know if placing or removing spaces between the words makes a
difference but I did try it with or without spaces...... Anyways....

I remember you said to ignore windows complaining, so I figured that THIS
must be the part where Windows is complaining. So, I removed the disc, typed
EXIT. And the machine rebooted. But, it instantly went back to the Black
screen page with the safemode options and the countdown began again of the
cycle of rebooting endlessly after 30 seconds. So I assumed that the
Boot.ini file in fact did NOT get renamed successfully.

What is going wrong here? Any ideas what I might have missed or why the
renaming thing did not work?
I really appreciate your help. Thanks

******************************************************


--
Thanks so very much for your help-! ! ! !

"Jose" <jose...@yahoo.com> wrote in message

news:e3b41f60-a4ff-4529...@m16g2000yqc.googlegroups.com...

DanielBlackmore

Dec 14, 2009, 8:49:35 AM

Does it work if you use the Advanced Menu option?

When the PC is starting up (When you see Press F12 to enter BIOS) if
you tap F8 a few times you should enter the Windows Advanced Options
menu.

Scroll down to "Safe Mode" and hit enter and it should boot into Safe
Mode


Marcy

Dec 15, 2009, 8:28:44 AM
Unfortunately, that is what my prob has been all this time. No matter what I
do, I can't get out of the area the windows adv options OR the
other one that looks like that one ( both have black background and white
letters with options like: Safe mode, S-mode with networking, S-mode with
Command prompt, Last known, etc.) No matter which of these I select, it tries
to reboot and ends up back to this screen.

Getting into the Phoenix Bios (pressing F10) is the only thing that I have
been able to do that is different (not inc when using the CD)-And that area
is not black background with white letters, but rather bluish old fashioned
looking text and boxes.

I tried what you said (F12 then F8) >took me to the advanced screen again.
Tried normal and safe mode start up. It did the same thing its been
doing>>>>>the reboot pattern that takes me back to this screen.

Like I told Jose, I have the CD that came with my Laptop and I can not
rename the boot.ini file so that I can reboot in norm mode so that I can
UNCHECK the box in Msconfig.......Once I do that,I can start cleaning up the
malware and get my laptop scanned.
Any other things I can try???
Luckily I have a desktop pc I can use to read all this.
Thanks


--
Thanks so very much for your help-! ! ! !

"DanielBlackmore" <DanielBlack...@no.email.invalid> wrote in message
news:DanielBlack...@no.email.invalid...

Marcy

Dec 15, 2009, 10:12:24 AM
I have succeeded in rebooting my machine to norm windows mode. I renamed the
file from boot.ini.bak to boot.ini OR boot.ini file>>>> And now I am stuck
on the following: When I go to run>msconfig>system config utility, the
boot.ini tab is not showing. So I am unable to UNCHECK the 'safeboot' box
because that tab is not there.
Task manager has been disabled by the malware. ugh
_____________

--
Thanks so very much for your help-! ! ! !

"Marcy" <nos...@nospam.net> wrote in message
news:eDIvHqYf...@TK2MSFTNGP06.phx.gbl...

John John - MVP

Dec 15, 2009, 12:04:50 PM
The boot.ini tab isn't showing in the Msconfig utility because the
boot.ini file is not in its proper location, the file has to be in the
root of the system drive, usually C:\, alongside the NTDETECT.COM &
ntldr files.

John

Jose

Dec 15, 2009, 12:23:50 PM
> > "DanielBlackmore" <DanielBlackmore.438...@no.email.invalid> wrote in
> > messagenews:DanielBlack...@no.email.invalid...

>
> >> Does it work if you use the Advanced Menu option?
>
> >> When the PC is starting up (When you see Press F12 to enter BIOS) if
> >> you tap F8 a few times you should enter the Windows Advanced Options
> >> menu.
>
> >> Scroll down to "Safe Mode" and hit enter and it should boot into Safe
> >> Mode

You need to be sure to use explorer after booting to rename
boot.ini.bak to boot.ini. msconfig can't find it...

If you cannot see the boot.ini file, in Explorer navigate to C:\,
click View, Folder Options, tick "Show hidden files and folders" and
UNtick Hide extensions for known file types.

The boot.ini needs to be in C:\

You almost got it!

Be sure to run those scans.

Marcy

Dec 15, 2009, 12:50:55 PM
Jose:
I have long ago unhidden my files and folders (hence was able to see the
boot.ini.bak file and rename it) from the folder view tab-
What I can't do is UNCHECK the safeboot box in msconfig because it's not
there to uncheck.
You said that " The boot.ini needs to be in C:\" .....well the boot.ini was
not in C:\ but rather this area: C:\windows.
While I await for some answers from you all, I am doing a AVG scan.


John:
you said: The boot.ini tab isn't showing in the Msconfig utility because the
boot.ini file is not in its proper location, the file has to be in the
root of the system drive, usually C:\, alongside the NTDETECT.COM &
ntldr files.

Me: How do I get it back to the Msconfig Utility OR do I really need to do
this. I need to UNCHECK the safeboot box in Msconfig or wherever I can do
this. If I were to shut down my pc before I do this, I will have to do all
these steps over again (recovery console) and fear damage to my pc can
happen.

I thank you and all for your help and patience.


--
Thanks so very much for your help-! ! ! !

"Jose" <jose...@yahoo.com> wrote in message

news:36f9fb54-6e4f-4ae5...@m3g2000yqf.googlegroups.com...

John John - MVP

Dec 15, 2009, 12:58:07 PM
Marcy wrote:

> John:
> you said: The boot.ini tab isn't showing in the Msconfig utility because the
> boot.ini file is not in its proper location, the file has to be in the
> root of the system drive, usually C:\, alongside the NTDETECT.COM &
> ntldr files.
>
> Me: How do I get it back to the Msconfig Utility OR do I really need to do
> this. I need to UNCHECK the safeboot box in Msconfig or wherever I can do
> this. If I were to shut down my pc before I do this, I will have to do all
> these steps over again (recovery console) and fear damage to my pc can
> happen.

You said that you found a copy of it in C:\windows, copy it from there
to C:\. Msconfig looks for the boot.ini file in the root of the system
drive, if the file isn't there msconfig doesn't display the boot.ini tab.

John

Marcy

Dec 15, 2009, 1:24:13 PM
Hooray. Simple enough. I actually thought of MOVING the boot.ini file to the
correct location but I didn't want to risk messing up. Thanks. Now I can
proceed with my malware cleanup.
Thanks to all.

--
Thanks so very much for your help-! ! ! !

"John John - MVP" <aude...@nbnot.nb.ca> wrote in message
news:%23GP%23pAbfK...@TK2MSFTNGP02.phx.gbl...

John John - MVP

Dec 15, 2009, 3:48:10 PM
Marcy wrote:
> Hooray. Simple enough. I actually thought of MOVING the boot.ini file to the
> correct location but I didn't want to risk messing up. Thanks. Now I can
> proceed with my malware cleanup.
> Thanks to all.

You're welcome.

John

Jose

Dec 15, 2009, 5:26:04 PM
On Dec 15, 12:50 pm, "Marcy" <nos...@nospam.net> wrote:
> Jose:
> I have long ago unhidden my files and folders (hence was able to see the
> boot.ini.bak file and rename it) from the folder view tab-
> What I can't do is UNCHECK the safeboot box in msconfig because it's not
> there to uncheck.
> You said that " The boot.ini needs to be in C:\" .....well the boot.ini was
> not in  C:\ but rather this area: C:\windows.
> While I await for some answers from you all,  I am doing a AVG scan.
>

Well, that is not where it is supposed to be of course.

What part of my instructions were incorrect - tell me what was wrong
so I can fix it so it is more clear the next time!

I think I said after you are sure you are in C:\WINDOWS (which you
were)...

Daave

Dec 15, 2009, 5:27:29 PM
Marcy wrote:
> Hi,
> Jose I decided to use the CD that came with my Windows XP Home Edition
> Laptop so that I can avoid more steps & messing up more...
>
> I started the CD....
> Windows did the set up in blue background. Then it stopped and went to
> Welcome to setup.
>
> I Pressed 'R' to enter the Recovery Console.
>
> Then it says, Which Windows installation would you like to log onto (
> 1: C:\WINDOWS), I clicked on the number "1" then enter. Then it asked
> for the Admin password, I just clicked enter cause there was never a
> pw made.
> Then this came up C:\WINDOWS>
> So I typed " ren boot.ini boot.ini.bak " after the C:\WINDOWS>....
> to look like this
> C:\WINDOWS>ren boot.ini boot.ini.bak

You need to change C:\WINDOWS to C:\

So, when you see C:\WINDOWS>

... type "cd \" (including a space, but with no quotation marks), then
press enter

You will then see

C:\>

*Now* you can enter your rename command. :-)


John John - MVP

Dec 15, 2009, 5:47:22 PM

The commands run in the current folder, you need to cd to the root
folder or use a fully qualified path.

John

Jose

Dec 16, 2009, 7:30:19 AM

So you did not follow my steps even after using your own CD:

cd \
attrib -shr boot.ini
ren boot.ini boot.ini.bak

I will add a few sentences to my instructions to try to make them
better.

This has happened once before and I just don't understand it - cockpit
error!

I will fix it and thanks for the feedback.

Marcy

Dec 16, 2009, 10:45:43 AM
Hi Jose,
This is what I typed in order to get the boot.ini renamed successfully...
C:WINDOWS>ren C:\Boot.ini Boot.ini.bak

What was missing in your instructions was the C:\ in AFTER the "ren".
I tried and tried to make your instructions work. But that C:\ was missing.

Doing that worked & I was able to log into windows and went to the system
config utility to UNCHECK the safeboot box. That was accomplished.

Unfortunately, I did an AVG scan at that time and it found some malware. It
is possible that this scan or another I used days before, was
quarantined/removed a virus that attached itself to the winlogon.exe file...

Anyways, I rebooted after that AVG scan and now my machine won't let me go
past the windows welcome logon screen......(blue screen)
I read somewhere that I can use my recovery console (on my cd) to install or
copy a clean winlogon.exe file or something, to fix this prob...
So that is where I am now.....Stuck again and I don't know what command to
put in the C:\windows> to do this....

Do you know what to do, or anyone else?
Thanks
Please remember I need step by step instructions.


"Jose" <jose...@yahoo.com> wrote in message

news:b41268bd-26ad-411e...@m11g2000vbo.googlegroups.com...

Jose

Dec 16, 2009, 11:27:47 AM
On Dec 16, 10:45 am, "Marcy" <nos...@nospam.net> wrote:
> Hi Jose,
> This is what I typed in order to get the boot.ini renamed successfully...
> C:WINDOWS>ren C:\Boot.ini Boot.ini.bak
>
> What was missing in your instructions was the C:\ in AFTER the "ren".
> I tried and tried to make your instructions work. But that C:\ was missing.
>
> Doing that worked & I was able to log into windows and went to the system
> config utility to UNCHECK the safeboot box. That was accomplished.
>
> Unfortunately, I did an AVG scan at that time and it found some malware. It
> is possible that this scan or another I used days before, was
> quarantined/removed a virus that attached itself to the winlogon.exe file...
>
> Anyways, I rebooted after that AVG scan and now my machine won't let me go
> past the windows welcome logon screen......(blue screen)
> I read somewhere that I can use my recovery console (on my cd) to install or
> copy a clean winlogon.exe file or something, to fix this prob...
> So that is where I am now.....Stuck again and I don't know what command to
> put in the C:\windows> to do this....
>
> Do you know what to do, or anyone else?
> Thanks
> Please remember I need step by step instructions.
>
> "Jose" <jose_e...@yahoo.com> wrote in message

You did not follow the directions and by enhancing the instructions by
adding the unnecessary c:\ created your issue by merely renaming (in
effect - moving) the c:\boot.ini to the c:\windows folder. It did
just what you told it!

If you would have typed the:

cd \

at the C:\WINDOWS prompt, all would have been well.

There is nothing missing from my instructions, I will try to make them
more clear. I just copy and paste from my list of how to fix these
common problems.

I am not trying to be an arse, I have used those instructions many,
many times and just want to figure out what part is not clear and
eliminate another message session if possible.

When you try to login to Windows now, do you enter your credentials
and it looks like it is starting to work and then see a "Saving your
settings" type message and just can't get past that with another logon
attempt?

You can fix that too, but now I am not so sure about my instructions
anymore!

Are you getting into Recovery Console using your Windows installation
CD or did you make the Recovery Console CD from the other instructions
(which also mentions the Administrator password thing).

Marcy

Dec 16, 2009, 1:00:11 PM
Hi Jose, You have been very helpful and I appreciate that.
It was my lack of 'know how' that more likely keeps me from interpreting
your (or anyone's instructions) the way it should be interpreted. This is
all new to me, so I thank you for your patience.
You asked this:

" When you try to login to Windows now, do you enter your credentials
and it looks like it is starting to work and then see a "Saving your
settings" type message and just can't get past that with another logon
attempt? "...answer is YES. I don't have my user acct where I type a
password. My user acct is the only one on there.

I am in the recovery console because I used my original CD that came with my
system. At this point, I know I have the I386 and the "winlogon.exe" . My
computer is at that screen where the winlogon.exe thing is at......

I am just waiting for the next step...
thank you again


--
Thanks so very much for your help-! ! ! !

"Jose" <jose...@yahoo.com> wrote in message

news:5868d4de-36fe-41c8...@t42g2000vba.googlegroups.com...

cd \

Jose

Dec 16, 2009, 4:56:02 PM
On Dec 16, 1:00 pm, "Marcy" <nos...@nospam.net> wrote:
> Hi Jose, You have been very helpful and I appreciate that.
> It was my lack of 'know how' that more likely keeps me from interpreting
> your (or anyone's instructions) the way it should be interpreted. This is
> all new to me, so I thank you for your patience.
> You asked this:
> " When you try to login to Windows now, do you enter your credentials
> and it looks like it is starting to work and then see a "Saving your
> settings" type message and just can't get past that with another logon
> attempt? "...answer is YES. I don't have my user acct where I type a
> password. My user acct is the only one on there.
>
> I am in the recovery console because I used my original CD that came with my
> system. At this point, I know I have the I386 and the "winlogon.exe" . My
> computer is at that screen where the winlogon.exe thing is at......
>
> I am just waiting for the next step...
> thank you again

Boot back into RC so you are back in the C:\WINDOWS folder.

There is a malware that deletes, corrupts or replaces the
c:\windows\system32\userinit.exe file.

The userinit.exe is the file that processes your login in regular mode
or any kind of Safe Mode, so if the mechanism is somehow broken it
creates an endless cycle of unsuccessful logon attempts in any mode for
any user.

When you type in your user name and password the system will report
that it is Loading your personal settings, logging off and then
unloading your personal settings. This is the malware trying to prevent
you from finding and removing it.

It may also change your registry so instead of the registry pointing
to userinit.exe, it points to another file called wsaupdater.exe.
Sometimes scanning programs can find and replace the wsaupdater.exe
file but will not fix the registry so you need to somehow get the
system to boot and fix the rest of the problem by hand.

It is popular enough for Microsoft to create a KB that describes the
wsaupdater problem (read it later).

http://support.microsoft.com/kb/892893

The following directions will cover more situations than the article,
but you should read it to understand.

After booting on the Recovery Console successfully, you are in the
C:\WINDOWS folder, and the userinit.exe file is in the SYSTEM32 folder
so change to the system32 folder by entering:

cd system32

The prompt should now be:

c:\windows\system32

Check for the presence of both userinit.exe and wsaupdater.exe. They
may be there or they may not, but we need to know to completely fix the
problem.

dir userinit.exe (post results - the file exists or it does not)
dir wsaupdater.exe (post results - the file exists or it does not)

No matter what you find, replace the userinit.exe from a copy
elsewhere on your system.

There is another copy of userinit.exe in the
c:\windows\system32\dllcache folder so copy it into the
c:\windows\system32 folder.

From the c:\windows\system32 folder enter:

copy c:\windows\system32\dllcache\userinit.exe

You will get a message that says 1 file(s) copied or to overwrite the
existing?, (choose (Y)es to overwrite) and post back what happened - it
either copied or it replaced userinit.exe.

If the copy fails for some reason, we can get a userinit.exe from your
installation CD (if you made a Recovery Console CD, userinit.exe is not
on it).

The malware may have changed your registry to point to wsaupdater.exe,
but a malware scan may remove only the wsaupdater.exe file but the
registry is still wrong and your system will still not boot until you
copy userinit.exe to wsaupdater.exe. We will check for and fix this
later.

In case the registry was also changed, in the c:\windows\system32
folder, copy userinit.exe to wsaupdater.exe. Do not delete the
wsaupdater.exe file if it exists - just copy the userinit.exe file
over the top of it.

From the c:\windows\system32 folder enter:

copy userinit.exe wsaupdater.exe

Answer (Y)es if there is an overwrite prompt. Post the results - it
either copied it or replaced it.

Make sure userinit.exe exists by entering:

dir userinit.exe (post results - it should exist)

Type exit to leave the Recovery Console, remove the CD and reboot.

If the wsaupdater.exe file existed, we need to check the registry to
make sure it is okay, but scan for malware first, and check/fix the
registry later.
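
An added example, not part of the thread: a Python check for the registry pointer the post above describes. It assumes the pointer is the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the thread does not name the key); the function names and the sample values in the comments are constructed.

```python
import ntpath

# Registry location of the value (standard Windows location; an assumption
# here, since the thread does not quote the key).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_userinit(value, windir=r"C:\WINDOWS"):
    """Return a list of findings for a Userinit string; [] means it looks clean.

    The value is a comma-separated list of programs run at logon. Anything
    other than <windir>\\system32\\userinit.exe is reported, including bare
    file names, which is deliberately conservative.
    """
    expected = ntpath.join(windir, "system32", "userinit.exe")
    want = ntpath.normcase(expected)
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]

    findings = []
    seen_expected = False
    for entry in entries:
        # Compare case-insensitively and with normalised separators.
        if ntpath.normcase(ntpath.normpath(entry)) == want:
            seen_expected = True
        else:
            findings.append(f"unexpected Userinit entry: {entry}")
    if not seen_expected:
        findings.append(f"{expected} is not listed")
    return findings


def read_userinit():
    """Read the live value. Windows only; run it after the system boots again."""
    import winreg  # imported here so the audit function works on any OS

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed values: the Windows default, and the pointer replaced with
    # wsaupdater.exe as described in the post.
    samples = [
        r"C:\WINDOWS\system32\userinit.exe,",
        r"C:\WINDOWS\system32\wsaupdater.exe,",
    ]
    for sample in samples:
        print(sample, "->", audit_userinit(sample) or "ok")
```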

Marcy

Dec 16, 2009, 11:44:45 PM
Hi, Jose
You asked:
(1)"dir userinit.exe (post results - the file exists or it does not)"
Answer:
The volume in drice C has no label
The volume Serial Number is 3136-db0e
Directory of C:\Windows\system32\userinit.exe

8/04/04 01:00a -a-------- 24576 userinit.exe
1 file<s> 24576 bytes
34952921088 bytes free

(2)dir wsaupdater.exe (post results - the file exists or it does not)

Answer:
The volume in drice C has no label
The volume Serial Number is 3136-db0e
Directory of C:\Windows\system32\wsaupdater.exe
No matching files were found

Then you said to do this:


"From the c:\windows\system32 folder enter:

copy c:\windows\system32\dllcache\userinit.exe"

Answer:
Just so I know I did this part correct, here is what that entire line looked
like when I typed it:
C:\Windows\system32>copy c:\windows\system32\dllcache\userinit.exe
Answer: It read, "The system cannot find the file specified."

So nothing got copied nor replaced/overwritten. *sigh*

You said,


"If the copy fails for some reason, we can get a userinit.exe from your
installation CD (if you made a Recovery Console CD, userinit.exe is not on
it)."

Great. I have the Windows original installation CD that came with my laptop,
which is what I am using now.
So, I guess I must stop for now until the next step, now that you know what
is going on thus far.

What a mess, huh!!!
I will await for the next steps. I really want to avoid a 'wipe the drive
and reinstall' if at all possible.
Thank you.

***************************************************


"Jose" <jose...@yahoo.com> wrote in message

news:2b2d3531-a52f-4ab2...@x15g2000vbr.googlegroups.com...

Jose

Dec 17, 2009, 9:01:47 AM

Your OEM system and my home grown system are not the same, so we will
get the userinit.exe another way.

Let me make sure I got this straight... You modified your boot.ini
using msconfig and then could not boot in any mode. You used RC to
rename your boot.ini, booted successfully, fixed the boot.ini issue, ran
AVG and then got stuck in the login cycle?

I am trying to understand your reference to winlogon.exe. If
winlogon.exe is the problem child you can also replace it from your XP
CD if it got quarantined or messed up by using these same instructions
for userinit.exe.

If winlogon.exe is suspicious or missing, replace it from your XP CD.

If this userinit.exe thing doesn't do it for you and winlogon.exe is
missing, etc, do the same thing for winlogon.exe. The procedure is all
the same - just a different file. There is no harm in replacing both
files.

The objective is to replace the c:\windows\system32\userinit.exe with
the compressed file on the CD. You may have to be intuitive and do some
poking around since your system may not be just like mine but if you
understand the principle, you can figure it out.

Most of the XP installation files on your CD are compressed and get
expanded when you install XP. Any file you see on the CD that ends with
an underscore character is compressed.

Assuming your CD drive is D, you can look in the D:\i386 folder and
find the compressed file called userinit.ex_ and that is the file we
need to expand into the c:\windows\system32 folder so let's make sure
the suspicious one is gone and rename it.

Assume we are going to be doing all of this work from the
c:\windows\system32 folder since this is where the userinit.exe file
needs to be.

Rename your current userinit.exe file to something you can remember.
For me I would just rename userinit.exe to userinit.joe

Reboot on the CD and check to be sure c:\windows\system32\userinit.exe
is really gone now - it was there before, right?

Change to the c:\windows\system32 folder where the userinit.exe needs
to be.

To see the help for the expand command you can type:

expand /?

It takes a source file name and an optional destination folder and
will default to the current folder which needs to be c:\windows\system32

While in the c:\windows\system32 folder, expand the
d:\i386\userinit.ex_ file into the current c:\windows\system32 by typing:

expand d:\i386\userinit.ex_

or

expand d:\i386\userinit.ex_ c:\windows\system32

You should see a message that one file was expanded and when you look
in c:\windows\system32 you should now see a new userinit.exe. This may
be all you need to do for your problem. Remove the CD, reboot on the
hard disk and test.

If you have the wsaupdater problem, the registry has been modified to
point to wsaupdater.exe instead of userinit.exe, so even a new copy of
userinit.exe will not be looked at. From the Recovery Console back in
the c:\windows\system32 folder, copy the userinit.exe to wsaupdater.exe,
remove the CD and reboot on the hard disk and test.

You will still need to do the malware scans.

Marcy

Dec 17, 2009, 1:44:02 PM
Hi Jose,
(1)To answer your first question in the last post, "Let me make sure I got
this straight... You modified your boot.ini
using msconfig and then could not boot in any mode. You used RC to rename
your
boot.ini, booted successfully, fixed the boot.ini issue, ran AVG and then
got
stuck in the login cycle?
Answer: YES. After I did AVG, I rebooted and got stuck in the login
cycle....

(2) While in the RC (from my cd), I do see, in C:\Windows\system32, both
the userinit.exe AND winlogon.exe.
I tried numerous ways to rename both of them. Here are ways I used and their
outcome:...

C:\>ren c:\userinit.exe userinit.old
"The system cannot find the file or directory specified"

C:\>cd\attrib -shr userinit.exe ren userinit.exe userinit.bak
"The command is not recognized. Type HELP...., etc"

I even did it like this (since I was not sure from which area to do the
renaming)..
C:\Windows>cd\attrib -shr userinit.exe ren userinit.exe userinit.bak
C:\Windows\System32>cd\attrib -shr userinit.exe ren userinit.exe
userinit.bak

***** and***
C:\Windows>ren c:\userinit.exe userinit.old
C:\Windows\System32>ren c:\userinit.exe userinit.old

I did the same using the winlogon.exe and got the exact same outcome..both
times.
So either I did something wrong in trying to rename or something. But I do
see both the userinit.exe and winlogon.exe in the
C:\Windows\System32>directory.

I am sorry I could not go further in your directions.....
I hope you want to continue with this. If not, I totally understand.
Thanks, Marcy


So, I could not go any further with your instructions...

-- __________________________________________


Thanks so very much for your help-! ! ! !

"Jose" <jose...@yahoo.com> wrote in message

news:f0bc8772-c1cc-4f29...@p8g2000yqb.googlegroups.com...

Jose

Dec 18, 2009, 9:28:08 AM
> Thanks so very much for your help-! ! ! !
> "Jose" <jose_e...@yahoo.com> wrote in message

You are c: happy. Stop putting c: in front of everything - that is
what got you mixed up before!

When you start RC you are in the C:\WINDOWS folder which is correct.

You need to do ALL your work in the C:\WINDOWS\SYSTEM32 folder.
The prompt should be something like:

C:\WINDOWS\SYSTEM32

First, rename the files you want to replace:

ren userinit.exe userinit.old
ren winlogon.exe winlogon.old

Reboot RC and get back into the c:\windows\system32 folder, make sure
the files you want to replace are really gone and then expand the
replacements from your installation CD (all this from within
c:\windows\system32)

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex_

The messages should tell you the expand worked.

Now, see if there is a file in c:\windows\system32 called
wsaupdater.exe. If there is a wsaupdater.exe, copy userinit.exe over
the top of wsaupdater.exe and we'll fix the rest later.

Hopefully I made no typos. You get the idea though - in
c:\windows\system32 you want to replace the two suspicious files by renaming
them, rebooting, expanding the two replacements from your XP CD... Do
the appropriate dir commands to make sure the files get renamed,
copied, expanded, etc as you go.

Remove the CD and see how rebooting/logging in on the HDD looks now.

Marcy

Dec 18, 2009, 1:02:43 PM
Thanks Jose:
I did the rename of :

ren userinit.exe userinit.old
ren winlogon.exe winlogon.old

I rebooted back into RC and got back into the c:\windows\system32 folder.
The "exe" files I renamed were gone (only the newly renamed "old" were
there).
So I went on your next step-to expand. I did:

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex_

The message stated it worked..

I went to see if there is a file in c:\windows\system32 called
wsaupdater.exe. Wsaupdater.exe was NOT there. I did see a
suspicious/malware file in there with a similar name, winupdate86.exe. But
no executable file that had exact letters of wsaupdater.exe

Ironically, I noticed when searching for the wsaupdater.exe that BOTH the
userinit.exe AND userinit.old, plus the winlogon.exe AND winlogon.old were
there. Was that supposed to happen?

I was not able to go further to this next step....


"If there is a wsaupdater.exe, copy userinit.exe over
the top of wsaupdater.exe" and we'll fix the rest later.

**Note that I would not know how to do this Copy part anyways, so when this
next step comes, unfortunately I would need more step by step to avoid
messing up.
***Note that for some reason, when starting my pc this morning for the first
time, my machine did not want to read/start up the cd disk. I went to BIOS
and changed the boot order for now, and luckily I was able to get CD to let
me do all this RC stuff noted here.
Thanks Jose and will await yet another step.


-*********************************************************************-

"Jose" <jose...@yahoo.com> wrote in message

news:78ae1846-74b1-4bfd...@r24g2000yqd.googlegroups.com...

Daave

Dec 18, 2009, 1:22:07 PM
Marcy wrote:
> I did see a
> suspicious/malware file in there with a similar name,
> winupdate86.exe.

FYI:

http://www.bleepingcomputer.com/startups/winupdate86.exe-25303.html


Jose

Dec 18, 2009, 4:05:26 PM

Still in the system32 folder :)...

You renamed the userinit and winlogon. Then you expanded replacements
from the CD so that gives you a .old (the old one) and a .exe (the
expanded one). You are doing fine.

Sounds good so far except for the winupdate86.exe. I somehow got
stuck on thinking winlogon - that indeed appears to be malware and so
rename it to something else, reboot... Thanks to Daave for the
reminder. It presents other symptoms while you are running, but it
should not be there. The Internet seems to tell you about it and what
it does, but not too much what to do about it. Check if you have
winlogon86.exe, and if so rename it too.

You could still have the wsaupdater issue so if the same symptoms, copy
the userinit.exe to wsaupdater.exe, reboot...

We need to know what happens on the two reboots.

We just need to get you running and back on the Internet so you can
run MBAM and SAS, then fix any residue.

Azy

Dec 18, 2009, 8:47:28 PM
Next step:
Hi,
I did the rename of the malware file from "winupdate86.exe to
winupdate86.old". I rebooted using the HD to see if it fixed the login prob.
Nope. Still doing the same thing and staying stuck in Windows blue logon
part.

I rebooted then went on to do the copy thing: " copy userinit.exe
wsaupdater.exe "
I again rebooted and I am still stuck on the Welcome screen. It won't advance
after that.

*I rebooted back to RC once again and note the following.....
*Note: the winupdate86.old is there (not winupdate86.exe). ALSO,
wsaupdater.exe is showing now, finally.
Thanks and I will check back for next step.
*****************************************

"Jose" <jose...@yahoo.com> wrote in message

news:a317c145-df22-40ad...@m25g2000yqc.googlegroups.com...

Marcy

Dec 18, 2009, 9:09:31 PM
SORRY about the reply from "Azy" - I had to borrow another pc to continue
working/troubleshooting on my laptop and forgot to do the post from my other
pc. Here is my same reply under me, Marcy:

Next step:
Hi,
I did the rename of the malware file from "winupdate86.exe to
winupdate86.old". I rebooted using the HD to see if it fixed the login prob.
Nope. Still doing the same thing and staying stuck in Windows blue logon
part.

I rebooted then went on to do the copy thing: " copy userinit.exe
wsaupdater.exe "
I again rebooted and I am still stuck on the Welcome screen. It won't advance
after that.

*I rebooted back to RC once again and note the following.....
*Note: the winupdate86.old is there (not winupdate86.exe). ALSO,
wsaupdater.exe is showing now, finally.
Thanks and I will check back for next step.
*****************************************

--

Thanks so very much for your help-! ! ! !

"Jose" <jose...@yahoo.com> wrote in message

news:a317c145-df22-40ad...@m25g2000yqc.googlegroups.com...

thanatoid

Dec 18, 2009, 10:42:32 PM
"Azy" <m...@mr.com> wrote in
news:#TD110Eg...@TK2MSFTNGP02.phx.gbl:

> Next step:
> Hi,
> I did the rename of the malware file from "winupdate86.exe
> to winupdate86.old". I rebooted using the HD to see if it
> fixed the login prob. Nope. Still doing the same thing and
> staying stuck in Windows blue logon part.
>
> I rebooted then went on to do the copy thing: " copy
> userinit.exe wsaupdater.exe "
> I again rebooted and I am still stuck on the Welcome
> screen. It wont advance after that.
>
> *I rebooted back to RC once again and note the
> following..... *Note: the winupdate86.old is there (not
> winupdate86.exe). ALSO, wsaupdater.exe is showing now,
> finally. Thanks and I will check back for next step.
> *****************************************

<SNIP>

Since this is not an XP-specific problem, I will dare to comment
even though I am new to the XP groups.

A lot of malware will not allow itself to be deleted or renamed
within Windows, or it will "come back" anyway.

The only solution I have found is to have DOS and/or
Win9x/whatever on another partition (I know that is somewhat
difficult to achieve if you have XP installed on your only
partition) and delete all the problematic stuff "from the
outside" using one of the other OS's.

I don't know if I would dare to do it myself, but you /probably/
have enough free space to create another partition with a third
party partition program and then move XP /as is/ (ie infected)
to D or E or whatever - if possible, it may not be - and put DOS
on C and then delete the malware as described above. You /might/
end up losing all your data, but you might end up losing all
your data ANYWAY.

/Only/ the system and progs should be on C. Partitions are VERY
useful. That's why /no/ new computers come with any except C.
The "hidden backup partition" and RC's are largely mythical and
highly vaporous beasts from what I have heard and read, and not
what I am talking about anyway.

I had 16 virtual drives on a 40GB drive once and I was happy
happy happy. NO partition ever took more than a minute to
defrag, in 95B, and restoring C from an Acronis image when
something went wrong took all of 5 minutes.
