Userinit Issue

This is about a serious issue that disables users from logging on to their computers.
The cause for this issue may be one of the following:
  • Spybot S&D 1.3 with current detection rules without HellzSpy infection.
  • Spybot S&D 1.4 with current detection rules and HellzLittleSpy infection
These are errors caused by dated versions of Spybot S&D in combination with detection rules designed for the current Spybot S&D 1.5.2.
Symptom:
Logoff will occur directly after login.

Now the important part: How to regain login to the computer without the need for a reinstall. Please note that there are more methods to do this, the following have been chosen by me because they do have some advantages over other approaches.

1. Method: Remote Registry
The fastest and easiest way is to remotely connect the Windows Registry and edit it.
Requirements:
  • 2nd Computer in Network
  • remote registry service must run (default)

First you will need to start regedit on the 2nd computer.

Then select "File" - "Connect Network Registry..."
You will see the next screen where you can enter the network name or the IP address of the computer affected by the userinit issue.
In this example the IP is 192.168.13.172, yours is usually a different one. You may be prompted for user name and password, enter a user with administrative rights.


The next step is to navigate to the required location within the registry.
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The required default value and data:
Code:
for Windows XP
Userinit=c:\windows\system32\userinit.exe,

for Windows 2000
Userinit=c:\winnt\system32\userinit.exe,

Now edit the Value "Userinit"


As soon as the correct data has been entered the user can log on to the computer which had the userinit issue.

2. Method: Offline registry tools and password resetter
Requirements:
This tool requires a 2nd computer to download and create a bootcd, there are no further requirements.

The download can be found here
Download size is about 3 MB, which is quite small and makes this method recommendable.

Once the CD is created the userinit affected computer needs to be started with this CD.

After the boot procedure has been completed, the system asks for the boot partition.
Usually the choice would be "1".
In my example it is "2".

Screenshot 1

After that the path to the registry is asked. By default the correct path is already given, so this can be accepted by pressing the enter key.

Screenshot 2

Next choose "2" : RecoveryConsole parameters [software]

Screenshot 3
On the next prompt choose "9" Registry editor

Screenshot 4
The system now enters a bash console like navigation for the Software key of the Registry.
Following commands may be helpful:
Code:
note that Names are case sensitive
ls - will list the current key contents
cd <$keyname> - will open the key given in <$keyname>
cd .. - will go up one layer of the key structure
ed <$valuename> - will open prompt to edit the value specified in <$valuename>

So entering:
Code:
cd Microsoft\Windows NT\CurrentVersion\Winlogon
Will lead you to the required location.
Screenshot 5
The command ls will list the contents.
Type
Code:
ed Userinit
Screenshot 6

Now enter the required Data for the Userinit Value:
Code:
for Windows XP
c:\windows\system32\userinit.exe,

for Windows 2000
c:\winnt\system32\userinit.exe,

Screenshot 7

With the following command the Data of the Userinit Value can be confirmed:
Code:
cat Userinit

Screenshot 8

If the data is correct you can now enter q to quit the registry editor mode.
Enter q again to exit the Software Hive.
You will now be prompted to save, enter y to save.

Screenshot 9

After that a prompt for a new run appears, enter n for no.
Screenshot 10
Reboot normally and log on to Windows.


Method 4:

This Method can be used in conjunction with Method 2 to restore login. The main issue with Method 2 is that it does not work if the NTFS file system is flagged as "dirty". Method 4 will remove this:
This option is valid for both Windows 2000 and Windows XP, only paths differ on both systems.

Requirements:
  • NTFS capable boot disk like NTFS4Dos
  • Offline Recovery tool from Method 2
  • both tools can be found on the Ultimate Boot CD: Filesystem tools - NTFS Tools

Overview of steps:
  1. Start NTFS4Dos
  2. Copy and Backup of Software registry key (note: it is possible to end here)
  3. reboot and shut down properly
  4. restore latest Software registry key
  5. reboot directly to bootcd and apply method 2

Detailed description:

1. Start NTFS4Dos
If you start NTFS4Dos from the Ultimate BootCD (~115 MB download will require CD) you will find it in Filesystem Tools - NTFS Tools
Once started you will be required to enter "yes" to confirm that you use it for personal use only.

NTFS4Dos is owned by Avira and can also be downloaded from Avira's website (~1.2 MB download, will require floppy disk).

2. Copy and Backup of Software registry key
What you need to do here is to backup the current software registry key and copy the backup software registry key.
Enter the lines in code according to your OS.

Windows 2000:
Code:
cd c:
or
c:


cd c:\Winnt\system32\config
rename software software.bak
copy c:\Winnt\repair\software software

Windows XP:
Code:
cd c:
or
c:


cd c:\Windows\system32\config
rename software software.bak
copy c:\Windows\repair\software software

3. reboot and shut down properly
At this point it is possible to get a proper login for Windows again. But since the Software key has been replaced by an old version most software is not properly registered anymore. If the latter does not matter to you, you may stop here otherwise follow the next steps.
You will need to properly shut down Windows, to make sure that the dirty flag is not set again. A safe way to ensure this, is to boot into safe mode twice and shut down using Windows functions namely "restart".

4. restore latest Software registry key
Now boot with NTFS4Dos again.
This time we will restore the file we renamed to software.bak earlier:

Windows 2000:
Code:
cd c:
or
c:

cd c:\Winnt\system32\config
rename software software.oldbackup
rename software.bak software

Windows XP:
Code:
cd c:
or
c:


cd c:\Windows\system32\config
rename software software.oldbackup
rename software.bak software

Remember that you now have a corrupted Registry again, so do not try to boot Windows now or the NTFS may get "dirty" again.


5. reboot directly to bootcd and apply method 2
Now follow the steps described in Method 2.
Changes should be writeable now.

edit3: corrected paths as reported by shame2
edit4: added Method 4 , removed Method 3 to save space
edit5: corrected wrong path for Windows XP
edit6: added further instructions for method 4
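
An added example (not part of the original post and not Spybot or boot-CD code): a Python check of the Userinit data that Methods 1 and 2 restore, useful for confirming the value before the next logon attempt. It assumes the Winlogon key's values are available as text in the layout `reg query` prints; the sample dumps, the `c:\constructed\other.exe` path and the status names are constructed for this example.

```python
import re

# Default Userinit data per OS, exactly as given in the post above.
EXPECTED = {
    "xp": r"c:\windows\system32\userinit.exe,",
    "2000": r"c:\winnt\system32\userinit.exe,",
}

# One value line of `reg query` output: name, type, optional data.
VALUE_LINE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)(?:\s+(?P<data>.*))?$")

# Constructed sample dumps of the Winlogon key (not captured from a real machine).
DUMP_MISSING = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
"""
DUMP_XP = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""
DUMP_EXTRA = DUMP_XP.rstrip() + r"c:\constructed\other.exe" + "\n"


def read_userinit(dump):
    """Return the Userinit data found in the dump, or None if the value is absent."""
    for line in dump.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group("name").lower() == "userinit":
            return (m.group("data") or "").strip()
    return None


def check_userinit(dump, os_name):
    """Classify Userinit for os_name ('xp' or '2000') as (status, data_to_enter)."""
    expected = EXPECTED[os_name]
    data = read_userinit(dump)
    if data is None:
        return "missing", expected          # value gone: the logon/logoff loop
    # Assumption of this example: the data is a comma-separated list of
    # programs, compared case-insensitively, so the trailing comma is a separator.
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    if not entries:
        return "empty", expected
    want = expected.rstrip(",")
    other_roots = {v.rstrip(",") for k, v in EXPECTED.items() if k != os_name}
    if entries == [want]:
        return "ok", None
    if len(entries) == 1 and entries[0] in other_roots:
        return "wrong-os-path", expected    # e.g. the Windows 2000 path typed on XP
    if entries[0] == want:
        return "extra-entries", expected    # something else also starts at logon
    return "unexpected", expected


if __name__ == "__main__":
    for label, dump, os_name in [("missing", DUMP_MISSING, "xp"), ("xp", DUMP_XP, "xp"),
                                 ("xp path on 2000", DUMP_XP, "2000"), ("extra", DUMP_EXTRA, "xp")]:
        print(label, check_userinit(dump, os_name))
```

Any status other than "ok" comes with the data the post says to enter for that OS; "extra-entries" is worth reviewing by hand before overwriting, since it shows what else was set to run at logon.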
 
this is the direct download link to the bootdisc image.

Save the file to disk, then extract it, then burn the extracted file with the burn iso option of your cd burning software.
 
Yes, thank you all at Spybot (best virus in the world) for toasting my computer. I wonder if we can name a new virus...the hellzlittlespy Vers. 1.3 virus that wasn't a virus...but toasted more computers than any before? I have now spent 7 hours trying to fix the registry of my computers using all of the methods on this and other forums. Your "Solution #2" does not work. Guess what...it does not work. I burned the image onto cd and booted from that cd. Everything went as shown on the screen shots, but the registry was not changed from the one that is now defective.....due to your software...and only your software. In the beginning of trying to use the iso disk, it comes up with a statement that the computer has to be started in Safe Mode twice because no changes can be made without this. However, the computer cannot be started in Safe Mode due to your software removing the code it needs in the registry to start in Safe Mode. Why don't you screw up one of your computers.......and see that your solution does not work.....what now Sherlock?
 
"Note: Windows AIK does not install with Windows 2000, creation of the CD requires Windoiws XP or higher. CD can also be used to fix affected Windows 2000 computers".

What does this mean? I know English isn't your primary language (nor mine)......but what are you trying to say...as the sentences make no sense.
 
....can you address a fix to your iso file that will not require two "safe mode" starts to access the boot drive? After numerous bad starts to the password/desktop screens, method #2 won't work because the iso/boot disk is not able to write to the boot area of c:
 
I went with method 2. All went well with download of offline registry tool.
When I come to-- "On the next prompt choose "9" Registry editor" it changes pages and prompts "What to do" "Simple registry editor"

I enter: cd Microsoft\Windows NT\CurrentVersion\Winlogon--just like example.

It gives back: (...)\Windows NT\CurrentVersion\Winlogon
as though it can't read it.
I have repeated 4 times.

Has anyone used this method who could help.
Thanks for your help.
 
...so I guess that's it...no answers and nothing works.....even the replacement lines of code are written wrong....great! What can you do about the "mounted" issue on using method #2. Thanks.
 
"Note: Windows AIK does not install with Windows 2000, creation of the CD requires Windoiws XP or higher. CD can also be used to fix affected Windows 2000 computers".

What does this mean? I know English isn't your primary language (nor mine)......but what are you trying to say...as the sentences make no sense.
--------------------------------

It makes perfect sense to me (as an English man from England).
The program can only be installed on Windows XP.
Also the CD can only be created while using Windows XP, but the CD can be used to help fix Windows 2000 systems.

secondly
Code:
 cd Microsoft\Windows NT\CurrentVersion\Winlogon
should be
Code:
cd Microsoft\Windows NT\CurrentVersion\Winlogon
(there should be no space before the "cd" part).

thirdly:
thank you all at Spybot (best virus in the world) for toasting my computer......
isn't the best way to get help at any time, Spybot is FREEWARE. The people who code Spybot are humans after all, and can and probably do make mistakes.
On top of which a lot of problems with PCs are helped caused by the user (because of not knowing or laziness), if you simply checked you had the correct version once a month then this could have been prevented.
 
@ walker
....can you address a fix to your iso file that will not require two "safe mode" starts to access the boot drive? After numerous bad starts to the password/desktop screens, method #2 won't work because the iso/boot disk is not able to write to the boot area of c:

1. I am not the author of the boot disc, I am just presenting methods to deal with this issue.

2. If the boot disc tells you that you will have to reboot into windows safe mode twice so it can write, then you should follow that instruction.

To get into Windows safe mode you need to press F8 after the Bios screen and before the graphical Windows boot screen.
Choose to boot into safe mode, if it is not present press F8 again.
After Windows has booted into safe mode (do not try to login), restart the computer properly:
choose to "shut down" then "restart". If you do not see the option for shutting down click the options button.
repeat this procedure, then boot from the bootcd from method 2, it is now possible to write the changes.
 
...that's the whole problem with this...you can't get into safe mode....the loop is before safe mode generates.

As to the English comment....what can I say....sorry......the explanation now makes sense.

I understand it is freeware and no one really has any responsibility here as far as spybot goes....but this particular issue is one that has some moral implications. If a company has freeware...and tells everyone that they are not going to support it.....and piss off...that is fine with me....but to have this error occur in this particular fashion is the root of the issue. It is highly unusual (to upgrade the software)...and to completely toast the computer. It has never happened to me before...and I have never heard of anything like this. Malfunctions, software error, complications...yes....registry removal...no. Also, I reiterate that there was no message to upgrade...and yes...I never checked the forum to see that upgrades were available. The software worked fine and I saw no reason to start looking for trouble. I don't think that this is the issue at this point though. Just getting that line edited is....but no one has the answer.
 
errata

Method 4:>section 4:

"Windows XP:
Code:
cd c:\Winnt\system32\config
rename software software.oldbackup
rename software.bak software "

first line of code should read:

cd c:\Windows\system32\config

for Windows XP

(delete this comment after correcting above. Don't want to add to the confusion here).
 
OK...at method #4.....have you actually taken this boot disk from the Avira site and then booted to it? It has a bunch of stuff in German......which is the choice?......there was something in English...then it bypassed it as I was trying to decide what to do.

Can you set this up in a logical, non computer expert manner....like;
1. boot to floppy.
2. choose choice #2......blah, blah
3. At prompt type...blah, blah

You are assuming that the floppy does something that maybe it doesn't....I'm not sure...........so far all I have off this Avira Disk is "Defragmenter and Checkdisk".....nothing else.....but a bunch of questions.....in German...then back to Checkdisk. Did anyone there actually test this disk to see what is on it?

...as to Ultimate Boot Cd...where is it?...the site you show has no download.......

.....update..........

you guys are unbelievable...yeah, I know...it's my fault......complete hobbyist disk.....finally get to a:\.........after about 20 reboots.............now....

your commands above...wtf......cd...change directory......to C:\ in dos is not what you have.....it is a> C: (enter)......

What about the ren command?...I cannot follow what you are doing.

Then;

Windows 2000:

Code:
cd c:\Winnt\system32\config
rename software software.oldbackup
rename software.bak software

wtf?...........change directory of C:\winnt\system32\config

Then What??
rename software software.oldbackup
rename software.bak software


Why don't you try this again and give the commands as they are entered......with "return"
 
rename software software.oldbackup
rename software.bak software

rename what...where...why not enter this as a proper command in dos.....?
 
Windows 2000:

Code:
cd c:\Winnt\system32\config
rename software software.bak
copy c:\Winnt\repair\software software

I don't even know what I did now.......I got it to the given directory cd C: (return)
C:\winnt\repair\software.bak

You have to show this in the proper entry manner.......you are assuming some knowledge of programming in dos.

Also what to do on the second entry?

(this method will work as i tried ...I can get into a safe mode with a disastrous windows errors problem...but it does force past the password screen now)

I am not sure what the file is...something like software software.bak

What to do on the second string?

I am holding off until someone can help me.

I did try the bootable registry editor disk and the error message that it will not write because it is "dirty" is now gone....small miracle!!
 
Goodbye to the children at Spybot...my farewell;



To Chi-Va
....it figures....don't take this the wrong way...I appreciate all you have tried to do and the time spent......the NTFS disk is also a quirky piece of shit. If you download the disk from the Avira site and boot to floppy in your Win 2000 machine, you will see what I mean. It does not go directly to the "yes" in reference to using for private use. It has a whole bunch of other stuff going on....prompts written in German......requiring what???...I don't know...it freezes....it asks over 20 bootup questions....all this is not mentioned by anyone...making me believe that no one actually looked at the disk from the download. When you try to change the directory, the original poster had a lot of mistakes in the coding......just the windows/winnt stuff was posted wrong......then we get to the A prompt and the difficulty in changing the directory in the first place. So, I probably did do something wrong........the original instructions posted were horrible...it implied that the user knows how to use dos commands....and again, the software is all f'ed up.

So, it figures that in the back-up folder of spybot nothing exists. I did get to the last folder by unchecking the boxes to see the hidden folders...nothing there.

We are both spending too much time on this......thank you for all you tried to do.

My feelings about Spybot have not changed.....nice hobbyist software for computer geeks who are into the computer as a hobby and as an educational "experience". I never should have used the software in the first place......freeware is not supported usually....it's a kid somewhere who writes some code and gets it onto the net. Spybot is a bit different because of their commercial enterprise, but the forum is not watched properly and the software is buggy to say the least.

This entire go around about going with a newer version is silly, stupid and childish. If I have working software that is continually updated...with no mention of upgrades in pop ups....why would I go out and try to get a newer version...which usually has a ton of bugs and problems and forums and questions and disasters?....I stay with what works.....v. 1.3 worked up until the update containing the malicious code......and it was malicious code, no matter what Pepi and the crew want to go with. For an update to toast a registry by removing a line that gets you into windows....that is malicious.

I am done....I will take my lumps and move on. The drive will be wiped clean and I will spend the hours necessary to get this going. No files are lost as I have access to the drive.....but Spybot you certainly Suck the big banana!!

Chi-va...thanks for everything.....I really mean it.
 
Help. I keep trying things and making progress, but I keep getting stuck.

I am trying to fix a computer running XP home edition. It is a remote computer and I tried to use Method 2 above. I created a bootcd and was able to follow all of the instructions, but I still have the log on/log off problem. I have repeated the procedure several times and the code:

c:\windows\system32\userinit.exe,

appears to be correct.

Then I read method four and I created the ubcd411. I boot this and go through all of the instructions and get an A:\> prompt. I enter:

cd c:\Windows\system32\config

and I get a message:

CHDIR failed for 'c:\Windows\system32\config'

If I simply try cd c: then a C:\ appears in a line, then the next line reverts back to A:\>


Any suggestions?
 
....see VaDave above...same experience as me.....I was using Win 2000 Pro...but the NTFS disk acts the same with all the questions and having to fiddle around to get to the "a" prompt.

Dave...if I can make any suggestion to you at all, I would stop using this method of trying to get out of this problem. If you make an entry wrong (and that's easy as the NTFS disk is no good).....your old registry (the one that got toasted)...can never be brought back, as it is overwritten. They didn't tell you that?
 
Probably best to just delete the entire blog.......lesson learned......don't delete any files picked up by any software as they might have important registry code in them and might in fact be false positives for a virus, even though the virus is not there. Or, spend 10 hours a day on search engines trying to determine if others got hurt before you and posted to some forum or other web page describing what happened, so you can not do what they did when they deleted their registry or some other disaster occurred. Or maybe it is best if we all called each other after files are marked for deletion....then discussed the virtues of the deletions over some tea and apfelstrudel. After we arrive at a decision, then it would be up to each individual if he/she would like to make the deletion and hopefully a re-boot at some future date might be possible (or not!!).
 
sorry boys, my bad for forgetting one thing in method 4.

before you can do anything on drive c you need to switch to it first with:
Code:
cd c:

or 

c:
this actually depends on the command prompt you use
this has been added above
 