Windows XP Login Logout Loop (Virus)

Don't let the virus win!

I’m writing this post with the hope that it will be helpful to people who face the same computer predicament that I did a few days ago. Here’s a little bit of background information: Last Tuesday I met John Chol Daau, who is from Sudan. He grew up as one of the Lost Boys of Sudan, forced to leave his home and wander hundreds of miles through Africa to survive. If you don’t know much about this particular humanitarian issue, I suggest spending a small amount of time reading up on it. Anyway, John told me that his PC was experiencing a debilitating virus, and asked if I would look at it. I said that I would. After spending quite a bit of time reading through various website forums, here’s a short description of the problem and its solution:

Problem: The PC (which runs Windows XP with SP2) starts normally. The Windows splash screen appears correctly and then the login prompt loads correctly. You can enter your user name and password as normal, but as soon as you try to log in you are IMMEDIATELY logged back out again. The desktop doesn’t even load. It moves immediately back to the login window, where you can enter your user name and password again. No matter how many times you try to log in, you always experience this immediate logout. Even if you try to log in to the computer in safe mode, you still experience the same problem. This problem is documented on Microsoft’s website here.

Solution: I’m sure this behavior can be caused by many different problems, but the most common cause is a virus. If you’re familiar with the Windows registry, this virus changes a few registry key values, which makes it impossible to log in to your computer. If you’re not familiar with the registry, don’t panic. I’ll post links to a few articles that very clearly explain how to fix this problem. Basically, the virus makes two very simple changes to your computer that render it useless. In order to fix the problem, you have to change these two things back to the way they were while your computer was working.

Easy Fix: The “easy” solution to this problem can be found here. In order to use this fix you have to have your Windows XP install CD. This is the CD that contains the files necessary to install the operating system on your computer. You probably have this disk stashed in a drawer somewhere. You should note that there’s a difference between the Windows XP install CD and the recovery CD that may have shipped with your computer. It’s possible that your computer didn’t come with a Windows XP install CD when you bought it. Sometimes computer manufacturers will only ship you a recovery disk, which is altogether different. You need your Windows XP install CD so that you can run an application called the Recovery Console. The link above should provide documentation on how to use the Recovery Console. Unfortunately, this fix didn’t work for John’s computer, but it may work for yours.

Slightly Harder Fix: This fix is the one that ended up working to fix John’s computer. A detailed explanation of this fix can be found here. It requires you to have access to another Windows PC with a CD burner (even if it’s a friend’s computer). You have to download a program called BartPE, which is one of the greatest recovery tools that exist. For this particular problem, BartPE will enable you to quickly change the two settings that the virus messed up. You may need a Windows XP install CD for this method as well, but it may be possible for the program to find what it needs from your friend’s computer without access to this disk.

If you have any questions, please feel free to contact me. The above links should give you the tutorials you need to fix the problem. And if you use a PC you should use a virus protection program! If you don’t, you’re asking for trouble! Good luck!


you are the man.

dan

That does sound quite debilitating!

As I sit here on my PowerMac G5, though not perfect, I feel a sadness for all Windows users. Since my computer is one of only two Macs on our church network, the abundance of PCs provides great job security, as there are issues that arise every week.

Have you had any experience with Vista yet?

No, I haven’t really played with Vista as of yet. My MS program currently requires XP more or less, so I don’t feel like installing it under Boot Camp only to find that there’s going to be weird issues with it. I’ve already run into some of the Office 2007 backward compatibility issues, which was enough to make me cringe. Once Leopard comes out in October (or whatever it ends up being) I’m sure that I’ll finally install Vista on my own machine.

I’m working in Macalle’, Ethiopia. Here there are some computers with the same behaviour, but your solution didn’t work :(
At least I found how here:
http://www.dotnethell.it/forum/messages.aspx?ThreadID=7796
(sorry, Italian only!).
N.B. Moreover, I also found this registry value corrupted:
HKey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
The right value should be “explorer.exe”; the infection changed it to c:\recycled\svchost.exe

Hi,
I encountered a problem while loading the hive; after typing MyXPHive as you suggested, I clicked the OK button and this message showed up: “Cannot Load X:\i386\SYSTEM32\CONFIG\SOFTWARE: Access is denied.”
Why this info and what could be the solution?
Thank you.

My first thought would be to make sure that you’re referencing the correct drive letter. Make sure that it’s X: on your system rather than something else. I vaguely remember this happening to me at first as well, but I realized that I was pointing at an incorrect location. You want to make sure that you’re searching for your Windows installation drive.

The answer for Nath is not clear:
“X:\i386\SYSTEM32\CONFIG\SOFTWARE: Access is denied.
Why this info and what could be the solution?:”

Great solution!! Worked for me here too!! You’re great! Thanks for the information.

“You need your Windows XP install CD so that you can run an application called the Recovery Console. The link above should provide documentation on how to use the Recovery Console. ”
Sorry, but I can’t see that link above.
Thanks

Oh dear got it I must be blind…

I’m having the same problem as Nath. Anyone have a solution?

Hi, I did follow the steps until KEY_USERS \ MyXPHive \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon to edit userinit’s key, but it doesn’t have a userinit entry in there. Please help me with what I can do. Thank you very much.

“X:\i386\SYSTEM32\CONFIG\SOFTWARE: Access is denied.”

Can someone please help me with this problem?

Must I use my Windows folder under C:\ or the BartPE folder under X:\ when loading the MyXPHive file?

Funny… I’m browsing your site from Southern Sudan, where I’ve been trying to fix the same issues with a couple of PCs here. I say funny ‘cos the background of this posting was an issue with one of our lost boys from the beloved Southern Sudan.

Thnx..

“X:\i386\SYSTEM32\CONFIG\SOFTWARE: Access is denied.”

Did anyone solve this?

Thanks

Dave

You have to map to your PC from another PC. Then do the following: run regedit, then click File, Connect Network Registry, and put in the PC name of the affected PC.

For Windows XP:

Navigate in the registry on the infected PC to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the right pane look for Userinit and the path should point to: C:\WINDOWS\system32\userinit.exe,
Make sure you add the “ , “ at the end.

For Windows 2000:

Navigate in the registry in the infected PC to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the right pane look for Userinit and the path should point to: C:\WINNT\system32\userinit.exe,
Make sure you add the “ , “ at the end.
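The Userinit values given in the comment above and the Shell value reported in the earlier comment can be checked together before anything is edited. The following is an added example, not code from the post or its commenters: it parses the text of a `.reg` export of the Winlogon key (from the live registry or from an offline hive loaded as MyXPHive) and reports values that are missing or differ from the expected ones. The function names and the sample export are constructed for illustration.

```python
import re

# Expected values as stated in the comments on this page (XP default path).
# For Windows 2000 pass an `expected` dict with C:\WINNT\system32\userinit.exe,
EXPECTED = {
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "shell": "explorer.exe",
}
# Matches HKEY_LOCAL_MACHINE\SOFTWARE\... and a loaded hive such as HKEY_USERS\MyXPHive\...
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:  # undo the .reg escaping: \\ -> \ and \" -> "
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                current[name] = data
    return keys

def audit_winlogon(text, expected=EXPECTED):
    """List (value_name, problem, actual_data) for every deviation under Winlogon."""
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().endswith(WINLOGON_SUFFIX):
            continue
        lowered = {k.lower(): v for k, v in values.items()}
        for name, want in expected.items():
            got = lowered.get(name)
            if got is None:
                findings.append((name, "missing", None))
            elif got.strip().lower() != want.lower():  # Windows paths ignore case
                findings.append((name, "unexpected", got))
    return findings

# Constructed sample export; the Shell data is the value reported in the comments.
# Real "Version 5.00" exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\MyXPHive\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="c:\\recycled\\svchost.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

if __name__ == "__main__":
    for name, problem, data in audit_winlogon(SAMPLE):
        print(f"{name}: {problem} ({data})")
```

A "missing" result corresponds to the situation several commenters describe, where the Userinit value is not present under Winlogon at all.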

Dear Ian Luke Kane,

Thank you for this well written article. It was of tremendous help. Though in my case the Easy Fix did not work, the Slightly Harder Fix did work beautifully.

I sent a note of gratitude to Bart and made a donation for the software he developed.

For anyone confused about which Windows folder to use when loading the HIVE file found in the instruction for the Slightly Harder Fix (suggested name MyXPHive), the folder is the directory on your PC where Windows XP is installed - not from the BartPE CD or from any other folder, i.e. “c:\windows\system32\config\software” or, if you upgraded from NT, it could be “c:\winnt\system32\config\software” (do not type quotes when entering into the BartPE field).

For some reason BartPE could not display the deeper folder structure of my Windows directory, but this was not a problem; I simply typed the path in the field and it loaded the software HIVE.

Hope this helps.

Thanks again Ian,

Troy

I have loaded the hive and navigated to the correct area however the userinit.exe did not exist, anyone know what to do from here???