Link to home
Start Free TrialLog in
Avatar of kenabbott
kenabbottFlag for United Kingdom of Great Britain and Northern Ireland

asked on

usrinit removal problem

I have a laptop with Windows 2000 on it.  This morning Sophos detected a worm (I think it was w32/Maddis) but couldn't remove the file:


I then followed the removal instructions which were to start the laptop in safe mode and delete the file.  However now when I start the laptop it gets to the login screen, it accepts my login but after a few moments it returns to the login screen - thus it seems stuck in an endless loop.

All help gratefully received

Avatar of knoxj81


*** Turn off System Restore , if your infected***

1) Run a FREE online virus scan,   - Even though you hopefully already have a virus scanner, it’s always nice to get another opinion.

2) Adware Personal SE:  - be sure to run the update after you have completed the install.

3) CWSheddar -  - This is good to run just to make sure.

4) HiJackThis - which you’re already have, so just post log to site I gave you above to make sure the other products didn't miss anything.

If hijack this looks ok, reboot and move along to PREVENTION.


1) Virus software: If you have money buy, Kaspersky, , otherwise go with: AVG 7.0 FREE - . Kaspersky is extremely useful for it blocks malicious scripts from the web, which a large percent of spyware comes from, also has definitions for adware/riskware/malware/etc.

2) Software firewall: Sygate Personal Firewall: - both a Pro version for money, or use the free edition. This is user friendly and one of the only software firewalls that prevent .DLL injection, which is commonly used with trojans/keyloggers.

3) Run windows updates to make sure you are fully patched. Also might want to try: - great to to analyze your system. You'd want to run this as soon as you plug into the internet.

4) Spyware Blaster -
This is great for blocking dialers and other spyware form accessing your computer. Works with both IE & Mozilla and updates and free as well. Doesn't have to be running, just install, updated, "enable all protection" and follow those steps once a week or so.

5) Always a good idea to have a backup browser, these days tons of exploits are publically released against Internet Explorer. I'd check out Firefox:

Additonal clean up:
CCleaner -
This program will clean out, temp, temp internet files, all the other junk that sites around on the computer, will help performance.

RegCleaner -
This program will remove any missing or invalid registry entries as well as perform a complete backup of changes you made. Very nice addition to system maintainance.

With these programs I’m confident this resolve your issue. I use these same programs on a daily basis and have yet to be let down. Please don’t hesitate to reply with any questions or concerns. I’ll also provide you with a few link resources to keep up to date on daily threats!

SANS Institute:
This site has a daily diary that keeps on top of all the latest threats. I live by this site. If you a real security freak, you can get the system tray icon at:

McAfee Portal Site:
Great to see the latest virus/exploit threats on a daily level, which is the most active, etc.

Analyst's Diary (

Congrats and good luck,

Avatar of SheharyaarSaahil
hmmm i think that either you deleted the valid userinit.exe file OR the registry was containing this usrinit.exe file value and as the file is removed now...... the registry is blank! :-?

It normally happens in BlazeFind adware removal procedure, as described in these two links,
Unable to Log On To Windows XP After Removing wsaupdater.exe

Unable to logon to Windows after removing BlazeFind using a spyware removal utility?

So in your case, if you are having an ERD commander like CD which can be booted with to enter into the system, we can try to edit the registry to restore the correct values,,,,, OR try a repair install of Win2000, which will not delete your data and programs, and will restore all the windows files and registries :)

How to Perform an In-Place Upgrade of Windows 2000:;en-us;292175&Product=win2000
knox.... he cannot enter into the system even to try atleast one software from the list...... the problem here is that the Userinit registry key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is either have wrong value or blank...... its needed to be pointed to the correct file that is C:\Winnt\System32\Userinit.exe, :)
and btw he mentioned that he is having Win2000.... and Win2000 has no system restore to turn off! :)
Avatar of knoxj81

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Make a boot disk of:

This has a built in registry editor which will alow you to fix the key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

It should say something like:

I think you can get the original userinit.exe back by booting off your XP disk, going to recovery console, and using the EXPAND command. See: for EXPAND syntax.
If he can do all that, your bootdisk idea is a huge waste of time.

Good Luck,