The fix I mentioned in my post above worked great. I suggest printing the page @ the link and then working through those steps. I got everything back up and running in about 10 minutes and then waited two Hours for their dialup to update Adaware and AVG.

After I follow those steps I can login then I
Run regedit

Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right pane, you should see

C:\WINDOWS\System32\wsaupdater.exe,

Change it so that it reads:

C:\WINDOWS\System32\userinit.exe


Should it need a "," after "C:\WINDOWS\System32\userinit.exe" ????

Now it's going to login/logoff loop again

no....take out the " " after userinit.exe

Folks, I just ran into this problem at my company. We started using McAfee Anti-Spyware, and it looks like it was trying to clean Blazefind malware from a PC and ended up getting the PC stuck in a reboot loop. The loop worked exactly as described above. The only solution that worked was posted by gerryf above.

Boot with WinXP CD, run repair, rename file as gerryf describes, test OK.
I'd like to add that it is is good idea to re-run Spybot and Ad-Aware after the fix, to finish cleaning off whatever malware McAfee (or other anti-spyware tool) was trying to get when the system was hosed in the first place...

I have thie same login - logout problem, but follwing your instructions and other similar ones found on the net I still cannot login...

Does anyone know a more complete list of the .exe file that maybe the malware prog that is causing this?

I have copied "userinit.exe" and created a "wsaupdater.exe" file and looked for the "iProtect, spooler, winsecure..." files but they don't exist either...

Any ideas anyone?

just one at the moment

from within recovery console, type
dir > apps.txt c:\windows\system32\*.exe

this will create a file called apps.txt in whatever directory you are in listing ALL the executables in system32 directory.

copy that file to a floppy with the following

copy apps.txt a:\apps.txt

take the floppy to another machine then open and paste contents here and maybe we can figure it out

If I type in the following:
dir > apps.txt c:\windows\system32\*.exe

I get "The parameter is not valid..."
The dir command in recovery console appears to offer no switches or options!

Will try it another way (can get in using the repair registry settings as suggested here @ Microsoft but that doesn't actually solve the prob when I use any restore point afterwards!)
So i can get the list from logging in using those basic registry settings...

This post has been edited by Andy_Bee: Apr 28 2005, 03:33 PM

Ok, here it is...

Directory of c:\windows\system32

04/08/2004 08:56 183,808 accwiz.exe
04/08/2004 08:56 4,096 actmovie.exe
04/08/2004 08:56 98,304 ahui.exe
04/08/2004 08:56 44,544 alg.exe
29/08/2002 05:00 12,498 APPEND.EXE
29/08/2002 05:00 19,456 ARP.EXE
04/08/2004 08:56 25,088 at.exe
04/08/2004 08:56 11,264 atmadm.exe
29/08/2002 05:00 11,264 ATTRIB.EXE
04/08/2004 08:56 14,336 auditusr.exe
04/08/2004 08:56 588,800 autochk.exe
04/08/2004 08:56 602,624 autoconv.exe
04/08/2004 08:56 580,608 autofmt.exe
04/08/2004 08:56 11,264 autolfn.exe
08/05/2003 19:15 98,304 BacsTray.exe
04/08/2004 08:56 71,680 blastcln.exe
29/08/2002 05:00 4,608 BOOTOK.EXE
29/08/2002 05:00 5,120 BOOTVRFY.EXE
29/08/2002 05:00 18,432 CACLS.EXE
29/08/2002 05:00 114,688 CALC.EXE
29/08/2002 05:00 80,384 CHARMAP.EXE
29/08/2002 05:00 11,776 CHKDSK.EXE
29/08/2002 05:00 11,264 CHKNTFS.EXE
29/08/2002 05:00 8,192 CIDAEMON.EXE
04/08/2004 08:56 5,632 cisvc.exe
29/08/2002 05:00 7,680 CKCNV.EXE
04/08/2004 08:56 64,000 cleanmgr.exe
04/08/2004 08:56 20,480 cliconfg.exe
04/08/2004 08:56 102,912 clipbrd.exe
04/08/2004 08:56 33,280 clipsrv.exe
04/08/2004 08:56 388,608 cmd.exe
04/08/2004 08:56 47,104 cmdl32.exe
04/08/2004 08:56 39,936 cmmon32.exe
04/08/2004 08:56 63,488 cmstp.exe
17/03/2003 18:39 73,728 CNMCP58.exe
29/08/2002 05:00 15,872 COMP.EXE
29/08/2002 05:00 17,408 COMPACT.EXE
04/08/2004 08:56 27,648 conime.exe
29/08/2002 05:00 8,192 CONTROL.EXE
08/05/2003 19:16 20,480 ControlSuite.exe
29/08/2002 05:00 13,824 CONVERT.EXE
04/08/2004 08:56 98,304 cscript.exe
04/08/2004 08:56 6,144 csrss.exe
04/08/2004 08:56 15,360 ctfmon.exe
29/08/2002 05:00 5,120 DCOMCNFG.EXE
04/08/2004 08:56 30,208 ddeshare.exe
29/08/2002 05:00 20,634 DEBUG.EXE
04/08/2004 08:56 25,088 defrag.exe
04/08/2004 08:56 82,432 dfrgfat.exe
04/08/2004 08:56 104,960 dfrgntfs.exe
04/08/2004 08:56 85,504 diantz.exe
04/08/2004 08:56 163,840 diskpart.exe
29/08/2002 05:00 17,920 DISKPERF.EXE
04/08/2004 08:56 5,120 dllhost.exe
29/08/2002 05:00 4,608 DLLHST3G.EXE
04/08/2004 08:56 224,768 dmadmin.exe
04/08/2004 08:56 15,872 dmremote.exe
29/08/2002 05:00 10,752 DOSKEY.EXE
04/08/2004 06:51 53,840 dosx.exe
04/08/2004 08:56 30,208 dplaysvr.exe
04/08/2004 08:56 18,432 dpnsvr.exe
04/08/2004 08:56 83,456 dpvsetup.exe
29/08/2002 05:00 28,112 DRWATSON.EXE
29/08/2002 05:00 45,568 DRWTSN32.EXE
04/08/2004 08:56 10,752 dumprep.exe
29/08/2002 05:00 55,296 DVDPLAY.EXE
04/08/2004 08:56 17,920 dvdupgrd.exe
04/08/2004 08:56 180,224 dwwin.exe
04/08/2004 08:56 1,298,432 dxdiag.exe
12/12/2002 00:14 44,544 dxdllreg.exe
29/08/2002 05:00 12,642 EDLIN.EXE
29/08/2002 05:00 39,424 ESENTUTL.EXE
04/08/2004 08:56 193,024 eudcedit.exe
29/08/2002 05:00 8,704 EVENTVWR.EXE
29/08/2002 05:00 8,424 EXE2BIN.EXE
29/08/2002 05:00 15,872 EXPAND.EXE
04/08/2004 08:56 45,568 extrac32.exe
29/08/2002 05:00 882 FASTOPEN.EXE
04/08/2004 08:56 20,992 faxpatch.exe
29/08/2002 05:00 14,848 FC.EXE
29/08/2002 05:00 9,216 FIND.EXE
04/08/2004 08:56 27,136 findstr.exe
29/08/2002 05:00 9,216 FINGER.EXE
29/08/2002 05:00 3,072 FIXMAPI.EXE
04/08/2004 08:56 22,528 fltmc.exe
04/08/2004 08:56 20,992 fontview.exe
29/08/2002 05:00 7,168 FORCEDOS.EXE
29/08/2002 05:00 55,296 FREECELL.EXE
04/08/2004 08:56 193,024 fsquirt.exe
29/08/2002 05:00 56,320 FSUTIL.EXE
04/08/2004 08:56 42,496 ftp.exe
04/08/2004 08:56 143,360 fxsclnt.exe
04/08/2004 08:56 229,376 fxscover.exe
29/08/2002 05:00 11,264 fxssend.exe
04/08/2004 08:56 267,776 fxssvc.exe
29/08/2002 05:00 24,576 GDI.EXE
04/08/2004 08:56 39,424 grpconv.exe
29/08/2002 05:00 14,848 HELP.EXE
10/02/2004 11:51 118,784 hkcmd.exe
29/08/2002 05:00 7,680 HOSTNAME.EXE
04/08/2004 08:56 34,304 ie4uinit.exe
04/08/2004 08:56 114,688 iexpress.exe
10/02/2004 11:53 462,848 igfxcfg.exe
10/02/2004 11:53 151,552 igfxdiag.exe
10/02/2004 11:55 94,208 igfxext.exe
10/02/2004 11:55 155,648 igfxtray.exe
10/02/2004 11:55 90,112 igfxzoom.exe
04/08/2004 08:56 150,016 imapi.exe
31/10/2001 16:15 32,768 instlsp.exe
04/08/2004 08:56 55,808 ipconfig.exe
29/08/2002 05:00 44,032 IPSEC6.EXE
04/08/2004 08:56 53,248 ipv6.exe
04/08/2004 08:56 23,552 ipxroute.exe
19/11/2003 16:36 24,681 java.exe
19/11/2003 16:36 28,779 javaw.exe
04/08/2004 06:49 92,224 krnl386.exe
29/08/2002 05:00 9,728 LABEL.EXE
29/08/2002 05:00 29,696 LIGHTS.EXE
29/08/2002 05:00 25,088 LNKSTUB.EXE
04/08/2004 08:56 75,264 locator.exe
29/08/2002 05:00 5,120 LODCTR.EXE
11/08/2004 01:45 96,768 logagent.exe
04/08/2004 08:56 59,392 logman.exe
29/08/2002 05:00 15,360 LOGOFF.EXE
04/08/2004 08:56 514,560 logonui.exe
29/08/2002 05:00 6,144 LPQ.EXE
29/08/2002 05:00 8,192 LPR.EXE
04/08/2004 08:56 13,312 lsass.exe
04/08/2004 08:56 72,704 magnify.exe
04/08/2004 08:56 85,504 makecab.exe
29/08/2002 05:00 39,274 MEM.EXE
29/08/2002 05:00 51,712 MIGPWD.EXE
04/08/2004 08:56 815,104 mmc.exe
04/08/2004 08:56 32,768 mnmsrvc.exe
04/08/2004 08:56 143,360 mobsync.exe
29/08/2002 05:00 8,192 MOUNTVOL.EXE
04/08/2004 08:56 123,392 mplay32.exe
29/08/2002 05:00 22,016 MPNOTIFY.EXE
29/08/2002 05:00 12,800 MRINFO.EXE
29/08/2002 05:00 817 MSCDEXNT.EXE
04/08/2004 08:56 6,144 msdtc.exe
29/08/2002 05:00 20,992 MSG.EXE
29/08/2002 05:00 126,976 MSHEARTS.EXE
04/08/2004 08:56 29,184 mshta.exe
04/08/2004 08:56 77,312 msiexec.exe
04/08/2004 08:56 343,040 mspaint.exe
29/08/2002 05:00 6,656 MSSWCHX.EXE
04/08/2004 08:56 12,288 mstinit.exe
04/08/2004 06:59 407,552 mstsc.exe
04/08/2004 08:56 53,760 narrator.exe
29/08/2002 05:00 20,480 NBTSTAT.EXE
04/08/2004 08:56 4,096 nddeapir.exe
04/08/2004 08:56 42,496 net.exe
04/08/2004 08:56 124,928 net1.exe
04/08/2004 08:56 111,104 netdde.exe
04/08/2004 09:02 329,728 netsetup.exe
04/08/2004 08:56 86,016 netsh.exe
04/08/2004 08:56 36,864 netstat.exe
29/08/2002 05:00 7,052 NLSFUNC.EXE
04/08/2004 08:56 69,120 notepad.exe
04/08/2004 08:56 76,800 nslookup.exe
04/08/2004 06:58 2,056,832 ntkrnlpa.exe
04/08/2004 07:19 2,180,992 ntoskrnl.exe
29/08/2002 05:00 31,744 NTSD.EXE
04/08/2004 08:56 419,840 ntvdm.exe
04/08/2004 08:56 32,768 odbcad32.exe
04/08/2004 08:56 69,632 odbcconf.exe
04/08/2004 08:56 215,552 osk.exe
29/08/2002 05:00 40,448 OSUNINST.EXE
04/08/2004 08:56 58,368 packager.exe
29/08/2002 05:00 21,504 PATHPING.EXE
29/08/2002 05:00 15,360 PENTNT.EXE
04/08/2004 08:56 15,872 perfmon.exe
04/08/2004 08:56 17,920 ping.exe
29/08/2002 05:00 33,280 PING6.EXE
04/08/2004 08:56 49,152 powercfg.exe
29/08/2002 05:00 9,216 PRINT.EXE
04/08/2004 08:56 109,568 progman.exe
04/08/2004 08:56 50,176 proquota.exe
04/08/2004 08:56 9,216 proxycfg.exe
10/03/2004 17:21 406,016 PSDrvCheck.exe
28/10/2003 11:02 53,248 pxhpinst.exe
29/08/2002 05:00 16,896 QAPPSRV.EXE
04/08/2004 08:56 20,480 qprocess.exe
29/08/2002 05:00 22,016 QWINSTA.EXE
29/08/2002 05:00 11,776 RASAUTOU.EXE
29/08/2002 05:00 11,264 RASDIAL.EXE
04/08/2004 08:56 56,832 rasphone.exe
04/08/2004 08:56 35,840 rcimlby.exe
04/08/2004 08:56 21,504 rcp.exe
04/08/2004 08:56 62,464 rdpclip.exe
04/08/2004 08:56 13,824 rdsaddin.exe
04/08/2004 08:56 67,072 rdshost.exe
29/08/2002 05:00 7,168 RECOVER.EXE
04/08/2004 06:48 3,338 redir.exe
04/08/2004 08:56 50,176 reg.exe
29/08/2002 05:00 3,584 REGEDT32.EXE
29/08/2002 05:00 33,792 REGINI.EXE
04/08/2004 08:56 11,776 regsvr32.exe
29/08/2002 05:00 4,608 REGWIZ.EXE
29/08/2002 05:00 12,800 REPLACE.EXE
29/08/2002 05:00 9,728 RESET.EXE
04/08/2004 08:56 13,824 rexec.exe
08/05/2003 19:16 28,672 RmvBACST.exe
29/08/2002 05:00 19,968 ROUTE.EXE
29/08/2002 05:00 25,600 ROUTEMON.EXE
04/08/2004 08:56 14,848 rsh.exe
29/08/2002 05:00 49,152 RSM.EXE
29/08/2002 05:00 24,576 RSMSINK.EXE
29/08/2002 05:00 49,152 RSMUI.EXE
29/08/2002 05:00 132,608 RSVP.EXE
04/08/2004 08:56 77,312 rtcshare.exe
29/08/2002 05:00 16,384 RUNAS.EXE
04/08/2004 08:56 33,280 rundll32.exe
04/08/2004 08:56 14,336 runonce.exe
29/08/2002 05:00 15,872 RWINSTA.EXE
04/08/2004 08:56 13,312 savedump.exe
29/08/2002 05:00 31,232 SC.EXE
04/08/2004 08:56 95,744 scardsvr.exe
04/08/2004 08:56 77,312 sdbinst.exe
04/08/2004 08:56 108,032 services.exe
04/08/2004 08:56 140,800 sessmgr.exe
04/08/2004 08:56 31,232 sethc.exe
04/08/2004 08:56 23,040 setup.exe
29/08/2002 05:00 11,753 SETVER.EXE
29/08/2002 05:00 9,728 SFC.EXE
29/08/2002 05:00 14,848 SHADOW.EXE
29/08/2002 05:00 882 SHARE.EXE
04/08/2004 08:56 42,496 shmgrate.exe
04/08/2004 08:56 77,824 shrpubw.exe
04/08/2004 08:56 19,456 shutdown.exe
04/08/2004 08:56 70,144 sigverif.exe
04/08/2004 08:56 26,112 skeys.exe
04/08/2004 08:56 32,866 slrundll.exe
04/08/2004 08:56 73,796 slserv.exe
04/08/2004 08:56 8,192 smbinst.exe
04/08/2004 08:56 89,600 smlogsvc.exe
04/08/2004 08:56 50,688 smss.exe
04/08/2004 08:56 131,584 sndrec32.exe
29/08/2002 05:00 138,752 SNDVOL32.EXE
29/08/2002 05:00 56,832 SOL.EXE
29/08/2002 05:00 23,552 SORT.EXE
04/08/2004 08:56 8,192 spdwnwxp.exe
04/08/2004 08:56 538,624 spider.exe
04/08/2004 00:56 11,776 spnpinst.exe
04/08/2004 08:56 57,856 spoolsv.exe
29/08/2002 05:00 9,728 SPRESTRT.EXE
03/08/2004 22:42 15,872 spupdsvc.exe
04/08/2004 08:56 21,504 spupdwxp.exe
04/08/2004 08:56 14,848 stimon.exe
29/08/2002 05:00 9,216 SUBST.EXE
04/08/2004 08:56 14,336 svchost.exe
29/08/2002 05:00 51,200 SYNCAPP.EXE
25/11/2002 14:36 45,056 Synsopos.exe
29/08/2002 05:00 18,896 SYSEDIT.EXE
29/08/2002 05:00 36,864 SYSKEY.EXE
04/08/2004 08:56 105,984 sysocmgr.exe
29/08/2002 05:00 3,072 SYSTRAY.EXE
29/08/2002 05:00 15,360 TASKMAN.EXE
04/08/2004 08:56 135,680 taskmgr.exe
29/08/2002 05:00 12,288 TCMSETUP.EXE
29/08/2002 05:00 19,456 TCPSVCS.EXE
04/08/2004 08:56 75,264 telnet.exe
29/08/2002 05:00 16,896 TFTP.EXE
04/08/2004 08:56 347,136 tourstart.exe
04/08/2004 08:56 12,288 tracert.exe
29/08/2002 05:00 31,744 TRACERT6.EXE
29/08/2002 05:00 14,848 TSCON.EXE
04/08/2004 06:59 44,544 tscupgrd.exe
29/08/2002 05:00 14,848 TSDISCON.EXE
29/08/2002 05:00 16,384 TSKILL.EXE
29/08/2002 05:00 16,896 TSSHUTDN.EXE
29/08/2002 05:00 4,096 UNLODCTR.EXE
04/08/2004 08:56 16,896 upnpcont.exe
04/08/2004 08:56 18,432 ups.exe
29/08/2002 05:00 47,872 USER.EXE
04/08/2004 08:56 24,576 userinit.exe
29/08/2002 05:00 77,891 USRMLNKA.EXE
29/08/2002 05:00 61,508 USRPRBDA.EXE
29/08/2002 05:00 69,700 USRSHUTA.EXE
04/08/2004 08:56 50,176 utilman.exe
11/08/2004 01:45 47,104 uwdf.exe
29/08/2002 05:00 98,304 VERIFIER.EXE
29/08/2002 05:00 33,792 VSSADMIN.EXE
04/08/2004 08:56 289,792 vssvc.exe
29/08/2002 05:00 49,664 W32TM.EXE
22/09/2003 18:18 57,344 wcags51b.exe
11/08/2004 01:45 38,912 wdfmgr.exe
04/08/2004 08:56 65,536 wextract.exe
04/08/2004 08:56 433,664 wiaacmgr.exe
29/08/2002 05:00 35,328 WINCHAT.EXE
29/08/2002 05:00 8,192 WINHLP32.EXE
04/08/2004 08:56 502,272 winlogon.exe
29/08/2002 05:00 119,808 WINMINE.EXE
29/08/2002 05:00 11,776 WINMSD.EXE
29/08/2002 05:00 2,112 WINSPOOL.EXE
04/08/2004 08:56 5,632 winver.exe
29/08/2002 05:00 77,824 WMPSTUB.EXE
29/08/2002 05:00 2,736 WOWDEB.EXE
29/08/2002 05:00 10,368 WOWEXEC.EXE
04/08/2004 08:56 32,256 wpabaln.exe
04/08/2004 08:56 32,256 wpnpinst.exe
29/08/2002 05:00 5,632 WRITE.EXE
04/08/2004 08:56 24,576 wsaupdater.exe
04/08/2004 08:56 13,824 wscntfy.exe
04/08/2004 08:56 114,688 wscript.exe
03/08/2004 14:02 113,944 wuauclt.exe
03/08/2004 14:01 167,704 wuauclt1.exe
29/08/2002 05:00 32,256 WUPDMGR.EXE
04/08/2004 08:56 30,720 xcopy.exe
10/04/2004 12:24 26,112 xpsp1hfm.exe

Hope you can find something I'm beginning to lose hair over this one! :S

Andy, if you are waiting, I have to go and won't be back for several hours......

A quick glance through has these standing out if you want to see if you can research them further

Synsopos.exe
pxhpinst.exe
instlsp.exe

ok, will look into them gerry, thanx for your help...

Speak to you upon your return

SynsoPos.exe - Syncrosoft Protected Object Server (Music Recording Software)
pxhpinst.exe - HP 9100i Printer Software OR something to do with RecordNow (some references to virus being found in it tho on the web)
instlsp.exe - something to do with Winsock 2.0 and lsp's

I've scanned all 3 with Norton and nothing found to be infected :S

Yeah, that kind of is what scares me....looks like install lsp...Layered Service Providers integrate themselves deeply into the OS...then I saw this:


http://support.rampellsoft.com/index.php?x=&mod_id=2&id=11

I don't think that's the problem though...

what was going on before this all went to heck in a handbasket

to amplify, you can quickly rule out most of those files because the dates equate with windos versions

these three are pretty obvious
dxdllreg.exe
java.exe
javaw.exe

here are two more that stand out
wcags51b.exe--this one appears to be some sort of usb driver
CNMCP58.exe--big unknown here....

It belongs to one of my customers (I run a computer/tech help business from home)
He said he installed BitRemover, some freebie virus/spware remover and then this happened the next day when he started up the PC again...
I've removed the proggie, and few spyware directories in the basic settings mode that I can get into...
There is another folder called Toolbar on there but I can't delete it as the files are in use when it boots up (even in safe mode) and I can't remove it in Recovery Console cos access is not allowed to the program files folder

I think I will rip the HDD out and slap it in here tomorrow morning and fiddle from there...

I'll narrow the problem down with a bit of removing stuff etc... Will post an update then to see if you can help me further )

did he have automatic update on for windows update?

Had a machine do a similar thing last week...had to drop into recovery console to remove the updates with the BATCH command to get it up and running.



that is darn odd....what error are you getting?

Got a Bart's PE? Very useful ... you seem pretty savvy from the way you write, so the old command line is no big deal for you, but it sure as heck speeds up the hunt...and with a registry editor plug in you can even edit the registry of the infected system