the easiest way is to get a copy of ERD commander to check the registry. You can check the location of the file and rename it to what usually is in the registry due to spyware to get going using recovery console but if you are having problems login in under admin you can't do that.
If using ERD:
you can download it here
and then burn the image to a disk using nero or other burning software. When you boot it up go to start then admin tools and then regedit. When registry editor opens navigate to:
when you have winlogon selected on the right you should see a key called userinit and in the value of it should be C:\windows\system32\userinit.exe
If it points to different file you can change it or create it if it doesn't exist.
also check to make sure the key "shell" shows explorer.exe
also while you are there check the C:\windows\system32\ directory to make sure you have a file called userinit.exe.
You can also do similar with bartPE
EDIT:not sure on the policy on posting links to download soft. i deleted the link, pm me if you need it.
another way that might be more convenient. Straight from one of the microsoft articles:
Steps for rectifying this problem:
* Log on to a networked computer.
* Run Regedit.exe
* Point your cursor to HKEY_LOCAL_MACHINE
* Select File > Connect Remote Registry
* Type computer name (infected computer)
* Navigate to the following location in registry of destination or infected computer
* Edit these two values in right pane:
* Change these two values to
Userinit = x:\windows\system32\userinit.exe
* Exit from Registry
* Restart Infected computer.
* You should be able to log on to computer.
Edited by yevgenievich, 17 December 2008 - 11:55 PM.