[paulmo]

Hello,

Rorschach112 recommended that I come to the Windows XP forum for help with suspected userinit.exe file damage.

Rorschach112 has been helping to rid my system of an infestation by Trojan Alureon.gen!U & Alureon.CT amongst other baddies which my antivirus programmes couldn't prevent or remove. Related correspondence from the Virus, Spyware and Trojan Removal thread is here:

http://www.geekstogo...CT-t259060.html

In brief, we ran Combofix a couple of times, then TFC. The computer rebooted after TFC and I haven't been able to get back into it since.

On starting up again, a blue error screen came up with the following message:

" A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check from hard drive corruption, and then restart your computer.

Technical information:

*** STOP: 0x0000007B (0xF7B86528, 0XC0000034, 0x00000000, 0x00000000) "

When I restart, the same screen comes up.

Safe mode leads to the same screen

We attempted to insert a userinit.exe file from cd, which seemed to copy ok (replacing a file), but the computer still returns to the same blue screen error message.

I'm borrowing a laptop to access the forum as I can't get past the blue screen on my computer.

I'm just a regular computer user & my understanding of all this is limited. If you're reading this Rorschach112, then please correct anything that I've misrepresented.

Any help would be much appreciated!

[Advertisements]

Hello paulmo...

Is the laptop you're borrowing also running XP?

wannabe1

[wannabe1]

Hello paulmo...

Is the laptop you're borrowing also running XP?

wannabe1

[rshaffer61]

If you have your Windows XP disk

• Insert your Windows XP disk into your computer and reboot
• Make sure the PC is set to run from the CD as the primary boot device.
  NOTE: You do this by setting your PC to boot to the CD-ROM in BIOS (enter bios by pressing f1, f2 or del key during memory count up, then search for boot order, and set the CD as the first boot device)
• When the PC boots, it will boot from the CD...after the first several screens load, you will be given a choice to choose R for Recovery Console. You will be asked to log in.
  NOTE: For Windows XP Home, there is not password, just hit ENTER. For Windows XP pro, ask whomever set up the machine what password they used.

When you see the Recovery console C:\WINDOWS prompt continue to section 3 (Running "ChkDsk")

If you DO NOT have your Windows XP disk

• Download RC.ISO from Here.
• Now burn this ISO image to a CD and boot your computer with it.
  NOTE: Keep in mind that this is different than burning a file to a CD-ROM. If you do not know how to burn an ISO image, then download CDBurnerXP Pro to another Windows machine and install it. Then go Here for instructions for burning the ISO image
• Once the CD is created, place it in the defunct computer
• Then reboot your broken PC with that CD in the CD-ROM drive.
• Make sure the PC is set to run from the CD as the primary boot device.
  NOTE: You do this by setting your PC to boot to the CD-ROM in BIOS (enter bios by pressing f1, f2 or del key during memory count up, then search for boot order, and set the CD as the first boot device)
• When the PC boots, it will boot from the CD...after the first several screens load, you will be given a choice to choose R for Recovery Console. You will be asked to log in.
  NOTE: For Windows XP Home, there is not password, just hit ENTER. For Windows XP pro, ask whomever set up the machine what password they used.

Running "ChkDsk"

• At the Recovery console C:\WINDOWS prompt, type
  

  chkdsk /r

• Press ENTER
• Let this scan run UNINTERUPTED until completed (30 min or so depending on the drive)
• Report any errors in your next reply
• Once the scan is complete, Type exit, and then press ENTER to quit Recovery Console.
• Your computer will now restart, boot from the CD again and continue with the next steps.

Using "BootCfg /Rebuild" to fix the "Boot.ini" file

• At the Recovery console C:\WINDOWS prompt, type
  

  bootcfg /rebuild

• Press ENTER
  Note: The bootcfg /rebuild command scans the hard disks of the computer for Windows NT 4.0, Windows 2000, or Windows XP installations, and then displays the results. You can add the detected Windows installations.
• When you receive a message that is similar to the following message, press Y:
  

  
  Total Identified Windows Installs: 1
  
  [1] C:\Windows
  Add installation to boot list? (Yes/No/All)
  

  NOTE: You may see more than one entry here if you have a dual boot windows system. If this is the case follow this procedure for ALL installations to make sure that all OS's are added correctly
• You receive a message that is similar to the following message:
  

  Enter Load Identifier

  NOTE: This is the name of the operating system. This is either Microsoft Windows XP Professional or Microsoft Windows XP Home Edition.
• Type the name of your operating system, and then press ENTER
• You receive a message that is similar to the following:
  

  Enter OS Load options

• Type /fastdetect, and then press ENTER.
• Type exit, and then press ENTER to quit Recovery Console.
• Your computer will restart, and the updated boot list may appear when you receive the "Please select the operating system to start" message.
• If you see a Boot list with multiple entries choose the XP Home option to boot to windows.

[rshaffer61]

Uh oh spoke to soon
If the instructions I posted conflict with what you were thinking Wannabe1 please feel free to dock my pay.

[wannabe1]

Consider it docked...

None of those instructions will address the problem.

[paulmo]

Hello wannabe1,

Thanks for the quick response.

The laptop indicates Windows XP Professional (at least, that is written under 'Help and Support Centre' when I click on that).

Best wishes / Paul

[wannabe1]

Hello user,

We will have to create a small 'fix CD' using the laptop to solve this problem.
Please download RC.ISO and save it somewhere you can find it.
Also download MagicISO and install it.

Start MagicISO. You should see a window informing you about the full version of MagicISO.
In the bottom right select Try It! and the program will open.
Click on File and then on Open and navigate to the RC.ISO file you downloaded. Select it, and click Open.

First, we'll need to add a clean version of userinit.exe to the current RC.ISO

• In the upper right pane, double click on the i386 folder.
• Right click in the upper right pane and select Add Files...
• Navigate to C:\Windows\System32 and select userinit.exe
• Then click Open to add userinit.exe to the CD image.
• Click File and select Save As...
• Name the file RCplus and save it somewhere you can find it.

Next, we'll need to burn the newly created image to a disk that we can use to fix the problem.

• Put a blank CD-R disk in your CD burner and close the tray. If an AutoPlay window opens, close it.
• Click on Tools and select Burn CD/DVD with ISO.... A window will appear.
• Click on the little folder to the right of CD/DVD Image File then navigate to the newly created RCplus.iso Image file and click Open.
• In the CD/DVD Writing Speed drop-down menu choose the 8X setting.
• Under Format make sure that Mode 1 is selected.
• And finally, click on the Burn it! button to burn RCplus.iso to disk.

Once the disk is burned, put it in the machine you want to fix and restart it.
Boot to the CD just as you would with a Windows XP disk.
At the Welcome to Setup screen, press R to enter the Recovery Console.
Choose the installation to be repaired by number (usually 1) and press Enter.
When you are asked for the Administrator password, enter the password or leave it blank (default) and press Enter.

At the C:\Windows> prompt, type the following commands pressing Enter after each one. Note: Watch the spaces.

D:
cd i386
copy userinit.exe c:\windows\system32
exit

After putting in the third command, you should receive the message 1 file copied which will indicate that the operation succeeded.
Now take out the CD and reboot your computer to normal mode. Try to log in and it should let you back in.

[paulmo]

Hello again wannabe1,

I tried those 'MagicISO' instructions a couple of times under Rorschach112's direction, but they didn't seem to change anything.

The '1 file copied' message came up, but when I tried booting from hard drive again the same blue error screen comes up. (see end of http://www.geekstogo...CT-t259060.html )

I'm happy to try again if you think it would help, but I used up my last two blank cds trying this earlier so I'd have to get some more on Monday.

I found the box which came with the infected computer. It has a reinstallation cd for Windows XP Home Edition and other cds for drivers etc for a Dell Dimension computer if those are of any use.

Best wishes / Paul

[wannabe1]

No need to try it again. There must be more corruption aboard than just the userinit file.

Using the Dell operating system disk, see if you can run an XP Repair as outlined by admin.

Is the system restore feature turned on and have valid restore points on the non-starting machine?

[paulmo]

Hello,

I ran the XP repair as outlined by admin.

It seemed to go ok, copied all the files it needed, then said it would reboot and that the setup would continue when the computer restarted.

The computer seemed to start ok & got to the Windows XP loading screen, however then, horror-of-horrors, another Blue Screen came up.

This time, after the 'A problem has been detected' and 'If this is first time' paragraphs, the blue screen says:

"Check to be sure you have adequate disk space. If a driver is identified in the Stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe mode to remove or disable components, restart your computer, press F8 to select Adavanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000007E (0xc0000005, 0xF75862B2, 0xF7A39460, 0xF7A39160)

*** FLTMGR.SYS - Address F75862B2 base at F756E000, DateStamp 480251da "


I tried running the XP repair a second time. It came to a screen saying:

"Windows XP Home Edition Setup. Setup has already attempted to upgrade the following Windows installation.

C:\WINDOWS "Microsoft Windows XP Home Edition"

Setup will try to complete the upgrade again. To retry upgrading to Windows XP, press ENTER.
To continue installing a fresh copy of Windows XP without repairing, press ESC. To quit Setup, press F3. "

I pressed ENTER and the process repeated itself, again rebooting after copying all the files and again returning to a blue screen. I noticed that individual digits in the technical information were slightly different the 2nd time around. Thus after the 2nd attempted repair, the end of the blue screen reads:

" Technical information:

*** STOP: 0x0000007E (0xc0000005, 0xF75852B2, 0xF7A38460, 0xF7A38160)

*** FLTMGR.SYS - Address F75852B2 base at F756D000, DateStamp 480251da "

Thank you for your help with this / Paul

[Rorschach112]

Just given some information by a friend, may help wannabe1 fix your problem

It seems this file got deleted by CF

c:\windows\system32\drivers\pciide.sys


Paul's problems definitely seemed to happen after that. I am pretty positive its not down to a borked userinit.exe now.


The machine should have a full ERUNT backup and fresh system restore point if that helps.

[wannabe1]

The repair should have replaced the pciide.sys file...it's a Windows core file.

How about the restore points? Is the system restore feature on?

I think we're definitely in need of a previously saved registry here...either from a restore point or from the ERUNT backup.

[Rorschach112]

System restore should definitely be on. The ERUNT backups should be at either of these locations for you

C:\Windows\ERDNT\hiv-backup\erdnt.exe
C:\Windows\ERDNT\sUBs\Erdnt.exe


Will let you guys get down to it

[paulmo]

Thanks Rorschach112 and wannabe1,

Early on in the infection I tried rolling back to an earlier restore point, but seemed unable to do this. The restore points were there, but I couldn't use them. System restore was subsequently turned off to enable some tests or installation at some point within the last week or two. I hadn't turned it back on since then.


ERUNT seemed to work ok though when that ran earlier in the week

Best wishes / Paul

[wannabe1]

Ok...let's use Recovery Console and see if we can restore to an ERUNT snapshot.

Boot to either the Dell operating system disk or one of the RC.ISO disks you made and log in to the existing Windows installation as you did when trying to replace the userinit file.

Once at the RC prompt, type the following, pressing Enter after each:

cd erdnt
dir

If you had the Autobackup feature in ERUNT turned on (default), this should return several entries by date. Please list those here for me.