April 29, 2010 12:14 How To Recover A Repeatedly Rebooting System After An Infection Has Been Removed #85163
jirka82


Administrator
Join Date: 19.6.2009
Posts: 3892
How to recover a repeatedly rebooting system after an infection has been removed:

This issue is usually caused by an incorrect value in the Winlogon registry key (HKEY_LOCAL_MACHINE (HKLM)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\). The infection removed the correct userinit.exe entry and replaced it with its own file. The infected file then performs malicious tasks and runs the correct userinit.exe file. An infected system therefore starts up correctly while the infected file is present, but after the infected file is detected and removed, the system restarts whenever you try to log in to Windows.

To resolve this issue, use the AVG Rescue CD and follow these steps:
1. Let the Rescue CD boot and perform an update (you can skip the update if the computer is not connected to a network).
2. Select Utilities -> Registry editor -> first mounted partition (for example, /mnt/sda1; screenshot).
3. Navigate to HKEY_LOCAL_MACHINE\Software -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon and select the Userinit value (screenshot).
4. Edit the "Userinit" value to "C:\\Windows\\System32\\userinit.exe," and then select Save&Return (screenshot).
5. Now shut down the system (using the AVG Rescue CD menu item).
6. Remove the CD from the optical drive before the Windows system starts booting (after exiting the AVG Rescue CD).

The system will start correctly unless userinit.exe is damaged or missing.
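To check a Userinit value before rebooting, or to audit it on a running system, the following added example (not part of the original post and not AVG code) flags any entry other than the expected userinit.exe path. The function names, the sample values and the default system root of C:\Windows are assumptions made for illustration.

```python
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values, not taken from a real system.
CLEAN = r"C:\Windows\System32\userinit.exe,"
HIJACKED = r"C:\Windows\System32\placeholder-malware.exe,"


def _norm(path):
    # Collapse doubled backslashes and ignore case before comparing paths.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def audit_userinit(value, system_root=r"C:\Windows"):
    """Return a list of findings; an empty list means the value looks correct."""
    expected = _norm(ntpath.join(system_root, "System32", "userinit.exe"))
    # Winlogon launches every comma-separated program listed in the value.
    entries = [e for e in value.split(",") if e.strip()]
    if not entries:
        return ["value is empty: no logon program is configured"]
    findings = [f"unexpected program: {e.strip()}"
                for e in entries if _norm(e) != expected]
    if expected not in (_norm(e) for e in entries):
        findings.append("userinit.exe is not listed")
    return findings


def read_live_userinit():
    """Read the value from the running system (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # On Windows audit the live registry; elsewhere run the constructed samples.
    samples = [read_live_userinit()] if sys.platform == "win32" else [CLEAN, HIJACKED]
    for sample in samples:
        print(sample, "->", audit_userinit(sample) or "OK")
```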