
edifyguy (Members, 3 posts)

Everything posted by edifyguy

  1. Well, like I said, I'm not an MBAM user, but if it didn't delete it, why does the log say "Successfully quarantined and deleted"? I do know that my friend's virus grabber quarantined it/deleted it, as it was already gone by the time I got the drive to rescue it. His anti-crap utility of choice loads as a service before logon, and caught the fact that userinit.exe was infected when Windows tried to use it as usual. He took the recommended action, and the file was annihilated, at which point Windoze initiated shutdown, which is all it would do at logon attempts until I cleaned it off and replaced the file.

     It's really an easy fix, though. Just use a Linux boot CD with NTFS3G on it and put the file back where it belongs and you're back in business. Knoppix has a great LiveCD distro that I've used to monkey around with things in cases where Windows wouldn't boot. Just use the context menu (right mouse button) to change the drive to full read-write. It even supports most USB flash drives, so you can get the file from a friend's computer with a thumb drive, then put it back with Knoppix, and reboot right into Windoze. In my case, I simply attached his hard drive to my computer and cleaned the viruses off that way, so copying that file back in was easy.

     If you have the ability to do so, that is the best way to remove viruses: put the infected drive in another computer and scan it without booting from it. That way, the viruses aren't being loaded into memory during bootup, so they can't hide or lock themselves. I have an adapter that will convert IDE, Mini-IDE, and SATA drives to USB 2.0, and it's my best friend. If you hadn't guessed, yes, I am a technician. 8^D Jason
  2. Glad to be of help. I was sure someone would find that info useful.
  3. First let me say that I found this forum extremely helpful. I do not usually use MBAM, but this forum provided me with the information necessary to fix the same problem on my friend's computer. Here's the key, straight from the log you posted:

     ---------------
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
     ---------------

     The reason that you were unable to log on after your cleanup operation was that this file, which was infected, was deleted. This line is not reporting that a registry key was itself a problem, as SpyBot S&D would do, but is saying that the file this registry entry points to was infected. The problem arose because this file is a critical part of the Windows logon process, and it got deleted to clean up the system. (That is, of course, exactly why the virus infected it: to be certain that its viral code was activated every time the machine was used.) To successfully repair this infection, it is necessary to replace this file with a clean copy from a working machine or the XP CD. In my case, I used a copy from a working machine, and it booted right up and logged on properly.

     I know it's probably too late for the original poster, but I can't imagine that this is an uncommon infection, since my friend who got it was not a risky surfer. Hopefully this will save someone a lot of unnecessary rebuilding. Jason
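The distinction the post draws (the registry value pointed at the legitimate userinit.exe, and it was the file that was infected and then deleted) is something a technician can check mechanically before rebooting a cleaned machine. The script below is an added example, not code from the post, the poster or Malwarebytes: it parses the "Registry Data Items Infected:" section of an MBAM-style log, using the userinit.exe line quoted above plus two constructed lines, and reports which logon-critical system files the cleanup deleted and therefore need a clean copy restored. The set of logon-critical file names, the system-directory test and the three classification labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the layout of the MBAM log quoted in the post.
# The Userinit line is the one from the post; the Shell and Run lines are
# made up here to exercise the parser and come from no real scan.
SAMPLE_LOG = r"""
Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Data: c:\docume~1\user\locals~1\temp\shell.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater (Trojan.Agent) -> Data: c:\windows\temp\upd.exe -> No action taken.

Files Infected:
(No malicious items detected)
"""

SECTION_HEADER = "Registry Data Items Infected:"

# One log line: <key>\<value> (<threat>) -> Data: <path> -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+?)\\(?P<value>[^\\ ]+) "
    r"\((?P<threat>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+?)\.?$"
)

# Assumed set of files Windows cannot log on without; userinit.exe is the one
# discussed in the post, the other two are added here as an assumption.
LOGON_CRITICAL = {"userinit.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("windows\\system32", "winnt\\system32")


@dataclass
class RegistryDataEntry:
    key: str
    value: str
    threat: str
    data: str
    action: str

    @property
    def deleted(self) -> bool:
        return "deleted" in self.action.lower()

    @property
    def file_name(self) -> str:
        return PureWindowsPath(self.data).name.lower()

    @property
    def in_system_dir(self) -> bool:
        return any(d in self.data.lower() for d in SYSTEM_DIRS)


def parse_registry_data_entries(log_text: str) -> list[RegistryDataEntry]:
    """Return the entries listed under 'Registry Data Items Infected:'.

    The section runs from its header to the next blank line.
    """
    entries: list[RegistryDataEntry] = []
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == SECTION_HEADER:
            in_section = True
            continue
        if not line:
            in_section = False
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(RegistryDataEntry(**m.groupdict()))
    return entries


def classify(entry: RegistryDataEntry) -> str:
    """Say what the entry means for the machine's ability to log on.

    'restore-file'  : a logon-critical file in the system directory was cleaned
                      by deletion; a clean copy must be put back before reboot.
    'hijacked-value': a Winlogon value pointed outside the system directory, so
                      the registry value itself was the foothold.
    'other'         : anything else in this section.
    """
    if entry.file_name in LOGON_CRITICAL and entry.in_system_dir:
        return "restore-file" if entry.deleted else "other"
    if entry.key.lower().endswith("\\winlogon") and not entry.in_system_dir:
        return "hijacked-value"
    return "other"


def files_to_restore(log_text: str) -> list[str]:
    """Paths of logon-critical files the scan deleted."""
    return [e.data for e in parse_registry_data_entries(log_text)
            if classify(e) == "restore-file"]


if __name__ == "__main__":
    for e in parse_registry_data_entries(SAMPLE_LOG):
        print(f"{classify(e):15} {e.value:<9} -> {e.data} ({e.action})")
    for path in files_to_restore(SAMPLE_LOG):
        print(f"Restore a clean copy of {path} before rebooting.")
```

Run against a real log, `files_to_restore` gives the list of files to copy back from a working machine or the install CD, which is exactly the step the post says the scan report does not spell out. A "hijacked-value" result is the opposite case: the value, not the file, was the problem, so the fix is to reset the value to its default rather than to restore a file.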