This article saved my life today:
http://support.microsoft.com/kb/555648/en-us
The path to userinit.exe was doubled up with a path to an MS update as well. Luckily this only screwed up one account. Here are the notes:
Note: X below is a placeholder. Don't change the drive letter to X; keep whatever it already is (most likely C:).
Edit these values and type the correct path for each:
Shell = explorer.exe
Userinit=X:\windows\system32\userinit.exe
NOTE: These files may also have been deleted by spyware. You may need to extract them from the Windows CD.
Steps for rectifying this problem:
- Log on to a networked computer.
- Run Regedit.exe
- Point your cursor to HKEY_LOCAL_MACHINE
- Select File > Connect Remote Registry
- Type the computer name of the infected computer
- Navigate to the following location in the registry of the destination (infected) computer:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Edit these two values in right pane:
Shell
Userinit
- Change these two values to
Shell = explorer.exe
Userinit = X:\windows\system32\userinit.exe
- Exit Registry Editor.
- Restart the infected computer.
- You should be able to log on to the computer.
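The same check can be scripted so a doubled-up Userinit value like the one described above is caught before anyone is locked out. This is an added example, not part of the KB article or the original notes; the function names, the `C:\Windows` default and the sample values are assumptions made for illustration.

```powershell
# Added example. Checks the two Winlogon values against the values given above.
function Test-WinlogonValue {
    param(
        [Parameter(Mandatory)][ValidateSet('Shell', 'Userinit')][string]$Name,
        [string]$Value,
        [string]$SystemRoot = 'C:\Windows'   # assumption: adjust to the target's drive
    )
    if ($Name -eq 'Shell') {
        $expected = 'explorer.exe'
        $entries  = @("$Value".Trim())
    } else {
        $expected = "$SystemRoot\system32\userinit.exe"
        # Userinit is a comma-separated list and every entry is launched at logon;
        # a single trailing comma is normal, so empty entries are dropped.
        $entries = @("$Value" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    # String comparison with -ne is case-insensitive, which suits Windows paths.
    $unexpected = @($entries | Where-Object { $_ -ne $expected })
    [pscustomobject]@{
        Name       = $Name
        Value      = $Value
        Ok         = ($entries.Count -eq 1 -and $unexpected.Count -eq 0)
        Unexpected = $unexpected -join '; '
    }
}

function Get-RemoteWinlogonAudit {
    param([Parameter(Mandatory)][string]$ComputerName, [string]$SystemRoot = 'C:\Windows')
    # Remote registry connection, as in the regedit steps; the target must allow it.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        foreach ($n in 'Shell', 'Userinit') {
            Test-WinlogonValue -Name $n -Value $key.GetValue($n) -SystemRoot $SystemRoot
        }
    } finally { $hklm.Close() }
}

# Constructed sample values (not taken from the page): stock, doubled-up, altered shell.
Test-WinlogonValue -Name Userinit -Value 'C:\Windows\system32\userinit.exe,'
Test-WinlogonValue -Name Userinit -Value 'C:\Windows\system32\userinit.exe,C:\Example\update.exe'
Test-WinlogonValue -Name Shell    -Value 'explorer.exe C:\Example\other.exe'
# To audit a machine over the network: Get-RemoteWinlogonAudit -ComputerName PC-NAME-HERE
```

Only the first sample reports `Ok = True`; the other two list the extra entry under `Unexpected`, which is the string to remove when editing the value.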