While fixing a computer, I had trouble getting back into Windows after deleting the malware files.
The reason was that the malware had slipped itself into the login process by changing the file which Windows expects, redirecting the initialisation process to a dirty file.
When the file is removed, Windows doesn't know what to do with the login process and boots you back to the login screen.
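A quick workaround is to give Windows the file it is now looking for, by copying userinit.exe to the name the malware used:
copy userinit.exe wsaupdater.exe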
Personally, I don't like this. Although it solves the problem, this solution will not work if Windows is expecting a file other than "wsaupdater.exe".
To fix it properly, boot up the computer using the Windows XP setup disc or BartPE. (See this guide)
Once you've got the Registry Editor open:
- Select "HKEY_USERS"
- Click File > Load Hive
- Open up "C:\Windows\System32\Config\SOFTWARE" (SOFTWARE is the filename)
- Give it a name. For this example I'll call it "LOGOUT"
- Now navigate to: HKEY_USERS\LOGOUT\Microsoft\Windows NT\CurrentVersion\Winlogon
- Now find "Userinit" on the right panel and double click to edit.
- It should point to: "C:\Windows\System32\userinit.exe,"
Note: the comma at the end HAS to be there or else this fix won't work.
- Navigate back and select "HKEY_USERS\LOGOUT"
- Click on File > Unload Hive.
Now it is pointing back to "userinit.exe", the correct file.
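The same steps as a batch script for the rescue environment's command prompt. This is an added example, not part of the original post; it assumes reg.exe is available there and that the offline Windows installation is on C: unless another drive is passed as the first argument.

```batch
@echo off
rem Added example: repair Winlogon\Userinit in an offline SOFTWARE hive.
rem Assumptions: reg.exe exists in the rescue environment; the offline
rem Windows install is on C: unless a drive such as D: is given as %1.
setlocal
set "WINDRIVE=%~1"
if "%WINDRIVE%"=="" set "WINDRIVE=C:"
set "HIVE=%WINDRIVE%\Windows\System32\Config\SOFTWARE"
rem LOGOUT is the temporary hive name used in the steps above.
set "KEY=HKU\LOGOUT\Microsoft\Windows NT\CurrentVersion\Winlogon"
rem Path as the repaired Windows will see it once booted, trailing comma included.
set "GOOD=C:\Windows\System32\userinit.exe,"

rem Pointing Userinit at a file that does not exist would cause the same logout loop.
if not exist "%WINDRIVE%\Windows\System32\userinit.exe" (
    echo userinit.exe is missing from %WINDRIVE%\Windows\System32 - restore it first.
    exit /b 1
)

reg load HKU\LOGOUT "%HIVE%" || (echo Could not load %HIVE% & exit /b 1)

rem Show what the value was redirected to before overwriting it.
echo Current value:
reg query "%KEY%" /v Userinit

reg add "%KEY%" /v Userinit /t REG_SZ /d "%GOOD%" /f
set "RC=%ERRORLEVEL%"

echo New value:
reg query "%KEY%" /v Userinit

rem Unload the hive, as in the last step of the manual procedure.
reg unload HKU\LOGOUT
exit /b %RC%
```

The "Current value" output shows which filename the malware had registered, which is worth noting down before it is overwritten.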