Stuck in logoff loop

[Gregg Cattanach]

My WindowsXP system (SP1) is stuck in a logoff loop. What happens is when I
reboot (with the button), it gets to 'loading your personal settings', it
then displays the background. Then it goes to the 'Logging Off' screen,
briefly flashes 'Saving Personal Settings' and 'Loading your Personal
Settings', then it goes to 'Logging Off' again. It stays in this last 3
part loop continuously.

I've tried the various Safe Modes, try last known good setting, etc, and
they all have this same problem. I've also rebooted from a WindowsXP boot
disc, but the same problem occurs.

The only thing I was doing prevously was clearing out some spyware with
Ad-Aware. Ad-Aware said it needed to reboot to clear out some last spyware
elements. That's when this problem occurred. I also had some notices that
there was a virus on the system today, but Avast allowed me to delete them.

My system is not useable. I have a recent backup, but I can't get the
system up and running to reinstall that backup.

How can I get going again? Any help is appreciated.

Gregg C.

 

[roger]

Hi Greg,

Windows XP logs on then logs off
http://www.mcse.ms/message616432.html

HTH

 

[Locke Nash Cole]

Whats probably happend is the Winlogon.exe has been deleted from running.
I've seen this before...

My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon

There has be a string value under there "Userinit" and it should be
C:\WINDOWS\system32\userinit.exe

I dont know if you can fire up XP's recovery console via the CD and use
regedit or not to fix it.. I use a tool called ERD Commander which is
basically Win XP on a cd you can boot from to fix non-working systems...
good luck!

-L

 

[Gregg Cattanach]

Where can I get this ERD Commander? I'm still stuck. The XP recovery
console doesn't seem to give me access to regedit.exe .

Gregg C.

 

[roger]

Hi

Where can I get this ERD Commander? I'm still stuck. The XP recovery
console doesn't seem to give me access to regedit.exe .

Gregg C.

From a recent post:

"Blazefind changes the following registry-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\userinit.exe,"

in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\wsaupdater.exe,"



Used Lavasoft Adaware to get rid of the pest ----> removed blazefind
and
with it the wsaupdater.exe

==> next time i tried to logon my computer the system tries to run
wsaupdater.exe which it couldn't find ! FAILED LOGON -> LOGOFF

I first tried to find ways to change the registry from within the
recovery console but i did not succeed (ERD commander will probably
work, but since i wasn't sure that this was the problem i thought it a
little bit too expensive)...
Then i thought of this:
just copy userinit.exe as wsaupdater.exe !! It's as simple as that....

YES!! it works again... and blazefind is gone (it seems.... )"

Using the recovery console employ the command

copy C:\Windows\System32\userinit.exe
C:\Windows\System32\wsaupdater.exe

(this is one line separated by a space, supposing the partition where
windows is installed is C, and supposing blazefind caused this)

Good luck

 

[Old Boozer]

My WindowsXP system (SP1) is stuck in a logoff loop. What happens is when
I
reboot (with the button), it gets to 'loading your personal settings', it
then displays the background. Then it goes to the 'Logging Off' screen,
briefly flashes 'Saving Personal Settings' and 'Loading your Personal
Settings', then it goes to 'Logging Off' again. It stays in this last 3
part loop continuously.

I've tried the various Safe Modes, try last known good setting, etc, and
they all have this same problem. I've also rebooted from a WindowsXP boot
disc, but the same problem occurs.

The only thing I was doing prevously was clearing out some spyware with
Ad-Aware. Ad-Aware said it needed to reboot to clear out some last
spyware
elements. That's when this problem occurred. I also had some notices
that
there was a virus on the system today, but Avast allowed me to delete
them.

My system is not useable. I have a recent backup, but I can't get the
system up and running to reinstall that backup.

How can I get going again? Any help is appreciated.

Gregg C.

Do you have Symantec Corporation's pcAnywhere on it?
If you do try here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;318018&Product=winxp

OB.

 

[Diogenes]

Where can I get this ERD Commander? I'm still stuck. The XP recovery
console doesn't seem to give me access to regedit.exe .

No, it doesn't. It's not a Recovery Console command. Maybe the instructions
in "Part One" of this link to repair the registry will help.

 

[Diogenes]

No, it doesn't. It's not a Recovery Console command. Maybe the
instructions in "Part One" of this link to repair the registry will
help.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307545

(Oops!)

 

[Gregg Cattanach]

Hi


From a recent post:

"Blazefind changes the following registry-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\userinit.exe,"

in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\wsaupdater.exe,"



Used Lavasoft Adaware to get rid of the pest ----> removed blazefind
and
with it the wsaupdater.exe

==> next time i tried to logon my computer the system tries to run
wsaupdater.exe which it couldn't find ! FAILED LOGON -> LOGOFF

I first tried to find ways to change the registry from within the
recovery console but i did not succeed (ERD commander will probably
work, but since i wasn't sure that this was the problem i thought it a
little bit too expensive)...
Then i thought of this:
just copy userinit.exe as wsaupdater.exe !! It's as simple as that....

YES!! it works again... and blazefind is gone (it seems.... )"

Using the recovery console employ the command

copy C:\Windows\System32\userinit.exe
C:\Windows\System32\wsaupdater.exe

(this is one line separated by a space, supposing the partition where
windows is installed is C, and supposing blazefind caused this)

Good luck

This worked excellently!! Much easier than all that complicated stuff about
booting into Linux. It was the blazefind spyware that goofed up the
registry, so that let me get booted up then I could fix the registry from
there.

Ad-aware deletes the wsaupdater.exe file, but DOESN'T correct the registry
change made, so it tries to boot up with a nonexistant exe file.

Gregg C.

 

[rello]

Do you have Symantec Corporation's pcAnywhere on it?
If you do try here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;318018&Product=winxp

OB.

you could use knoppix 3.3 [linux based cd boot OS]...[free] to move
your data off your primary partition to another HD or usb
device....then format HD and reload winxp...once this sort of stuff
happens XP is a real pig to fix..usually easier to trash it and start
over
relloman

 

[Gregg Cattanach]

Do you have Symantec Corporation's pcAnywhere on it?
If you do try here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;318018&Product=winxp

OB.

you could use knoppix 3.3 [linux based cd boot OS]...[free] to move
your data off your primary partition to another HD or usb
device....then format HD and reload winxp...once this sort of stuff
happens XP is a real pig to fix..usually easier to trash it and start
over
relloman

Actually it was far easier to fix it (by copying userinit.exe to
wsaupdater.exe from the recovery console) than to trash XP. It worked just
fine as that was the only thing wrong with the system. After that, I could
get booted up and fix the registry entry manually.

No need to burn the house down just because there are some cobwebs in the
corner.

Gregg C .

 

[roger]

Hi,

This worked excellently!! Much easier than all that complicated stuff about
booting into Linux. It was the blazefind spyware that goofed up the
registry, so that let me get booted up then I could fix the registry from
there.

Ad-aware deletes the wsaupdater.exe file, but DOESN'T correct the registry
change made, so it tries to boot up with a nonexistant exe file.

Gregg C.

I'm glad it worked
Now you can use regedit to repair the registry entry so that it points
to the correct userinit.exe

HTH

 

[Locke Nash Cole]

Gregg,

Congrats on getting it up and going again... Interesting that one of the
spyware tools probably did this to your system, it probably saw that a piece
of spyware attached itself to winlogon or something simular and tried to
remove it but broke your system in the process... If you used Spybot or
Ad-Aware it'd be nice if you could look at the log and notify them if this
did infact happen.

-L

http://support.microsoft.com/default.aspx?scid=kb;en-us;318018&Product=winxp

OB.

you could use knoppix 3.3 [linux based cd boot OS]...[free] to move
your data off your primary partition to another HD or usb
device....then format HD and reload winxp...once this sort of stuff
happens XP is a real pig to fix..usually easier to trash it and start
over
relloman

Actually it was far easier to fix it (by copying userinit.exe to
wsaupdater.exe from the recovery console) than to trash XP. It worked just
fine as that was the only thing wrong with the system. After that, I could
get booted up and fix the registry entry manually.

No need to burn the house down just because there are some cobwebs in the
corner.

Gregg C .

 

[Gregg Cattanach]

Gregg,

Congrats on getting it up and going again... Interesting that one of
the spyware tools probably did this to your system, it probably saw
that a piece of spyware attached itself to winlogon or something
simular and tried to remove it but broke your system in the
process... If you used Spybot or Ad-Aware it'd be nice if you could
look at the log and notify them if this did infact happen.

-L

It's pretty clear to me that Ad-Aware sees the file wsaupdater.exe as an
element of the blazefind spyware and deletes it (which is the correct
process 99.9% of the time). It just doesn't recognize that blazefind has
also modified the registry to point my Winlogon entry to this wsaupdater.exe
instead of userinit.exe. Thus it can't log on.

It really is irritating to me that just by visiting a website my regsitry
can be modified at this 'deep' level without Windows even notifying me that
something is trying to do this.

Gregg C.

 

[Bart Bailey]

In Message-ID:<[email protected]> posted on

It really is irritating to me that just by visiting a website my regsitry
can be modified at this 'deep' level without Windows even notifying me that
something is trying to do this.

You could remove the culprit subroutine [mshtml.dll] but then your IE
wouldn't work and you would have to get a safe alternative browser.

 

[Gregg Cattanach]

In Message-ID:<[email protected]> posted

It really is irritating to me that just by visiting a website my
regsitry can be modified at this 'deep' level without Windows even
notifying me that something is trying to do this.

You could remove the culprit subroutine [mshtml.dll] but then your IE
wouldn't work and you would have to get a safe alternative browser.

But how many legitimate processes (as far as viewing web pages goes) need to
make entries or changes to the registry at all?

Gregg C.

 

[roger]

Hi,

It's pretty clear to me that Ad-Aware sees the file wsaupdater.exe as an
element of the blazefind spyware and deletes it (which is the correct
process 99.9% of the time). It just doesn't recognize that blazefind has
also modified the registry to point my Winlogon entry to this wsaupdater.exe
instead of userinit.exe. Thus it can't log on.

It really is irritating to me that just by visiting a website my regsitry
can be modified at this 'deep' level without Windows even notifying me that
something is trying to do this.

Gregg C.

You could use Ad watch, from lavasoft, which locks the registry.

HTH

 

[Jim Berwick]

But how many legitimate processes (as far as viewing web pages goes)
need to make entries or changes to the registry at all?

NONE!

 

[Jay]

It's pretty clear to me that Ad-Aware sees the file wsaupdater.exe as an
element of the blazefind spyware and deletes it (which is the correct
process 99.9% of the time). It just doesn't recognize that blazefind has
also modified the registry to point my Winlogon entry to this wsaupdater.exe
instead of userinit.exe. Thus it can't log on.

It really is irritating to me that just by visiting a website my regsitry
can be modified at this 'deep' level without Windows even notifying me that
something is trying to do this.

Gregg C.

Gregg,

This look similair to the problem I have when I installed Ad-Aware on
my fiends PC. Can you tell me how you have corrected the problem. I
really do not know XP that well. I would appreciate it because I have
the same log off thing going on with her E-machine.
Thanks.

 

[roger]

Hi,

On 8 Jun 2004 12:44:47 -0700, (e-mail address removed) (Jay) wrote:

[...]

This look similair to the problem I have when I installed Ad-Aware on
my fiends PC. Can you tell me how you have corrected the problem. I
really do not know XP that well. I would appreciate it because I have
the same log off thing going on with her E-machine.
Thanks.

"Blazefind changes the following registry-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\userinit.exe,"

in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\wsaupdater.exe,"



Used Lavasoft Adaware to get rid of the pest ----> removed blazefind
and
with it the wsaupdater.exe

==> next time i tried to logon my computer the system tries to run
wsaupdater.exe which it couldn't find ! FAILED LOGON -> LOGOFF

I first tried to find ways to change the registry from within the
recovery console but i did not succeed (ERD commander will probably
work, but since i wasn't sure that this was the problem i thought it a
little bit too expensive)...
Then i thought of this:
just copy userinit.exe as wsaupdater.exe !! It's as simple as that....

YES!! it works again... and blazefind is gone (it seems.... )"

Using the recovery console employ the command

copy C:\Windows\System32\userinit.exe
C:\Windows\System32\wsaupdater.exe

(this is one line separated by a space, supposing the partition where
windows is installed is C, and supposing blazefind caused this)

Good luck