XP user Account logs in then logs off

[BP]

I recently ran super spyware removal because I had the Internet Security 2010
virus. It cleaned several files and had me reboot. The Compaq Presario V2000
laptop now only boots to the User Accounts screen in either safe mode or
normal and lets me click on either of the 2 accounts I have Admin and myname.
As it starts logging in it then says Log off saving desktop then returns to
the accout sign on window. I have searched the internet and tried the
recovery console and replaced the userinit.exe but it did not work. I see
lots of listings for this issue but few fixes that do not work. Any other
fixes I can try?

 

[Pegasus [MVP]]

I recently ran super spyware removal because I had the Internet Security
2010
virus. It cleaned several files and had me reboot. The Compaq Presario
V2000
laptop now only boots to the User Accounts screen in either safe mode or
normal and lets me click on either of the 2 accounts I have Admin and
myname.
As it starts logging in it then says Log off saving desktop then returns
to
the accout sign on window. I have searched the internet and tried the
recovery console and replaced the userinit.exe but it did not work. I see
lots of listings for this issue but few fixes that do not work. Any other
fixes I can try?

As you already found out, the problem is caused by userinit.exe, either
a) because the file is not where it should be; or
b) because its registry reference points at the wrong place; or
c) because you have an incorrect system drive letter.

The cure is easy if you can reach the problem machine with a networked
machine under the Administrator's account, harder if you can remove its disk
and connect it as a slave or USB disk to some other WinXP PC and harder
again if neither of these applies. What applies in your case?

 

[R. McCarty]

Boot the computer to Safe Mode with networking. Once booted use
your browser to download the Super AntiSpyware online scan module.
http://www.superantispyware.com/sassaferun.php
This will download a .Com file. After downloading use Explorer to
the download location and invoke the .Com file. SAS will start and do
a full system scan.

Sometimes you can download/update & run Malwarebytes but there
are several infectors that are coded to block it from being run. You
can get the latest version 1.44 at:
http://www.malwarebytes.org/mbam.php
*Click the blue Download free version link

 

[BP]

I can do either with good instructions, but I can easily put the hard drive
in a usb enclosure?

 

[Pegasus [MVP]]

OK, let's do it the easy way. Let's assume that PCbad is the problem PC.

1. Get a copy of psexec.exe from www.sysinternals.com.
2. Turn on PCbad. Do not log on.
3. Log on to PCgood.
4. Open a Command Prompt.
5. Type these commands:
psexec \\PCbad -u Administrator -p xxxx cmd
(Replace xxxx with the Administrator's password on PCbad)
set system

What is the value of %SystemDrive%?

 

[BP]

Does not matter if i boot into Normal or Safe Mode log on does not go past
User Account Log on window. It logs off right after log on. Never gets to the
desktop.

 

[BP]

Bad PC has C:\Windows
My good desktop is same.

OK, let's do it the easy way. Let's assume that PCbad is the problem PC.

1. Get a copy of psexec.exe from www.sysinternals.com.
2. Turn on PCbad. Do not log on.
3. Log on to PCgood.
4. Open a Command Prompt.
5. Type these commands:
psexec \\PCbad -u Administrator -p xxxx cmd
(Replace xxxx with the Administrator's password on PCbad)
set system

What is the value of %SystemDrive%?



.

 

[Pegasus [MVP]]

Excellent. This means that your system drive letter is still correct
(assuming that you originally installed Windows in c:\Windows).

You now need to check on PCbad that the registry key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit points
at C:\Windows\system32\userinit.exe and that the file
C:\Windows\system32\userinit.exe does indeed exist. You can open the
registry of PCbad from within regedit on PCgood.

While you have an active psexec session, you might as well check the access
rights for userinit.exe like so:
cacls C:\Windows\system32\userinit.exe.
The file must be readable by everyone.

 

[BP]

When I try this command it just scrolls with the aruments list. Does not
appear to do anything. Also the bad pc does not have any password how do I
change the command for that?

 

[Pegasus [MVP]]

If the command

cacls C:\Windows\system32\userinit.exe

scrolls through the arguments list then you must have mistyped it. Best to
check it on PCgood.

Why do you want to set or change passwords at this stage? It would be better
not to introduce new variables at this stage.

 

[BP]

Sorry for confusion, I meant the Badpc does not have an Administrator
password I just hit enter at password. So do I leave off the -p xxxx cmd or
do I type the command line like this on the Goodpc c:\PSTools\psexec \\PCbad
-u Administrator cmd?

Also I have the PCbad on my home network booted to the user account sign on
screen. Is this were it should be?

 

[Pegasus [MVP]]

Now you're confusing me. Previously, in response to me suggestion to run
psexec.exe, you reported this:

Bad PC has C:\Windows
My good desktop is same.

Your reply led me to believe that you had successfully established a psexec
session on PCbad, which in turn caused me to conclude that the drive letter
assignment on PCbad was correct. Your most recent post implies that you
never got a psexec session running. If this is so then I must ask for more
careful reporting. If you report things that do not exist then I am unable
to solve your problem.

A quick test with psexec.exe will show you that you can omit the -p prompt.
It is optional. How can you find out? By typing this at the command prompt:

psexec /?

See the word "optional" against theb -p parameter? Now let's go back a few
steps, run the psexec command I propose, then report accurately what you got
in response to the "set system" command.

 

[BP]

Ok,
I get the below message when I run the following command.
c:\pstools\psexec \\PCbad -u Administrator cmd

PsExec v1.97 - Execute process remotely
Copyright 2001-2009 Mark Russinovich
Sysinternals

Password: "" I just hit enter here""
Couldnt access PCbad:
The network path was not found.
Make sure the default admin share is enabled on PCbad
-------------------------------------
I know the PCbad is on and attached to the network sitting at the user
account sign on screen when I ran this command from my PC Good.
thanks for the help!

 

[Pegasus [MVP]]

"PCbad" is a pseudonym for the real name of the problem PC (which you never
posted). You must, of course, use the real name. Alternatively you can use
its IP address:

c:\pstools\psexec \\192.168.0.11 -u Administrator cmd

If you do not know its ip address then this command may show you the various
IP addresses in your network:

net view

 

[BP]

Ok,
I tried the net view and the PCbad does not show in the list? is this b/c it
was not on the same workgroup name as the rest of my computers on my home
network?

I think this it my issue it is not seeing the PCbad.

 

[Pegasus [MVP]]

Ok,
I tried the net view and the PCbad does not show in the list? is this b/c
it
was not on the same workgroup name as the rest of my computers on my home
network?

I think this it my issue it is not seeing the PCbad.

No, the workgroup name is irrelevant for this exercise. Get yourself a copy
of AngryIPScanner (http://www.angryziber.com/ipscan/), then use it to find
all valid IP addresses in your own subnet. Your subnet consists of the first
three numbers in the IP address of PCGood, e.g. 192.168.0. What are these
addresses?

Note that some virus scanners treat the above program as malware. It isn't.