P
pmcnich
on windows xp pro, when log on it immediately logs me off.
any fixes?? thanks
any fixes?? thanks
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
C
Cheryl
pmcnich said:on windows xp pro, when log on it immediately logs me off.
any fixes?? thanks
The same thing happens to me. Is this a virus? Any fixes???
Help!
Cheryl
R
Rob Hoffman
This sounds like it might be caused by the removal of the wsaupdater.exe.
A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
a file called wsaupdater.exe. It then modifies the registry so that when
you logon the wsaupdater.exe file is executed. After removing the spyware,
(via Adaware, SpyBot S&D, or another spyware detection tool), the
wsaupdater.exe is removed, but the registry still points to it and tries to
execute it during login.
The best procedure to correct this is:
1. Boot into recovery console. More info can be found at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654
2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.
3. Reboot the system and logon.
4. Open regedit (from start->run type regedit)
5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe
6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
file.
At this point your system will be stable and allow you to logon
consistently. However, I would recommend following the guidlines in this
article
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFI
ND.A to ensure the system is completely cleaned up.
Best Regards,
Rob Hoffman, MCSE
Microsoft Enterprise Support Engineer
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: (e-mail address removed) (Cheryl)
Newsgroups: microsoft.public.windowsxp.winlogo
Subject: Re: log on -log off
Date: 29 Sep 2004 17:09:31 -0700
Organization: http://groups.google.com
Lines: 7
Message-ID: <[email protected]>
References: <[email protected]>
NNTP-Posting-Host: 138.163.0.43
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1096502971 31994 127.0.0.1 (30 Sep 2004
00:09:31 GMT)
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Thu, 30 Sep 2004 00:09:31 +0000 (UTC)
Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!news.glorb.com!postnews1.google.com!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.windowsxp.winlogo:4276
X-Tomcat-NG: microsoft.public.windowsxp.winlogo
The same thing happens to me. Is this a virus? Any fixes???
Help!
Cheryl
A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
a file called wsaupdater.exe. It then modifies the registry so that when
you logon the wsaupdater.exe file is executed. After removing the spyware,
(via Adaware, SpyBot S&D, or another spyware detection tool), the
wsaupdater.exe is removed, but the registry still points to it and tries to
execute it during login.
The best procedure to correct this is:
1. Boot into recovery console. More info can be found at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654
2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.
3. Reboot the system and logon.
4. Open regedit (from start->run type regedit)
5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe
6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
file.
At this point your system will be stable and allow you to logon
consistently. However, I would recommend following the guidlines in this
article
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFI
ND.A to ensure the system is completely cleaned up.
Best Regards,
Rob Hoffman, MCSE
Microsoft Enterprise Support Engineer
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: (e-mail address removed) (Cheryl)
Newsgroups: microsoft.public.windowsxp.winlogo
Subject: Re: log on -log off
Date: 29 Sep 2004 17:09:31 -0700
Organization: http://groups.google.com
Lines: 7
Message-ID: <[email protected]>
References: <[email protected]>
NNTP-Posting-Host: 138.163.0.43
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1096502971 31994 127.0.0.1 (30 Sep 2004
00:09:31 GMT)
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Thu, 30 Sep 2004 00:09:31 +0000 (UTC)
Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!news.glorb.com!postnews1.google.com!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.windowsxp.winlogo:4276
X-Tomcat-NG: microsoft.public.windowsxp.winlogo
pmcnich said:on windows xp pro, when log on it immediately logs me off.
any fixes?? thanks
The same thing happens to me. Is this a virus? Any fixes???
Help!
Cheryl
M
Matt
I've tried this. It doesn't work.
I even tried copying userinit.exe from another source. No
good. I've tried all sorts of combinations of copying,
deleting, and/or renaming those files. It does not work.
Once I've done this and rebooted, I try to login and I see
the desktop background for about 5-10 seconds and it logs
off immediately. I've even tried safe mode.
Any suggestions? I think I could fix this if I knew how to
edit the registry from the recovery console. How about that?
Thanks,
Matt
(e-mail address removed)
I even tried copying userinit.exe from another source. No
good. I've tried all sorts of combinations of copying,
deleting, and/or renaming those files. It does not work.
Once I've done this and rebooted, I try to login and I see
the desktop background for about 5-10 seconds and it logs
off immediately. I've even tried safe mode.
Any suggestions? I think I could fix this if I knew how to
edit the registry from the recovery console. How about that?
Thanks,
Matt
(e-mail address removed)
C:\Windows\system32\userinit.exe file with-----Original Message-----
This sounds like it might be caused by the removal of the wsaupdater.exe.
A piece of spyware replaces the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windowsa file called wsaupdater.exe. It then modifies the registry so that when
you logon the wsaupdater.exe file is executed. After removing the spyware,
(via Adaware, SpyBot S&D, or another spyware detection tool), the
wsaupdater.exe is removed, but the registry still points to it and tries to
execute it during login.
The best procedure to correct this is:
1. Boot into recovery console. More info can be found at
http://support.microsoft.com/default.aspx?scid=KB;EN-US;307654
2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.
3. Reboot the system and logon.
4. Open regedit (from start->run type regedit)
5. Navigate to the key
c:\windows\system32\wsaupdater.exeNT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe
6. Next in Windows Explorer delete the
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.