Windows automatically logs out when I attempt to log in...


Caeanis

Not sure but I believe this may be the result of a virus. I got an alert
from Norton 2009 that it had detected and resolved an attack, but that I
needed to reboot to complete what it started. When windows came back up, I
logged into my profile. The desktop wallpaper appeared and that was as far
as I got. The Logging off message appeared followed by the "saving your
settings" message and it logged me out! So I tried my wife's profile, same
thing. I then rebooted into safe mode (in retrospect if I was infected not a
smart thing, but who knew?) and tried the administrator account and mine in
safe mode, same behavior. I have a couple of questions, this is basically a
clean install, I do know that a windows update had been installed in that
session so, could this be a result of that? While it's possible that it was
a virus of some sort that did this, I've never seen one with this behavior.
I called support and they indicated that this was NOT a result of an install
past activation (I've seen this behavior on computers that had a bootleg copy
or didn't have a product id do this before). My second question is I had just
transferred my files into this profile from an earlier install and I really
want to get all of it back if possible. To avoid losing my data I did a
parallel install on the same drive but the profile is now inaccessible. Is
there ANY way to access it? I have the password and user name but it seems
that that doesn't matter. I don't mind wiping the drive and reinstalling,
I'd only had it up for 2 or 3 days anyway, but I'd like to get my data back
if possible. Oh and sorry for the novelette...
 
<snip interesting novel> :-)

So you login to Windows and it logs you straight off again?

This sounds like it might be caused by the corruption of userinit.exe.
A piece of spyware replaces the C:\Windows\system32\userinit.exe file with
a file called wsaupdater.exe (or other made-up name). It then modifies the
registry so that when you logon the wsaupdater.exe file is executed. After
removing the spyware (via Adaware, SpyBot S&D, or another spyware detection
tool), the wsaupdater.exe is removed, but the registry still points to it
and tries to execute it during login.

The best procedure to correct this is:

1. Boot into recovery console. (Use your XP System / Restore disc to
accomplish this)

2. Navigate to the c:\windows\system32 folder and type (without the
quotes) "copy userinit.exe wsaupdater.exe". This will trick the system
into booting by copying the legitimate XP userinit.exe file to the
wsaupdater.exe file and allow the system to boot.

Alternatively, if userinit.exe does not exist in C:\Windows\system32, then
you need to copy it off the XP disc.

expand D:\i386\userinit.ex_ C:\Windows\system32\userinit.exe

3. Reboot the system and logon.

4. Open regedit (from start->run type regedit)

5. Navigate to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon and modify the value of Userinit to
C:\WINDOWS\system32\userinit.exe

6. Next in Windows Explorer delete the c:\windows\system32\wsaupdater.exe
file.

You should now have a working system.

Alister
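
As an added example (not part of the post above or of any tool named in the thread), this Python check audits a Winlogon Userinit string the way steps 5 and 6 do by hand: it flags any listed program other than the stock userinit.exe and any listed file that is missing from disk. The function names and sample values are constructed for illustration; it assumes the stock value is a comma-separated list ending in a comma.

```python
import ntpath

# Registry location named in the post above.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_userinit(value, system_root=r"C:\WINDOWS", exists=None):
    """Return (entry, finding) pairs for a Winlogon Userinit string.

    `exists` is a callable(path) -> bool, e.g. one that checks an offline
    install mounted elsewhere. When None, file presence is not checked.
    """
    def norm(p):
        return ntpath.normcase(ntpath.normpath(p))

    expected = norm(ntpath.join(system_root, "system32", "userinit.exe"))
    # Userinit is a comma-separated list; the stock value ends with a comma,
    # so empty pieces are dropped rather than reported.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    findings = []
    if not entries:
        findings.append(("", "empty value: nothing is started at logon"))
    for entry in entries:
        if norm(entry) != expected:
            findings.append((entry, "unexpected program in Userinit"))
        if exists is not None and not exists(entry):
            findings.append((entry, "file missing on disk"))
    if entries and all(norm(e) != expected for e in entries):
        findings.append((expected, "stock userinit.exe is not listed"))
    return findings


def read_live_userinit():
    """Read the value from the running system (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    # Constructed sample values, not taken from the machine in this thread.
    present = {r"c:\windows\system32\userinit.exe"}
    on_disk = lambda p: ntpath.normcase(p) in present
    for sample in (r"C:\WINDOWS\system32\userinit.exe,",
                   r"C:\WINDOWS\system32\wsaupdater.exe,"):
        print(sample, "->", audit_userinit(sample, exists=on_disk))
```

A value that still names a program the cleanup tool deleted produces both the "unexpected program" and "file missing on disk" findings, which is the state described in this thread.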
 
Worked like a charm. I loaded the HKLM hive in my existing installation in
regedit, and found that the string pointing to Userinit had a comma at the
end. I also copied a new copy of the file into Windows\System32 and I was
able to log in with no problem. You're a life saver, thanks!
 
Caeanis said:
Worked like a charm. I loaded the HKLM hive in my existing installation in
regedit, and found that the string pointing to Userinit had a comma at the
end. I also copied a new copy of the file into Windows\System32 and I was
able to log in with no problem. You're a life saver, thanks!

You're welcome, glad to help.

Alister
 
Worked like a charm.  I loaded the HKLM hive in my existing installation in
regedit, and found that the string pointing to Userinit had a comma at the
end.  I also copied a new copy of the file into Windows\System32 and I was
able to log in with no problem.  You're a life saver, thanks!

Glad it is working - you fixed the problem the malicious software may
have inflicted, but have you removed the malicious software itself or
just fixed one of the problems it caused?

You should still use some reputable scanning tools to be sure you are
rid of this malicious code and any others - if you had this one, you
may have more!

Don't just fix the symptom - fix the problem while you're at it.
 