Solved

Automatic logoff as soon as I log on

Posted on 2004-08-04
Last Modified: 2011-08-18
Can anyone help me?

When I log on to Win XP Pro, it will automatically log off. It's a continuous loop - even in safe mode, under different user accounts.

I was installing some software (I just got this PC) like SQL server tools, Plus!, Money, Sonic Record Now!, PowerDVD, Office 2003.

Baffling... Any ideas?
I am in the recovery console as we speak...
Question by:jagoodie
22 Comments
 
LVL 18

Accepted Solution

by:
Crash2100 earned 250 total points
ID: 11722102
You could try doing a repair installation of windows.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341
0
 
LVL 2

Author Comment

by:jagoodie
ID: 11722245
trying that now..
0
 
LVL 34

Expert Comment

by:sramesh2k
ID: 11723250
This is caused by a malware named BlazeFind. It adds an entry in the registry which is causing the problem.

From Recovery Console, make a copy of the file userinit.exe and name it WSAUPDATER.EXE

There was a KB article at Lavasoftusa, and it has now been removed. So, look at the previous newsgroup posting:

news:e9u3RODdEHA.1656%40TK2MSFTNGP09.phx.gbl

(Type this in Start/Run box)

Once done, you should be able to login successfully. Next, correct the registry setting, as explained here:

news:ugqPAGVdEHA.1648@TK2MSFTNGP11.phx.gbl
(Type this in Start/Run box)

The Userinit value must be changed in the registry.
0
 
LVL 34

Expert Comment

by:sramesh2k
ID: 11723513
Clearly documented at:

Quick Launch settings are not saved; Search Assistant Toolbar in Taskbar:
http://www.winxptutor.com/wsaremove.htm
0
 
LVL 2

Author Comment

by:jagoodie
ID: 11725635
After I did the in-place install it logged in successfully.  I did a scan for BlazeFind, and it was not present.  I never get spyware.
0
 

Expert Comment

by:lewisrw
ID: 11858437
Hi - I solved my automatic LOGOFF problem that occurred every time I LOGGED ON - even in SAFE Mode. The problem turned out to be that the Winlogon userinit entry was set to "wsupdater.exe," and not "userinit.exe,".  I fixed the problem by 1) booting to a Repair Console (IBM provides this on their laptops), 2) changing directory to C:\WINDOWS\System32, and 3) copying userinit.exe to wsaupdater.exe (there was no wsaupdater.exe present). I then 4) rebooted into Safe mode and successfully logged on as Administrator (for the first time in several days!)  Next step was to 5) edit the registry and change userinit in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from "wsaupdater.exe," to "userinit.exe,"; 6) final reboot and back to normal!

If this doesn't work, there are other things to try.  See posting in microsoft.public.windowsxp.security_admin: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=Fl2zc.336021%24M3.285711%40twister.nyroc.rr.com&rnum=21&prev=/groups%3Fq%3Dwindows%2Bxp%2Bautomatic%2Blogoff%26start%3D20%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26selm%3DFl2zc.336021%2524M3.285711%2540twister.nyroc.rr.com%26rnum%3D21

Good luck
--Rick Lewis--
0
 

Expert Comment

by:kuvain
ID: 12132772
The problem seems to be that BlazeFind (malware) copies the userinit.exe file to wsaupdater.exe and refers to this file in the registry instead of userinit.exe. Antivirus programs (I noticed it with NAV myself in several cases) then delete this file, which results in the problem as described.

This is easy to solve with the Recovery Console of Windows XP. Copy (rename) the userinit.exe file to wsaupdater.exe in the Recovery Console. Now you're able to log on again and you can restore the original situation in the registry.

More information on how to use the Recovery Console is easy to find at Microsoft's site.

This solution is actually the same as sramesh2k's.

0
 
LVL 2

Author Comment

by:jagoodie
ID: 12133032
Yes, which didn't work.
0
 

Expert Comment

by:nyashinsky
ID: 12234754
Try the instructions listed below.  The renaming the file thing mentioned above worked for me for about a week, then it seemed the malware updated itself to use a different malicious registry edit, one which I haven't figured out yet.

Note I got these instructions from a Google cache of a Lavasoft forum page.  The latter seems unavailable and I can't find the link to the former right now, but below is a possible alternative solution if copying the userinit.exe into wsaupdater.exe.  This gives you instructions on how to recover from a previously known good software registry hive (if I said that right).  It should allow you to repair your newest registry using an old registry, then go back to the newest registry after it has been repaired.

My problem is that I don't know yet what the new malicious registry edit is to repair it.  I am gonna try a text comparison tool on an export of the 2 registries, but I will save that for another night.

Hope this helps,

Neil


________________________________________________________________________
RESOLUTION

First it is necessary to go to the recovery console. If you are unsure of how to get to recovery console please see http://www.lavasofthelp.com/articles/v6/04/06/0901.html .

At the recovery console, it is necessary to replace the software hive with a previous good backup. Please type in each of the following bold lines, pressing ENTER after each one.

C:\windows>cd %windir%\system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\%windir%\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.

C:\windows\system32\config>exit

Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

open regedit.exe
Highlight HKEY_LOCAL_MACHINE (note: this is important, if you do not highlight this the next step will not work)
goto file - load hive...

Select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\windows\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back. It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit

MORE INFORMATION

This issue is resolved with Definition File SE1R10 28.09.2004.
Special thanks to Lavasoft Member dorkfish for his assistance in this matter.

0
 

Expert Comment

by:thomas101
ID: 12239671
Thank you very much for the instructions. I have the same problem and followed these instructions; it's back up and working great.
0
 

Expert Comment

by:andreni78
ID: 12572891
Works for me too!! Great thanks nyashinsky!! I've been doing every method out there in existence.. and yours works perfectly!!!! I've been looking for a solution for DAYS AND DAYS on END!!! WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEW!!!!!!!!!!!!!!!
0

 

Expert Comment

by:bobert2
ID: 12575466
I want to thank everyone for their assistance on this frustrating problem.

I'm posting a bit of a followup!  I wasted a few hours because I thought I was following all of the instructions, but in fact I was not!  I see that a few others have indicated that they tried to follow the instructions and it didn't work.  It may be that they also did not follow the work around EXACTLY.

1)  I tried to do my file copies from the DOS PROMPT using a DOS BOOT DISK.  The files appear to copy and work, but IN FACT IT DOES NOT.  Once I finally went to the original Windows Install CD and entered using the Recovery Console, everything worked correctly.  From the DOS prompt using the Recovery Console, copy the userinit.exe to the wsauserupdater.exe file.
2) REBOOT INTO SAFE MODE and you should be able to logon as the administrator.
3) Correct your registry using REGEDIT.  NOTE: - one user commented to watch the case sensitivity of the entry.  I didn't take any chances, and made the changes to the WINLOGON entry as "C:WINDOWS\system32\userinit.exe," following it exactly for the upper and lower case, and to include the comma at the end, and everything worked for me!

I probably spent an hour or two researching this problem, and the fix should only have taken about 10 to 15 minutes.  I wasted several hours by not going to the Recovery Console the first time around!

Thanks everyone!

Bob
0
 

Expert Comment

by:nyashinsky
ID: 12577120
Dear bobert2,

I cannot speak for thomas101 and andreni78 directly in this regard, though I have every reason to believe them, but I can assure you that I did "follow the work around" _EXACTLY_.  As a matter of fact, if you read my post carefully you'll see I followed those instructions exactly and successfully, once.  The second time around it was exactly and unsuccessfully.  Both times I used the recovery console; the second time I was even told that the file in question already existed.

I can certainly sympathize with your plight, having been in similar situations where I nearly followed the directions and only recognized my mistake after nearly doing it until I did it exactly.  In the end, one truth (usually) prevails, or so says Conan Edogawa, so I must thank you for your contribution to the discussion, but politely refute your suggestion that there are not variants out there that make the registry value in question simply unreadable, and the original work around ineffective.

While I am at it, I will be happy to say to thomas101 and andreni78, You're Welcome!  Share and Share alike

I would also say, since I am already on my soap box, that while the original answer by crash2100 would have solved the problem, it wasn't nearly as good as the one later posted by sramesh2k, whom I would also like to thank.  He provided much more insight on the problem, and his solution was much lower risk to lose existing settings, and it didn't require reapplying MS Updates.  Without his posting I would have been unlikely to find the way to work around BlazeFind's evolving evil ways.
0
 

Expert Comment

by:andreni78
ID: 12582156
I fixed it.. but it came back.. then I fixed it again.. rescanned my computer with Ad-Aware.. and only found cookies... what's the deal? hmmm
0
 
LVL 2

Author Comment

by:jagoodie
ID: 12583402
Fun.  Windows can really bite sometimes.  By chance, is your PC a Dell?  Mine is.
0
 

Expert Comment

by:andreni78
ID: 12587221
Yes, my PC is a Dell.. but that's irrelevant?
0
 

Expert Comment

by:andreni78
ID: 12587230
by the way.. this is my 3rd time fixing it...
0
 

Expert Comment

by:andreni78
ID: 12587316
Every time.. it changes my setting to c:\winnt\system32\userinit.exe when my root NT folder is winxp.. and next to it.. is always: iprotect.exe... so what I did is.. made a folder winnt\system32 and copied userinit.exe in it.. and copied userinit.exe over iprotect.exe and gave it a read-only attribute.. hopefully this solves the problem
0
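
Added example (not part of any post in this thread): a small Python check for the Winlogon Userinit value that the posts above keep repairing, flagging entries that are not userinit.exe under the machine's own system root. The function name audit_userinit, the sample strings and the rule that any %variable% is suspicious are assumptions built from the values reported in the thread.

```python
import ntpath

# Value discussed in the thread:
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> Userinit

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return findings for a Userinit string; an empty list means it looks sane."""
    expected = ntpath.normcase(
        ntpath.join(system_root, "system32", "userinit.exe"))
    # The value is a comma-separated list, usually with a trailing comma.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    findings, valid = [], False
    for entry in entries:
        if "%" in entry:
            # Assumption: any %var% is flagged, because the quoted article
            # calls %system32%\userinit.exe invalid.
            findings.append(f"unexpanded variable: {entry}")
        elif ntpath.basename(entry).lower() != "userinit.exe":
            findings.append(f"unexpected program: {entry}")
        elif not ntpath.dirname(entry):
            valid = True  # bare "userinit.exe," as in lewisrw's fix
        elif ntpath.normcase(entry) == expected:
            valid = True  # full path under this machine's system root
        else:
            findings.append(f"userinit.exe outside system root: {entry}")
    if not valid:
        findings.append("no usable userinit.exe entry")
    return findings

# Constructed samples, built from values reported in the thread.
SAMPLES = [
    ("wsaupdater.exe,", r"C:\WINDOWS"),
    ("userinit.exe,", r"C:\WINDOWS"),
    (r"C:\windows\system32\userinit.exe,", r"C:\WINDOWS"),
    (r"%system32%\userinit.exe", r"C:\WINDOWS"),
    # andreni78's case: system root is winxp; the exact layout of the
    # value (comma-separated iprotect.exe) is assumed.
    (r"c:\winnt\system32\userinit.exe,iprotect.exe", r"C:\winxp"),
]

if __name__ == "__main__":
    for value, root in SAMPLES:
        print(f"{value!r:50} -> {audit_userinit(value, root) or 'ok'}")
```

The check works on the string alone, so it can be run against a value read from an exported or offline-loaded hive as well as a live one.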
 

Expert Comment

by:nyashinsky
ID: 12589228
andreni78,

Do you have a software firewall running on your machine?  I found after installing ZoneAlarm's free version, updates/mutations to the spyware/malware were stopped.  This was a decisive turning point for me.


0
 

Expert Comment

by:pcplus1
ID: 21950693
Hey Guys,

Thank you so much for your solutions.  I have tried all of them and I am not able to get rid of the problem.  Has there ever been a situation where none of the solutions worked?  I have run out of time and patience.  I thought about removing the hard drive from the desktop, making a USB connection to another computer, and trying to scan and remove the virus.  Do you know if this is a possible solution?  If you guys have any other solutions, please let me know, because if not I have no other choice but to wipe it.

Godchild
0
 

Expert Comment

by:nuiphao
ID: 22297005
I have tried everything above.  It seems it is not related to adaware.

Could I get some advice on this?
0
 
LVL 1

Expert Comment

by:chrobi
ID: 33643044
I was like a lot of you and none of the above listed helped me, but everything I searched pointed me here.  What I did was follow an article about changing the boot drive letter....This is your only warning...Incorrectly following these instructions will more than likely cause a complete reload.... Now that you have been warned....

It came to me that something else was causing this issue besides an old virus..  So I ghosted the drive and set the image to cause the drive to chkdsk...  Well, with only one drive connected to the machine, I booted the computer and the blue Chkdsk screen that comes up said it wanted to check drive E:...Well, it checked the drive and found a few things wrong, and went right back to doing the same auto logout issue.

The drive letter it wanted to check was E: and it should have been C:, which leads to using a Windows PE boot CD like Hiren's.   I booted into the mini-XP mode, and used regedit to load the system hive, and followed the instructions on this page: http://support.microsoft.com/kb/223

To change my boot drive letter back to C: from E:..  Unloaded the hive rebooted and I was in...

Hope this helps....
0
