jagoodie asked:
Automatic logoff as soon as i logon

Can anyone help me?

When I log on to Win XP Pro, it automatically logs off. It's a continuous loop, even in Safe Mode and under different user accounts.

I was installing some software (I just got this PC) like SQL Server tools, Plus!, Money, Sonic RecordNow!, PowerDVD, Office 2003.

Baffling... Any ideas?
I am in the Recovery Console as we speak...
ASKER CERTIFIED SOLUTION
Crash2100
jagoodie (ASKER):
trying that now..
sramesh2k:
This is caused by malware named BlazeFind. It adds an entry in the registry which is causing the problem.

From Recovery Console, make a copy of the file userinit.exe and name it WSAUPDATER.EXE

There was a KB article at Lavasoftusa which has now been removed. So, look at the previous newsgroup posting:

news:e9u3RODdEHA.1656%40TK2MSFTNGP09.phx.gbl

(Type this in Start/Run box)

Once done, you should be able to login successfully. Next, correct the registry setting, as explained here:

news:ugqPAGVdEHA.1648@TK2MSFTNGP11.phx.gbl
(Type this in Start/Run box)

The Userinit value must be changed in the registry.
Clearly documented at:

Quick Launch settings are not saved; Search Assistant Toolbar in Taskbar:
http://www.winxptutor.com/wsaremove.htm
After I did the in-place install it logged in successfully. I did a scan for BlazeFind, and it was not present. I never get spyware.
Hi - I solved my automatic LOGOFF problem that occurred every time I LOGGED ON - even in SAFE Mode. The problem turned out to be that the Winlogon userinit entry was set to "wsaupdater.exe," and not "userinit.exe,". I fixed the problem by 1) booting to a Repair Console (IBM provides this on their laptops), 2) changing directory to C:\WINDOWS\System32, and 3) copying userinit.exe to wsaupdater.exe (there was no wsaupdater.exe present). I then 4) rebooted into Safe Mode and successfully logged on as Administrator (for the first time in several days!) Next step was to 5) edit the registry and change userinit in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from "wsaupdater.exe," to "userinit.exe,"; 6) final reboot and back to normal!

If this doesn't work, there are other things to try.  See posting in microsoft.public.windowsxp.security_admin: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=Fl2zc.336021%24M3.285711%40twister.nyroc.rr.com&rnum=21&prev=/groups%3Fq%3Dwindows%2Bxp%2Bautomatic%2Blogoff%26start%3D20%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26selm%3DFl2zc.336021%2524M3.285711%2540twister.nyroc.rr.com%26rnum%3D21

Good luck
--Rick Lewis--
The problem seems to be that BlazeFind (malware) copies the userinit.exe file to wsaupdater.exe and refers to this file in the registry instead of userinit.exe. Antivirus programs (I noticed it with NAV myself in several cases) then delete this file, which results in the problem as described.

This is easy to solve with the Recovery Console of Windows XP. Copy (rename) the userinit.exe file to wsaupdater.exe in the Recovery Console. Now you're able to log on again and you can restore the original situation in the registry.

More information on how to use the Recovery Console is easy to find at Microsoft's site.

This solution is actually the same as sramesh2k's.

Yes, which didn't work.
Try the instructions listed below. Renaming the file, as mentioned above, worked for me for about a week, then it seemed the malware updated itself to use a different malicious registry edit, one which I haven't figured out yet.

Note I got these instructions from a Google cache of a Lavasoft forum page. The latter seems unavailable and I can't find the link to the former right now, but below is a possible alternative solution if copying the userinit.exe into wsaupdater.exe. This gives you instructions on how to recover from a previously known good software registry hive (if I said that right). It should allow you to repair your newest registry using an old registry, then go back to the newest registry after it has been repaired.

My problem is that I don't know yet what the new malicious registry edit is to repair it. I am gonna try a text comparison tool on exports of the 2 registries, but I will save that for another night.

Hope this helps,

Neil


________________________________________________________________________
RESOLUTION

First it is necessary to go to the recovery console. If you are unsure of how to get to recovery console please see http://www.lavasofthelp.com/articles/v6/04/06/0901.html .

At the recovery console, it is necessary to replace the software hive with a previous good backup. Please type in each of the following bold lines, pressing ENTER after each one.

C:\windows>cd c:\windows\system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy c:\windows\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.

C:\windows\system32\config>exit

Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

Open regedit.exe.
Highlight HKEY_LOCAL_MACHINE (note: this is important; if you do not highlight this the next step will not work).
Go to File > Load Hive...

Select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\windows\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back. It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit

MORE INFORMATION

This issue is resolved with Definition File SE1R10 28.09.2004.
Special thanks to Lavasoft Member dorkfish for his assistance in this matter.

Thank you very much for the instructions. I had the same problem, followed these instructions, and it's back up and working great.
Works for me too!! Great, thanks nyashinsky!! I've been doing every method out there in existence.. and yours works perfectly!!!! I've been looking for a solution for DAYS AND DAYS on END!!! WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEW!!!!!!!!!!!!!!!
I want to thank everyone for their assistance on this frustrating problem.

I'm posting a bit of a followup!  I wasted a few hours because I thought I was following all of the instructions, but in fact I was not!  I see that a few others have indicated that they tried to follow the instructions and it didn't work.  It may be that they also did not follow the work around EXACTLY.

1) I tried to do my file copies from the DOS PROMPT using a DOS BOOT DISK. The files appear to copy and work, but IN FACT IT DOES NOT. Once I finally went to the original Windows Install CD and entered using the Recovery Console, everything worked correctly. From the DOS prompt using the Recovery Console, copy the userinit.exe to the wsaupdater.exe file.
2) REBOOT INTO SAFE MODE and you should be able to log on as the administrator.
3) Correct your registry using REGEDIT. NOTE: one user commented to watch the case sensitivity of the entry. I didn't take any chances, and made the changes to the WINLOGON entry as "C:\WINDOWS\system32\userinit.exe," following it exactly for the upper and lower case, and to include the comma at the end, and everything worked for me!

I probably spent an hour or two researching this problem, and the fix should only have taken about 10 to 15 minutes.  I wasted several hours by not going to the Recovery Console the first time around!

Thanks everyone!

Bob
Dear bobert2,

I cannot speak for thomas101 and andreni78 directly on this regard, though I have every reason to believe them, but I can assure you that I did "follow the work around" _EXACTLY_. As a matter of fact, if you read my post carefully you'll see I followed those instructions exactly and successfully, once. The second time around it was exactly and unsuccessfully. Both times I used the Recovery Console; the second time I was even told that the file in question already existed.

I can certainly sympathize with your plight, having been in similar situations where I nearly followed the directions and only recognized my mistake after nearly doing it until I did it exactly. In the end, one truth (usually) prevails, or so says Conan Edogawa, so I must thank you for your contribution to the discussion, but politely refute your suggestion that there are not variants out there that make the registry value in question simply unreadable, and the original work around ineffective.

While I am at it, I will be happy to say to thomas101 and andreni78, You're Welcome! Share and share alike.

I would also say, since I am already on my soap box, that while the original answer by crash2100 would have solved the problem, it wasn't nearly as good as the one later posted by sramesh2k, whom I would also like to thank. He provided much more insight on the problem and his solution was much lower risk to lose existing settings, and it didn't require reapplying MS Updates. Without his posting I would have been unlikely to find the way to work around BlazeFind's evolving evil ways.
I fixed it.. but it came back.. then I fixed it again.. rescanned my computer with Ad-Aware.. and only found cookies... what's the deal? hmmm
Fun.  Windows can really bite sometimes.  By chance, is your PC a Dell?  Mine is.
Yes, my PC is a Dell.. but that's irrelevant?
By the way.. this is my 3rd time fixing it...
Every time.. it changes my setting to c:\winnt\system32\userinit.exe when my root NT folder is winxp.. and next to it.. is always: iprotect.exe... so what I did is.. made a folder winnt\system32 and copied userinit.exe in it.. and copied userinit.exe over iprotect.exe and gave it a read-only attribute.. hopefully this solves the problem
andreni78,

Do you have a software firewall running on your machine? I found after installing ZoneAlarm's free version, updates/mutations to the spyware/malware were stopped. This was a decisive turning point for me.


Hey Guys,

Thank you so much for your solutions. I have tried all of them and I am not able to get rid of the problem. Has there ever been a situation where none of the solutions worked? I have run out of time and patience. I thought about removing the hard drive from the desktop, making a USB connection to another computer and trying to scan and remove the virus. Do you know if this is a possible solution? If you guys have any other solutions, please let me know, because if not I have no other choice but to wipe it.

Godchild
I have tried everything above. It seems it is not related to Ad-Aware.

Could I get some advice on this?
I was like a lot of you and none of the above helped me, but everything I searched pointed me here. What I did was follow an article about changing the boot drive letter.... This is your only warning... Incorrectly following these instructions will more than likely cause a complete reload.... Now that you have been warned....

It came to me that something else was causing this issue besides an old virus.. So I ghosted the drive and set the image to cause the drive to chkdsk... Well, with only one drive connected to the machine, I booted the computer and the blue chkdsk screen that comes up said it wanted to check drive E:... Well, it checked the drive and found a few things wrong, and went right back into doing the same auto logout issue.

The drive letter it wanted to check was E: and it should have been C:, which leads to using a Windows PE boot CD like Hiren's. I booted into the mini-XP mode, used regedit to load the system hive, and followed the instructions on this page: http://support.microsoft.com/kb/223

To change my boot drive letter back to C: from E:.. Unloaded the hive, rebooted and I was in...

Hope this helps....
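Every fix in this thread comes down to one registry value: sramesh2k's and Rick Lewis's copy of userinit.exe to wsaupdater.exe, the Lavasoft hive-restore procedure Neil quoted, andreni78's c:\winnt versus winxp case and the drive-letter post just above all make Winlogon's Userinit name an executable that really exists where the value says it does. The Python helper below is an added example and is not code from the thread or from any poster. It audits a Userinit string offline (read it from a live or loaded hive with whatever tool you prefer) against the real %SystemRoot% and a caller-supplied set of files on disk, and reports each way the value can break the logon; the sample values and the file set are constructed for the demonstration.

```python
"""Offline audit of the Winlogon 'Userinit' registry value (added example).

The value lives at HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
and is a comma-separated list of programs Winlogon starts for a new session.
If the first program cannot be started, nothing launches the shell and the
session ends at once, which is the logon/logoff loop described in the thread.
"""
import ntpath  # Windows path semantics, usable on any OS

EXPECTED_EXE = "userinit.exe"


def recommended_value(system_root):
    """The value the thread restores: <SystemRoot>\\system32\\userinit.exe followed by a comma."""
    return ntpath.join(system_root, "system32", EXPECTED_EXE) + ","


def audit_userinit(value, system_root, existing_files):
    """Return a list of findings for a Userinit string; an empty list means it looks healthy.

    value          -- raw REG_SZ data, e.g. 'C:\\WINDOWS\\system32\\userinit.exe,'
    system_root    -- the directory Windows actually booted from, e.g. 'C:\\WINDOWS'
    existing_files -- set of full paths present on disk (the caller builds this;
                      in the demo below it is a constructed set)
    """
    present = {p.lower() for p in existing_files}
    expected_dir = ntpath.join(system_root, "system32").lower()
    findings = []

    if not value.strip():
        findings.append("Userinit is empty: Winlogon has nothing to start, so the session ends immediately")
        return findings
    if not value.rstrip().endswith(","):
        findings.append('value does not end with the trailing comma the stock value carries ("...userinit.exe,")')

    entries = [e.strip() for e in value.split(",") if e.strip()]
    for entry in entries:
        # Userinit is REG_SZ, not REG_EXPAND_SZ, so %system32% and friends are used literally.
        if "%" in entry:
            findings.append(f"{entry}: contains an environment token; Userinit is used literally, so this file will not be found")
            continue
        directory, exe = ntpath.split(entry)
        if not directory or not ntpath.splitdrive(entry)[0]:
            findings.append(f"{entry}: not an absolute path")
        elif directory.lower() != expected_dir:
            # Covers both the c:\winnt-vs-winxp case and a boot drive that came up as E: instead of C:.
            findings.append(f"{entry}: points outside {expected_dir} (wrong drive letter or Windows directory?)")
        if exe.lower() != EXPECTED_EXE:
            findings.append(f"{entry}: program is {exe}, not {EXPECTED_EXE} (BlazeFind-style substitution)")
        if entry.lower() not in present:
            findings.append(f"{entry}: file does not exist on disk, logon will fail")
    return findings


if __name__ == "__main__":
    # Constructed demo: the healthy value, then the three shapes reported in the thread.
    disk = {"C:\\WINDOWS\\system32\\userinit.exe"}  # wsaupdater.exe already deleted by the AV
    samples = [
        "C:\\WINDOWS\\system32\\userinit.exe,",            # stock XP value
        "C:\\WINDOWS\\system32\\wsaupdater.exe,",          # BlazeFind substitution
        "%system32%\\userinit.exe",                        # the unexpanded form Neil's instructions call invalid
        "c:\\winnt\\system32\\userinit.exe,iprotect.exe",  # andreni78's variant on a C:\WINXP install
    ]
    for sample in samples:
        root = "C:\\WINXP" if "winnt" in sample else "C:\\WINDOWS"
        files = {"C:\\WINXP\\system32\\userinit.exe"} if root == "C:\\WINXP" else disk
        print(repr(sample))
        for finding in audit_userinit(sample, root, files) or ["looks healthy"]:
            print("   ", finding)
        print("    recommended:", recommended_value(root))
```

Run it on a live machine by pasting the value from regedit and the real %SystemRoot%; when checking an offline hive such as the software.old copy from the Lavasoft procedure, load the hive first, then feed the string and the mounted drive's file list to `audit_userinit`. The drive-letter check is what separates the last poster's problem from the malware cases: the value was textually correct but named a drive that was no longer C:.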