WinXP pro logs me out automatically after login

rjt76
rjt76 used Ask the Experts™
on
Hi,

I'm using XP pro SP1, after entering my user password the system flashes the desktop and then logs out. It does this also in Safe Mode and in safe mode with command prompt. I've searched the net and tried the Lavasoft AdAware fix but that's failed as the same thing keeps occuring.

I cant do a fresh install as I have way too much data (not backed up) on the machine.

Please help, I'm tearing out what little hair I have left.

Thanks in advance.

 
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Unable to logon to Windows after removing BlazeFind using a spyware removal utility?
http://www.winxptutor.com/wsaremove.htm

PAQs:

Windows XP: Whenever I try to log in windows XP, it automatically logs me off:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21101542.html

Windows XP: XP forces logout and restore possibly turned off:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21110108.html

Author

Commented:
Thanks

but the lavasoft wsaupdater removal I've done and it said 1 file copied but the problem was still there after exiting and rebooting....Any idea why it seems to work for everybody else in other forums but not for me? Also the screen has gone into safe mode type colours and I dont know why...

I have the XP CD so I could try reinstallation as suggested in one of the PAQ's you referred me too, but I'm worried about losing data, is it safe?

Hi rjt76,

Not sure about the removal procedure that you've tried earlier. Copying the file via recovery console helps in most cases. Pls let us know how it works.
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

Author

Commented:
Hi,

Sorry for not getting back to you just had trouble getting this rubbishy old laptop running to go online....

I tried the exact removal procedure from lavasoft's site...via the recovery console as stated on the link you provided and elsewhere, I've just doen it again as well and it isn't working

---CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)----

in this link it says log in will now work and you have to do something with registry but the login still doesn't work, I'm still in this loop...

I dont understand why it would be this spyware anyway as although I have adaware I haven't used it for a while so why would this problem have just suddenly occured...

Do you have any ideas as this cd system32 thing isn't working??

thanks again

Author

Commented:
hello again,

if it helps i've just run the recovery console again and looked at the dir / in system32 and bot userinit.exe and wsaupdater.exe are still present is this how it should be??

Hi,

It looks like the Userinit registry value has a blank string (neither wsaupdater, nor userinit.exe). So, please try this method, after connecting the drive to another working XP system.

http://groups.google.com/groups?hl=en&lr=&selm=efdpC9tVEHA.4048%40TK2MSFTNGP10.phx.gbl

If that is not feasible for you, consider a repair installation, but this will undo all the updates and hotfixes you've downloaded

Repair XP:
http://www.webtree.ca/windowsxp/repair_xp.htm

and http://www.michaelstevenstech.com for a detailed Repair installation guide.

Author

Commented:
again thanks....sorry to be a bit dim but are you suggesting taking the drive out completley and putting it in another machine?

this is possible for me as I have an old pc here with xp in it but sounds daunting

the repair install, sounds easier but I am terrified about data loss, is this likely?

Author

Commented:
a friend has just suggested ERD Commander, is this worth a shot??
Aland CoonsSystems Engineer

Commented:
I'm working on a computer right now with exactly the same symptoms.  It had five different trojans.

He had Norton AV installed but had let the signatures get out-of-date.

Author

Commented:
Hello Alan,

I think it must be a trojan or something myself because I haven't used AdAware in ages. I didn't have any antivirus software and was onlky using zonealarm as a firewall. How are you tackling this problem then?? the options appear to be repair install, take HD out and put in another machine or ERD commander?? I know very little about all this...All help is very much appreciated....


>>but are you suggesting taking the drive out completley and putting it in another machine?

Yup.

>> the repair install, sounds easier but I am terrified about data loss, is this likely?

No data loss would occur, but you lose all the windows updates and SP level (which you need to apply again)

OTOH, if Repair option is unavailable, read the section "Warning!! If the Repair Option is not Available " in the article : http://www.michaelstevenstech.com/XPrepairinstall.htm

Author

Commented:
Hiya Ramesh,

I'm another machine now, this has XP running and space for a second drive.....is it complicated to set up the problem HD as a slave to this one...I don't know very much about jumpers etc

just trying to weigh up these 2 options

I assume erd commander is a bad line to pursue then

Hi,

This link might give an idea how to connect the second hard drive:
http://www.perfectdrivers.com/howto/seconddrive.html

Author

Commented:
I just don't know what to do both options seem daunting...I guess the repair install is easiest if I definately wont loose data...what do you recommend:)

anyway thanks for your help, it's very much appreciated...how do I award these points then?
>> I guess the repair install is easiest if I definately wont loose data.

No problem with repair installed, except the Warning #2 as explained here:

http://www.michaelstevenstech.com/XPrepairinstall.htm

Author

Commented:
OK thanks but what about Warning #1 where he keeps reiterating about backing up data etc...is this just precautionary or a genuine risk?? I'm sorry to be such a pain but I have about 2 years worth of graphic design on that drive that I idiotically have no other copies of including projects with impending deadlines....

do I just hit the accept button to igve you the points then mate??

Warning 1 is an extract of this article (applies to OEM systems, as per MS note)

You May Lose Data or Program Settings After Reinstalling, Repairing, or Upgrading Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q312369

Personally, I've done repair installations quite a number of times and *never* experienced data loss. BUT, considering the valuable data in the hard drive, I would say backup and repair is safer IMHO. Again this would involve connecting the drive as Slave to another system :-) An onsite tech or your computer savvy neighbour may be required here.

So, if you're hiring an onsite tech, let him inspect the Userinit value first. If that does not work, ask the tech to backup the data and then repair install.

Thanks.
Aland CoonsSystems Engineer
Commented:
I always slave the drive to another system and run an image backup before performing something like this but in my own experience a repair install is an unusually safe proposition.

Author

Commented:
unfortunately, I work for myself and current solvency doesn't allow me to bring in a tech. I think I'll just sleep on this and face it afresh tomorrow. Thanks a million for all your advice, I really cant express how much you've helped. Cheers.

Author

Commented:
oops I dunno if I did that point thing right I meant to split the points a little, sorry Alan, no offence meant just new here...

thanks to both of you

Author

Commented:
ramesh, what a star, cheers for sharing the points I stuffed up....thanks again.

Thanks Lee.

Author

Commented:
well I dunno what the status quo is here, I hope splitting it as I have done is appropriate and no-one  is aggreived

cheers
Aland CoonsSystems Engineer

Commented:
Thanks all!

BTW, my current problem PC is similar to this one and quite a bit worse because the client had installed Norton Systemworks GOBACK.
I currently have two open questions with very good feedback from my co-technicians. I'm linking them here to help future researchers.

http://www.experts-exchange.com/Q_21193155.html
http://www.experts-exchange.com/Q_21192531.html

Author

Commented:
Hi again,

I have fixed the problem, in the end I didn't do a repair install or take the drive out, I used ERD Commander 2003. Great software, boots from CD into the machine...it was the userinit.exe registry thing...with ERD you can get into the registry, it said:

C:Winnt\system32\userinit.exe, %systemroot%\iProtect.exe

I changed it to

C:Windows\system32\userinit.exe,

it is discussed in much more detail here
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20972739.html

In my case it's definately a trojan cos when I got in it was in vga colours and it said my "ATI driver was not installed"...looking at desktop props it only gave one resolution in 4bit colour, so reinstalled ATI stuff rebooted and hey presto problem returned, so had to go into ERD again...

also upon reboot a program ope5455.exe was trying to access the internet, just googled it but found nothing

also winsock.scr was coming up with an error, not sure what this is....

I'm running Stinger now and hope that finds it, I will post anything I find. I'm willing to bet if I reboot now, the same thing will happen again...mayeb I should just never turn it off again...

Any thoughts on ope5455 or winsock, I'd be grateful

Thanks again to all
Aland CoonsSystems Engineer

Commented:
Yes, my system had five trojans on it, too. I removed them with a virus checker but the registry entires are still there giving me the same errors. I may have to use ERD.
Aland CoonsSystems Engineer

Commented:
winsock.scr is an attempt to install an executable (possible virus or trojan or other malware) using a "screen saver" extension (.scr).

Scan for spyware not just viruses.  I suggest a trial version of webroot.com - spysweeper

Author

Commented:
Thanks

I've used TrojanHunter but after it rebooted I had the same problem and had to go into ERD again...then used trojan remover but haven't rebooted yet...but just looked at my registry and it still says

C:Winnt\system32\userinit.exe, %systemroot%\iProtect.exe

in hkeyLM\software\microsoft\winnt\currentversion\winlogon

so it seems to me that although I'm no expert, whatever is doing this hasn't been removed and just keeps changing my registry changes...unless I'm not changing it right....do I just click on the userinit and retypre the value???

I've run spybot which removed about 20 things and I'll try the one you suggested

some of things found by trojan software so far

coldfusion.112
dataspy.051
then a few other dataspy entries
wintask.exe was being using in soem malicíous way, winfah.exe

upon reboot I have error message from

cab.exe
dxsetu.exe

what are these???

Author

Commented:
Alan,

In the same tree in registry is Shell with a value "explorer.exe winsock.scr", can I just delete the winsock.scr from here?? Is this perhaps where the virus is hiding??

Author

Commented:
Hi Alan,

I've run AVG, AdAware, Spybot, TrojanRemover, TrojanHunter but this problem persists....I have to change the registry each time before rebooting in order to log back in. Winsock.scr is erroring every minute or so, explorer.exe is trying to connect to suspicious IP addresses, Trojanremover keeps finding wintask.exe in registry windows/currentVersion/runservices I remove it...reboot...it's still there..any ideas at all?

Thanks
Aland CoonsSystems Engineer

Commented:
I tried to repair a laptop in a similar condition and ended up formatting it after an 18 hour loosing battle. I slaved the drive to another system in order to removed viruses, trojans, and spyware but it still had problems. Following a failing repair install I even tried a FULL install over the top of the existing system and that too failed. Finally I used the installer CD to just format C: and restart.  Sorry this isn't more of an answer but I can say the system is running very nice again.
Aland CoonsSystems Engineer

Commented:
Oh .. to answer your question .. "I cant do a fresh install as I have way too much data (not backed up) on the machine."

I made an image backup using (Boot IT NG) onto another system and recovered ALL the data files (before formatting of course).

Author

Commented:
yep, I think that's what I'm going to have to do....My last resort was Norton AV but that hasn't fixed...TrojanRemover finds Navidad on boot up, removes but it's there again next time...gotta know when you're beaten I guess....if I could get my hands on one of these worm coders!!!!

cheers anyway Alan

I'm sorry I don't have any points to give you but when I have some I'll send em your way...dont fancy doing any online transactions at the moment:)

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial