Solved

windows stuck in login loop

Posted on 2006-06-27
Last Modified: 2012-06-27
I have a customer running Windows XP Home, upgraded to SP2. He recently went to a web site and got a trojan, causing his computer to get stuck in a login loop. The computer boots to the login screen and when he selects any user login, the computer acts like it is loading the user settings, but it returns back to the login screen.

I have run Xoftspy to detect any spyware but it did not detect anything. Unfortunately I cannot update the trojan database file since I cannot log in running full Windows.

I can boot into safe mode OK. I checked to see if the registry entry for userinit.exe is pointing to wsaupdater.exe. It is not. There is no file wsaupdater.exe on the computer. The registry entry is c:\windows\system32\userinit.exe. The userinit.exe file is a 24K file dated 8/4/2004.

I am reluctant to perform a windows reinstallation since I have had problems in the past with some applications not running properly after the reinstall.

What recommendations do you have? Thanks in advance.

Kevin Becker

Question by:kcbecker
13 Comments
 
LVL 19

Expert Comment

by:simpswr
ID: 16992550
Did you try a system restore while in safe mode?
0
 
LVL 13

Assisted Solution

by:rhickmott
rhickmott earned 50 total points
ID: 16992662
The userinit.exe file sounds OK and is in the correct place. Mine is XP Pro SP2 and is the same size and dated 4 days prior to that.

Can you run userinit.exe from safe mode? Because if it's not working, or corrupted, then the desktop will fail to load and the system will just log out again, as you're experiencing.
0
 

Author Comment

by:kcbecker
ID: 16992817
I did a system restore to a point approximately 1 month before the problem occurred.

As for running userinit.exe: I assume it is running since I can get into safe mode and the desktop appears to be intact. I can enter safe mode via any user on the login screen.
0
 
LVL 6

Expert Comment

by:javeedabdul
ID: 16993427
What virus software have you tried?

Try this:

download.com

free edition AVG antivirus
Ad-Aware (Lavasoft)

Microsoft
Windows Defender
Control Spy 2.0

Just try this.

To keep this kind of issue from occurring, try to make an image of the OS + programs.

This way, even if something happens (like a virus attack), you can restore the image and be up and running in 5 minutes, just like a fresh installation.

Try
Norton Ghost 7.5 or 8 or 9

Let me know the outcome.

Cheers

0
 
LVL 2

Expert Comment

by:fruitloopy
ID: 16993931
I have heard of an issue where the security event log is full and won't allow users to log on. Apparently the administrator can, though. The fix is to disable the welcome screen and clear the event logs.
See if that fixes it.
You can get to the event viewer by right clicking My Computer and choosing Manage from the menu.
0
 

Author Comment

by:kcbecker
ID: 16994234
Ran Ad-Aware using latest definitions in safe mode. Found win32.trojan.downloader and topmoxie. Cleaned both objects off the computer but it still login loops.
Have not yet installed AVG.

How do you disable welcome screen?
0

 
LVL 9

Accepted Solution

by:
DrAske earned 100 total points
ID: 16995118
Take a look at this PAQ:
http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20972739.html
I guess it has good suggestions.
0
 
LVL 2

Expert Comment

by:fruitloopy
ID: 16999138
Disabling welcome screen:
http://www.petri.co.il/disable_the_welcome_screen_in_xp_pro.htm

Here's more details of the full security log bug in Windows, straight from MS themselves:
http://support.microsoft.com/default.aspx?scid=kb;en-us;313322

This is an activated version of XP Home, isn't it? I have read that if you didn't activate after 30 days you can't log in; when you do, it just returns to the login screen. It is supposed to prompt you to activate but sometimes it doesn't.
0
 

Author Comment

by:kcbecker
ID: 17003032
I have tried Fruitloopy's suggestion. I turned off the welcome screen and cleared the security log. This did not help.

I tried some of javeedabdul's suggestions. I ran Ad-Aware and Norton Antivirus in safe mode. I found 2 objects: Win32.trojan.downloader and topmoxie. These were removed. Still stuck in login loop.

I had some success with the PAQ from DrAske. I changed the userinit string in HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON from C:\WINDOWS\SYSTEM32\USERINIT.EXE, to C:\WINDOWS\EXPLORER.EXE, . I was able to log in under normal Windows. I ran Ad-Aware and NAV again and no objects were found.
I changed the userinit string back to C:\WINDOWS\SYSTEM32\USERINIT.EXE, and rebooted. Stuck in the login loop.

I expanded userinit.ex_ from the Windows CD that came with the computer to the system32 directory. Still stuck in the login loop.

Any ideas on what to try next?
0
 
LVL 6

Assisted Solution

by:javeedabdul
javeedabdul earned 50 total points
ID: 17007597
It means you have a virus which is blocking the computer from starting.

You might need to run a few more.
Note: if the virus is new or too old it might not get detected. Who do you trust when you have too many software?

The way I do it for my customers is running some good software.

Try this in safe mode as well; it's a good one:
www.bullguard.com

They have a list of viruses and utilities to go through.

Check this site as well. It's my favourite, which might help you.
Lots of information in it:
http://www.kellys-korner-xp.com/xp.htm

Here are a few free and trial antivirus programs you can check out and run.

All the big antivirus manufacturers offer free trials; some offer free-for-private-use licenses as well:
http://nct.symantecstore.com/fulfill/0001.105
http://download.mcafee.com/us/eval/evaluate2.asp
http://www.bullguard.com
http://www.f-prot.com/download/

Free ones:
http://www.grisoft.com/us/us_index.php
http://www.free-av.com/
http://store.ca.com/dr/v2/ec_main.entry25?page=pyocantiarmor&client=ComputerAssociates&sid=35715&CID=183869
http://www.rushhohol.com/software/antivirus.htm
http://reviews-zdnet.com.com/4520-7297_16-4208073.html
http://www.gladiator-antivirus.com/
http://www.avast.com/eng/free_software.html
http://www.bitdefender.com/index.php
http://www.thefreecountry.com/security/antivirus.shtml

Should fix your problem.
0
 
LVL 2

Assisted Solution

by:fruitloopy
fruitloopy earned 50 total points
ID: 17007811
There is a virus according to Sophos which replaces the MSGINA.DLL file (which is an essential file for logon authentication) with its own version. Even if the virus is detected and deleted the registry entries remain the same.

Open the registry editor and look for this entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL = "C:\windows\system32\MS_GINA.DLL"

If it's not there then don't worry.
If it is, then change the entry to read:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL = "C:\windows\system32\MSGINA.DLL" (NOTE the underscore between MS and GINA.DLL, that's the difference)

You can read the Sophos report on the virus here:
http://www.sophos.com/security/analyses/trojginac.html

One thing that couldn't hurt is to replace the msgina.dll file with a working version from another similar computer. The file can be found in C:\Windows\System32.
0
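As an added example (not part of the thread or any poster's code), here is a Python check over `reg query` output for the Winlogon key that flags the two values discussed in the comments above, `Userinit` and `GinaDLL`. The sample output is constructed, and the expected `Userinit` path assumes Windows is installed in `C:\WINDOWS` as on the asker's machine.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the Winlogon key (not from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe,
    GinaDLL    REG_SZ    C:\windows\system32\MS_GINA.DLL
"""

# Assumption: Windows lives in C:\WINDOWS, as on the machine in the question.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_values(text):
    """Map lower-cased value names to their data from `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = match.group(3).strip()
    return values

def audit_winlogon(text):
    """Return a list of findings for the Userinit and GinaDLL values."""
    values = parse_values(text)
    findings = []
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value is missing")
    else:
        # Userinit is a comma-separated list; every entry runs at logon.
        entries = [e.strip().strip('"') for e in userinit.split(",") if e.strip()]
        paths = [ntpath.normpath(e).lower() for e in entries]
        for entry, path in zip(entries, paths):
            if path != EXPECTED_USERINIT:
                findings.append(f"Userinit runs unexpected program: {entry}")
        if EXPECTED_USERINIT not in paths:
            findings.append("Userinit does not run userinit.exe")
    # GinaDLL is normally absent; when present it should name msgina.dll.
    gina = values.get("ginadll", "").strip('"')
    if gina and ntpath.basename(gina).lower() != "msgina.dll":
        findings.append(f"GinaDLL points to a non-default DLL: {gina}")
    return findings

if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE):
        print(finding)
```

A non-default `GinaDLL` is not proof of infection on its own, since some legitimate software installs its own GINA, so a finding here is a prompt to identify the file rather than a verdict.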
 

Author Comment

by:kcbecker
ID: 17017317
I have to terminate this job. The cost to the customer is climbing. I will reformat the hard drive. Thanks for all your help.
0
 

Expert Comment

by:waypointsupport
ID: 22661679
It's two years later and I would love a resolution on this issue. I have tried everything mentioned in this article, and I am having the same problems. PLS HLP!
0
