Solved

Windows XP signs me back out right after logging in, any idea why?

Posted on 2009-04-10
Last Modified: 2012-05-06
I have a laptop I'm working on and the child that owns it was part of a school domain at one point, however the school offers no free tech help with the laptops.  The odd thing here is that as soon as you log in to the domain with the credentials (obviously cached because the laptop is used at home, away from the domain) the laptop automatically shows "closing network connections" and logs you right back off. You never get to the desktop, just the wallpaper loads and then it logs you right back off.  According to the user this loop continues for about 10 tries and eventually it allows you to log in.

Anyone have any idea why or how to troubleshoot?
Question by:Jsmply
47 Comments
 
LVL 8

Accepted Solution

by:
skywalker39 earned 400 total points
ID: 24116274
Insert the original Windows XP CD and reboot the computer. You may need to configure your computer to boot from the CD-ROM drive.

When the Windows XP Setup has started, press "R" to "repair the Windows XP installation using Recovery Console".

Select the Windows installation to repair (generally this is C:\Windows) by typing its number and then pressing ENTER.

Type the Administrator password and press ENTER.

Type the following commands:

D:                                       [ENTER]
CD I386                                  [ENTER]
EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32  [ENTER]

NOTE: If your CD-ROM drive has a different letter assigned to it, enter "X:" instead, where X is the appropriate drive letter.

After entering "EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32" you should see the text "1 file(s) copied", in which case all went well.

Remove the Windows XP CD, type "EXIT" and press ENTER to restart your computer. You should now be able to log on.
0
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24116276
The laptop has been hit by some nasty virus. Try to boot the laptop in safe mode and use an anti-virus with the latest virus definitions to clean it.
0
 
LVL 5

Expert Comment

by:wpathan
ID: 24116277
Try logging in using a local account to this laptop.
0
 

Author Comment

by:Jsmply
ID: 24116299
Well two things, one, the user does not know the admin password. Secondly, I can boot into safe mode no problem. I see whenever the machine boots up even in safe mode a program called "CrossTech SchoolVue Client" is always running, even on the bottom left before I login to windows. Could that be causing it?
0
 
LVL 5

Expert Comment

by:wpathan
ID: 24116316
It could be a remote control client also.
0
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24116353
I don't think it's the "CrossTech SchoolVue Client" program; If it were, it would still log you off in safe mode.

I have encountered a virus that has those characteristics before: logs you off in normal mode, but everything seems ok in safe mode
0
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24116369
Go to:

http://www.google.co.bw/search?q=windows+automatically+logs+off&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

and follow some of the links. You'll get information on how you can fix this issue
0
 

Author Comment

by:Jsmply
ID: 24116375
Well I checked and the CrossTec software seems to have an IP address to call home and always link the student to classes when online. Weird. I'll scan the machine with Malwarebytes now.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24116412
I would scan malwarebytes in Safe Mode Jsmply, also try some others as well,
http://www.superantispyware.com/
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
0
 

Author Comment

by:Jsmply
ID: 24116453
I'm running a full scan on Malwarebytes in safe mode right now.  Is there any definitive program that should be used for this kind of stuff?  I usually carry MalwareBytes around on my thumb stick with the latest definitions and I've very rarely found something it can't remove.  
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24116468
Malwarebytes is a great tool to use, Also Combofix is great as well.
0
 

Author Comment

by:Jsmply
ID: 24116498
Do you have a link to ComboFix?  What's generally the best cocktail for infected machines.  Is MalwareBytes and ComboFix sufficient?  Does a "true anti-virus" need to be in the mix?
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24116626
Combofix is similar to MalwareBytes, I would run an anti-virus to be safe as well. BitDefender is a good one, so is Spyware Doctor with AntiVirus, and so is Webroot Spy Sweeper with AntiVirus. Here are the links:
http://www.bitdefender.com/
http://www.pctools.com/spyware-doctor-antivirus/
http://www.pctools.com/free-antivirus/
http://www.webroot.com/En_US/consumer-products-antivirus.html
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24116638
You need to fix the userinit file if it is corrupt. You should be able to do it while booting with the XP CD OR you can do it by using the userinit.ex_ file in the C:\i386 folder. This is usually placed on the C drive during installation.

Boot into safe mode first to check if the folder and file are there. If so, reboot again to "Safe mode with cmd prompt" and follow the instructions above describing how to expand and replace the file. If it turns out that you do not have the C:\i386 folder on the PC, then do the following:

Download ERD Commander from here:
http://www.fullandfree.info/software/erd-commander-2005/
you will need the password to unrar it. The password is simply the website you downloaded it from, as follows:

www.fullandfree.info

After it is unrared (same as unzip), you will have an iso file. Burn the iso to a CD (do not just copy the iso. make sure you use an image burning tool). Boot with the CD and you will boot into a windows environment. The CD includes a utility to reset the admin password. This will allow you to now boot from a windows cd to get to the recovery console. Perform the repair as above.
0
 

Author Comment

by:Jsmply
ID: 24116809
Okay, I ran MalwareBytes and it removed 63 infections so that's good, but the bad news is I still can't get in.  I'm going to try what Flubbster said now.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24116910
Based on the fact that you found a considerable amount of malware, you should perform this full procedure to fix the logon problem. It goes a little beyond the above fix.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.

Close Registry Editor and restart Windows.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24116963
I would recommend what flubbster suggests (as I mentioned something similar in my first post).
0
 

Author Comment

by:Jsmply
ID: 24116992
I'm working on that now.  The admin password was nothing I could guess so I'm burning the ISO for ERD Commander.  That's very useful if it can reset the admin password.  What OSes will it work for?
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117032
Just XP I believe. However, if you can boot properly to safe mode, you may not need to do the ERD thing. I would do it anyway just to reset the admin password. However, you might be able to make the required repairs in safe mode by accessing the registry and following the above procedure. The only thing I am not sure of is whether you will be able to copy the file while Windows is running. You will be able to do it in safe mode with cmd prompt though. Copy the file, I mean. Then boot and make the registry edit.
0
 

Author Comment

by:Jsmply
ID: 24117050
Well it did not have an I386 folder on the C drive, so I'm going the ERD route and will then use the XP CD.  Out of curiosity, is there a similar method for resetting the admin password on Vista?  This is a problem I've run into with several clients with no easy solution.  Now I have one for XP, thanks!  Is there any limitation on XP?  IE: Which service pack it needs, etc.  Thx!
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117097
No, it is sp independent. It simply provides a windows environment and provides several tools for troubleshooting a non-booting system. As far as Vista goes, apparently it can be done by using a vista dvd to provide some required files. Take a look here:

http://www.windowsvistaplace.com/vista/erd-commander/
0
 

Author Comment

by:Jsmply
ID: 24117295
I just tried changing the admin password using the "Locksmith" program in ERD Commander.  For some reason, when I booted up to the XP SP3 CD and tried to go into the repair console, it would not take the password it changes the administrator PW to.  I'm not sure why.  I'm going to try Locksmith again.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117344
just remove the password if you can instead of trying to change it to something else.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117349
basically, when it asks for the new password, just hit enter.
0
 

Author Comment

by:Jsmply
ID: 24117371
Strange, I booted back into ERD and ran Locksmith and it said "you have a pending password change, you must restart your computer for it to take effect". I did that already since I had to restart to try the repair console. Could it want me to shut down completely?  I don't see what that would do.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117387
That is strange. I have not seen that message before. I guess it can't hurt though.
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 100 total points
ID: 24117466
If you continue to have trouble resetting the admin password, then use this instead. It is a Linux-based reset program. 99%+ of the time, just use the defaults as they are presented, selecting "1" to change the admin password. Leave new password blank! DO NOT select a new password, just hit enter.

The download is here:
http://home.eunet.no/pnordahl/ntpasswd/cd080802.zip  Again, burn the image.

The website is here:
http://home.eunet.no/pnordahl/ntpasswd/

walkthrough here:
http://home.eunet.no/pnordahl/ntpasswd/walkthrough.html
0
 

Author Comment

by:Jsmply
ID: 24117568
I tried ERD till my head hurt, it won't change the password.  Could it be because it's changing the domain password on the machine and not the local account?  I don't know, really weird.

Either way, I'm trying your linux one now.
0
 

Author Comment

by:Jsmply
ID: 24117765
Ok. Good news and bad news. Good news is I was able to use your Linux tool to reset admin pw and get into recovery console. I copied the files you told me and restarted. Same thing, immediately upon logging in it says loading profile . . . Closing network connections . . . Logging off . . . And bam I'm back on the logon screen.
0
 

Author Comment

by:Jsmply
ID: 24117780
Its not the account either, I just tried to logon to the comp locally with the admin username now that I reset the pw. Same deal, logs on and logs off. Never get to the desktop.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117813
so... you copied userinit.exe to wsaupdater.exe?
0
 

Author Comment

by:Jsmply
ID: 24117827
Yep. It said copied successfully. Restarted, and same thing.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24117892
If you can boot to safe mode, look at the registry and make sure that the second part is ok... ensuring that userinit, is the correct entry.
0
 

Author Comment

by:Jsmply
ID: 24117932
Ok. Could it be more malware?  I left the machine at the logon prompt while I was typing on EE and came back and it still said press ctrl alt del to logon, but there was an empty internet explorer page and three pop ups saying "you may have a security problem, click ok to scan for viruses"
0
 

Author Comment

by:Jsmply
ID: 24118048
Okay, I tried installing SuperAntiSpyware, but it won't let me install from safe mode and since I can't boot into Windows normally, that doesn't leave me much.  I'm trying a full scan again from MalwareBytes from the admin account.  Should that make a difference?
0
 

Author Comment

by:Jsmply
ID: 24118076
Btw: I checked the registry in safe mode, it shows the path you gave me already
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118084
It shouldn't make a difference in the admin account.
0
 

Author Comment

by:Jsmply
ID: 24118097
I didn't think so. Any other ideas?
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118132
You could try using a UBCD The Ultimate Boot CD? Here's a link: http://www.ultimatebootcd.com/
It has Anti-Virus/Malware Tools on the cd, since you can't boot into normal Windows.
0
 

Author Comment

by:Jsmply
ID: 24118138
Well I can boot into safemode, just not normal Windows
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118139
Do you have system restore enabled? You can do a system restore in Safe Mode.
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118162
I understand that you can't boot into Normal Windows, the reason I mentioned UBCD is because it has some different  Anti-Virus/Malware Tools to try if you wanted to.
0
 

Author Comment

by:Jsmply
ID: 24118192
Thanks, I can try that.  I just found a link to several other places that had the problem with no resolution beyond the ones we have tried so far =(

http://www.geekstogo.com/forum/Windows-XP-Logs-Then-Immediately-Logs-Off-t15771.html&st=15
0
 

Author Comment

by:Jsmply
ID: 24118428
I'm in!  I re-read flubbster's post and realized that was just taking userinit.exe from the system32 folder on the C drive and copying it to wsaupdater.exe assuming that was the issue. But the registry showed it was not pointing to wsaupdater, but userinit. This made me realize maybe userinit was corrupt. Sure enough, skywalker's post worked just fine. I should have tried that from the beginning. It copies a new copy from the CD. I'm good to go now!  Thanks!  I'm downloading updates for SuperAntiSpyware. I'm going to give a few points to flubbster because his post about the admin pw got me into the recovery console. That was needed too. Thanks!
0
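Added example, not part of any post in this thread: a Python check over captured `reg query` output for the Winlogon key that separates the two states the thread had to tell apart, a Userinit value naming wsaupdater.exe versus a value that already names userinit.exe while the file itself is the problem. The function names, the sample outputs and the file lists are constructed for illustration; the check covers presence only, so a corrupt but present userinit.exe still needs comparison against a known-good copy.

```python
import ntpath
import re

# Value given in the thread, without its trailing comma.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"
VALUE_RE = re.compile(r"^\s*Userinit\s+REG_(?:EXPAND_)?SZ\s+(.*)$", re.I | re.M)

# Constructed sample `reg query` output: value names wsaupdater.exe.
HIJACKED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\wsaupdater.exe,
"""
# Constructed sample: value as the thread says it should read.
HEALTHY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

def parse_userinit(reg_output):
    """Return the programs listed in the Userinit value, or None if absent."""
    m = VALUE_RE.search(reg_output)
    if m is None:
        return None
    # The value is a comma-separated list; the trailing comma yields an empty item.
    return [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]

def audit_userinit(reg_output, existing_files, expected=EXPECTED):
    """Return a list of findings; an empty list means value and file look sane."""
    entries = parse_userinit(reg_output)
    if entries is None:
        return ["Userinit value not found in output"]
    present = {ntpath.normcase(f) for f in existing_files}  # case-insensitive paths
    want = ntpath.normcase(expected)
    findings = []
    if want not in [ntpath.normcase(e) for e in entries]:
        findings.append("expected userinit.exe entry is missing from the value")
    for e in entries:
        norm = ntpath.normcase(e)
        if norm != want:
            findings.append(f"unexpected entry: {e}")
        if norm not in present:  # logon fails if the named program is gone
            findings.append(f"file not present on disk: {e}")
    return findings

if __name__ == "__main__":
    print("hijacked value:", audit_userinit(HIJACKED, {EXPECTED}))
    print("value ok, file missing:", audit_userinit(HEALTHY, set()))
    print("healthy:", audit_userinit(HEALTHY, {EXPECTED}))
```
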
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118465
Glad you got it to work!
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24118485
Thank you Jsmply!
0
 
LVL 30

Expert Comment

by:flubbster
ID: 24118503
Glad you're in...

take care  :)
0
