Solved

Windows XP signs me back out right after logging in, any idea why?

Posted on 2009-04-10
47
473 Views
Last Modified: 2012-05-06
I have a laptop I'm working on and the child that owns it was part of a school domain at one point, however the school offers no free tech help with the laptops.  The odd thing here is that as soon as you login to the domain with the credentials (obviously cached because the laptop is used at home, away from the domain) the laptop automatically shows "closing network connections" and logs you right back off, you never get to the desktop, just the wallpaper loads and then it logs you right back off.  According to the user this loop continues for about 10 tries and eventually it allows you to login.  

Anyone have any idea why or how to troubleshoot?
0
Comment
Question by:Jsmply
  • 20
  • 11
  • 11
  • +2
47 Comments
 
LVL 8

Accepted Solution

by:
skywalker39 earned 400 total points
Comment Utility
Insert the original Windows XP CD and reboot the computer. You may need to configure your computer to boot from the CD-ROM drive.

When the Windows XP Setup has started, press "R" to "repair the Windows XP installation using Recovery Console".

Select the Windows installation to repair (generally this is C:\Windows) by typing its number and then pressing ENTER.

Type the Administrator password and press ENTER.

 Type the following commands:

D:                               [ENTER]
CD I386                              [ENTER]
EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32      [ENTER]

NOTE: If your CD-ROM drive has a different letter assigned to it, enter "X:" instead, where X is the appropriate drive letter.

After entering "EXPAND USERINIT.EX_ C:\WINDOWS\SYSTEM32" you should see the text "1 file(s) copied", in which case all went well.

Remove the Windows XP CD, type "EXIT" and press ENTER to restart your computer. You should now be able to log on.
0
 
LVL 11

Expert Comment

by:bmatumbura
Comment Utility
The laptop has been hit by some nasty virus. Try to boot the laptop in safe mode and use an anti-virus with the latest virus definitions to clean it
0
 
LVL 5

Expert Comment

by:wpathan
Comment Utility
try loggin in using a local account to this laptop.
0
 

Author Comment

by:Jsmply
Comment Utility
Well two things, one, the user does not know the admin password. Secondly, I can boot into safe mode no problem. I see whenever the machine boots up even in safe mode a program called "CrossTech SchoolVue Client" is always running, even on the bottom left before I login to windows. Could that be causing it?
0
 
LVL 5

Expert Comment

by:wpathan
Comment Utility
It could be a remote control client also.
0
 
LVL 11

Expert Comment

by:bmatumbura
Comment Utility
I don't think it's the "CrossTech SchoolVue Client" program; If it were, it would still log you off in safe mode.

I have encountered a virus that has those characteristics before: logs you off in normal mode, but everything seems ok in safe mode
0
 
LVL 11

Expert Comment

by:bmatumbura
Comment Utility
Goto:

http://www.google.co.bw/search?q=windows+automatically+logs+off&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

and follow some of the links. You'll get information on how you can fix this issue
0
 

Author Comment

by:Jsmply
Comment Utility
Well I checked and the CrossTec software seems to have an IP address to call home and always link the student to classes when online. Weird. Ill scan the machine with malwarebytes now.
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
I would scan malwarebytes in Safe Mode Jsmply, also try some others as well,
http://www.superantispyware.com/
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
0
 

Author Comment

by:Jsmply
Comment Utility
I'm running a full scan on Malwarebytes in safe mode right now.  Is there any definitive program that should be used for this kind of stuff?  I usually carry MalwareBytes around on my thumb stick with the latest definitions and I've very rarely found something it can't remove.  
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
Malwarebytes is a great tool to use, Also Combofix is great as well.
0
 

Author Comment

by:Jsmply
Comment Utility
Do you have a link to ComboFix?  What's generally the best cocktail for infected machines.  Is MalwareBytes and ComboFix sufficient?  Does a "true anti-virus" need to be in the mix?
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
Combofix is similar to MalwareBytes, I would run a anti-virus to be safe as well. BitDefender is a good one, so is Spyware Doctor with AntiVirus, and so is Webroot Spy Sweeper with AntiVirus. Here's the links:
http://www.bitdefender.com/
http://www.pctools.com/spyware-doctor-antivirus/
http://www.pctools.com/free-antivirus/
http://www.webroot.com/En_US/consumer-products-antivirus.html
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
You need to fix the userinit file if it is corrupt. You should be able to do it while booting with the XP CD OR you can do it by using the userinit.ex_ file in the C:\i386 folder. This is usually placed on the C drive during installation.

Boot into safe mode first to check if the folder and file is there. If so, reboot again to "Safe mode with cmd prompt" and follow the instructions above describing how to expand and replace the file. If it turns out that you do not have the C:\i386 folder on the pc, then do the following:

Download ERD Commander from here:
http://www.fullandfree.info/software/erd-commander-2005/
you will need the password to unrar it. The password is simply the website you downloaded it from, as follows:

www.fullandfree.info

After it is unrared (same as unzip), you will have an iso file. Burn the iso to a CD (do not just copy the iso. make sure you use an image burning tool). Boot with the CD and you will boot into a windows environment. The CD includes a utility to reset the admin password. This will allow you to now boot from a windows cd to get to the recovery console. Perform the repair as above.
0
 

Author Comment

by:Jsmply
Comment Utility
Okay, I ran MalwareBytes and it removed 63 infections so that's good, but the bad news is I still can't get in.  I'm going to try what Flubbster said now.
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
Based on the fact that you found a considerable amount of malware, you should perform this full procedure to fix the logon problem. It goes a little beyond the above fix.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions press "R" (in the first screen) enter the Recovery Console. Type-in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (Or any other drive-letter where you've installed XP)

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.

Close Registry Editor and restart Windows.
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
I would recommend what flubbster suggests (as I mentioned something similar in my first post).
0
 

Author Comment

by:Jsmply
Comment Utility
I'm working on that now.  The admin password was nothing I could guess so I'm burning the ISO for ERD Commander.  That's very useful if it can reset the admin password.  What OS'ses will it work for?
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
Just Xp I believe. However, if you can boot properly to safe mode, you may not need to do the ERD thing. I would do it anyway just to reset the admin password. However, you might be able  make the required repairs in safe mode by accessing the registry and following the above procedure. The only thing I am not sure of is whether you will be able to copy the file while windows is running. You will be able to do it in safe mode with cmd prompt though. Copy the file, I mean. Then boot and make the registry edit.
0
 

Author Comment

by:Jsmply
Comment Utility
Well it did not have an I386 folder on the C drive, so I'm going the ERD route and will then use the XP cd.  Out of curiousity, is there a similiar method for resetting the admin password on Vista?  This is a problem I've run into with several clients with no easy solution.  Now I have one for XP, thanks!  Is there any limitation on XP?  IE: Which service pack it needs, etc.  Thx!
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
No, it is sp independent. It simply provides a windows environment and provides several tools for troubleshooting a non-booting system. As far as Vista goes, apparently it can be done by using a vista dvd to provide some required files. Take a look here:

http://www.windowsvistaplace.com/vista/erd-commander/
0
 

Author Comment

by:Jsmply
Comment Utility
I just tried changing the admin password using the "Locksmith" program in ERD commander.  For some reason, when I booted up tp the XP SP3 CD and tried to go into the repair console, it would not take the password it changes the administator PW too.  I'm not sure why.  I'm going to try locksmith again.
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
just remove the password if you can instead of trying to change it to something else.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 30

Expert Comment

by:flubbster
Comment Utility
basically, when it asks for the new password, just hit enter.
0
 

Author Comment

by:Jsmply
Comment Utility
Strange, I booted back into ERD and ran locksmith and it said "you have a pending password change, you must restart your computer for it to take effect". I did that already since I had to restart to try the repair console. Could it want me to shutdown competely?  I don't see what that would do.
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
That is strange. I have not seen that message before. I guess it can't hurt though.
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 100 total points
Comment Utility
If you continue to have trouble resetting the admin password, then use this instead. It is a linux based rest program. 99%+ of the time, just use the defaults as they are presented, selecting "1" to change the admin password. Leave new password blank! DO NOT select a new password, just hit enter.

The download is here:
http://home.eunet.no/pnordahl/ntpasswd/cd080802.zip  Agian, burn the image.

The website is here:
http://home.eunet.no/pnordahl/ntpasswd/

walkthrough here:
http://home.eunet.no/pnordahl/ntpasswd/walkthrough.html
0
 

Author Comment

by:Jsmply
Comment Utility
I tried ERD till my head hurt, it won't do change the password.  Could it be because it's changing the domain password on the machine and not the local acccount?  i don't know, really weird.  

Either way, I'm trying your linux one now.
0
 

Author Comment

by:Jsmply
Comment Utility
Ok. Good news and bad news. Good news is I was able to use your linux tool to reset admin pw and get into recovery console. I copied the files you told me and restarted. Same thing, immediatly upon logging it it says loading profile . . . Closing network connections . . . Logging off . . . And bam I'm back on the logon screen.
0
 

Author Comment

by:Jsmply
Comment Utility
Its not the account either, I just tried to logon to the comp locally with the admin username now that I reset the pw. Same deal, logs on and logs off. Never get to the desktop.
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
so... you copied userinit.exe to wsaupdater.exe?
0
 

Author Comment

by:Jsmply
Comment Utility
Yep. It said copied succesfully. Restarted, and same thing.
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
If you can boot to safe mode, look at the registry and make sure that the second part is ok... ensuring that userinit, is the correct entry.
0
 

Author Comment

by:Jsmply
Comment Utility
Ok. Could it be more malware?  I left the machine at the logon prompt while I was typing on EE and came back and it still said press ctrl alt del to logon, but there was an empty internet explorer page and three pop ups saying "you may have a security problem, click ok to scan for viruses"
0
 

Author Comment

by:Jsmply
Comment Utility
Okay, i tried installing SuperAntiSpyware, but it wont let me install from safe mode and since I can't boot into Windows normally, that doesn't leave me much.  I'm trying a full scan again from MalwareBytes from the admin account.  Should that make a difference?
0
 

Author Comment

by:Jsmply
Comment Utility
Btw: I checked the registry in safe mode, it shows the path you gave me already
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
It shouldn't make a difference in the admin account.
0
 

Author Comment

by:Jsmply
Comment Utility
I didn't think so. Any other ideas?
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
You could try using a UBCD The Ultimate Boot CD? Here's a link: http://www.ultimatebootcd.com/
It has Anti-Virus/Malware Tools on the cd, since you can't boot into normal Windows.
0
 

Author Comment

by:Jsmply
Comment Utility
Well I can boot into safemode, just not normal Windows
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
Do you have system restore enabled? You can to do a system restore in Safe Mode.
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
I understand that you can't boot into Normal Windows, the reason I mentioned UBCD is because it has some different  Anti-Virus/Malware Tools to try if you wanted to.
0
 

Author Comment

by:Jsmply
Comment Utility
Thanks, i can try that.  I just found a link to several other places that had the problem with no resolution beyond the one's we have tried so far =(

http://www.geekstogo.com/forum/Windows-XP-Logs-Then-Immediately-Logs-Off-t15771.html&st=15
0
 

Author Comment

by:Jsmply
Comment Utility
I'm in!  I re-read flubsters post and realized that was just taking userinit.exe from the system32 folder on the c drive and copying it to wsaupdated.exe assuming that was the issue. But the registry showed it was not pointing to wsaupdated, but userinit. This made me realize maybe userinit was corrupt. Sure enough, skywalkers post worked just fine. I should have tried that from the beggining. It copies a new copy from the CD. I'm good to go now!  Thanks!  I'm downloading updates for superantispyware. I'm going to give a few points to fubbster bc his post about the admin pw got me into the recovery console. That was needed too. Thanks!
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
Glad you got it to work!
0
 
LVL 8

Expert Comment

by:skywalker39
Comment Utility
Thank you Jsmply!
0
 
LVL 30

Expert Comment

by:flubbster
Comment Utility
Glad you're in...

take care  :)
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Can I legally transfer my OEM version of Windows to another PC?  (AKA - Can I put a new systemboard in my OEM PC?) Few of us are both IT and legal experts but we all have our own views of Microsoft's licensing rules and how they apply.  There are…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now