Solved

PC boots up then logs back off

Posted on 2009-04-10
Last Modified: 2013-11-16
I have this computer that reboots after I start it up and then try to log in. When I click to log in instead of logging in, it saves whatever and then logs back off. I tried booting in safe mode but it does the same thing. Any ideas of how to fix this without reinstalling the operating system? Uses Avast anti virus software.

Question by:bbbb2
 
LVL 59

Expert Comment

by:LeeTutor
The following page describes how this problem occurs after you have attempted to clean up adware/spyware with a certain version of the data, and also what to do about it:

http://www.winxptutor.com/wsaremove.htm
Unable to logon to Windows after removing BlazeFind using a spyware removal utility?

[begin quote from the above page:]

Logon - Logoff loop, also caused by BlazeFind

Another critical symptom caused by this malware: This malware modifies the Userinit area in the registry (replacing the userinit.exe with wsaupdater.exe) and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the Logon - Logoff loop. That is, when you login to Windows, the "loading personal settings" verbose will appear, but suddenly it will logoff. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.


NOTE    If you don't have a Windows XP CD-ROM, you need to use Windows XP Setup floppy disks to enter the Recovery Console.

 Phase II  -  Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.

Close Registry Editor and restart Windows.

[end quote.]


Sometimes, you will find that there is no file Userinit.exe or Wsaupdater.exe in the \Windows\System32\ folder.  In this case, all you need to do is, while in the Recovery Console, use the following command to decompress the file userinit.ex_ into the \Windows\System32\ folder as userinit.exe (where X: is replaced by whatever drive letter your CD-ROM uses):

EXPAND X:\I386\USERINIT.EX_  C:\WINDOWS\SYSTEM32
0
 
LVL 3

Expert Comment

by:lukefuno
try to disable the automatic restart option. if you press f8 on boot, there may be an option to disable auto restart. then after, see if you're able to login. if not, at least it will provide an error message of some sort. write it down and report it back to here.

thanks,
0
 

Author Comment

by:bbbb2
WOW! When I boot from the CD and I get to the blue screen this is exactly what it says and looks like:
 
Windows XP Professional Setup
The following list shows the existing partitions and
unpartitioned space on this computer.
Use the UP and DOWN ARROW keys to select an item in the list.
. To set up Windows XP on the selected item press ENTER.
.To create a partition in the unpartitioned space press C.
.To delete the selected partiton, press D.
38163 MB Disk 0 at Id 0 on bus 0 on atapi [MBR]
         C: Partition [NTFS]      38154 MB (32394 MB free]
              Unpartitioned space       8 MB
76317 MB Disk 0 at Id 1 on bus 0 on atapi [MBR]
             Unpartitioned space      76317 MB
Enter =Install  C=Create Partition F3=Quit
 
That's it. It doesn't say read the instructions press "R" (in the first screen) enter the Recovery Console or any of the enter Administrator Password stuff either. I don't understand why this is happening either.
Please reply.
 
Thanks
bbbb2
 
 
0
 

Author Comment

by:bbbb2
Lukefuno, I disabled auto restart and there is no error message. It just tries to load personal setting and then very quickly to logging off and then to saving your settings then back to log on screen.
bbbb2
0
 

Author Comment

by:bbbb2
Doesn't it usually ask to Press "R" to repair?  But I don't get that when it finishes loading. Does anyone understand what my problem is? Seems like the operating system is corrupted in some way and I don't want to install again if I don't have to because at this point I am not sure if I am going to lose any of the data that is on there now.
Thanks,
bbbb2
0
 

Author Comment

by:bbbb2
LeeTutor,
Even when I try to boot in safe mode using (DOS) the system still boots up to windows with Administrator and Owner as user names. Only Owner before. But when I click on Administrator and I type in the password it does the same thing as it does under regular mode and logs off and back on.
bbbb2
 
0
 
LVL 66

Expert Comment

by:johnb6767
Is this machine on a network in which you share files? Might be able to easily view the above registry key....

start>run>regedit>File>Connect Network Registry, and enter the PC's IP/Name.

Then you can navigate to the key and make the mods there.....
0
 
LVL 66

Expert Comment

by:johnb6767
How to edit the registry offline using BartPE boot CD ?
http://windowsxp.mvps.org/peboot.htm

Just follow the directions in the article, about loading the SYSTEM hive, and navigate to the following key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for the following value....

Userinit=C:\Windows\system32\userinit.exe, <~~~~ Should look EXACTLY like this, including the comma...

You can do it either way, with BartPE, or UBCD4Win. Or simply slave this drive into another workstation....

What is the Ultimate Boot CD for Windows?
http://www.ubcd4win.com/

Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
http://www.nu2.nu/pebuilder/

Also, there could be a possibility that the userinit.exe is not the proper one, and you can extract a good copy from the CD.....

Rename the existing one, to have a backup of it....

rename c:\windows\system32\userinit.exe to c:\windows\system32\userinit.old

Then.....

Extract a copy from the CD, or I386 directory.
If the CDRom is D....

expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe

Keep in mind, the size of an SP2 and SP3 userinit.exe is between 21 and 24kb, and it will have a valid signature from Microsoft when you rt click to look at the properties. Anything other, and you found your culprit. Or it might just be flat missing.......
0
 
LVL 3

Expert Comment

by:lukefuno
hey
did you activate this version of windows? i think if you don't activate windows it may exhibit this kind of pattern and make OS unusable.

<<To set up Windows XP on the selected item press ENTER.>> if you hit enter here or on that screen, it may ask you after if you want to press R for repair current OS install. do that and it will do system repair.

"Press Enter to start the Windows Setup.

  Do Not choose "To repair a Windows XP installation using the Recovery Console, press  R", (you Do Not want to load Recovery Console). I repeat, Do Not choose "To repair a Windows XP installation using the Recovery Console, press  R".

Accept the License Agreement and Windows will search for existing Windows installations.

Select the XP installation you want to repair from the list and press R to start the repair.

 If Repair is not one of the options, END setup.

Setup will copy the necessary files to the hard drive and reboot.  Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact."


0
 
LVL 16

Expert Comment

by:warturtle
Hello,

Has this started randomly?? Or have you had this before on this PC? I don't know for sure, but you might have a variant of Conficker virus on your machine, because the symptoms are quite similar. I suggest taking the hard-disk out and scanning with Microsoft Malicious Software Removal Tool which can be downloaded from:

http://www.microsoft.com/security/malwareremove/default.mspx

Hope it helps.
0
 

Author Comment

by:bbbb2
warturtle,
You might be on to something. Sorry to all of the rest of you guys who have answered with their suggestions. But here is what I have. It is a single desktop PC. One person uses it. It is not on a network unless you want to call broadband a network :-) . As for activating the operating system, I have installed this corporate edition that I slipstreamed to SP 3 onto several PCs. This particular desktop PC was running just fine since I formatted the hard drive and did all the updates and sold it to a customer. He has had no problems with it until now. I am thinking virus, malware, or spyware.  But I have never seen this type of behavior from an infected PC like this before. With not being able to boot the PC in safe mode or see repair when I boot from the operating system CD I am about to just reinstall the operating system. But before I do that, will I lose the data and programs that are already on there if I just reinstall the operating system with formatting? Basically repairing the operating system but I don't see the repair option. Please scroll up where I typed exactly what the screen shows after I boot from XP CD and get to the blue screen.
Thanks
bbbb2
0
 
LVL 3

Expert Comment

by:lukefuno
with something this bizarre, i would suggest you do a reinstall. don't want to mess with any compromised systems and then give them back to customer thinking you fixed this issue when you didn't. you need to be safe, not sorry.

if u want to do repair install only boot from the XP CD first, meaning pop in the XP CD and power down pc and then start it up again. make sure you selected boot from cd as first choice in BIOS

then,
Press Enter to start the Windows Setup.

Accept the License Agreement and Windows will search for existing Windows installations.

Select the XP installation you want to repair from the list and press R to start the repair.

 If Repair is not one of the options, END setup.



0

 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 150 total points
There shouldn't be a need for a reinstall yet. This is usually quite simple to remedy, as it is most likely either a missing userinit.exe, an infected userinit.exe or an invalid/missing userinit value in the registry ... If you slave this to another disk, you can verify all this within about 10 minutes...... Then, if it still fails, back it up, and reformat.....

From a customer's point of view, they would most probably appreciate it still intact as they left it, instead of a fresh image for them to have to reinstall their apps.....
0
 

Author Comment

by:bbbb2
@John6767,
If I slave the hard drive, how is it supposed to read in regedit since it will not be C: drive? I will try this and also run a virus, spyware, malware scan on that drive.
thanks
bbbb2
0
 

Author Comment

by:bbbb2
Hooked up hard drive as a slave and ran virus scan. Numerous viruses found. Also ran SuperAntiSpyware and found several infections there. After running scans I will put the hard drive back into the PC, turn off system restore, reboot and turn it back on since several files were infected in there as well. That is if it will boot up when I install the hard drive. While I have the drive on this PC, I did a search on the slave drive for userinit.exe and it was found in Windows\system32. Does this mean that I won't need to go into the registry and do what was mentioned earlier?
Thanks
bbbb2
0
 
LVL 59

Assisted Solution

by:LeeTutor
LeeTutor earned 150 total points
No, the registry might still be corrupted.  That is what usually causes the logon-logoff loop. The UserInit entry at

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

must have the value of  "C:\WINDOWS\system32\userinit.exe,"
0
 
LVL 3

Expert Comment

by:lukefuno
<<From a customer's point of view, they would most probably appreciate it still intact as they left it, instead of a fresh image for them to have to reinstall their apps.....>> yes this is true good point. that is why i suggest repair option if ya can get away with it.


how many viruses did you find ?

0
 
LVL 3

Expert Comment

by:lukefuno
for my working xp machine, this is my value for

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


thought this may help.
0
 
LVL 3

Expert Comment

by:lukefuno
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
oops didn't take rtf file format.
initjpg.JPG
0
 

Author Comment

by:bbbb2
How would I change the registry on the "G: drive" (slave) from this PC? I found a lot of viruses.
Here is a screen shot of the virus vault of the scan of the G: drive (slave or the one I am working on).
BTW before reading the latest feedback I hooked the hard drive back into the PC and you guys are correct. It is still doing the same thing.
I appreciate the help and looks like I still need some. hehe
bbbb2

Screen-shot-of-AVG-virus-vault.JPG
0
 
LVL 59

Expert Comment

by:LeeTutor
You can do what's called offline registry editing.   Boot up in a parallel copy of XP.

Open REGEDIT

If the information you want to access was in HKEY_CURRENT_USER: Highlight HKEY_USERS, choose "Load hive" from the File menu, open

X:\Documents and settings\<UserProfileName>\ntuser.dat.

(where X: should be replaced by the drive letter corresponding to the secondary slaved drive you have mounted from the nonfunctional computer.)

When asked for a name, choose "OldProfile" (or whatever other easily remembered name you choose).  Access/backup the keys you're interested in. Once you're done, highlight the "OldProfile" key, choose "Unload hive" from the file menu.

If the information you want to access was in HKEY_LOCAL_MACHINE\System or in HKEY_LOCAL_MACHINE\Software: Highlight HKEY_LOCAL_MACHINE, choose "Load hive" from the File menu, open

X:\Windows\system32\config\system

or

X:\Windows\system32\config\software

(no extension). When asked for a name, choose "OldSystem" or "OldSoftware" (or whatever). Access/backup the keys you're interested in. Once you're done, highlight the "OldSystem" or "OldSoftware" key, choose "Unload hive" from the file menu.
0
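Added example, not part of any poster's comment: a Python check of the Userinit value discussed in this thread, run over a regedit export of the Winlogon key taken after loading the slaved drive's software hive as "OldSoftware". The sample export, the function names and the C:\WINDOWS default are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample: regedit export of the Winlogon key from a software hive
# loaded as "OldSoftware". The values are illustrative, not from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OldSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\wsaupdater.exe,"
'''

WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def read_winlogon_values(export_text):
    """Return {lowercased value name: data} for the Winlogon key in a .reg export."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower().endswith(WINLOGON_SUFFIX)
            continue
        match = VALUE_RE.match(line)
        if in_key and match:
            # .reg string data escapes backslashes and quotes; undo that.
            values[match.group("name").lower()] = re.sub(
                r"\\(.)", r"\1", match.group("data"))
    return values


def check_userinit(data, windows_dir=r"C:\WINDOWS"):
    """Return findings for a Userinit value; an empty list means it looks right.

    windows_dir is the path the repaired system sees when it boots from its
    own disk, not the drive letter the disk has while slaved.
    """
    if data is None:
        return ["Userinit value is missing"]
    findings = []
    if not data.endswith(","):
        findings.append("missing trailing comma")
    expected = ntpath.join(windows_dir, "system32", "userinit.exe").lower()
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        findings.append("no program listed")
    for entry in entries:
        if ntpath.normpath(entry).lower() != expected:
            findings.append("unexpected program: " + entry)
    return findings


def audit_export(export_text, windows_dir=r"C:\WINDOWS"):
    """Parse a Winlogon export and check its Userinit value."""
    values = read_winlogon_values(export_text)
    return check_userinit(values.get("userinit"), windows_dir)


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT) or ["Userinit looks correct"]:
        print(finding)
```

Version 5.00 exports from regedit are saved as UTF-16, so decode the file with that encoding before passing its text to `audit_export`.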
 

Author Comment

by:bbbb2
@LeeTutor,
Thanks. I will be away for a couple hours and will try this late this afternoon.
Happy Easter  Everybody
bbbb2
0
 
LVL 8

Accepted Solution

by:
MrMintanet earned 200 total points
I would suggest a fresh format/reinstall of Windows at this point.  I have seen this happen several times, and I have yet to see an OS function properly prior to doing any registry restore.  I'm not trying to convey that this computer is not going to be able to get running again, but I am saying that it will never be the same if you do get it to logon again.

I would suggest that you use some sort of live cd to backup all data, and then reinstall a fresh copy of Windows.

This is just my opinion.  I still have users who come out of the woodwork with random problems that are caused by this "patch" of a solution.  Every time I have someone come to me with their mangled OS, I always say to myself, "Why didn't I just reinstall the damn OS?"

Good luck, and brother... I feel for you. :(
0
 
LVL 66

Expert Comment

by:johnb6767
"If I slave the hard drive, how is it supposed to read in regedit since it will not be C: drive"

LeeTutor gave you excellent steps on loading the registry hives.... While you are loaded with that drive slaved.....

Navigate to that Drive\Windows\System32, and sort the columns by Date Modified... Scroll to the most recent date... Should only have a handful of files in there that are legit. Others are 99% malware. If you give us a screenshot, we can tell you which ones to delete......

And also clear out your Temp files under \Windows, and Docs and Settings\USER\Local Settings\Temp, and Docs and Settings\USER\Local Settings\Temporary Internet Files\Content.ie5 folders.....

0
 

Author Closing Comment

by:bbbb2
Talked to the customer and all he wanted saved was his "favorites". He had nothing in his My Documents folder and uses web mail. So the easiest and best solution was to save the favorites and format.
Did the updates and installed anti virus and spyware programs.

Thanks to everyone who had input in this headache. I got lucky that all he cared about was his favorites.
bbbb2
0
