Solved

Computer logs off immediately after logon

Posted on 2010-09-01
Last Modified: 2013-11-22
I think I got a good trojan virus.  Once I log on it immediately logs off.  Tried safe mode - same thing.
What can be done except reinstall OS?

Thanks.
Question by:Tiras25
16 Comments
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579500
It also happens sometimes if you have hardware troubles like a loose hard disk cable, loose power cable, etc. Ensure all the power cords are properly installed.
0
 
LVL 8

Accepted Solution

by:
kcoect earned 167 total points
ID: 33579525
If you have the installation media, you can try an operating system "repair".  Boot the installation media, don't press "r" to bring up the recovery console, let the disk search the hard drive for a current installation and from there you will be able to perform a "repair" of the OS.

If the machine is on a network and you can remotely edit the registry, look at the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

make sure it has the current value
C:\WINDOWS\System32\userinit.exe

where C: is the drive that Windows is installed on.
0
 
LVL 2

Expert Comment

by:ching023
ID: 33579542
Does it flash any screen before logging off?
Also, did you try to log in with another user account? In Safe mode?
0
 
LVL 1

Assisted Solution

by:manojkundliya
manojkundliya earned 167 total points
ID: 33579547

Log on to a networked computer.
Run Regedit.exe
Point your cursor to HKEY_LOCAL_MACHINE
Select File > Connect Remote Registry
Type computer name (infected computer)
Navigate to the following location in registry of destination or infected computer


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Edit these two values in right pane:

Shell
Userinit


Change these two values to
Shell=explorer.exe
Userinit = x:\windows\system32\userinit.exe
Exit from Registry
Restart Infected computer.
You should be able to log on to computer.
If it does not work, then go back through the steps and just copy or write the file userinit.exe
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33579551
Download a copy of UBCD4WIN iso, burn to a CD, BOOT CD and run AV & Spyware removal progs off the CD. Then if that still does not boot, use the registry restore tools on that CD to roll back to a prior Windows Restore Point.
Usually works if the checks that kcoect gave you above fail.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579600
This is definitely a virus; before it happened my ESET popped up with a few trojan messages and asked to restart.
This is not a networked computer, just a standalone home laptop.  Although I can probably hook up another computer on the same line and log in remotely.
CD boot option would probably be the best option though.  What AV/Spyware tools would you recommend?
Thanks.
0
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579633
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579848
Let me try that too.  Thank you!!
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33580209
I would also suggest using the Sophos Anti-root kit good for malware removal.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Also, try booting from a WinPE and see if there is anything in the startup folder and the runonce folder in the registry.
http://apcmag.com/windows_pe_20_a_tiny_version_of_windows_for_system_maintenance.htm
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 166 total points
ID: 33580216
If you have the wsaupdater virus, then follow this procedure:

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.


NOTE    If you don't have a Windows XP CD-ROM, you need to use Windows XP Setup floppy disks to enter the Recovery Console.

 Phase II  -  Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.


btw... in the instructions above, each instance that instructs you to verify/modify an entry to be userinit.exe is incorrect. The correct entry is:

c:\windows\system32\userinit.exe,   (NOTE THE COMMA)
0
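
A read-only check of the two Winlogon values discussed in this thread, as an added example that is not part of any poster's comment: it uses the remote-registry route described above, run from a second, healthy computer. It assumes the Remote Registry service on the affected machine is reachable with administrative rights and that Windows is installed in C:\WINDOWS; the parameter names are illustrative.

```powershell
# Added example: audit the Winlogon Shell and Userinit values on a remote machine.
# It only reads the registry; nothing is modified.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,              # assumption: name of the affected machine
    [string]$WindowsDir = 'C:\WINDOWS'  # assumption: adjust if Windows is on another drive
)

$subKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Expected data as given in the thread; the trailing comma is part of Userinit.
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$WindowsDir\system32\userinit.exe,"
}

$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
try {
    $key = $hklm.OpenSubKey($subKey)
    if ($null -eq $key) { throw "Winlogon key not found on $ComputerName" }

    $report = foreach ($name in $expected.Keys) {
        # A missing value comes back as $null and is reported as an empty string.
        $actual = [string]$key.GetValue($name)
        [pscustomobject]@{
            Value    = $name
            Actual   = $actual
            Expected = $expected[$name]
            # Paths in the registry are not case-sensitive, so compare that way.
            Ok       = ($actual.Trim() -ieq $expected[$name])
        }
    }
    $key.Close()
}
finally {
    $hklm.Close()
}

$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'Winlogon values differ from the expected data; note the executable name found before repairing it.'
}
```

Any row with `Ok` set to `False` shows the exact string that replaced the default, which is the name worth recording before the value is corrected.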
 
LVL 17

Author Comment

by:Tiras25
ID: 33581476
Yes I can try that.  I am not sure I have that specific virus though.  

Are there any tools I can download as an ISO image along with a bootable CD?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33584077
The UBCD4WIN that I mentioned above comes with some AV & Spyware apps already on it as I mentioned above. That should be enough to get you logged in. Once you're in, then just run Malwarebytes and Combofix.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33585801
If you build the ubcd4win cd, it has a tool called RegBrz that allows you to edit a local version of the registry (in other words, the registry on the pc you booted the cd from). This will allow you to view and edit the registry key noted above.  So...

Build the UBCD4WIN CD
Boot it and use the RegBrz function
Navigate to the key above and modify as I show above, with the userinit.exe, entry
Save the change, remove cd and reboot. If the real userinit.exe file has not been deleted or corrupted, it should boot. When you navigate to the key, you will see what name has been inserted in place of userinit.exe, entry. If it is not wsaupdater, pls post it here for future reference.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33591742
Will do tonight.
Thank  you again!
0
 

Expert Comment

by:stirider
ID: 33834082
I am having this same problem.  I tried the recovery console method but still cannot successfully log in.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33834307
Build the ubcd4win cd. There is another utility called RegResWiz. It is essentially the same as XP's System Restore. Run that utility, reboot to safe mode, then run the xp system restore.
0
