Solved

Computer logs off immediately after logon

Posted on 2010-09-01
16
396 Views
Last Modified: 2013-11-22
I think I got a good trojan virus.  Once I logon it immediately logs off.  Tried safe mode - same thing.  
What can be done except reinstall OS?

Thanks.
0
Comment
Question by:Tiras25
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +6
16 Comments
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579500
It also happens some time if you have some hardware troubles like loose Hard Disk cable; loose Power Cable etc. Ensure all the power cords are properly installed.
0
 
LVL 8

Accepted Solution

by:
kcoect earned 167 total points
ID: 33579525
If you have the installation media, you can try an operating system "repair".  Boot the installation media, don't press "r" to bring up the recovery console, let the disk search the hard drive for a current installation and from there you will be able to perform a "repair" of the OS.

If the machine is on a network and you can remotely edit the registry, look at the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

make sure it has the current value
C:\WINDOWS\System32\userinit.exe

where C: is the drive that Windows is installed on/.
0
 
LVL 2

Expert Comment

by:ching023
ID: 33579542
Does it fresh out any screen before logging off?
Also, did you try to login with other user account? i Safe mode?
0
Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

 
LVL 1

Assisted Solution

by:manojkundliya
manojkundliya earned 167 total points
ID: 33579547

Log on to a networked computer.
Run Regedit.exe
Point your cursor to HKEY_LOCAL_MACHINE
Select File > Connect Remote Registry
Type computer name (infected computer)
Navigate to the following location in registry of destination or infected computer


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Edit these two values in right pane:

Shell
Userinit


Change these two values to
Shell=explorer.exe
Userinit = x:\windows\system32\userinit.exe
Exit from Registry
Restart Infected computer.
You should be able to log on to computer.
if it not work then go to back steps and just copy orwrite the file userinit.exe
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33579551
Download a copy of UBCD4WIN iso, burn to a CD, BOOT CD and run AV & Spyware removal progs off the CD. Then if that still does not boot, use the registry restore tools on that CD to roll back to a prior Windows Restore Point.
Usually works if the checks that kcoect gave you above fails.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579600
This is definely a virus, before it happened my ESET poped up with few trojan messages and asked to restart.  
This is not a netoworked computer, just a stand along home laptop.  although I can probably hookup another computer on the same line and login remotely.
CD boot option would probably be the best option though.  What AV/Spyware tools would you recommend?
Thanks.
0
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579633
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579848
Let me try that too.  Thank you!!
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33580209
I would also suggest using the Sophos Anti-root kit good for malware removal.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Also, try booting from a WinPE and see if there is anything in the startup folder and the runonce folder in the registry.
http://apcmag.com/windows_pe_20_a_tiny_version_of_windows_for_system_maintenance.htm
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 166 total points
ID: 33580216
If you have the wsaupdater virus, then follow this procedure:

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions press "R" (in the first screen) enter the Recovery Console. Type-in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (Or any other drive-letter where you've installed XP)

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.


NOTE    If you don't have a Windows XP CD-ROM, you need to use Windows XP Setup floppy disks to enter the Recovery Console.

 Phase II  -  Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.


btw... in the instructions above, each instance that instructs you to verify/modify an entry to be userinit.exe is incorrect. The correct entry is:

c:\windows\system32\userinit.exe,   (NOTE THE COMMA)
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33581476
Yes I can try that.  I am not sure I have that specific virus though.  

I there any tools I can download as an iso image alogn with a bootable CD?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33584077
The UBCD4WIN that i mentioned above comes with some AV & Spyware apps already on it as I mentioned above. That should be enough to get you logged in. Once your in then Just run Malwarebytes and Combofix.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33585801
If you build the ubcd4win cd, it has a tool called RegBrz that allows you to edit a local version of the registry (in other words, the registry on the pc you booted the cd from). This will allow you to view and edit the registry key noted above.  So...

Build the UBCD4WIN CD
Boot it and use the RegBrz function
Navigate to the key above and modify as I show above, with the userinit.exe, entry
Save the change, remove cd and reboot. If the real userinit.exe file has not been deleted or corrupted, it should boot. When you navigate to the key, you will see what name has been inserted in place of userinit.exe, entry. If it is not wsaupdater, pls post it here for future reference.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33591742
Will do tonight.
Thank  you again!
0
 

Expert Comment

by:stirider
ID: 33834082
I am having this same problem.  I tried the recovery console method but still cannot successfully log in.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33834307
Build the ubcd4win cd. There is another utility called RegResWiz. It is essentially the same as XP's System Restore. Run that utility, reboot to safe mode, then run the xp system restore.
0

Featured Post

IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
OfficeMate Freezes on login or does not load after login credentials are input.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question