Solved

Computer logs off immediately after logon

Posted on 2010-09-01
Last Modified: 2013-11-22
I think I got a good trojan virus. Once I log on, it immediately logs off. Tried safe mode - same thing.
What can be done except reinstall OS?

Thanks.
0
Question by:Tiras25
16 Comments
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579500
It also happens sometimes if you have hardware troubles like a loose hard disk cable, loose power cable, etc. Ensure all the power cords are properly installed.
0
 
LVL 8

Accepted Solution

by:
kcoect earned 668 total points
ID: 33579525
If you have the installation media, you can try an operating system "repair".  Boot the installation media, don't press "r" to bring up the recovery console, let the disk search the hard drive for a current installation and from there you will be able to perform a "repair" of the OS.

If the machine is on a network and you can remotely edit the registry, look at the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

make sure it has the current value
C:\WINDOWS\System32\userinit.exe

where C: is the drive that Windows is installed on.
0
 
LVL 2

Expert Comment

by:ching023
ID: 33579542
Does it fresh out any screen before logging off?
Also, did you try to log in with another user account? In Safe Mode?
0
 
LVL 1

Assisted Solution

by:manojkundliya
manojkundliya earned 668 total points
ID: 33579547

Log on to a networked computer.
Run Regedit.exe
Point your cursor to HKEY_LOCAL_MACHINE
Select File > Connect Remote Registry
Type computer name (infected computer)
Navigate to the following location in registry of destination or infected computer


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


Edit these two values in right pane:

Shell
Userinit


Change these two values to
Shell=explorer.exe
Userinit = x:\windows\system32\userinit.exe
Exit from Registry
Restart Infected computer.
You should be able to log on to computer.
If it does not work, then go back through the steps and just copy or write the file userinit.exe
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33579551
Download a copy of UBCD4WIN iso, burn to a CD, BOOT CD and run AV & Spyware removal progs off the CD. Then if that still does not boot, use the registry restore tools on that CD to roll back to a prior Windows Restore Point.
Usually works if the checks that kcoect gave you above fail.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579600
This is definitely a virus; before it happened my ESET popped up with a few trojan messages and asked to restart.
This is not a networked computer, just a standalone home laptop. Although I can probably hook up another computer on the same line and log in remotely.
CD boot option would probably be the best option though.  What AV/Spyware tools would you recommend?
Thanks.
0
 
LVL 9

Expert Comment

by:suvmitra
ID: 33579633
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33579848
Let me try that too.  Thank you!!
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 33580209
I would also suggest using the Sophos Anti-root kit good for malware removal.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

Also, try booting from a WinPE and see if there is anything in the startup folder and the runonce folder in the registry.
http://apcmag.com/windows_pe_20_a_tiny_version_of_windows_for_system_maintenance.htm
0
 
LVL 30

Assisted Solution

by:flubbster
flubbster earned 664 total points
ID: 33580216
If you have the wsaupdater virus, then follow this procedure:

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions and press "R" (in the first screen) to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (or any other drive letter where you've installed XP)

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.


NOTE    If you don't have a Windows XP CD-ROM, you need to use Windows XP Setup floppy disks to enter the Recovery Console.

 Phase II  -  Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.


btw... in the instructions above, each instance that instructs you to verify/modify an entry to be userinit.exe is incorrect. The correct entry is:

c:\windows\system32\userinit.exe,   (NOTE THE COMMA)
0
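The check the answers above do by hand in Regedit, as an added example that is not part of the original thread: a Python script that parses `reg query` text output for the Winlogon key and flags Shell or Userinit values that differ from the ones given in the answers. The sample output is constructed, and `C:\WINDOWS` as the system root and the function names are assumptions.

```python
import ntpath
import re

# Expected values as given in the thread; the system root is an assumption.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Constructed `reg query` output, not captured from a real machine.
SAMPLE_INFECTED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\wsaupdater.exe,
"""
SAMPLE_CLEAN = SAMPLE_INFECTED.replace("wsaupdater.exe", "userinit.exe")

# Indented "<name> REG_SZ <data>" lines; assumes value names without spaces.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: data} for string values in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values

def audit_winlogon(text, expected_userinit=EXPECTED_USERINIT):
    """List findings for Shell and Userinit; an empty list means both match."""
    values = parse_reg_query(text)
    findings = []
    shell = values.get("shell")
    if shell is None:
        findings.append("Shell value missing")
    elif shell.strip().lower() != EXPECTED_SHELL:
        findings.append(f"Shell is {shell!r}, expected {EXPECTED_SHELL!r}")
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value missing")
    else:
        # Userinit is a comma-separated list; every entry is run at logon.
        entries = [e.strip() for e in userinit.split(",") if e.strip()]
        want = ntpath.normcase(expected_userinit)
        for entry in entries:
            if ntpath.normcase(entry) != want:
                findings.append(f"Userinit entry {entry!r} is not {expected_userinit!r}")
        if want not in map(ntpath.normcase, entries):
            findings.append("Userinit does not launch userinit.exe")
    return findings
```

An empty list from `audit_winlogon` means both values match; any finding names the value to correct in the registry editor.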
 
LVL 17

Author Comment

by:Tiras25
ID: 33581476
Yes I can try that.  I am not sure I have that specific virus though.  

Are there any tools I can download as an ISO image along with a bootable CD?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 33584077
The UBCD4WIN that I mentioned above comes with some AV & Spyware apps already on it as I mentioned above. That should be enough to get you logged in. Once you're in, then just run Malwarebytes and Combofix.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33585801
If you build the ubcd4win cd, it has a tool called RegBrz that allows you to edit a local version of the registry (in other words, the registry on the pc you booted the cd from). This will allow you to view and edit the registry key noted above.  So...

Build the UBCD4WIN CD
Boot it and use the RegBrz function
Navigate to the key above and modify as I show above, with the userinit.exe, entry
Save the change, remove cd and reboot. If the real userinit.exe file has not been deleted or corrupted, it should boot. When you navigate to the key, you will see what name has been inserted in place of userinit.exe, entry. If it is not wsaupdater, pls post it here for future reference.
0
 
LVL 17

Author Comment

by:Tiras25
ID: 33591742
Will do tonight.
Thank  you again!
0
 

Expert Comment

by:stirider
ID: 33834082
I am having this same problem.  I tried the recovery console method but still cannot successfully log in.
0
 
LVL 30

Expert Comment

by:flubbster
ID: 33834307
Build the ubcd4win cd. There is another utility called RegResWiz. It is essentially the same as XP's System Restore. Run that utility, reboot to safe mode, then run the xp system restore.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
OfficeMate Freezes on login or does not load after login credentials are input.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question