Computer logs off immediately after logon

I think I got a good trojan virus.  Once I logon it immediately logs off.  Tried safe mode - same thing.  
What can be done except reinstall OS?

LVL 17
Who is Participating?
If you have the installation media, you can try an operating system "repair".  Boot the installation media, don't press "r" to bring up the recovery console, let the disk search the hard drive for a current installation and from there you will be able to perform a "repair" of the OS.

If the machine is on a network and you can remotely edit the registry, look at the following key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

make sure it has the current value

where C: is the drive that Windows is installed on/.
It also happens some time if you have some hardware troubles like loose Hard Disk cable; loose Power Cable etc. Ensure all the power cords are properly installed.
Does it fresh out any screen before logging off?
Also, did you try to login with other user account? i Safe mode?
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!


Log on to a networked computer.
Run Regedit.exe
Point your cursor to HKEY_LOCAL_MACHINE
Select File > Connect Remote Registry
Type computer name (infected computer)
Navigate to the following location in registry of destination or infected computer

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Edit these two values in right pane:


Change these two values to
Userinit = x:\windows\system32\userinit.exe
Exit from Registry
Restart Infected computer.
You should be able to log on to computer.
if it not work then go to back steps and just copy orwrite the file userinit.exe
Neil RussellTechnical Development LeadCommented:
Download a copy of UBCD4WIN iso, burn to a CD, BOOT CD and run AV & Spyware removal progs off the CD. Then if that still does not boot, use the registry restore tools on that CD to roll back to a prior Windows Restore Point.
Usually works if the checks that kcoect gave you above fails.
Tiras25Author Commented:
This is definely a virus, before it happened my ESET poped up with few trojan messages and asked to restart.  
This is not a netoworked computer, just a stand along home laptop.  although I can probably hookup another computer on the same line and login remotely.
CD boot option would probably be the best option though.  What AV/Spyware tools would you recommend?
Tiras25Author Commented:
Let me try that too.  Thank you!!
Will SzymkowskiSenior Solution ArchitectCommented:
I would also suggest using the Sophos Anti-root kit good for malware removal.

Also, try booting from a WinPE and see if there is anything in the startup folder and the runonce folder in the registry.
If you have the wsaupdater virus, then follow this procedure:

Enter the Recovery Console

Boot the system using the Windows XP CD-ROM. In the first screen when the Setup begins, read the instructions press "R" (in the first screen) enter the Recovery Console. Type-in the built-in Administrator password to enter the Console. You'll see the prompt reading C:\Windows (Or any other drive-letter where you've installed XP)

Type the following command and press Enter.

(If that does not work, try CHDIR SYSTEM32)


Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to login successfully as you've created the wsaupdater.exe file (now, a copy of userinit.exe)

Now, change the USERINIT value in the registry (see Phase II in this page) and change it accordingly.

NOTE    If you don't have a Windows XP CD-ROM, you need to use Windows XP Setup floppy disks to enter the Recovery Console.

 Phase II  -  Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:


In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the comma - exclude the quotes. Also, change the path to userinit.exe appropriately, if Windows is installed in a different drive.

btw... in the instructions above, each instance that instructs you to verify/modify an entry to be userinit.exe is incorrect. The correct entry is:

c:\windows\system32\userinit.exe,   (NOTE THE COMMA)
Tiras25Author Commented:
Yes I can try that.  I am not sure I have that specific virus though.  

I there any tools I can download as an iso image alogn with a bootable CD?
Neil RussellTechnical Development LeadCommented:
The UBCD4WIN that i mentioned above comes with some AV & Spyware apps already on it as I mentioned above. That should be enough to get you logged in. Once your in then Just run Malwarebytes and Combofix.
If you build the ubcd4win cd, it has a tool called RegBrz that allows you to edit a local version of the registry (in other words, the registry on the pc you booted the cd from). This will allow you to view and edit the registry key noted above.  So...

Build the UBCD4WIN CD
Boot it and use the RegBrz function
Navigate to the key above and modify as I show above, with the userinit.exe, entry
Save the change, remove cd and reboot. If the real userinit.exe file has not been deleted or corrupted, it should boot. When you navigate to the key, you will see what name has been inserted in place of userinit.exe, entry. If it is not wsaupdater, pls post it here for future reference.
Tiras25Author Commented:
Will do tonight.
Thank  you again!
I am having this same problem.  I tried the recovery console method but still cannot successfully log in.
Build the ubcd4win cd. There is another utility called RegResWiz. It is essentially the same as XP's System Restore. Run that utility, reboot to safe mode, then run the xp system restore.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.