 Post subject: Windows XP Logs On Then Off Automatically
PostPosted: Tue Jan 12, 2010 12:41 pm 
Site Admin

Windows XP Logs On Then Off Automatically, Cannot Logon In Normal Or Safe Mode.

This is typically caused by malware changing a registry key to point to a foreign file instead of the Windows file that is supposed to be there. Many malware removers will clean the file on the hard drive but fail to set the registry key back to its original value, which causes the log-off loop.

LEGAL DISCLAIMER
These are common steps DNS Texas technicians have followed in the past to resolve the problem outlined above. Follow the directions in the article carefully. DNS Texas does not warrant or guarantee that the steps below will work for you. We are not responsible for any damages you might encounter or cause by following the steps outlined below. You are advised to use the information below AT YOUR OWN RISK.

STEP 1 : Replace Hijacker Files (Boot Disc Required)
    * You will need to boot off of a boot disc with NTFS support to complete this operation (since you cannot logon). You can use the Windows XP installation CD (in recovery console mode), a 3rd party boot disc (with NTFS support), ERD commander, etc.
    * When you are at a command prompt, go to "c:\windows\system32" (cd\windows\system32)
    * Look for the following file(s): wsaupdater.exe, winlogon86.exe, logon.exe (dir wsaup*.*<enter>, dir winlo*.*<enter>, dir logon*.*<enter>)
    * Note any file(s) found with these name patterns.
    * Use the copy command to replace the file(s) found above. For example, if the DIR commands above returned only one result, note that filename (winlogon86.exe, for example) and use the copy command to replace it with userinit.exe: copy userinit.exe winlogon86.exe (substitute the file(s) you found above for winlogon86.exe).
    * Exit and reboot normally. You should now be able to logon.

STEP 1 : Replace Hijacker Files (Alternate Method)
This method works in some cases only. It uses the network function of the registry editor. If the machine with the issue is not attached to a network (wireless or wired), or you do not have another computer from which you can access its registry, use the method above for step 1 and skip this alternate method.
* This method works well for computers attached to a domain, where technicians have administrator override access accounts. Home users may experience difficulty with this network method, since network workgroups may be different and credentials between the systems may not match up. You must have administrator access to the machines to perform remote registry calls. Again, this method is designed for advanced users *
    * Using a good computer, attach to the registry of the bad computer. To do this, open regedit (START, RUN, REGEDIT) on the good computer.
    * Click 'File' at the top of registry editor and choose 'Connect Remote Registry'
    * Enter the computer name of the bad computer
    * Once connected, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    * In the right pane, you should see USERINIT with a value. That value should be c:\windows\system32\userinit.exe. If it is anything else, change it back to the original value (c:\windows\system32\userinit.exe).
    * Reboot the bad computer and proceed to STEP 3 (below).

STEP 2: Once Logged Back In
    * Run REGEDIT (START, RUN, REGEDIT)
    * Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    * In the right pane, you should see USERINIT with a value. That value should be c:\windows\system32\userinit.exe. If it is anything else, change it back to the original value (c:\windows\system32\userinit.exe).
    * Reboot

STEP 3 : Final Cleanup
    * Download and run "MalwareBytes" from your favorite download website -OR- use the file attached to this post (below)
    * Be sure to click the 'update' tab to install the latest definitions
    * On the 'scanner' tab, choose the C: drive and 'Full Scan'
    * Remove anything that MalwareBytes finds
    * Reboot after MalwareBytes finishes
    * Computer should be repaired.

Additional Thoughts : this hijacker started off as WSAUPDATER.EXE, it has since morphed into WINLOGON86.EXE, LOGON.EXE and possibly WINLOGON32.EXE at the time of this posting. I'm sure there will be other flavors that slightly change the processes outlined above. Feel free to post any updates to this article.


Attachments:
MalwareBytes(12.2009).exe [4.62 MiB]
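
The Userinit check from STEP 2 and the alternate (remote registry) method, as an added example that is not part of the original post. The function names and the sample values are constructed for illustration; the check treats the value as a comma-separated list, because the stock XP value ends with a trailing comma and an extra entry can sit beside the genuine one.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample values; the file names are the ones the post lists.
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,",     # stock form, trailing comma
    r"c:\windows\system32\userinit.exe",      # as written in the post
    r"C:\WINDOWS\system32\winlogon86.exe,",   # value replaced outright
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wsaupdater.exe",
]

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return every Userinit entry that is not <system_root>\\system32\\userinit.exe.

    Userinit is a comma-separated list of programs Winlogon starts at logon,
    so each entry is checked; empty items (trailing comma) are skipped.
    """
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    unexpected = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.normcase(ntpath.normpath(entry)) != expected:
            unexpected.append(entry)
    return unexpected

def is_clean(value, system_root=r"C:\WINDOWS"):
    """True when the value has at least one entry and all are the expected path."""
    has_entry = any(e.strip() for e in value.split(","))
    return has_entry and not audit_userinit(value, system_root)

def read_userinit(computer=None):
    """computer=None reads the local registry; a machine name reads a remote one."""
    import winreg  # Windows only; needs administrator rights for remote reads
    with winreg.ConnectRegistry(computer, winreg.HKEY_LOCAL_MACHINE) as hive:
        with winreg.OpenKey(hive, WINLOGON_KEY) as key:
            value, _type = winreg.QueryValueEx(key, "Userinit")
    return value

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit_userinit(sample) or "OK")
```

On a Windows machine, `audit_userinit(read_userinit())` checks the local value; passing the bad computer's name to `read_userinit` corresponds to 'Connect Remote Registry' in the alternate method.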