Solved: WinXP Immediately logs out upon logging in

[Shairel]

Got a virused computer, as soon as I ran a PAV ( Mcafee Daily on NTFSDos ) to remove virii the system now gets to the welcome screen and upon clicking on a user account, it says logging in, immediately says logging off and dumps back to the welcome screen, this is with any account, including administrator, even in safe mode. I'm going to attempt to see what PAV pulled out using a linux live distro and maybe restore any missing files via recovery console, but any input on the issue would be greatly appreciated.

 

[Shairel]

it's that nail.exe thing, so I bet it entered itself as a shell= section in system.ini

[edit]
or :Sigh: the registry...time to do some more research

 

[D_Trojanator]

Hi and Welcome to TSG, I’m David

CCleaner

*Download CCleaner from http://www.filehippo.com/download_ccleaner.html
*Run the program and make sure you are on the windows tab in the top left corner.
*Click run cleaner
*This gets rid of all history, cookies, junk and temporary files

Ad-AwareSe
*Download it from http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=pdp_prod
*Check for updates when it starts and download them
*Run a scan
*Right click on one of the entries and click “select all”
*Click remove at the bottom

HijackThis
*Download HijackThis from http://www.merijn.org/files/hijackthis.zip
*Unzip the file and install it to C:/ProgramFiles
*Click on scan and save a log
*When the txt file comes up, copy all and paste here.

Ewido Security Suite

*Download Ewido from http://download.ewido.net/ewido-setup.exe
*This is a 30day free trial to use.
*At the end of the scan, a log will come up, post the log on here in the same way you did the Hijack This Log

Please post back with a new HJT log and an EWIDO log


David

 

[D_Trojanator]

When i have looked at the HJT log, i'll see if it's nail.exe or anything else;
don;t worry though as it can be easily fixed!
David

 

[Shairel]

: points to senior member tag on username : ...er...yeah...I do appreciate the help, but none of that will do any good b/c you cannot log into windows because nail.exe was set as one of the shells, i'm in recovery console right now fixing it, but that might not be 100% of the issue, as far as running hjt or ewido, can't do that if you can't log in

 

[Shairel]

added a /safeboot(alternateshell) to the boot.ini and am still getting the same issue...can't seem to find this problem on mskb either

 

[Shairel]

this site described how to fix the issue
http://channels.lockergnome.com/win...ndows_xp_after_you_remove_wsaupdaterexe.phtml

03.04.2005 @ 10:13 PM PT | Marc Erickson | Comment | Send to Friends

After you remove Wsaupdater.exe from BlazeFind by using Ad-Aware 6 Build 181 and reference file 01R314 02.06.2004 or 01R320 19.06.2004, you cannot log on to your Microsoft Windows XP-based computer.

Note: BlazeFind is a helper object for your Internet Explorer browser that redirects and changes your Internet Explorer settings.

CAUSE
Wsaupdater.exe is spyware that changes Userinit.exe, to Wsaupdater.exe in the registry. Ad-Aware by Lavasoft removes the Wsaupdater.exe file from the computer, but it cannot change the registry subkey back to Userinit.exe,. The registry subkey that is changed is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: Userinit
Data: %Windir%\System32\Wsaupdater.exe

Note %windir% represents the location of the System32 folder. For example, if the location is C:\Windows\System32, the data would be:

C:\Windows\System32\Wsaupdater.exe.

The data should contain Userinit.exe, instead of Wsaupdater.exe. In the previous example, the data would be:

C:\Windows\System32\Userinit.exe,.

Note: The comma following the file path information is required.

RESOLUTION
Use the Recovery Console to copy Userinit.exe to Wsaupdater.exe to allow logon capability to be restored and to let you manually correct the registry data. To do this, follow these steps:


Microsoft also has a KB 82893