Solved: WinXP Immediately logs out upon logging in

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Shairel

Thread Starter
Joined
Jan 14, 2003
Messages
312
Got a virused computer. As soon as I ran a PAV (McAfee Daily on NTFSDos) to remove viruses, the system now gets to the welcome screen and, upon clicking on a user account, it says logging in, immediately says logging off, and dumps back to the welcome screen. This is with any account, including administrator, even in safe mode. I'm going to attempt to see what PAV pulled out using a Linux live distro and maybe restore any missing files via Recovery Console, but any input on the issue would be greatly appreciated.
 

Shairel

Thread Starter
Joined
Jan 14, 2003
Messages
312
It's that nail.exe thing, so I bet it entered itself as a shell= section in system.ini

[edit]
or :Sigh: the registry...time to do some more research
 
Joined
May 13, 2005
Messages
4,699
Hi and Welcome to TSG, I’m David

CCleaner

*Download CCleaner from http://www.filehippo.com/download_ccleaner.html
*Run the program and make sure you are on the windows tab in the top left corner.
*Click run cleaner
*This gets rid of all history, cookies, junk and temporary files

Ad-Aware SE
*Download it from http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10399602.html?tag=pdp_prod
*Check for updates when it starts and download them
*Run a scan
*Right click on one of the entries and click “select all”
*Click remove at the bottom

HijackThis
*Download HijackThis from http://www.merijn.org/files/hijackthis.zip
*Unzip the file and install it to C:/ProgramFiles
*Click on scan and save a log
*When the txt file comes up, copy all and paste here.


Ewido Security Suite

*Download Ewido from http://download.ewido.net/ewido-setup.exe
*This is a 30-day free trial to use.
*At the end of the scan, a log will come up. Post the log on here in the same way you did the HijackThis log

Please post back with a new HJT log and an EWIDO log


David
 
Joined
May 13, 2005
Messages
4,699
When I have looked at the HJT log, I'll see if it's nail.exe or anything else.
Don't worry though, as it can be easily fixed!
David (y)
 

Shairel

Thread Starter
Joined
Jan 14, 2003
Messages
312
: points to senior member tag on username : ...er...yeah...I do appreciate the help, but none of that will do any good b/c you cannot log into Windows because nail.exe was set as one of the shells. I'm in Recovery Console right now fixing it, but that might not be 100% of the issue. As far as running HJT or Ewido, can't do that if you can't log in.
 

Shairel

Thread Starter
Joined
Jan 14, 2003
Messages
312
added a /safeboot(alternateshell) to the boot.ini and am still getting the same issue...can't seem to find this problem on mskb either
 

Shairel

Thread Starter
Joined
Jan 14, 2003
Messages
312
this site described how to fix the issue
http://channels.lockergnome.com/win...ndows_xp_after_you_remove_wsaupdaterexe.phtml

03.04.2005 @ 10:13 PM PT | Marc Erickson

After you remove Wsaupdater.exe from BlazeFind by using Ad-Aware 6 Build 181 and reference file 01R314 02.06.2004 or 01R320 19.06.2004, you cannot log on to your Microsoft Windows XP-based computer.

Note: BlazeFind is a helper object for your Internet Explorer browser that redirects and changes your Internet Explorer settings.

CAUSE
Wsaupdater.exe is spyware that changes Userinit.exe, to Wsaupdater.exe in the registry. Ad-Aware by Lavasoft removes the Wsaupdater.exe file from the computer, but it cannot change the registry subkey back to Userinit.exe,. The registry subkey that is changed is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: Userinit
Data: %Windir%\System32\Wsaupdater.exe

Note %windir% represents the location of the System32 folder. For example, if the location is C:\Windows\System32, the data would be:

C:\Windows\System32\Wsaupdater.exe.

The data should contain Userinit.exe, instead of Wsaupdater.exe. In the previous example, the data would be:

C:\Windows\System32\Userinit.exe,.

Note: The comma following the file path information is required.

RESOLUTION
Use the Recovery Console to copy Userinit.exe to Wsaupdater.exe to allow logon capability to be restored and to let you manually correct the registry data. To do this, follow these steps:


Microsoft also has a KB 82893
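
As an added example (not part of the original posts or the quoted article): a Python check for the condition the article describes, run against a text export of the Winlogon key. The sample export is constructed, and the default `C:\Windows` location and the expectation that Shell is Explorer.exe are assumptions.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample: a regedit text export of the Winlogon key in the broken
# state the article describes (Userinit pointing at the removed spyware file).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\System32\\Wsaupdater.exe"
'''

def parse_key(export_text, key_path):
    """Return {value_name: string_data} for one key of a .reg text export."""
    values, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key_path.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg files escape backslashes and quotes inside string data
            values[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return values

def audit_winlogon(export_text, windir=r"C:\Windows"):
    """List findings for the Userinit and Shell values; empty list means OK."""
    values = parse_key(export_text, WINLOGON)
    findings = []
    expected = (windir + r"\System32\Userinit.exe").lower()
    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit value is missing")
    else:
        entries = [e.strip() for e in userinit.split(",") if e.strip()]
        for entry in entries:
            if entry.lower() != expected:
                findings.append("Userinit runs unexpected program: " + entry)
        if expected not in [e.lower() for e in entries]:
            findings.append("Userinit does not start " + expected)
        if not userinit.rstrip().endswith(","):
            findings.append("Userinit data lacks the trailing comma")
    shell = values.get("shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append("Shell is not Explorer.exe: " + shell)
    return findings
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to `audit_winlogon`.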
 