Immediate Logout after Login (Windoze XP)

P

PHTech

Senior Member
Joined
Aug 21, 2006
Messages
588
Reaction score
0
Location
Witbank
Hi There...

I have searched google for a solution but none seems to help.

When my client's notebook PC starts up, and where a user selection has been done, Windoze starts to load the account, but then an immediate logoff operation followed.

I have tried the Fix for the wsaupdater.exe to userinit.exe thing, but does not seem to fix the problem... Have tried repairing the Windoze installation, but still the same problem...

What I have Noticed is when I try to change the userinit registry key, it won't save the changes, and still displays: "C:\recycled\svchost.exe," in the registry key's line...

ANY HELP WOULD BE APPRECIATED!!!
 
I have actually tried that site, but what I have noticed is that when trying to change the registry key, it doesn't save the changes...!?!? Any ideas how to fix that...?
 
Can you remove the HDD, put it in an USB enclosure and scan the HDD for viruses thus?

Whilst busy, copy all data off the HDD - it might be developing bad sectors, this would be a wise move should the HDD be on its way out...
 
I had this a while ago. What a helpless feeling.

I think I eventually resorted to doing a Windows XP repair and followed numerous other solutions I found online. It wasn't easy to fix. :(

Good luck getting it sorted.
 
I also had this problem a while ago, googled it the whole day and eventually i found out it has to do with a virus that must have been removed and then it changed some of the registry keys.

I took the drive out of the pc and put it in another xp pc and went in to regedit and loaded the registry hive from that drive and fixed the specific keys and after that it booted but i just copied all my stuff off that machine and did a clean install.

I am sure if you google this you will eventually find the keys that need fixing and from there you can try to remove that drive and maybe connect it to a pc.

The other thing that you can also do is to try a bartpe/hiren disk and boot into the registry editor and try to fix the keys from there.
 
I have came to the conclusion that the PC is infected with a worm called "Rungbu.b". It changes the userinit.exe file in the registry to point to "C:\recycled\svchost.exe," and therefore no login to Windows... I am currently busy on finding any alternatives to remove the virus as I can only start into Safe Mode. Will post the steps for future reference and to people who are also struggling with this WORM!!!
 
Good luck on killing that insect, give us your poison recipe after the funeral. :)
 
W@P said:
Good luck on killing that insect, give us your poison recipe after the funeral. :)
Click to expand...

Will do so!!! On the other sites the fix for the Logout after login thing, is related to a "BlazeFind" malware which also causes the same symptoms, but this virus which I am dealing with is running processes and changes registry keys... Will keep you guys posted...
 
MANUAL REMOVAL FOR RUNGBU.B FOR PC's WITHOUT AN ANTI-VIRUS

01. Boot the infected PC in safe mode.
02. Disable System Restore.
03. Kill the following processes (CTRL+ALT+DEL)
  • ctfmon.exe
  • docicon.exe
  • smss.exe
  • spoolsv.exe
  • svchost.exe
** Note that the processe to disable will be displayed in capital letters.
04. Delete the following registry keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe "C:\Recycled\svchost.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=C:\Recycled\svchost.exe
  • HKEY_CURRENT_USER\Word.Document.8\DefaultIcon\(default)\C:\Program Files\Microsoft Office\Office\docicon.exe
  • HKEY_CURRENT_USER\scrfile\(Default)\Microsoft Word Document
05. Delete the following files (You can use a trustworthy anti-virus in this step - I have used NOD32 v2.7 - Virus Signature: 3256):
  • docicon.exe - C:\Program Files\Microsoft Office\Office
  • ctfmon.exe, smss.exe, spoolsv.exe, svchost.exe - C:\Recycled
06. Go to: Start -> Run. Type the following in the run dialog: C:\recycled\ and press enter.
07. Delete all the files in the Recycled folder.
08. Restart the PC and boot with a Windows XP CD.
09. Do a Windows repair. (After pre-loaded files have been loaded, press enter "To install Windows XP" - do not press the R button now. At the next screen press F8 to agree, and THEN press the R button. It will look like a Windows install, but is the actual repair.)
10. After Windows have been repaired, you can log in using the normal mode.
11. Now go to REGEDIT and find all the keys with the following string: C:\recycled\SVCHOST.exe and CLEAR the values of the keys (only the C:\recycled\SVCHOST.exe part)

The virus / worm is now removed. I use NOD32 v2.7 on my PC and when updated regularly, is possibly the best anti-virus system ever.

These steps worked for me. You can PM me any time if something is not clear to you...
 
i have had that on about 50 pc's,its a virus called brontok,if it is that far,format is the only way to fix it properly
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X