Windows XP Login Logout Loop (Virus)

(Image by JudeanPeoplesFront)

I’m writing this post with the hope that it will be helpful to people who face the same computer predicament that I did a few days ago. Here’s a little bit of background information: Last Tuesday I met John Chol Daau, who is from Sudan. He grew up as one of the Lost Boys of Sudan, forced to leave his home and wander hundreds of miles through Africa to survive. If you don’t know much about this particular humanitarian issue, I suggest spending a small amount of time reading up on it. Anyway, John told me that his PC was experiencing a debilitating virus, and asked if I would look at it. I said that I would. After spending quite a bit of time reading through various website forums, here’s a short description of the problem and its solution:

Problem: The PC (which runs Windows XP with SP2) starts normally. The Windows splash screen appears correctly and then the login prompt correctly loads. You can then enter your user name and password like normal, but as soon as you try to login you are IMMEDIATELY logged back out again. The desktop doesn’t even load. It moves immediately back to the login window where you can then enter your user name and password again. No matter how many times you try to login you always experience this immediate logout. Even if you try to login to the computer in safe mode you still experience the same problem. This problem is documented on Microsoft’s website here.

Solution: I’m sure this behavior can be caused by many different problems, but the most common cause is a virus. If you’re familiar with the Windows registry, this virus changes a few registry key values that makes it impossible to login to your computer. If you’re not familiar with the registry, don’t panic. I’ll post links to a few articles that very clearly explain how to fix this problem. Basically, the virus makes two very simple changes to your computer that render it useless. In order to fix the problem, you have to change these two things back to the way they were while your computer was working.

Easy Fix: The “easy” solution to this problem can be found here. In order to use this fix you have to have your Windows XP install CD. This is the CD that contains the files necessary to install the operating system on your computer. You probably have this disk stashed in a drawer somewhere. You should note that there’s a difference between the Windows XP install CD and the recovery CD that may have shipped with your computer. It’s actually possible that when you bought your computer that it didn’t actually come with a Windows XP install CD. Sometimes computer manufacturers will only ship you a recovery disk, which is altogether different. You need your Windows XP install CD so that you can run an application called the Recovery Console. The link above should provide documentation on how to use the Recovery Console. Unfortunately, this fix didn’t work for John’s computer, but it may work for yours.

Slightly Harder Fix: This fix is the one that ended up working to fix John’s computer. A detailed explanation of this fix can be found here. It requires you to have access to another Windows PC with a CD burner (even if it’s a friend’s computer). You have to download a program called BartPE, which is one of the greatest recovery tools that exists. For this particular problem, BartPE will enable you to quickly change the two settings that the virus messed up. You may need a Windows XP install CD for this method as well. But it may be possible for the program to find what it needs from your friend’s computer without having to have access to this disk.

If you have any questions, please feel free to contact me. The above links should give you the tutorials you need to fix the problem. And if you use a PC you should use a virus protection program! If you don’t, you’re asking for trouble! Good luck!

If you found this article helpful and would like to do something small to support Logic Nest and also benefit yourself, sign up for a Dropbox account here. Dropbox is software that syncs your files online and across your computers, and by signing up you get a 2GB free account. I also get a little bit of extra space for referring you. This is one of the best pieces of software that I use today. It’s a huge productivity booster, and helps me to back items up across computers.

(Image by JudeanPeoplesFront)

Have a comment?
  1. Connie says:

    How can I create a BartPE bootable CD if I can’t get to windows. It says to “download it and run it”. I can put the download on a CD from another computer, but then how can I run the pebuilder.exe on the correct PC (with the correct Windows XP files)?

  2. RANS says:

    Thank you so much for the information. This was a nasty virus/trojan. The following worked for me…
    1) I was able to remove the hard drive and install it on a clean computer as a slave drive. I used Norton 360 to scan and rescan the drive until it was clean of virus.
    2) I copied userinit.exe and winlogon.exe from the clean computer to the 2nd HD and replaced the existing files. And reinstalled the HD in the computer. Still had problems.
    3) Created a BartPE recovery disk – best thing! Used BartPE to get access to the computer and used regedit to update the required information.
    4) This link was extremely valuable on how to load and edit the registry once BartPE had worked, as loading registries is not easy. http://windowsxp.mvps.org/peboot.htm
    5) Added Shell and Winlogon information to Registry keys (as the antivirus had removed them)
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell=explorer.exe
    Userinit = x:\windows\system32\userinit.exe

    Thank you all

  3. RANS says:

    Oh the x:\ should be what ever drive is the main (c:\)

  4. Ramona says:

    I have tried to open the hive from my Windows Installation Drive using C:\, D E FGABC123 and nothing seems to work. BART doesn’t seem to be reading my drive at all. I’m at a loss and not sure what to do. I tried to Connect Network Registry and nothing happens. When I first boot up BART and it asks if I want to network connect I’ve said both yes and no and neither works. I also get an error message when I’ve tried ‘yes’.

    I tried doing the ‘expand’ thing in the command prompt but likewise it seems to not be reading my drive or I may be doing that part incorrectly.

    Any help would be oh so greatly appreciated.

    Thank you

  5. Scott says:

    The second option worked for me. Thank you very much. fwiw, I had an issue where the machine would browse to the windows directory when loading the hive but it appeared empty. Out of frustration, i clicked it over and over again and weirdly enough, up came the sub directories and I was able to locate the software file for the registry. Success!

  6. Vic says:

    Do I need to use the exact same Windows XP CD that came with the computer?

    I am trying to fix a friend’s computer that has this problem, and his computer, a HP Compaq, did not come with a Windows XP CD. I have my own Windows XP CD, with a different service pack than the one that was originally installed on his computer. Can I create a BART PE disk from the CD that I have? Thanks.

  7. MR says:

    vic.. you can use any windows installation cd,,

    just for sharing, i also have the same problem, but it all ready solved,
    checked the following links http://windowsxp.mvps.org/peboot.htm

    there are steps for this problem,
    steps
    1. boot from your BartPE cd
    2. from the GO menu, choose to browse c:\windows\system32
    3. find the userinit.exe file (seems virus deleted this file)
    4. if you couldn’t find it, try to fnd on your BartPE CD ( on BartPE\I386) and copy it to c:\windows\system32
    5. and for the rest,, check above link

    it works for me

  8. Greg says:

    HI All,
    I am having the same issue when prompted for the user password at Windows XP Home logon screen, it logs you on, then disconnects network connections and logs you off again.

    I created a BartPE and copied the userinit.exe from the bart CD and replaced the old one in C:\windows\system32\.

    I also run regedit and adjusted the settings as described in the link posted by MR this morning.

    It still doesn’t let me log on. Could it be that a virus is still active and needs to be “killed” first? how would i do that if i can’t even log on? Any ideas?

  9. surya says:

    what it’s a magic trick

  10. Jeff Green - Washington, DC says:

    Hey, Don’t know if you still check this post but your solution works F A N T A S T I C A L L Y !!!!

    I had a bart pe disk, but didn’t know where in the registry the fix needed to be made.

    Got an old laptop up and logged on in about 5 minutes !!

    Thanks,

    Jeff

  11. EPIC! says:

    The Slightly Harder Fix did it for me. Wow….all the other forums have the easy fixes that didnt work!

    A+

  12. EPIC! says:

    Greg go ahead and try to take the hard drive out and get IDE/SATA to USB adapter to scan your HD for viruses

  13. Emz says:

    I have this problem however I have a netbook so i don’t have a CD drive is there any other way to fix this problem? I went to a computer shop to see if i could get it fixed and they told me it would be £50

  14. MP says:

    This solution worked perfectly. I tried the first solution countless times until I found this secondary solution! I used another computer without a boot disc and got my BartPE from there and burned the ISO to a CD. As others have said, the key is to make sure your in the C:\ Drive and not in the X:\ drive, which the program defaults to so pay attention to every detail! I had to manually type the exact location of the SOFTWARE location in order for it to load and allow me to name my hive.

    THANK YOU VERY MUCH!

  15. Matthew says:

    This just happened to me. I run a company with this computer and was shut down all day. Your page helped me save my computer and my company. Thank you !

    Thank you!!! THANK YOU!!!!

    god bless and good day…..

    matt

  16. Matthew says:

    FOR GREG,

    I see exactly your problem, i found this video that explains it step by step. This is a BRITISH guy who mubbles the word Ultimate boot CD for Win…….

    hopefully this will help.

    http://www.youtube.com/watch?v=avjLawmpWZ8

  17. Andres says:

    Thank you so much, the second link did the trick, finally managed to save a friend’s PC without having to reinstall windows XP.

  18. Foundtheansw says:

    Ok I got the answer to all those whose BARTPE’s cant find the c drive,

    go into recovery console and go to windows\system32\config
    ren software to software.old and then type “copy C:\windows\repair\software”

    now it should load into windows where you can do the hive fix. Dont even need bart pe.

    then go back to the recovery console and rename software to software.temp and rename software.old(the one where you did the hive fix) to software, reboot and viola!

  19. Andrew says:

    i have followed the steps for the harder fix but userinit reg does not exist in the winlogon folder ,c:\windows\system32\userinit .exe exists any ideas how to fix this

  20. Jason Saunders says:

    I would like to thank Mr. Kane for posting this to the web. I am an artist and frankly don’t have a lot of money to hire someone to fix my computer. So, I have to do it myself. After Googling the description, and following several false paths this page finely set me on the right one. In my case usernit.exe has gone missing. Once I found instructions on how to restore that program my computer immediately started functioning. I was down for about a day. I have no idea if a virus erased it or if my computer hiccuped and deleted it. I’m just super happy to have my computer working again. Thanks :*)

    This is the page with the instructions:
    http://www.f-prot.com/support/windows/fpwin_faq/106.html

    P.S. PC’s may be more susceptible to viruses then Macs but they’re more affordable and they have a right mouse button.

    • Evert says:

      Great man!!! I regretfully tried everything I could think of and googled on until I came across this instruction on the above link. Thanx again … this search was rewarding.

Trackbacks for this post

Comments are closed now.