
Fix the logon-logoff loop virus

I recently encountered a difficult-to-fix virus/malware issue. The Windows machine had some kind of infection that rendered it impossible to log on to any account on the machine. As soon as I would click on a username to log on, the desktop background would briefly flash and it would immediately log off.

Many of the articles I found about how to fix this had a critical flaw: they would instruct you to log on and run some virus scanner or stop some startup program. There's a simple problem here: the one thing you can't do is log on. Not as Administrator. Not in safe mode. You cannot log on. So many of the "normal" ways to diagnose and fix a malware infection are impossible to attempt.

Anyway, the fix was simple after lots of Googling for a solution. I found several clues that helped me piece it together even though none of them had exactly the solution. (There seem to be several variants of this problem and/or its malware perpetrator.)

Attach the Hard Drive to a Different Machine

This is the easiest solution if possibly not the most convenient.

If you have the option, remove the hard drive from the affected computer and attach it to another known-good computer. Using the good computer, search the hard drive from the failing computer and look for a file named userinit.exe.

Once you've found it, copy it to c:\Windows\system32, and also copy it to c:\Windows\System32\wsaupdater.exe.

Return the hard drive to the original system and reboot. You should be able to log on.
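The search-and-copy steps above can be scripted on the known-good machine. The following is an added example, not code from the original article: it assumes Python is available there, and the function names, the dry-run default and the SHA-256 printout (for comparing the file against a copy from a clean XP install before writing anything) are additions for illustration.

```python
import hashlib
import shutil
from pathlib import Path


def find_userinit(windows_dir):
    """Return userinit.exe copies under the offline Windows directory.

    Names match case-insensitively; files lacking the 'MZ' executable
    signature are skipped as damaged. Copies in system32 sort first.
    """
    found = []
    for path in sorted(Path(windows_dir).rglob("*")):
        if path.is_file() and path.name.lower() == "userinit.exe":
            with path.open("rb") as fh:
                if fh.read(2) == b"MZ":
                    found.append(path)
    return sorted(found, key=lambda p: p.parent.name.lower() != "system32")


def restore_userinit(windows_dir, dry_run=True):
    """Copy userinit.exe into system32 as userinit.exe and wsaupdater.exe.

    Returns (source, sha256_hex, targets). With dry_run=True nothing is
    written, so the hash can first be compared with a clean XP copy.
    """
    windows_dir = Path(windows_dir)
    candidates = find_userinit(windows_dir)
    if not candidates:
        raise FileNotFoundError(f"no usable userinit.exe under {windows_dir}")
    source = candidates[0]
    digest = hashlib.sha256(source.read_bytes()).hexdigest()
    # Locate system32 whatever its on-disk capitalisation.
    system32 = next((d for d in windows_dir.iterdir()
                     if d.is_dir() and d.name.lower() == "system32"),
                    windows_dir / "system32")
    targets = [system32 / "wsaupdater.exe"]
    if source.parent != system32:          # found elsewhere, e.g. dllcache
        targets.insert(0, system32 / "userinit.exe")
    if not dry_run:
        system32.mkdir(exist_ok=True)
        for target in targets:
            shutil.copy2(source, target)
    return source, digest, targets


if __name__ == "__main__":
    import sys
    # Argument: the affected drive's Windows directory as mounted here.
    if len(sys.argv) == 2:
        print(*restore_userinit(sys.argv[1]), sep="\n")
```

Run it first with the default dry run, check the printed hash, then call `restore_userinit(path, dry_run=False)` to perform the copies.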

Recovery Console

(I despise the Windows Recovery Console. There surely has never been a more lame and incompetent "console" program ever written. But sometimes it's all you have.)

Anyway, boot a Windows XP disk into Recovery Console. Navigate to c:\Windows\system32. If Userinit.exe is there, copy it to wsaupdater.exe. If it's not, navigate down one level to dllcache; if it's there, copy it "up" to c:\Windows\System32. In either case, also copy it to c:\Windows\system32\wsaupdater.exe.

Now, reboot the system and you should be able to log on.

Finish the Job

Finally, read this Knowledgebase Article and see if you need to fix the registry entry referenced. Mine didn't need it.

Now, do a very thorough cleaning of the affected system as it probably has lots of other infections of every imaginable stripe. Enjoy!

(Ok, there is nothing enjoyable about cleaning up electronic vandalism. But at least enjoy being a hero to the person whose computer you just rescued.)



Your questions and comments are welcome at comments@redmule.com

Copyright© 2000-2008 Red Mule Technology.  All Rights Reserved.