Wednesday, 23 June 2010 16:26

Logon / Logoff loop


Another critical symptom caused by this malware: it modifies the Userinit value in the registry (replacing userinit.exe with wsaupdater.exe). Ad-Aware (with a particular definition update) then removes the wsaupdater.exe file from the system, which causes the logon/logoff loop. That is, when you log in to Windows, the "loading personal settings" message appears, but the session is suddenly logged off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.


  • Boot from ERD 2005, load the registry and navigate to this key

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
     
  • Look at what the userinit value is. On my customer's machine it was %system32%\userinit.exe which is invalid.
  • Next change the value to read

    C:\windows\system32\userinit.exe

You might see slight variations on the corrupt key; just restore it to the correct value.
Additionally, if the above does not work, check that the file is actually present; antivirus and malware scans sometimes remove the file because of infection/corruption.
It is advised to run SFC after this procedure.
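
The two checks from the steps above, as an added example in Python (not part of the original article): it audits a Userinit value string copied from the Winlogon key and confirms that userinit.exe exists under a Windows directory, which may be an offline volume. The function names and the constructed sample values are assumptions made for illustration.

```python
import ntpath
import os


def audit_userinit(value, system_root=r"C:\windows"):
    """Return a list of (entry, problem) pairs; an empty list means the value looks sane."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    # Userinit is a comma-separated list; the Windows default carries a trailing comma.
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    findings = []
    for entry in entries:
        if "%" in entry:
            # The article reports a %system32% placeholder in this value as invalid.
            findings.append((entry, "unexpanded %variable% placeholder in path"))
        elif ntpath.normcase(ntpath.normpath(entry)) != expected:
            findings.append((entry, "extra or replaced program, not userinit.exe"))
    if not any(ntpath.normcase(ntpath.normpath(e)) == expected for e in entries):
        findings.append((value, "userinit.exe is not launched by this value"))
    return findings


def userinit_file_present(windows_dir):
    """Case-insensitive check for userinit.exe inside system32 of a Windows directory."""
    current = windows_dir
    for part in ("system32", "userinit.exe"):
        try:
            names = os.listdir(current)
        except OSError:
            return False
        match = next((n for n in names if n.lower() == part), None)
        if match is None:
            return False
        current = os.path.join(current, match)
    return os.path.isfile(current)


# Sample values: the first two are quoted in the article, the last two are constructed.
SAMPLES = [
    r"C:\windows\system32\userinit.exe",
    r"%system32%\userinit.exe",
    r"C:\WINDOWS\system32\userinit.exe,",
    r"C:\windows\system32\wsaupdater.exe,",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        problems = audit_userinit(sample)
        print(sample, "->", problems if problems else "OK")
```
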

Last modified on Sunday, 17 April 2011 13:37