Windows XP Logon/Logout Loop Issue

My stepdaughter somehow managed to get a virus on my wife’s HP laptop. I had Avast and Malwarebytes on there, and I think when the Avast scanner popped up with “Hey, a virus is attempting to get onto your machine!” she clicked close/ignore assuming that it was just another one of those malware ads that try to tell you your computer is infected, etc.

I ran Avast scans several times, couldn’t get Malwarebytes to run due to the virus disabling the “Mbam.exe” file from running. Avast kept finding viruses but it wasn’t enough.

Somehow now the machine is stuck in a loop where the thing gets to the logon screen, and no sooner do you log on than it logs itself out. I assume from googling that the virus compromised a file or three that is causing this. Also from googling I encountered some fixes that were a little beyond my threshold for computer literacy.

If anyone has an “easy” fix for this I would love the assistance. I do not have the original XP disc so I cannot do a clean install, unfortunately.

Editing registry keys scares me. Help!

Thanks!

Have you tried going into Safe Mode? Press the F8 key before the Windows startup screen display and try that.

If you can get into it, try using System Restore (it comes up as an option just as you enter Safe Mode) to restore it to a time before the virus hit. This isn’t a foolproof solution, but it works often enough to be worth a try.

Safe Mode has the same issue…

You can try renaming MBAM, the .exe, to see if that works. Also, try Super Antispyware.

Try downloading mbam-setup.exe directly to your desktop, rename it to something like winlogon.exe and run it. Run a quick “Check for updates”, then do a quick scan.

I can’t download anything because I cannot log on to the computer!

I need an option that doesn’t involve me messing with BIOS, the registry or re-installing XP if possible, and if it does involve one of those options, I need the old kid glove treatment.

ETA: With reinstalling Windows as a last resort, as I alluded to…I do not have the disk anymore…

This worked for me:

At first I tried to do the steps manually, but then I grabbed the downloadable tools and went step by step. Good tools to have anyways, good luck, let us know.

Well, there isn’t an easy fix, then. The best without reinstalling would be to create a BartPE or other disk that can boot from a floppy or flash drive and then use it to find rootkits (usually in the C:\windows\system32 folder – the time stamp on the file will probably show the culprit).

But that’s not all that easy to do. You’ll need another computer and a way to create the boot disk – and hope the bad file is actually in that folder.

Fuck.

When you log in, hold the Shift key down. This should stop the startup items from running.

BartPE is a lot of trouble to create, especially if you don’t have access to the machine. It would be a lot better to get an Antivirus bootCD. They don’t need Windows to run.

You’ll need to know how to burn an ISO file to a CD. ImgBurn will do it if you don’t know how otherwise. Choose the “Write image file to disk” option, select the ISO, and click the Write button, and soon you’ll have that CD you need.

Guys, the link I posted above does pretty much that. It walks you through downloading an .iso, which self-boots, runs a repair script, and replaces the registry keys and files that are essential to getting out of logon loop hell. It also runs a Spybot scan to remove any traces of garbage left over.

My initial run-in with this was due to winlogon being corrupted/replaced by a rootkit. The link above is like ‘fix this for dummies’. Try it.

DaPope’s method will work in most cases, folks.

We actually have a similar tool that is part of a subscription tech tool package. We break about 5-6 of these login/logout loops a month with it. It also entails booting with a PE disk and running the tool.

This is not actually an active virus; this is the side effect of a virused critical system file being removed, and Windows crashes back out to a login when it can’t find it. Similar things happen with some viruses that reassign certain Windows shell functions that will leave a machine unable to run executable files after the virus is removed.

The only problem I found with the VistaRecovery/SaveMe disk combo was that it could not access SATA drives without supplying the drivers from another disk.

If I’m not off my rocker, Vista is the first OS from MS where you can supply nonstandard drivers via USB keys.

But I think the USB key has to be plugged in before you boot. Keep us up to date on this please!

A coworker managed to do something similar, not only to his work computer but his computer at home as well. He was hit by malware installed from a program named qKmfGB.exe that installed a replacement Windows logon handler, plus some other nasties.

The first symptom was a sickly green screened warning message that his computer had become infected and he had to CLICK HERE! to download the only hope of fixing the problem. Rather than doing that, he ran Spy-Bot to try to handle the situation. Spy-Bot discovered the bogus files and deleted them, but gave a message that it could only finish the clean-up after a re-boot. So he re-booted the computer and was stuck in the same loop that FoieGrasIsEvil is seeing.

The problem was that Spy-Bot had erased the bogus logon handler (in XP it should be a file called userinit.exe) but had not corrected the registry entry specifying the program Windows is to use. This key is located (again, for XP) at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit:

On the one system I was able to use the NT password resetting boot CD from Offline Windows Password & Registry Editor - it has a command-line based registry editor that is not for the faint of heart.

The other system wouldn’t boot from that CD, so I looked around and found a more up-to-date option, http://www.ubcd4win.com/ that did the job.

The advantage of the Universal Boot CD option is that it gives you a stripped down version of Windows that should be able to access all of the hardware and it lets you run the standard regedit program on the affected machine’s registry.

As always, these tools are strictly use at your own risk, but I’d recommend trying the UBCD4Win option before reinstalling the OS, you should at the very least be able to use it to access and back-up the data from the laptop.
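
The Userinit repair described in the post above, written out as a batch file to run from the boot CD's command prompt. This is an added example, not part of the original thread or of any tool named in it. It assumes the laptop's XP installation shows up as C:\WINDOWS in the boot environment, that reg.exe is available there, and that XP's stock Userinit value applies; the mount name OfflineSW is arbitrary.

```bat
@echo off
rem Added example: inspect and reset the Winlogon\Userinit value in an
rem OFFLINE copy of the XP registry, from a PE boot CD such as UBCD4Win.
rem ASSUMPTION: the installed Windows is visible as C:\WINDOWS here.
rem If the boot CD assigns another drive letter, change OFFLINE only.
setlocal
set OFFLINE=C:\WINDOWS
set HIVEFILE=%OFFLINE%\system32\config\software
set MOUNT=HKLM\OfflineSW
set KEY=%MOUNT%\Microsoft\Windows NT\CurrentVersion\Winlogon

rem Keep a copy of the hive so the change can be undone by copying it back.
copy "%HIVEFILE%" "%HIVEFILE%.bak" || goto :eof

rem Mount the installed system's SOFTWARE hive under a temporary name.
rem (HKLM\Software in this session belongs to the boot CD, not the laptop.)
reg load %MOUNT% "%HIVEFILE%" || goto :eof

rem Show what the logon process is currently told to run.
echo --- Winlogon values before the change ---
reg query "%KEY%" /v Userinit
reg query "%KEY%" /v Shell

rem Pointing the registry at a file that is not there reproduces the
rem logon/logoff loop, so check that the real file exists first.
if not exist "%OFFLINE%\system32\userinit.exe" (
    echo WARNING: userinit.exe is missing from system32.
    echo A copy may exist in %OFFLINE%\system32\dllcache - restore it before rebooting.
)

rem Stock XP value, including the trailing comma. The path is the one the
rem installed system will see at boot, which is normally C:\WINDOWS.
reg add "%KEY%" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe," /f

echo --- Winlogon values after the change ---
reg query "%KEY%" /v Userinit

rem Unmount so the change is flushed to disk before rebooting.
reg unload %MOUNT%
endlocal
```

If the "before" output shows Userinit or Shell pointing at an unfamiliar executable, note the name: that file is the replaced logon handler the post describes and is worth locating on disk before the machine is used again.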