How to fix the Log On/Log Off Loop in Windows XP

The Win32/Virut virus is particularly nasty in my experience. Win32/Virut is a parasitic file infector that uses process injection technology to write itself in to executable files, including explorer.exe, winlogon.exe, and userinit.exe (along with many others). Once infected, the virus is then activated at start up, in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry keys. The virus also acts as an IRC bot, logging on to a predetermined IRC server, effectively turning your machine into an IRC file serving zombie, allowing an attacker to upload files to your machine for use in IRC Warez channels.

Upon removal of Win32/Virut, users may encounter what is affectionately known as the Log On/Log Off loop. This is when a user logs into a Windows account normally, but then immediately is logged off. This is due to the removal of an infected userinit.exe, as pointed to in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

So, how do we correct the Log On/Log Off loop? For starters, you'll need your Windows XP CD-ROM available, a working Windows machine with a CD burner (you can usually borrow the use of a friend's machine), and the Windows Bootable Recovery CD known as Bart PE. This guide (http://thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/2/) shows how to set up Bart PE for specifically this problem with very clear and concise step-by-step instructions. For that reason, I won't go into extreme detail, suffice it to say that once Bart PE is loaded, run the Remote RegEdit tool and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the "Userinit" key to read C:\Windows\system32\userinit.exe, and then, just to be safe, manually copy userinit.exe from the X:\I386\SYSTEM32 folder to C:\Windows\system32\. (X:\ being the newly created disc drive from which Bart PE runs)

After following these instructions myself, I was indeed able to log in to my user account, however, the Explorer shell would not load. That is, the taskbar, desktop, etc... were not loading. This told me that Explorer.exe was also removed by my antivirus software. Not to be panicked, I copied Explorer.exe from the Bert PE CD into C:\Windows\ in the same fashion. This allowed me to once again have a normal looking, (yes, looking) Windows XP interface. This was not the end of my troubles.

I soon found that I did not have such simple programs as Task Manager, Command Prompt, not even Notepad. All were removed by my antivirus software. Rather than taking the time to manually copy all of these files off of the Bart PE CD, I chose to run my Windows XP CD-ROM in repair mode, thus giving me back all of these necessary programs. This time, virus-free.

You may ask, "Well, if you just ended up running Windows Repair mode, then why bother with Bart PE in the first place?" Well, I am basing this off of my own specific experience for which I found little to no help for on different tech support forums. The Log On/Log Off loop could simply be caused by your Spyware program performing practically the same action as the antivirus did. For this, more common problem, the Bart PE solution should be the end of your problems.

So now that your PC is back up to snuff, what do you do now? Make sure to run updated antivirus software on ALL drives, including external hard drives and USB thumb drives. Remember, Win32/Virut is a file infector, so any programs you use could be infected.

And there you have it. I sincerely hope that this article will help at least one frustrated user. If there are any questions, feel free to email me at rammsteinfuerimmer [at] yahoo [dot] com