Windows XP allows a user to login and then it immediately logs out

Quite an odd thing happened today… I encountered the same very specific error twice on two completely unrelated computers (two different clients). In _both_ cases, clamwin had unnecessarily quarantined the following file:

C:\WINDOWS\system32\userinit.exe

On both machines, this occurred during a scheduled scan. The symptoms of this problem are that windows will allow the user to login, but it immediately logs out after a second or two. Here’s how I fixed it in both cases:

  1. Boot into the recovery console using a Windows XP install disk
  2. Select the windows installation experiencing the problem and type the Administrator password when asked
  3. Run the following command (assuming that your CD-ROM is D:\ and your hard drive is C:\):
    expand D:\I386\USERINIT.EX_ C:\WINDOWS\system32
  4. Remove the CD from the drive then type ‘exit’ and hit ‘enter’ to reboot.

Once the computer boots properly (and allows you to stay logged in), use Malwarebytes, Spybot, HijackThis, etc. to scan your computer for viruses and/or spyware.

Update, 5 August 2009:

Just an additional note; you’ll want to be sure that the version of the file you copy from the installation disk is compatible with the service pack installed (it’s likely not). Symptoms of this incompatibility include things like explorer freezing when you try to shutdown or restart the computer. Uninstalling then Reinstalling the service pack should fix this issue. Alternatively, (and if ClamWin was the culprit) you could restore the old userinit.exe file from ClamWin’s quarantine directory… be sure to scan the file before doing this or else you could end up restoring an infected copy. So far, on every computer I’ve had to fix because of this (five and counting), ClamWin had falsely identified the userinit.exe file as a virus.