wsaupdater.exe
wsaupdater.exe removal: be careful, because if it is removed incorrectly you may not be able to log in to your computer.
What if I have deleted userinit.exe?
Before you start, you need a good copy of userinit.exe
File: userinit.exe (Userinit Logon Application), C:\WINDOWS\system32\userinit.exe, Microsoft Corporation, version 5.1.2600.1106
Check that the file exists and that the version is about right.
Run regedit and look for the following key.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Change from:
UserInit=c:\windows\system32\wsaupdater.exe,
Change to:
UserInit=c:\windows\system32\userinit.exe
Note: If you remove the file without fixing the registry, Windows XP will never log on again. It will show the welcome screen and everything, but will immediately log off if you attempt to log on (by any means, including the Safe Mode command prompt).
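The check above is easy to script. The following audit is an added example, not code from the original page or from any product mentioned on it: it reads the Userinit value (live via winreg on Windows, or any string you hand it from an offline hive), splits the comma-separated program list, and reports an entry that points at a file that no longer exists (the wsaupdater.exe case), an entry that is not the real userinit.exe, or an unexpandable token such as %system32% (the Ad-Aware case discussed further down). It assumes the expected value is <SystemRoot>\system32\userinit.exe with the trailing comma the stock installation carries; the sample values in the demo are constructed from the cases on this page.

```python
"""Audit the Winlogon Userinit value for a wsaupdater.exe-style hijack.

Added example (not from the original page). The audit works on the raw
Userinit string, so the same logic runs against the live registry on Windows
or against a value read from a software hive mounted from rescue media.
"""
import ntpath
import os
import platform
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_BASENAME = "userinit.exe"


def parse_userinit(value):
    """Userinit is a comma-separated list of programs Winlogon starts at logon.
    The stock value ends in a comma, so empty entries are dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def expand(entry, env):
    """Expand %VAR% tokens case-insensitively from env. Unknown names stay
    literal, which is what Windows does with the bogus %system32% token."""
    lowered = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lowered.get(m.group(1).lower(), m.group(0)), entry)


def audit_userinit(value, system_root, exists, env):
    """Return a list of (entry, problem) tuples; an empty list means healthy.

    exists is a callable path -> bool, injected so the audit can run offline.
    Problems: 'empty' (nothing to launch), 'unexpanded' (variable never
    resolves), 'missing' (file gone, so the session ends the moment it starts),
    'unexpected' (a program other than the real userinit.exe)."""
    entries = parse_userinit(value)
    if not entries:
        return [("", "empty")]
    expected = ntpath.normcase(ntpath.join(system_root, "system32", EXPECTED_BASENAME))
    findings = []
    for raw in entries:
        path = expand(raw, env)
        if "%" in path:
            findings.append((raw, "unexpanded"))
            continue
        if not exists(path):
            findings.append((raw, "missing"))
        if ntpath.normcase(path) != expected:
            findings.append((raw, "unexpected"))
    return findings


def repaired_value(system_root):
    """The stock XP value, including its trailing comma."""
    return ntpath.join(system_root, "system32", EXPECTED_BASENAME) + ","


def offline_path(win_path, mount_point):
    """Map C:\\WINDOWS\\... onto <mount_point>/WINDOWS/... so the existence
    check can be run against a Windows volume mounted under rescue media."""
    _drive, rest = ntpath.splitdrive(win_path)
    parts = [p for p in rest.split("\\") if p]
    return mount_point.rstrip("/") + "/" + "/".join(parts)


def read_live_userinit():
    """Read the live value (Windows only; returns None on other platforms)."""
    if platform.system() != "Windows":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    live = read_live_userinit()
    if live is not None:
        root = os.environ["SystemRoot"]
        print("live Userinit:", live)
        for entry, problem in audit_userinit(live, root, os.path.exists, os.environ):
            print(f"  {problem}: {entry}")
        print("expected value:", repaired_value(root))
    else:
        # Constructed samples: only the genuine userinit.exe "exists" here.
        present = {r"c:\windows\system32\userinit.exe"}
        env = {"SystemRoot": r"C:\WINDOWS"}
        for sample in (r"C:\WINDOWS\system32\userinit.exe,",
                       r"c:\windows\system32\wsaupdater.exe,",
                       r"%system32%\userinit.exe"):
            result = audit_userinit(sample, r"C:\WINDOWS",
                                    lambda p: p.lower() in present, env)
            print(sample, "->", result or "OK")
```

Run it on the affected machine to confirm the diagnosis before touching the registry, or from a rescue environment by passing the string taken from the offline hive together with an `exists` built on `offline_path`. The repair itself stays a deliberate manual step: compare the reported value with `repaired_value()` and set it with regedit as described above.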
UserInit.exe deleted
If UserInit.exe was deleted or corrupted, your system may not boot.
This is what you could do:
Use boot disks to get to the Repair menu and choose the Command Console option. From there, copy userinit.exe (take it from a PC that is running; hint: use Find Files to locate it) from a floppy into C:\WINNT\system32 using the following command:
COPY a:\userinit.exe C:\WINNT\system32
OR
Boot from your Windows XP CD and run Setup over the top of your current installation (making sure you don't wipe anything; read everything carefully). This will replace all vital system files and keep all your files and programs installed. This works the majority of the time, but be careful what you choose in Setup.
This logon off loop has been doing my head in, ran with the suggestions above without success, the only thing which has allowed me to fix the system was loading up ERD Commander Pro on the MiniPE2 XP cd and ran a system restore to a week ago, loading into safemode and ran some AV and spyware updates and scans before returning to normal mode. Things are sweet as sugar now - thanks for the suggestions - R
In reply to chris.
Richy_el_Killa
8/8/2007 12:30:13 AM - NZ
| reply
If the system is on the network all I did was run regedt32 from another system (system1) and attached to the registry of the broken system(system2) and made the change to userinit.
This took about 30 seconds.
Don
In reply to chris.
Anonymous
6/29/2005 10:19:22 PM - US
| reply
Worked like a champ! The only difference is that my userinit value was C:\windows\system32\wsaupdater.exe Thanks for the post!
In reply to Norm Marks.
Cave_Goat
4/12/2005 9:04:05 AM - US
| reply
You forgot the comma after exe
Robear
11/25/2004 5:12:01 AM - US
| reply
Thanx heaps you saved me a long reload it worked like a charm
Jinx
In reply to chris.
Talen77
10/5/2004 5:52:16 PM - AU
| reply
This is apparently a relatively new problem and I just found an awesome post up on
the Ad-Aware website that corrects this problem. I and a lot of others have used
this and it works perfectly. There's a piece of spyware called the usaupdater.exe
which apparently comes from Blazefind. When Ad-Aware removes Blazefind is when the
problems occur. Hope this works for you!
Norm
HERE´S THE POST:
I haven't tested this. I used a similar method on a customer's computer and it worked.
Second NOTE: Most of these steps assume that Windows is installed to C:\windows.
If your installation is not in C:\windows, then please change the paths in my instructions
to where your installation is.
OK, I just had a customer that had this problem and here is how I resolved it. I
limited the steps some to (hopefully) make it easier.
First things first get to recovery console using previous methods provided. If you
are unsure of how to get to recovery console look at the previous methods of resolving
this problem and they explain it.
OK, now that we are at recovery console, we need to replace the software hive with
a previous good backup. It should look something like this:
C:\windows>cd system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\windows\repair\software
It should say "1 file(s) copied"
NOTE: After the next step you will want to remove the cd, then boot into safe mode.
If you do not boot into safe mode in Windows XP it may prompt you to reactivate and
you may not be able to get into Windows.
C:\windows\system32\config>exit
Now hit the F8 key and boot into safe mode. Logon to the administrator account when
you reach the welcome screen. Hopefully you will be able to logon.
Now we need to edit your old registry to change the path to the userinit.exe file:
open regedit.exe
Highlight HKEY_LOCAL_MACHINE (note: this is important, if you do not highlight this
the next step will not work)
goto file - load hive...
Now select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".
Now navigate to the following:
HKEY_LOCAL_MACHINE\\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. On my customer's machine it was %system32%\userinit.exe
which is invalid.
NOTE: If you can, post what your value is when you look at this.
Next change the value to read C:\windows\system32\userinit.exe
Now close the registry editor, and we need to go back to recovery console to put
your original registry back which should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit
This (in theory) should get you back into Windows.
Please post here what your results are so that we can have some good feedback on
the solution.
My theory is that Adaware SE is fixing the wsaupdater.exe problem, but it is setting
the value in the registry to %system32%\userinit.exe which does not work on all systems.
Let me know if this helps.
This post has been edited by dorkfish on Sep 26 2004, 03:45 PM
--------------------
On Monday, September 20, 2004 at 3:19 am, KT wrote:
>I have Windows XP, and every time I try to log in I'm taken back to the welcome screen
>a split second later. I tried restarting in Safe Mode, and it didn't work...and neither
>did using the Admin account! I don't know what to do...can anyone help?
In reply to chris.
Norm Marks
10/1/2004 12:44:45 AM - US
| reply
I found above solution to be correct.
Further Warnings though!!
You can get into these "logon loop" problems by (inadvertently) running axuninstall.exe, which is also dropped into windows\system32 by the installation of "Windows Search Assistant". Though axuninstall.exe uninstalls all its files, including wsaupdater.exe it FAILS to correct the registry.
So to be able to logon, according to the messed up registry, you need a running malicious wsaupdater.exe, which now no longer exists. This leads to the phenomenon of getting logged off as soon as you get logged on.
Once you're in this state:
1. Boot from XP cdrom
2. After Windows Setup Loaded you get three options. Now press "R" to get into recovery console
(You will now have to logon with admin password)
3. CD to windows\system32
4. type "copy userinit.exe wsaupdater.exe"
5. reboot
6. now you can fix the registry as described above
7. delete wsaupdater.exe and axuninstall.exe
Phew!! Just fixed this thing Thanx everyone for the help!!
I suppose this tumor in cyberspace is going to cause a lot of people problems in the months to come.
Disease to the f#&kers who created Windows SA.!!
Chris
chris
8/31/2004 12:46:58 PM - US
| reply