You cannot log on to Windows XP after you remove Wsaupdater.exe


SYMPTOMS

After you remove Wsaupdater.exe from BlazeFind by using Ad-Aware 6 Build 181 and reference file 01R314 02.06.2004 or 01R320 19.06.2004, you cannot log on to Microsoft Windows XP.

Note BlazeFind is a browser helper object for Internet Explorer that redirects the browser and changes Internet Explorer settings.


CAUSE

Wsaupdater.exe is spyware that replaces Userinit.exe, with Wsaupdater.exe in the registry. Ad-Aware by Lavasoft removes the Wsaupdater.exe file from the computer, but it does not change the registry data back to Userinit.exe,. Because Winlogon can no longer start the program named in the Userinit value, the logon session ends immediately after the profile is loaded. The registry subkey that is changed is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Value: Userinit
Data: %Windir%\System32\Wsaupdater.exe

Note %Windir% represents the Windows folder. For example, if Windows is installed in C:\Windows, the data would be C:\Windows\System32\Wsaupdater.exe.

The data should contain Userinit.exe, instead of Wsaupdater.exe. In the previous example, the data would be C:\Windows\System32\Userinit.exe,.

Note The comma following the file path information is required.


RESOLUTION

Use the Recovery Console to copy Userinit.exe to Wsaupdater.exe. This restores logon capability so that you can then correct the registry data manually and delete the copy. To do this, follow these steps:


Use Recovery Console to copy Userinit.exe to Wsaupdater.exe

1. At the Recovery Console command prompt, type cd system32, and then press ENTER.

2. Type copy userinit.exe wsaupdater.exe, and then press ENTER.

3. Type exit, and then press ENTER.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows


Modify the registry

1. Click Start, click Run, type regedit, and then click OK.

2. In Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

3. In the right pane, right-click userinit, and then click Modify.

4. Replace wsaupdater.exe with userinit.exe, (make sure to include the comma, as shown), and then click OK.

5. Restart your computer.


Delete the Wsaupdater.exe file

1. Log on to the computer by using an account that has administrator-level permissions.

2. Click Start, click Run, type %Windir%\system32, and then click OK.

3. Right-click wsaupdater.exe, click Delete, and then click OK.
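The three procedures above fix one registry value by hand. As an added example that is not part of the Knowledge Base article or of Lavasoft's guidance, the PowerShell below audits the Winlogon Userinit value for the hijack described in the CAUSE section and, with -Repair semantics via -WhatIf/-Confirm, writes back the expected "userinit.exe," string. The function and parameter names are this example's own; the hijacked sample value passed in at the end is constructed from the article's text, not captured from a live machine.

```powershell
# Added example, not from the KB article: audit and repair the Winlogon
# Userinit value that BlazeFind/Wsaupdater.exe overwrites.
# Function and parameter names are assumptions made for this example.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-UserinitValue {
    [CmdletBinding()]
    param(
        # Value as stored in the registry; defaults to the live value on this machine.
        [string]$Value = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit,
        # Folder that should hold userinit.exe; defaults to this machine's System32.
        [string]$System32 = (Join-Path $env:windir 'System32')
    )
    $expected = (Join-Path $System32 'userinit.exe') + ','
    $findings = @()

    # Winlogon reads Userinit as a comma-separated list of programs to start.
    # The trailing comma leaves an empty last entry, which is normal and required.
    $entries = @($Value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($entries.Count -eq 0) { $findings += 'Userinit is empty; logon will fail' }

    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        $leaf = [IO.Path]::GetFileName($path)
        if ($leaf -ieq 'wsaupdater.exe') {
            $findings += "BlazeFind hijack: Userinit points at $entry"
        } elseif ($leaf -ine 'userinit.exe') {
            $findings += "Unexpected Userinit entry: $entry"
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $findings += "Entry does not exist on disk (logon/logoff loop): $entry"
        }
    }
    if (-not $Value.EndsWith(',')) { $findings += 'Trailing comma is missing' }

    # A leftover wsaupdater.exe (the spyware, or the Recovery Console copy made
    # above) should be deleted once the registry value is corrected.
    if (Test-Path -LiteralPath (Join-Path $System32 'wsaupdater.exe')) {
        $findings += 'wsaupdater.exe is still present in System32; delete it after the registry is fixed'
    }

    [pscustomobject]@{
        Value    = $Value
        Expected = $expected
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

function Repair-UserinitValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Expected = ((Join-Path $env:windir 'System32\userinit.exe') + ',')
    )
    if ($PSCmdlet.ShouldProcess("$WinlogonKey\Userinit", "set to '$Expected'")) {
        Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $Expected -Type String
    }
}

# Constructed sample: the value the article says BlazeFind leaves behind.
Test-UserinitValue -Value 'C:\Windows\System32\Wsaupdater.exe' -System32 'C:\Windows\System32'

# Live check; preview the repair before applying it (drop -WhatIf to write).
$result = Test-UserinitValue
if (-not $result.Healthy) {
    $result.Findings
    Repair-UserinitValue -Expected $result.Expected -WhatIf
}
```

Run it from an elevated PowerShell session; Set-ItemProperty on HKLM requires administrator rights, and the live check reports the same hijack whether the Ad-Aware definition update has already removed the file or not.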

Unable to logon to Windows after removing BlazeFind using a spyware removal utility?

Logon - Logoff loop, also caused by BlazeFind

Another critical symptom caused by this malware: it modifies the Userinit value in the registry (replacing userinit.exe with wsaupdater.exe), and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, which causes a logon-logoff loop. That is, when you log on to Windows, the "Loading your personal settings" message appears, but the session is immediately logged off again. This issue was documented clearly by Lavasoft USA in its LavaHelp knowledge base.

Here is the solution to the logon - logoff issue in Windows XP.

Enter the Recovery Console

Boot the system from the Windows XP CD-ROM. On the first screen after Setup begins, read the instructions and press "R" to enter the Recovery Console. Type the built-in Administrator password to enter the console. You'll see a prompt reading C:\WINDOWS (or whichever drive letter and folder XP is installed in).

Type the following command and press Enter.

CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)

COPY USERINIT.EXE WSAUPDATER.EXE

Quit Recovery Console by typing EXIT and restart Windows.

You'll be able to log on successfully, because you've created the wsaupdater.exe file that the registry still names (it is now a copy of userinit.exe).

Next, change the Userinit value in the registry as described in Phase II below, and then delete the wsaupdater.exe copy from System32.

Phase II - Fixing a registry entry which causes the Quick Launch issue (not retaining the settings)

Click Start, Run and type REGEDIT. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-pane, change the value of Userinit to "C:\WINDOWS\system32\userinit.exe,"

Type the above value exactly as given, including the trailing comma, but without the quotes. Change the path to userinit.exe if Windows is installed in a different drive or folder.

Close Registry Editor and restart Windows. The Quick Launch settings should be retained now.
