Wednesday, November 19, 2008

Automatically logoff logout as soon as I logon Login 2

08.04.2004 at 05:20PM PDT, ID: 11722102

Crash2100:
You could try doing a repair installation of windows.

How to Perform an In-Place Upgrade (Reinstallation) of Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341
Accepted Solution

08.04.2004 at 05:37PM PDT, ID: 11722245

jagoodie:
trying that now..

08.04.2004 at 09:49PM PDT, ID: 11723250

sramesh2k:
This is caused by a malware named BlazeFind. It adds an entry in the registry which is causing the problem.

From Recovery Console, make a copy of the file userinit.exe and name it WSAUPDATER.EXE

There was a KB article at Lavasoftusa, and it has now been removed. So, look at the previous newsgroup posting:

news:e9u3RODdEHA.1656%40TK2MSFTNGP09.phx.gbl

(Type this in Start/Run box)

Once done, you should be able to login successfully. Next, correct the registry setting, as explained here:

news:ugqPAGVdEHA.1648@TK2MSFTNGP11.phx.gbl
(Type this in Start/Run box)

The Userinit value must be changed in the registry.

08.04.2004 at 11:22PM PDT, ID: 11723513

sramesh2k:
Clearly documented at:

Quick Launch settings are not saved; Search Assistant Toolbar in Taskbar:
http://www.winxptutor.com/wsaremove.htm

08.05.2004 at 06:07AM PDT, ID: 11725635

jagoodie:
after i did the in-place install it logged in successfully. i did a scan for blazefind, and it was not present. i never get spyware.

08.21.2004 at 04:45AM PDT, ID: 11858437

lewisrw:
Hi - I solved my automatic LOGOFF problem that occurred every time I LOGGED ON - even in SAFE Mode. The problem turned out to be that the Winlogon userinit entry was set to "wsupdater.exe," and not "userinit.exe,". I fixed the problem by 1) booting to a Repair Console (IBM provides this on their laptops), 2) changing directory to C:\WINDOWS\System32, and 3) copying userinit.exe to wsaupdater.exe (there was no wsaupdater.exe present). I then 4) rebooted into Safe mode and successfully logged-on as Administrator (for the first time in several days!) Next step was to 5) edit the registry and change userinit in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from "wsaupdater.exe," to "userinit.exe,"; 6) final reboot and back to normal!

If this doesn't work, there are other things to try. See posting in microsoft.public.windowsxp.security_admin: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=Fl2zc.336021%24M3.285711%40twister.nyroc.rr.com&rnum=21&prev=/groups%3Fq%3Dwindows%2Bxp%2Bautomatic%2Blogoff%26start%3D20%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26selm%3DFl2zc.336021%2524M3.285711%2540twister.nyroc.rr.com%26rnum%3D21

Good luck
--Rick Lewis--
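
An added example, not part of any post in this thread: a small Python check for the Winlogon Userinit value discussed here, for use on a value read from the live registry or from a loaded hive. The function names, the sample values (constructed from what posters in this thread report) and the rule that a bare file name is looked up in system32 are assumptions of this example.

```python
import ntpath

def split_userinit(value):
    # Userinit holds a comma-separated program list; a trailing comma is normal.
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]

def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return a list of findings; an empty list means the value looks clean."""
    system32 = ntpath.join(system_root, "system32")
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    findings, has_real_userinit = [], False
    for entry in split_userinit(value):
        if "%" in entry:
            # The thread reports %system32%\userinit.exe as an invalid value.
            findings.append("variable in path, review by hand: " + entry)
            continue
        # Assumption: a bare file name is looked up in system32.
        full = entry if ntpath.isabs(entry) else ntpath.join(system32, entry)
        if ntpath.normcase(ntpath.normpath(full)) == expected:
            has_real_userinit = True
        else:
            findings.append("unexpected program: " + entry)
    if not has_real_userinit:
        findings.append("no entry resolves to " + expected)
    return findings

# Constructed samples: (Userinit value, %SystemRoot% of that machine).
SAMPLES = [
    (r"C:\WINDOWS\system32\userinit.exe,", r"C:\WINDOWS"),
    ("userinit.exe,", r"C:\WINDOWS"),
    ("wsaupdater.exe,", r"C:\WINDOWS"),
    (r"%system32%\userinit.exe", r"C:\WINDOWS"),
    (r"c:\winnt\system32\userinit.exe,iprotect.exe", r"C:\winxp"),
]

if __name__ == "__main__":
    for value, root in SAMPLES:
        result = audit_userinit(value, root)
        print(value, "->", result if result else "OK")
```

An empty result only says the value points at the expected path; it does not verify that the userinit.exe file on disk is the genuine one.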

09.23.2004 at 06:08AM PDT, ID: 12132772

kuvain:
The problem seems to be that blazefind (malware) copies the userinit.exe file to wsaupdater.exe and refers to this file in the registry instead of userinit.exe. Anti virus programs (I noticed it with NAV myself in several cases) then delete this file, which results in the problem as described.

This is easy to solve with the recovery console of windows xp. Copy (rename) the userinit.exe file to wsaupdater.exe in the recovery console. Now you're able to log on again and you can restore the original situation in the registry.

More information on how to use the recovery console is easy to find at Microsoft's site.

This solution is actually the same as sramesh2k's.


09.23.2004 at 06:36AM PDT, ID: 12133032

jagoodie:
Yes, which didn't work.

10.05.2004 at 10:56PM PDT, ID: 12234754

nyashinsky:
Try the instructions listed below. The renaming the file thing mentioned above worked for me for about a week, then it seemed the malware updated itself to use a different malicious registry edit, one which I haven't figured out yet.

Note I got these instructions from a Google cache of a Lavasoft forum page. The latter seems unavailable and I can't find the link to the former right now, but below is a possible alternative solution if copying the userinit.exe into wsaupdater.exe:. This gives you instructions on how to recover from a previously known good software registry hive (if I said that right). It should allow you to repair your newest registry using an old registry then go back to the newest registry after it has been repaired.

My problem is that I don't know yet what the new malicious registry edit is to repair it. I am gonna try a text comparison tool on export of the 2 registries, but I will save that for another night.

Hope this helps,

Neil


________________________________________________________________________
RESOLUTION

First it is necessary to go to the recovery console. If you are unsure of how to get to recovery console please see http://www.lavasofthelp.com/articles/v6/04/06/0901.html .

At the recovery console, it is necessary to replace the software hive with a previous good backup. Please type in each of the following bold lines, pressing ENTER after each one.

C:\windows>cd %windir%\system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\%windir%\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.

C:\windows\system32\config>exit

Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

open regedit.exe
Highlight HKEY_LOCAL_MACHINE (note: this is important, if you do not highlight this the next step will not work)
goto file - load hive...

Select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\windows\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back. It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit

MORE INFORMATION

This issue is resolved with Definition File SE1R10 28.09.2004.
Special thanks to Lavasoft Member dorkfish for his assistance in this matter.


10.06.2004 at 09:49AM PDT, ID: 12239671

thomas101:
Thank you very much for the instruction. I have the same problem and followed this instruction; it is back up and working great.

11.13.2004 at 01:38AM PST, ID: 12572891

andreni78:
works for me too!! great thanks nyashinsky!! i've been doing every method out there in existence.. and yours work perfectly!!!! i've been looking for a solution for DAYS AND DAYS on END!!! WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEW!!!!!!!!!!!!!!!

11.13.2004 at 12:49PM PST, ID: 12575466

bobert2:
I want to thank everyone for their assistance on this frustrating problem.

I'm posting a bit of a followup! I wasted a few hours because I thought I was following all of the instructions, but in fact I was not! I see that a few others have indicated that they tried to follow the instructions and it didn't work. It may be that they also did not follow the work around EXACTLY.

1) I tried to do my file copies from the DOS PROMPT using a DOS BOOT DISK. The files appear to copy and work, but IN FACT IT DOES NOT. Once I finally went to the original Windows Install CD and entered using the Recovery Console, everything worked correctly. From the DOS prompt using the Recovery Console, copy the userinit.exe to the wsauserupdater.exe file.
2) REBOOT INTO SAFE MODE and you should be able to logon as the administrator.
3) Correct your registry using REGEDIT. NOTE: - one user commented to watch the case sensitivity of the entry. I didn't take any chances, and made the changes to the WINLOGON entry as "C:WINDOWS\system32\userinit.exe," following it exactly for the upper and lower case, and to include the comma at the end, and everything worked for me!

I probably spent an hour or two researching this problem, and the fix should only have taken about 10 to 15 minutes. I wasted several hours by not going to the Recovery Console the first time around!

Thanks everyone!

Bob

11.13.2004 at 08:37PM PST, ID: 12577120

nyashinsky:
Dear bobert2,

I cannot speak for thomas101 and andreni78 directly in this regard, though I have every reason to believe them, but I can assure you that I did "follow the work around" _EXACTLY_. As a matter of fact, if you read my post carefully you'll see I followed those instructions exactly and successfully, once. The second time around it was exactly and unsuccessfully. Both times I used the recovery console; the second time I was even told that the file in question already existed.

I can certainly sympathize with your plight, having been in similar situations where I nearly followed the directions and only recognized my mistake after nearly doing it until I did it exactly. In the end, one truth (usually) prevails, or so says Conan Edogawa, so I must thank you for your contribution to the discussion, but politely refute your suggestion that there are not variants out there that make the registry value in question simply unreadable, and the original work around ineffective.

While I am at it, I will be happy to say to thomas101 and andreni78, You're Welcome! Share and Share alike

I would also say, since I am already on my soap box, that while the original answer by crash2100 would have solved the problem, it wasn't nearly as good as the one later posted by sramesh2k, whom I would also like to thank. He provided much more insight on the problem and his solution was much lower risk to lose existing settings, and it didn't require reapplying MS Updates. Without his posting I would have been unlikely to find the way to work around BlazeFind's evolving evil ways.

11.15.2004 at 01:05AM PST, ID: 12582156

andreni78:
i fixed it.. but it came back.. then i fixed it again.. rescanned my computer with adaware.. and only found cookies... what's the deal? hmmm

11.15.2004 at 05:11AM PST, ID: 12583402

jagoodie:
Fun. Windows can really bite sometimes. By chance, is your PC a Dell? Mine is.

11.15.2004 at 12:02PM PST, ID: 12587221

andreni78:
yes my pc is a dell.. but that's irrelevant?

11.15.2004 at 12:03PM PST, ID: 12587230

andreni78:
by the way.. this is my 3rd time fixing it...

11.15.2004 at 12:10PM PST, ID: 12587316

andreni78:
every time.. it changes my setting to c:\winnt\system32\userinit.exe when my root NT folder is winxp.. and next to it.. is always: iprotect.exe... so what i did is.. made a folder winnt\system32 and copied userinit.exe in it.. and copied userinit.exe over iprotect.exe and gave it a read only attribute.. hopefully this solves the problem

11.15.2004 at 03:50PM PST, ID: 12589228

nyashinsky:
andreni78,

Do you have a software firewall running on your machine? I found after installing ZoneAlarm's free version, updates/mutations to the spyware/malware were stopped. This was a decisive turning point for me.






pcplus1
07.07.2008 at 08:43PM PDT, ID: 21950693

Hey Guys,

Thank you so much for your solutions. I have tried all of them and I am not able to get rid of the problem. Has there ever been a situation where none of the solutions worked? I have run out of time and patience. I thought about removing the hard drive from the desktop and connecting it by USB to another computer to try to scan and remove the virus. Do you know if this is a possible solution? If you guys have any other solutions, please let me know, because if not I have no other choice but to wipe it.

Godchild


nuiphao
08.23.2008 at 07:12AM PDT, ID: 22297005
I have tried everything above. It seems it is not related to adaware.

Could I get some advice on this?
