Unusual prob - Bart didn't help..

  1. #1
    The Doctor Und3ertak3r
    Join Date: Apr 2002

    Unusual prob - Bart didn't help..

    Hi Guys,

    I struck a strange one today.. And please no comment what I should do.. problem was Repaired.. I mention it here as I did not locate a likely cause..

    The system:
    Win XP He sp1, Cel2.6G 256Mb ram on a gigabyte MoBo.. NAV 2004 appeared to be updated to one week ago.. patches seemed ok but not SP2..

    system would boot almost to Desktop..ie wallpaper would appear then the "welcome" would reappear.. and the logon screen would come up.. (single user and no password)
    Clicking on the user's name would bring up a brief flash of the user's wallpaper the Logging out would come up and back to logon screen:

    Customer had reported that they had cleared the cookies and TIF's and emptied the Recycle Bin before switch off.. so suspicion of a critical file is considered..

    What I did:
    Yep: Bart was first into the show: checked the recycle bin.. empty.. (I don't have bart setup to do file recovery..)
    then a Stinger and a McAfee AV scan (2 week old defs).. only found a couple of Downloader trojans.. ie Adware crap
    Adaware 6 found the same..

    A quick look at the registry, The tool I currently use looks at HKLM and HKCU strands of the registry, Showed only a couple of parasites ..ie Bridge.exe And some rundll32's ..

    So a backup of the machines registry (haven't tried a restore from a remote registry bu yet so this was like putting on Bubble wrap before jumping out of a speeding car)

    All funnies Renamed, moved or deleted.. ready to restart.. almost.. "Google is my friend":

    A couple of tries with different combinations in google with Logo logoff and winXP .. yielded about three mentions of the symptoms I was looking at.. each mentioned a corrupted Userinit.exe .. ok restore from CD.. Well these guys had no problems it seems.. Oh and by the way it seems that at least one of these ppl had the same set of circumstances leading to the problem,, oh and their machines were full of spyware....

    So a check of the file ..no problems correct weight and size for a SP1 HE machine.. Restore from the cd anyway!! .. Attempted restart..FAILED.. Same symptoms as before..

    Can't F around any longer with this job.. Repair install.. Fixed.. Removed the remaining spyware crap 10 different progs.. 40 or so files (not counting 1 or 2 hundred cookies)..
    Ren Win Update.. installed SP 2.. F...F...F.. Modem gone..F SP2.. reinstalled Modem.. yep the Customer's Hubby's Porn Sites are back and running.. (Copied Links for future examination then) Removed them.. Installed F/Fox, and placed the porn sites in the Hosts file..redirected to

    It annoys me when I can't get to the root cause of the problem..but Time is money.. and in this case it was a time restriction as well..

    Anyone else seen this symptom? Be interested to see if this isn't a newish virii or Crapware..



    BTW: Had another job.. site call

    Compaq Box with Win2k.. on a small network (ok TS ..a what netwerk) 3 machines via an ADSL router -SLOOOOOOOOOOW ADSL 64\128

    Intermittent errors in IE (they have to use it because of the Company online finance and sales logins) and Can't send emails ..

    Hmm quick check: Outbox 10 emails, one with an attachment, a small picture of 52.5MB

    deleted .. problem 1 solved..
    Hmmm .. Taskman?,.. yep a funny in the running processes..

    killed it and a quick run of FXNETSKY to remove the rest of Netsky.D.. while that was running a quick install of Adaware-se and 60 items later (mainly Cookies) ..An install of AVG..to tide them over until my next call to install a current edition of McAfee AV.. to replace their 2yr out of date version.. (that's right 1 bloody virus.. and 2 years of no def updates..oh and the version had no email scan either) that is luck

    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    The Doctor Und3ertak3r
    Join Date: Apr 2002
    Found another with the same problem.. a solution is given here


    I think this is WSAUPDATER.EXE you have picked up and I have only found one way to fix it so far.

    Put your XP CD in and boot up. Let setup run and choose the first "R" you come to. This is the Recovery Console

    C:\windows now follow from here:

    type 'cd system32' the directory should now be
    type 'copy userinit.exe wsaupdater.exe'
    1 file should be copied, now REBOOT!

    Login might hang for a while.

    Once in windows run Regedit and go to the key
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Look in the right pane for the Userinit value/subkey. Double click the Userinit subkey and change its value to C:\Windows\System32\userinit.exe,

    Make sure you have the comma at the end. Exit Regedit.

    You can delete the WSAUPDATER.EXE you created before now.
    Just in case any get a hold of it..


    More info here; the thread is more helpful...


    These show up in a HijackThis log as:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the entries and remove the folder
    C:\Program Files\WindowsSA
    and the file

    Search Assistant Toolbar Problem

    The log will look something like this:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the above items, then reboot into safe mode and delete:
    C:\Program Files\WindowsSA <= entire folder

    BEFORE reboot have them check their system32 folder to see that userinit.exe exists!!

    If necessary they can copy that file from:




    If userinit is missing from system32 folder and the user reboots without the file being replaced...they cannot log back on!!

    Do not let the Userinit registry entry be removed by AdAware.

    You will not be able to log back on if you are running XP.

    First Fix this entry with HijackThis:
    F2 - REG:system.ini: UserInit=E:\Windows\System32\wsaupdater.exe

    Then use AdAware (after a reboot).

    This issue has been resolved in the latest update.

    "The latest reference-file (01R315 06.06.2004) no longer removes wsaupdater.exe at all, hence no longer creating the logon issue recently discovered."

    So. As always, make sure every software you use is fully updated.
    I know where I may need to hang out more often..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
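
Added example, not part of either post above: a check that reads a HijackThis log, lists what the F2 UserInit line would start at logon, and reports whether deleting a given file would reproduce the logon/logoff loop described in the thread. The function names and the sample log are constructed for illustration.

```python
import ntpath
import re

# Constructed sample, modelled on the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
"""

F2_USERINIT = re.compile(r"^\s*F2 - REG:system\.ini: UserInit=(.*)$", re.I | re.M)
DEFAULT_DIR = re.compile(r"^[a-z]:\\windows\\system32$", re.I)


def userinit_programs(log_text):
    """Return every program path listed in F2 UserInit lines of a HijackThis log."""
    programs = []
    for value in F2_USERINIT.findall(log_text):
        # The value is a comma-separated list; the trailing comma leaves an empty item.
        programs += [p.strip() for p in value.split(",") if p.strip()]
    return programs


def is_default(path):
    """True only for <drive>:\\Windows\\System32\\userinit.exe."""
    folder, name = ntpath.split(path)
    return name.lower() == "userinit.exe" and bool(DEFAULT_DIR.match(folder))


def hijacked_entries(log_text):
    """Programs Winlogon would start at logon other than the stock userinit.exe."""
    return [p for p in userinit_programs(log_text) if not is_default(p)]


def removal_blocked(log_text, filename):
    """True while deleting `filename` would leave Userinit naming a missing file.

    This is the failure from the thread: the file was removed by a cleaner
    while the Userinit value still pointed at it.
    """
    target = filename.lower()
    return any(ntpath.basename(p).lower() == target for p in userinit_programs(log_text))


if __name__ == "__main__":
    for entry in hijacked_entries(SAMPLE_LOG):
        print("Repair Userinit before deleting:", entry)
```

A file for which `removal_blocked` returns True should only be deleted after the Userinit value has been set back to userinit.exe, which is the order the quoted fix follows.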
