Unusual prob - Bart didnt help..

Hi Guys,

I struck a strange one today.. And please no comment what I should do.. problem was Repaired.. I mention it here as I did not locate a likley cause..

The system:
Win XP He sp1, Cel2.6G 256Mb ram on a gigabyte MoBo.. NAV 2004 appeared to be updated to one week ago.. patches seemed ok but not SP2..

Fault;
system would boot almost to Desktop..ie wallpaper would appear then the "welcom" would reappear.. and the logon screen would come up.. (single user and no password)
Clicking on the users name would bring up a brief flash of the users wallpaper the Logging out would come up and back to logon screen:

Customer had reported that they had cleared the cookies and TIF's and emptied the Recycle Bin before switch off.. so suspicion of a critical file is considdered..

What I did:
Yep: Bart was first into the show: checked the recycle bin.. empty.. (I don't have bart setup to do file recovery..)
then a Stinger and a Mcafee AV scann (2 week old defs).. only found a couple of Downloader trojans.. ie Adware crap
Adawre 6 found the same..

A quick look at the registry, The tool I currently use looks at HKLM and HKCU strands of the registry, Showed only a couple of parasites ..ie Bridge.exe And some rundll32's ..

So a backup of the machines registry (haven't tried a restore from a remote registry bu yet so this was like putting on Bubble wrap before jumping out of a speeding car)

All funnies Renamed, moved or deleted.. ready to restart.. almost.. "Google is my friend":

A couple of tries with different combinations in google with Logo logoff and winXP .. yeilded about three mentions of the symptoms I was looking at.. each mentioned a corrupted Userinit.exe .. ok restore from CD.. Well these guys had no problems it seems.. Oh and buy the way it seems that at least one of these ppl had the same set of circumstances leading to the problem,, oh and their machines were full of spyware....

So a check of the file ..no problems correct weight and size for a SP1 HE machine.. Restore from the cd anyway!! .. Attempted restart..FAILED.. Same symptoms as before..

Can't F around anlonger with this job.. Repair install.. Fixed.. REmoved the remaining spyware crap 10 different progs.. 40 or so files (not counting 1 or 2 hundred cookies)..
Ren Win Update.. installed SP 2.. F...F...F.. Modem gone..F SP2.. reinstalled Modem.. yep the Customers Hubbies Porn Sites are back and running.. (Copied Links for future examination then) Removed them.. Installed F/Fox, and placed the porn sites in the Hosts file..redirected to 127.0.0.1


It annoys me when I cant get to the root cause of the problem..but Time is money.. and in this case it was a time restriction as well..



Anyone else seen this symptom? Be interested to see if this isn't a newish virii or Crapware..

Cheers

Undies


BTW: Had another job.. site call

Compaq Box with Win2k.. on a small network (ok TS ..a what netwerk) 3 machines via a adsl router -SLOOOOOOOOOOW ADSL 64\128

Intermittent errors in IE (they have to use it because of the Company online finance and sales logins) and Cant send emails ..

Hmm quick check: Outbox 10 emails, one with an attachment, a small picture of 52.5MB

deleted .. problem 1 solved..
Hmmm .. Taskman?,.. yep a funny in the running processes..

killed it and a quick run of FXNETSKY to remove the rest of Netsky.D.. while that was running a quick install of Adaware-se and 60 items later (mainly Cookies) ..An install of AVG..to tide them over untill my next call to install a current edition of McAfee AV.. to replace their 2yr out of date version.. (thats right 1 bloody virus.. and 2 years of no def updates..oh and the version had no email scan either) that is luck

Found another with the same problem.. a solution is given here

http://discussions.virtualdr.com/sho...hreadid=173361

Quote:

---

I think this is WSAUPDATER.EXE you have picked up and I have only found one way to fix it so far.

Put you XP CD in and boot up. Let setup run and choose the first "R" you come to. This is the Recovery Console

C:\windows now follow from here:

C:\windows
type 'cd system32' the directory should now be
C:\windows\system32
type 'copy userinit.exe wsaupdater.exe'
1 file should be copied, now REBOOT!

Login might hang for a while.

Once in windows run Regedit and go to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look in the right pane for the Userinit value/subkey. Double click the Userinit subkey and change it's value to C:\Windows\System32\userinit.exe,

Make sure you have the comma at the end. Exit Regedit.

You can delete the WSAUPDATER.EXE you created before now.

---

Just incase any get a hold of it..

Cheers

More info here; the thread is more helpful...

http://www.wilderssecurity.com/archi...p/t-35120.html

Quote:

---

These show up in a HijackThis log as:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

Fix the entries and remove the folder
C:\Program Files\WindowsSA
and the file

---

Quote:

---

Search Assistant Toolbar Problem

The log will look something like this:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

Fix the above items, then reboot into safe mode and delete:
C:\Program Files\WindowsSA <= entire folder
C:\Windows\System32\wsaupdater.exe

NOTE
BEFORE reboot have them check their system32 folder to see that userinit.exe exists!!

If necessary they can copy that file from:

C:\windows\ServicePackFiles\i386\userinit.exe

to:

C:\windows\system32\userinit.exe

If userinit is missing from system32 folder and the user reboots without the file being replaced...they cannot log back on!!

Do not let the Userinit registry entry be removed by AdAware.

You will not be able to log back on if you are running XP.
http://www.wilderssecurity.com/showthread.php?t=35098
http://www.lavasoftsupport.com/index...pic=29727&st=0

First Fix this entry with HijackThis:
F2 - REG:system.ini: UserInit=E:\Windows\System32\wsaupdater.exe

Then use AdAware (after a reboot).

This issue has been resolved in the latest update.

"The latest reference-file (01R315 06.06.2004) no longer removes wsupater.exe at all, hence no longer creating the logon issue recently discovered."

So. As always, make sure every software you use is fully updated.

---

I know wher I may need to hang out more often..