Stuck in logoff loop

  • Thread starter Gregg Cattanach

Bart Bailey

In Message-ID:<[email protected]> posted
Bart said:
In Message-ID:<[email protected]> posted
It really is irritating to me that just by visiting a website my
registry can be modified at this 'deep' level without Windows even
notifying me that something is trying to do this.

You could remove the culprit subroutine [mshtml.dll] but then your IE
wouldn't work and you would have to get a safe alternative browser.

But how many legitimate processes (as far as viewing web pages goes) need to
make entries or changes to the registry at all?

Gregg C.
AFAIK none, at least not with my browser (Opera).
The microsoft html rendering engine I referred to has some exploitable
features that can wreak all sorts of "entertainment" on your machine.
 

Jay

roger said:
Hi,

On 8 Jun 2004 12:44:47 -0700, (e-mail address removed) (Jay) wrote:

[...]
This looks similar to the problem I have when I installed Ad-Aware on
my friend's PC. Can you tell me how you have corrected the problem? I
really do not know XP that well. I would appreciate it because I have
the same log off thing going on with her E-machine.
Thanks.


"Blazefind changes the following registry-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\userinit.exe,"

in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\wsaupdater.exe,"



Used Lavasoft Adaware to get rid of the pest ----> removed blazefind
and with it the wsaupdater.exe

==> next time i tried to logon my computer the system tries to run
wsaupdater.exe which it couldn't find ! FAILED LOGON -> LOGOFF

I first tried to find ways to change the registry from within the
recovery console but i did not succeed (ERD commander will probably
work, but since i wasn't sure that this was the problem i thought it a
little bit too expensive)...
Then i thought of this:
just copy userinit.exe as wsaupdater.exe !! It's as simple as that....

YES!! it works again... and blazefind is gone (it seems.... :) )"

Using the recovery console employ the command

copy C:\Windows\System32\userinit.exe
C:\Windows\System32\wsaupdater.exe

(this is one line separated by a space, supposing the partition where
windows is installed is C, and supposing blazefind caused this)

Good luck


Thanks I will see what I can do when I go back over there.
 

Gregg Cattanach

Jay said:
Gregg,

This looks similar to the problem I have when I installed Ad-Aware on
my friend's PC. Can you tell me how you have corrected the problem? I
really do not know XP that well. I would appreciate it because I have
the same log off thing going on with her E-machine.
Thanks.

From a previous post, assuming blazefind hosed your registry, the below is
how I fixed it.

The main thing is to get to the Recovery Console by booting with the
WindowsXP CD, then do:
copy C:\Windows\System32\userinit.exe C:\Windows\System32\wsaupdater.exe

Gregg


From a recent post:

"Blazefind changes the following registry-key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\userinit.exe,"

in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
"Userinit" = "C:\WINNT\system32\wsaupdater.exe,"



Used Lavasoft Adaware to get rid of the pest ----> removed blazefind
and with it the wsaupdater.exe

==> next time i tried to logon my computer the system tries to run
wsaupdater.exe which it couldn't find ! FAILED LOGON -> LOGOFF

I first tried to find ways to change the registry from within the
recovery console but i did not succeed (ERD commander will probably
work, but since i wasn't sure that this was the problem i thought it a
little bit too expensive)...
Then i thought of this:
just copy userinit.exe as wsaupdater.exe !! It's as simple as that....

YES!! it works again... and blazefind is gone (it seems.... )"

Using the recovery console employ the command

copy C:\Windows\System32\userinit.exe
C:\Windows\System32\wsaupdater.exe

(this is one line separated by a space, supposing the partition where
windows is installed is C, and supposing blazefind caused this)

Good luck

This worked excellently!! Much easier than all that complicated stuff about
booting into Linux. It was the blazefind spyware that goofed up the
registry, so that let me get booted up then I could fix the registry from
there.

Ad-aware deletes the wsaupdater.exe file, but DOESN'T correct the registry
change made, so it tries to boot up with a nonexistent exe file.

Gregg C.
 

roger

On 9 Jun 2004 07:10:42 -0700, (e-mail address removed) (Jay) wrote:

[...]
Thanks I will see what I can do when I go back over there.

You're welcome.
Hope it works, good luck.
 

Locke Nash Cole

You should not fix it this way however, you could correct the registry entry
to simply point to the REAL windows executable, and delete the fake one.

-L
 

Gregg Cattanach

Locke said:
You should not fix it this way however, you could correct the
registry entry to simply point to the REAL windows executable, and
delete the fake one.

-L

You must do the fix I listed FIRST, in order to get your system to boot up.
You can't fix the registry if you can't boot up. THEN you can manually
correct your registry to point to userinit.exe and delete wsaupdater.exe.

Gregg C.
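
An added example, not part of any post in this thread: a Python check that classifies the entries of a Winlogon "Userinit" value into the three states the thread walks through (stock value, value left pointing at a deleted file, value still pointing at the stand-in copy). The function names, status labels and the `existing_files` stand-in for an on-disk check are assumptions; the sample values are constructed from the paths quoted above.

```python
import ntpath
import re


def _norm(path):
    # Windows paths are case-insensitive; normalise before comparing.
    return ntpath.normcase(ntpath.normpath(path))


def audit_userinit(value, system_root, existing_files):
    r"""Classify each comma-separated entry of a Userinit value.

    value          -- raw registry data, e.g. C:\WINNT\system32\userinit.exe,
    system_root    -- Windows directory, e.g. C:\WINNT
    existing_files -- paths known to exist (stand-in for a real disk check)
    Returns a list of (entry, status) with status in
    {"ok", "dangling", "unexpected"}.
    """
    expected = _norm(ntpath.join(system_root, "system32", "userinit.exe"))
    present = {_norm(p) for p in existing_files}
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        expanded = re.sub(r"%systemroot%", lambda m: system_root,
                          entry, flags=re.IGNORECASE)
        path = _norm(expanded)
        if path not in present:
            status = "dangling"    # file removed, value left behind
        elif path == expected:
            status = "ok"
        else:
            status = "unexpected"  # file exists but is not userinit.exe
        findings.append((entry, status))
    return findings


def needs_registry_fix(findings):
    # Anything other than a single clean userinit.exe entry needs review.
    return [s for _, s in findings] != ["ok"]


if __name__ == "__main__":
    root = r"C:\WINNT"
    ui = root + r"\system32\userinit.exe"
    ws = root + r"\system32\wsaupdater.exe"
    # Constructed samples: stock, after file removal, after the copy workaround.
    for value, files in [(ui + ",", [ui]), (ws + ",", [ui]), (ws + ",", [ui, ws])]:
        result = audit_userinit(value, root, files)
        print(value, result, "fix needed:", needs_registry_fix(result))
```

The third sample still reports that a fix is needed: the copy workaround makes the referenced file exist again, but the value has not been restored to userinit.exe.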
 
