Hello Jose,
I am writing from work now. What I meant by reformatting is taking my
machine down to like the first day I had it. I've been wanting to do this
for quite a while as I've had this machine for about 5+ years. If I can't get
to my machine to download my files and such, it will be a great loss. BUT I
have been reading about a "non invasive" (I think it is called, I've been
reading about it on the net) reformatting that sounds like it does save your
files for you.
I don't know of a person that has a bootable CD, they kind of looked at me
today like "UH"?
I will keep asking and I am going to check to see how much it would cost to
take the HD in and see if they can pull the files out for me, then I can do a
format without losing my stuff.
Jose and all,
Thank you guys for trying to help a very leery, not savvy computer person
Debbie
Here is what I think.
The malware has done 2 things.
First, it put the wsupdater.exe in your \windows\system32 folder. It
may have deleted userinit.exe or corrupted it, but that is only part of
the problem.
The next thing it did was modify your registry so that what gets run
when XP starts is not userinit, but wsupdater instead.
Just replacing userinit will not fix it, because the registry is still
pointing to wsupdater. So, if you make a copy of userinit and copy
it over the top of wsupdater, the FILE called wsupdater will get
executed but it is really the copy of userinit (are you with me?). XP
logs in fine now.
That may be fine for some people - it works, whew! But the registry
still has a reference to wsupdater.exe and shouldn't, so you should
really fix that also, then delete the wsupdater.exe file leaving the
good userinit and registry setting pointing to the proper file. If you
copy the userinit, XP will login, then fix the registry then delete
the unused
On May 26, 2:00 pm, siamoose
Hello Jose,
I am writing from work now. What I meant by reformatting is taking my
machine down to like the first day I had it. I've been wanting to do this
for quite a while as I've had this machine for about 5+ years. If I can't get
to my machine to download my files and such, it will be a great loss. BUT I
have been reading about a "non invasive" (I think it is called, I've been
reading about it on the net) reformatting that sounds like it does save your
files for you.
I don't know of a person that has a bootable CD, they kind of looked at me
today like "UH"?
I will keep asking and I am going to check to see how much it would cost to
take the HD in and see if they can pull the files out for me, then I can do a
format without losing my stuff.
Jose and all,
Thank you guys for trying to help a very leery, not savvy computer person
Debbie
Here is what I think.
The malware is known by two distinct things and your machine has all
the symptoms.
First, it put the wsupdater.exe in your \windows\system32 folder. It
may have deleted userinit.exe or corrupted it, but that is only part of
the problem. Userinit is what the registry says to run when XP starts
so you can login.
Remember the last time you logged in and that message? Where did that
message come from? That was wsupdater NOT userinit. Maybe you didn't
answer the questions properly (buy my stuff), so it fixed you!
The next thing it did was modify your registry so that what gets run
when XP starts is not userinit, but wsupdater instead.
Just replacing userinit will not fix it, because the registry is still
pointing to wsupdater. So, if you make a copy of the known good
userinit over the top of wsupdater, the FILE called wsupdater will
get executed (from the registry) but it is really userinit and the
registry is still wrong (but it "works"). Are you with me?
That may be fine for some people - it works, whew! But the registry
has a reference to wsupdater.exe and shouldn't, so you should
really fix that also, then delete the wsupdater.exe file leaving the
good userinit and registry setting pointing to the proper file. The
registry fix takes minutes (or less).
This explains why you can't even boot in safe mode. The userinit
still gets executed at boot time in safe mode, but with this
infection, wsupdater gets run instead no matter how you let XP boot.
To fix it with no screwdrivers, without leaving the house and no data
loss, you must boot some kind of XP that is able to
at least access the hard disk to replace, copy or whatever a userinit
that works. THEN, fix the registry (or you could do it at the same
time). System Restore, Repair, Last known Good.. my butt. You can't
even get that far and it is NOT your problem.
The XP bootable CD Recovery Console will let you start "XP" enough to
allow you access to the disk (that is why it is there). That is the
cleanest way. You need to somehow get to the file system on the HDD.
There are ways to make some bootable XP-like CD (like was referenced
before), but that reads like it just puts a new userinit file out
there which is not going to fix anything. I guess it would work if
userinit was just missing, but that is not how this malware works. I
have not had a need to try those methods, but might look into it.
You need a bootable XP CD of some kind - you need a bootable XP Pro
(if that is what you have) even to format your disk to reinstall - you
gotta have/borrow one. If you can borrow one even if it is years old,
it should work fine. It is not tied to a machine until you install
and license it, but you won't get anywhere near that. You just need
the recovery console. The rest is easy (maybe just one helpful
email).
If you can burn CDs, maybe you can make one of those bootable things,
but you need more than a userinit.exe file. Making a bootable CD
sounds like a lot of trouble that "might" work, maybe, but... I
prefer the sure thing.
Jose jumps off soapbox.
Jose
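
A check for the registry condition described in the reply above, as an added example that is not part of the original thread: it parses `reg query` output for the Winlogon `Userinit` value and flags anything other than the stock userinit.exe, so the "copy userinit over wsupdater" workaround is still reported. The key path (`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, which the thread does not name), the `C:\WINDOWS` system root and the sample output are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `reg query` output for an infected machine (not from the thread).
SAMPLE_INFECTED = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\wsupdater.exe,\n"
)
SAMPLE_CLEAN = SAMPLE_INFECTED.replace("wsupdater", "userinit")


def parse_userinit(reg_output):
    """Return the Userinit data string from `reg query` text, or None."""
    for line in reg_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "userinit" and parts[1].startswith("REG_"):
            return parts[2].strip()
    return None


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Return findings for a Userinit value; an empty list means it is the default."""
    if value is None:
        return ["Userinit value not found"]
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    findings, seen_default = [], False
    # The value is a comma-separated list of programs Winlogon starts at logon.
    for entry in (e.strip().strip('"') for e in value.split(",")):
        if not entry:
            continue  # the default value ends with a trailing comma
        expanded = re.sub(r"%systemroot%", lambda m: system_root, entry, flags=re.I)
        if ntpath.normcase(ntpath.normpath(expanded)) == expected:
            seen_default = True
        else:
            findings.append("unexpected entry: " + entry)
    if not seen_default:
        findings.insert(0, "default userinit.exe entry is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, audit_userinit(parse_userinit(text)))
```

The check reads only the registry value, so it keeps reporting the wsupdater.exe reference until the value itself is set back to userinit.exe.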