Open this folder using Windows Explorer:
C:\WINDOWS\System32
and look for this file "wsaupdater.exe"
Caution: First change the userinit value to the correct value I stated.
Reboot once and then only delete wsau...exe file.
--
Ramesh - Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
AumHa VSOP:
http://www.aumha.org
I don't mean to sound dumb, but how do I delete that
wsaupdater.exe file? Just search for it and click delete?
-----Original Message-----
Yes. That should help. Change the line back to the
value I said and restart Windows. Upon next successful
login, delete the malware file wsaup.....exe
--
Ramesh - Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
AumHa VSOP:
http://www.aumha.org
Hello Ramesh,
I was also having the same problem as Jay and I followed
your instructions and sure enough, the string
at "Userinit" at the location
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
said "C:\WINDOWS\System32\wsaupdater.exe,"
so I changed it to "C:\WINDOWS\System32\userinit.exe,"
This should take care of the problem I hope?
Thank you,
Marisa
-----Original Message-----
I'm not talking about HKEY_CURRENT_USER, but
HKEY_LOCAL_MACHINE.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
--
Ramesh - Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
AumHa VSOP:
http://www.aumha.org
On 24.06.04 09:34, Ramesh [MVP] wrote:
--- Original Message ---
Hi Jay,
This may be caused by Blazefind or any other malware.
Open Registry Editor and navigate to this location:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
In the right-pane, locate the value named "Userinit"
and note down the value data
(should be C:\Windows\System32\userinit.exe, the
correct value)
If you see any other value there, post back with
details and change the value data to:
C:\Windows\System32\userinit.exe,
(Assuming Windows is installed in C:\ drive)
There is no entry for "Userinit", doesn't exist in that
key.
All that's there is:
BuildNumber
ExcludeProfileDirs
ParseAutoexec
Should I ADD "Userinit" and the value ??
Jay
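
The check described in this thread, as an added PowerShell example that is not part of the original posts: it splits the Winlogon "Userinit" value into its comma-separated entries and flags anything other than userinit.exe. The helper name Test-UserinitValue is hypothetical, Windows is assumed to be installed in C:\Windows unless a system root is passed, and the sample values not quoted in the thread are constructed.

```powershell
# Added example, not from the thread. Test-UserinitValue is a hypothetical helper name.
$WinlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-UserinitValue {
    param(
        [string]$Value,                      # raw Userinit value data
        [string]$SystemRoot = 'C:\Windows'   # assumption, as in the thread
    )
    $expected = $SystemRoot.TrimEnd('\') + '\System32\userinit.exe'
    # Userinit is a comma-separated list; a trailing comma is normal.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' })
    # Anything that is not exactly userinit.exe (case-insensitive) is suspect.
    $unexpected = @($entries | Where-Object { $_ -ine $expected })
    [pscustomobject]@{
        Expected   = $expected
        Unexpected = $unexpected
        Missing    = ($entries.Count -eq 0)
        Clean      = ($entries.Count -gt 0 -and $unexpected.Count -eq 0)
    }
}

# Sample values: the first two are quoted in the thread, the last two are constructed.
$samples = [ordered]@{
    'thread: corrected value'       = 'C:\WINDOWS\System32\userinit.exe,'
    'thread: hijacked value'        = 'C:\WINDOWS\System32\wsaupdater.exe,'
    'constructed: entry appended'   = 'C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\wsaupdater.exe'
    'constructed: value data empty' = ''
}
foreach ($name in $samples.Keys) {
    $r = Test-UserinitValue -Value $samples[$name]
    '{0,-30} clean={1,-5} missing={2,-5} unexpected={3}' -f `
        $name, $r.Clean, $r.Missing, ($r.Unexpected -join ';')
}

# Live check (Windows only): read the real value from HKEY_LOCAL_MACHINE,
# not HKEY_CURRENT_USER, and audit it the same way.
if (Test-Path $WinlogonKey) {
    $live = (Get-ItemProperty -Path $WinlogonKey -Name Userinit `
                -ErrorAction SilentlyContinue).Userinit
    Test-UserinitValue -Value $live -SystemRoot $env:SystemRoot
}
```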