system config. utility problem

Jose

Hi Jose, You have been very helpful and I appreciate that.
It was my lack of 'know how' that more likely keeps me from interpreting
your (or any ones instructions) the way it should be interpreted. This is
all new to me, so I thank you for your patience.
You asked this:
" When you try to login to Windows now, do you enter your credentials
and it looks like it is starting to work and then see a "Saving your
settings" type message and just can't get past that with another logon
attempt? "...answer is YES. I don't have my user acct where I type a
password. My user acct is the only one on there.

I am in the recovery console because I used my original CD that came with my
system. At this point, I know I have the I386 and the "winlogon.exe". My
computer is at that screen where the winlogon.exe thing is at......

I am just waiting for the next step...
thank you again

Boot back into RC so you are back in the C:\WINDOWS folder.

There is malware that deletes, corrupts or replaces the
c:\windows\system32\userinit.exe file.

The userinit.exe is the file that processes your login in regular mode
or any kind of Safe Mode, so if the mechanism is somehow broken it
creates an endless cycle of unsuccessful logon attempts in any mode for
any user.

When you type in your user name and password the system will report
that it is Loading your personal settings, logging off and then
unloading your personal settings. This is the malware trying to
prevent you from finding and removing it.

It may also change your registry so instead of the registry pointing
to userinit.exe, it points to another file called wsaupdater.exe.
Sometimes scanning programs can find and replace the wsaupdater.exe
file but will not fix the registry, so you need to somehow get the
system to boot and fix the rest of the problem by hand.

It is popular enough for Microsoft to create a KB that describes the
wsaupdater problem (read it later).

http://support.microsoft.com/kb/892893

The following directions will cover more situations than the article,
but you should read it to understand.

After booting on the Recovery Console successfully, you are in the
C:\WINDOWS folder, and the userinit.exe file is in the SYSTEM32 folder,
so change to the system32 folder by entering:

cd system32

The prompt should now be:

c:\windows\system32

Check for the presence of both userinit.exe and wsaupdater.exe. They
may be there or they may not, but we need to know to completely fix
the problem.

dir userinit.exe (post results - the file exists or it does not)
dir wsaupdater.exe (post results - the file exists or it does not)

No matter what you find, replace the userinit.exe from a copy
elsewhere on your system.

There is another copy of userinit.exe in the c:\windows\system32\dllcache
folder, so copy it into the c:\windows\system32 folder.

From the c:\windows\system32 folder enter:

copy c:\windows\system32\dllcache\userinit.exe

You will get a message that says 1 file(s) copied or asks whether to
overwrite the existing file (choose (Y)es to overwrite). Post back
what happened - it either copied or it replaced userinit.exe.

If the copy fails for some reason, we can get a userinit.exe from your
installation CD (if you made a Recovery Console CD, userinit.exe is
not on it).

The malware may have changed your registry to point to wsaupdater.exe,
and a malware scan may remove only the wsaupdater.exe file, leaving
the registry still wrong, so your system will still not boot until you
copy userinit.exe to wsaupdater.exe. We will check for and fix this
later.

In case the registry was also changed, in the c:\windows\system32
folder, copy userinit.exe to wsaupdater.exe. Do not delete the
wsaupdater.exe file if it exists - just copy the userinit.exe file
over the top of it.

From the c:\windows\system32 folder enter:

copy userinit.exe wsaupdater.exe

Answer (Y)es if there is an overwrite prompt. Post the results - it
either copied it or replaced it.

Make sure userinit.exe exists by entering:

dir userinit.exe (post results - it should exist)

Type exit to leave the Recovery Console, remove the CD and reboot.

If the wsaupdater.exe file existed, we need to check the registry to
make sure it is okay, but scan for malware first, and check/fix the
registry later.
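For the "check/fix the registry later" step, here is an added PowerShell check (not from the thread or its participants) that reads the Winlogon Userinit and Shell values, flags a redirection to wsaupdater.exe or the other file names mentioned in this thread, confirms the referenced files exist, and compares system32\userinit.exe with the dllcache copy. It assumes an Administrator PowerShell on the repaired system and the stock 32-bit Windows XP values for Userinit and Shell.

```powershell
# Added example, not part of the thread: verify the Winlogon registry values and
# the files behind the userinit.exe / wsaupdater.exe login loop described above.
# Assumptions: run in an Administrator PowerShell on the repaired system; the
# expected stock values below are for 32-bit Windows XP; $SuspiciousNames is
# built from the file names this thread mentions.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System32    = Join-Path $env:SystemRoot 'system32'

$ExpectedValues = @{
    Userinit = (Join-Path $System32 'userinit.exe') + ','   # the trailing comma is normal
    Shell    = 'explorer.exe'
}

# Names the thread identifies as suspicious (constructed list from the posts).
$SuspiciousNames = @('wsaupdater.exe', 'winupdate86.exe', 'winlogon86.exe')

function Resolve-WinlogonEntry {
    # Entries may be bare names (explorer.exe) or full paths; look where
    # Winlogon itself would look.
    param([string]$Entry)
    if ([IO.Path]::IsPathRooted($Entry)) { return $Entry }
    foreach ($dir in @($System32, $env:SystemRoot)) {
        $candidate = Join-Path $dir $Entry
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return (Join-Path $System32 $Entry)   # not found anywhere; reported as missing below
}

function Get-Sha256Hex {
    # .NET hashing so this also works on PowerShell 2.0, which lacks Get-FileHash.
    param([string]$Path)
    $sha    = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose() }
}

function Test-WinlogonValue {
    param([string]$Name, [string]$Expected)
    $actual   = (Get-ItemProperty -Path $WinlogonKey -Name $Name -ErrorAction SilentlyContinue).$Name
    $findings = @()
    if ([string]::IsNullOrEmpty($actual)) {
        $findings += 'value missing or empty'
    } else {
        if ($actual.TrimEnd(',') -ne $Expected.TrimEnd(',')) {
            $findings += "differs from expected stock value '$Expected'"
        }
        # Userinit is a comma-separated list; every entry must be a real file.
        foreach ($entry in ($actual -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $leaf = [IO.Path]::GetFileName($entry).ToLowerInvariant()
            $path = Resolve-WinlogonEntry $entry
            if ($SuspiciousNames -contains $leaf)    { $findings += "points at suspicious name $leaf" }
            if (-not (Test-Path -LiteralPath $path)) { $findings += "referenced file missing: $path" }
        }
    }
    New-Object PSObject -Property @{ Check = $Name; Actual = $actual; Findings = $findings }
}

function Test-UserinitFiles {
    # Compare system32\userinit.exe with the dllcache copy and list leftovers.
    $live     = Join-Path $System32 'userinit.exe'
    $cache    = Join-Path $System32 'dllcache\userinit.exe'
    $findings = @()
    if (-not (Test-Path -LiteralPath $live)) {
        $findings += "$live is missing"
    } elseif (-not (Test-Path -LiteralPath $cache)) {
        $findings += 'no dllcache copy to compare against'
    } elseif ((Get-Sha256Hex $live) -ne (Get-Sha256Hex $cache)) {
        $findings += 'system32\userinit.exe differs from the dllcache copy'
    }
    foreach ($name in $SuspiciousNames) {
        $p = Join-Path $System32 $name
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # The thread's workaround copies userinit.exe over wsaupdater.exe, so an
        # identical file there is expected; anything else deserves a look.
        if ((Test-Path -LiteralPath $live) -and ((Get-Sha256Hex $p) -eq (Get-Sha256Hex $live))) {
            $findings += "$name present but identical to userinit.exe (workaround copy)"
        } else {
            $findings += "suspicious file present: $p"
        }
    }
    New-Object PSObject -Property @{ Check = 'files'; Actual = $live; Findings = $findings }
}

$report = @(
    (Test-WinlogonValue -Name 'Userinit' -Expected $ExpectedValues.Userinit),
    (Test-WinlogonValue -Name 'Shell'    -Expected $ExpectedValues.Shell),
    (Test-UserinitFiles)
)
$report | Format-List Check, Actual, Findings
```

An empty Findings list on all three checks means the registry points at a real userinit.exe again and nothing by the thread's suspicious names remains in system32.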
 
Marcy

Hi, Jose
You asked:
(1)"dir userinit.exe (post results - the file exists or it does not)"
Answer:
The volume in drive C has no label
The volume Serial Number is 3136-db0e
Directory of C:\Windows\system32\userinit.exe

8/04/04 01:00a -a-------- 24576 userinit.exe
1 file<s> 24576 bytes
34952921088 bytes free

(2)dir wsaupdater.exe (post results - the file exists or it does not)

Answer:
The volume in drive C has no label
The volume Serial Number is 3136-db0e
Directory of C:\Windows\system32\wsaupdater.exe
No matching files were found

Then you said to do this:
"From the c:\windows\system32 folder enter:

copy c:\windows\system32\dllcache\userinit.exe"

Answer:
Just so I know I did this part correctly, here is what that entire line looked
like when I typed it:
C:\Windows\system32>copy c:\windows\system32\dllcache\userinit.exe
Answer: It read, "The system cannot find the file specified."

So nothing got copied nor replaced/overwritten. *sigh*

You said,
"If the copy fails for some reason, we can get a userinit.exe from your
installation CD (if you made a Recovery Console CD, userinit.exe is not on
it)."

Great. I have the Windows original installation CD that came with my laptop,
which is what I am using now.
So, I guess I must stop for now until the next step, now that you know what
is going on thus far.

What a mess, huh!!!
I will await the next steps. I really want to avoid a 'wipe the drive
and reinstall' if at all possible.
Thank you.







 
Jose

Your OEM system and my home grown system are not the same, so we
will get the userinit.exe another way.

Let me make sure I got this straight... You modified your boot.ini
using msconfig and then could not boot in any mode. You used RC to
rename your boot.ini, booted successfully, fixed the boot.ini issue,
ran AVG and then got stuck in the login cycle?

I am trying to understand your reference to winlogon.exe. If
winlogon.exe is the problem child you can also replace it from your XP
CD if it got quarantined or messed up, by using these same
instructions for userinit.exe.

If winlogon.exe is suspicious or missing, replace it from your XP CD.

If this userinit.exe thing doesn't do it for you and winlogon.exe is
missing, etc, do the same thing for winlogon.exe. The procedure is all
the same - just a different file. There is no harm in replacing both
files.

The objective is to replace the c:\windows\system32\userinit.exe with
the compressed file on the CD. You may have to be intuitive and do
some poking around since your system may not be just like mine, but if
you understand the principle, you can figure it out.

Most of the XP installation files on your CD are compressed and get
expanded when you install XP. Any file you see on the CD that ends
with an underscore character is compressed.

Assuming your CD drive is D, you can look in the D:\i386 folder and
find the compressed file called userinit.ex_, and that is the file we
need to expand into the c:\windows\system32 folder, so let's make sure
the suspicious one is gone and rename it.

Assume we are going to be doing all of this work from the
c:\windows\system32 folder since this is where the userinit.exe file
needs to be.

Rename your current userinit.exe file to something you can remember.
For me I would just rename userinit.exe to userinit.joe

Reboot on the CD and check to be sure c:\windows\system32\userinit.exe
is really gone now - it was there before, right?

Change to the c:\windows\system32 folder where the userinit.exe needs to be.

To see the help for the expand command you can type:

expand /?

It takes a source file name and an optional destination folder and
will default to the current folder, which needs to be
c:\windows\system32

While in the c:\windows\system32 folder, expand the d:\i386\userinit.ex_
file into the current c:\windows\system32 by typing:

expand d:\i386\userinit.ex_

or

expand d:\i386\userinit.ex_ c:\windows\system32

You should see a message that one file was expanded, and when you look
in c:\windows\system32 you should now see a new userinit.exe. This may
be all you need to do for your problem. Remove the CD, reboot on the
hard disk and test.

If you have the wsaupdater problem, the registry has been modified to
point to wsaupdater.exe instead of userinit.exe, so even a new copy of
userinit.exe will not be looked at. From the Recovery Console, back in
the c:\windows\system32 folder, copy the userinit.exe to
wsaupdater.exe, remove the CD and reboot on the hard disk and test.

You will still need to do the malware scans.
 
Marcy

Hi Jose,
(1) To answer your first question in the last post, "Let me make sure I got
this straight... You modified your boot.ini using msconfig and then could
not boot in any mode. You used RC to rename your boot.ini, booted
successfully, fixed the boot.ini issue, ran AVG and then got stuck in the
login cycle?"
Answer: YES. After I did AVG, I rebooted and got stuck in the login
cycle....

(2) While in the RC (from my cd), I do see, in C:\Windows\system32, both
the userinit.exe AND winlogon.exe.
I tried numerous ways to rename both of them. Here are ways I used and their
outcome:...

C:\>ren c:\userinit.exe userinit.old
"The system cannot find the file or directory specified"

C:\>cd\attrib -shr userinit.exe ren userinit.exe userinit.bak
"The command is not recognized. Type HELP...., etc"

I even did it like this (since I was not sure from which area to do the
renaming)..
C:\Windows>cd\attrib -shr userinit.exe ren userinit.exe userinit.bak
C:\Windows\System32>cd\attrib -shr userinit.exe ren userinit.exe
userinit.bak

***** and***
C:\Windows>ren c:\userinit.exe userinit.old
C:\Windows\System32>ren c:\userinit.exe userinit.old

I did the same using the winlogon.exe and got the exact same outcome..both
times.
So either I did something wrong in trying to rename or something. But I do
see both the userinit.exe and winlogon.exe in the
C:\Windows\System32>directory.

I am sorry I could not go further in your directions.....
I hope you want to continue with this. If not, I totally understand.
Thanks, Marcy




So, I could not go any further with your instructions...

-- __________________________________________
Thanks so very much for your help-! ! ! !
 
Jose


You are c: happy. Stop putting c: in front of everything - that is
what got you mixed up before!

When you start RC you are in the C:\WINDOWS folder which is correct.

You need to do ALL your work in the C:\WINDOWS\SYSTEM32 folder.
The prompt should be something like:

C:\WINDOWS\SYSTEM32

First, rename the files you want to replace:

ren userinit.exe userinit.old
ren winlogon.exe winlogon.old

Reboot RC and get back into the c:\windows\system32 folder, make sure
the files you want to replace are really gone and then expand the
replacements from your installation CD (all this from within
c:\windows\system32)

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex_

The messages should tell you the expand worked.

Now, see if there is a file in c:\windows\system32 called
wsaupdater.exe. If there is a wsaupdater.exe, copy userinit.exe over
the top of wsaupdater.exe and we'll fix the rest later.

Hopefully I made no typos. You get the idea though - in
c:\windows\system32 you want to replace the two suspicious files by
renaming them, rebooting, expanding the two replacements from your XP
CD... Do the appropriate dir commands to make sure the files get
renamed, copied, expanded, etc as you go.

Remove the CD and see how rebooting/logging in on the HDD looks now.
 
Marcy

Thanks Jose:
I did the rename of :
ren userinit.exe userinit.old
ren winlogon.exe winlogon.old

I rebooted back into RC and got back into the c:\windows\system32 folder.
The "exe" files I renamed were gone (only the newly renamed "old" were
there).
So I went on to your next step, to expand. I did:

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex_

The message stated it worked..

I went to see if there is a file in c:\windows\system32 called
wsaupdater.exe. Wsaupdater.exe was NOT there. I did see a
suspicious/malware file in there with a similar name, winupdate86.exe. But
no executable file that had exact letters of wsaupdater.exe

Ironically, I noticed when searching for the wsaupdater.exe that BOTH the
userinit.exe AND userinit.old, plus the winlogon.exe AND winlogon.old were
there. Was that supposed to happen?

I was not able to go further to this next step....
"If there is a wsaupdater.exe, copy userinit.exe over
the top of wsaupdater.exe" and we'll fix the rest later.
**Note that I would not know how to do this Copy part anyways, so when this
next step comes, unfortunately I would need more step by step to avoid
messing up.
***Note that for some reason, when starting my pc this morning for the first
time, my machine did not want to read/start up the cd disk. I went to BIOS
and changed the boot order for now, and luckily I was able to get CD to let
me do all this RC stuff noted here.
Thanks Jose and will await yet another step.




 
Jose


Still in the system32 folder :)...

You renamed the userinit and winlogon. Then you expanded replacements
from the CD, so that gives you a .old (the old one) and a .exe (the
expanded one). You are doing fine.

Sounds good so far except for the winupdate86.exe. I somehow got
stuck on thinking winlogon - that indeed appears to be malware and so
rename it to something else, reboot... Thanks to Daave for the
reminder. It presents other symptoms while you are running, but it
should not be there. The Internet seems to tell you about it and what
it does, but not too much what to do about it. Check if you have
winlogon86.exe, and if so rename it too.

You could still have the wsaupdater issue, so if the same symptoms, copy
the userinit.exe to wsaupdater.exe, reboot...

We need to know what happens on the two reboots.

We just need to get you running and back on the Internet so you can
run MBAM and SAS, then fix any residue.
 
Azy

Next step:
Hi,
I did the rename of the malware file from "winupdate86.exe to
winupdate86.old". I rebooted using the HD to see if it fixed the login prob.
Nope. Still doing the same thing and staying stuck in Windows blue logon
part.

I rebooted then went on to do the copy thing: " copy userinit.exe
wsaupdater.exe "
I again rebooted and I am still stuck on the Welcome screen. It won't advance
after that.

*I rebooted back to RC once again and note the following.....
*Note: the winupdate86.old is there (not winupdate86.exe). ALSO,
wsaupdater.exe is showing now, finally.
Thanks and I will check back for next step.
*****************************************





Thanks Jose:
I did the rename of :
ren userinit.exe userinit.old
ren winlogon.exe winlogon.old

I rebooted back into RC and got back into the c:\windows\system32 folder.
The "exe" files I renamed were gone (only the newly renamed "old" were
there).
So I went on your next step-to expand. I did:

expand d:\i386\userinit.ex_
expand d:\i386\winlogon.ex_

The messaged stated it worked..

I went to see if there is a file in c:\windows\system32 called
wsaupdater.exe. Wsaupdater.exe was NOT there. I did see a
suspicious/malware file in there with a similar name, winupdate86.exe. But
no executable file that had exact letters of wsaupdater.exe

Ironically, I noticed when searching for the wsaupdater.exe that BOTH the
userinit.exe AND userinit.old, plus the winlogon.exe AND winlogon.old were
there. Was that supposed to happen?

I was not able to go further to this next step....
"If there is a wsaupdater.exe, copy userinit.exe over
the top of wsaupdater.exe" and we'll fix the rest later.
**Note that I would not know how to do this Copy part anyways, so when
this
next step comes, unfortunetly i would need more step by step to avoid
messing up.
***Note that for some reason, when starting my pc this morning for the
first
time, my machine did not want to read/start up the cd disk. I went to BIOS

Still in the system32 folder :)...

You renamed the userinit and winlogon. Then you expanded replacements
from the CD, so that gives you a .old (the old one) and a .exe (the
expanded one). You are doing fine.

Sounds good so far except for the winupdate86.exe. I somehow got
stuck on thinking winlogon - that indeed appears to be malware and so
rename it to something else, reboot... Thanks to Daave for the
reminder. It presents other symptoms while you are running, but it
should not be there. The Internet seems to tell you about it and what
it does, but not too much what to do about it. Check if you have
winlogon86.exe, and if so rename it too.

You could still have the wsaupdater issue, so if the same symptoms, copy
the userinit.exe to wsaupdater.exe, reboot...

We need to know what happens on the two reboots.

We just need to get you running and back on the Internet so you can
run MBAM and SAS, then fix any residue.
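As an added illustration (not something posted in this thread), here is a Python check that models the state of C:\WINDOWS\system32 that Marcy reported and verifies the steps Jose described: the .old backups from the ren step, the expanded replacements, any lookalike names still present, and whether wsaupdater.exe is a byte-for-byte copy of the clean userinit.exe. All file contents are constructed placeholders, not real binaries.

```python
import hashlib

# Constructed model of system32 after the repair steps (name -> contents).
# The contents stand in for the real files; they are not the actual binaries.
CLEAN_USERINIT = b"clean userinit expanded from d:\\i386\\userinit.ex_ (constructed)"
CLEAN_WINLOGON = b"clean winlogon expanded from d:\\i386\\winlogon.ex_ (constructed)"
SAMPLE_SYSTEM32 = {
    "userinit.exe": CLEAN_USERINIT,
    "userinit.old": b"previous userinit, possibly tampered (constructed)",
    "winlogon.exe": CLEAN_WINLOGON,
    "winlogon.old": b"previous winlogon (constructed)",
    "winupdate86.old": b"renamed malware file (constructed)",
    "wsaupdater.exe": CLEAN_USERINIT,  # result of: copy userinit.exe wsaupdater.exe
}

# Lookalike names the thread says should not remain as executables.
LOOKALIKES = ("winupdate86.exe", "winlogon86.exe")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_system32(files: dict) -> dict:
    """Describe the state of the logon chain (userinit/winlogon) in a listing."""
    report = {}
    for base in ("userinit", "winlogon"):
        # The expanded .exe must exist; the .old shows the rename step actually ran.
        report[f"{base}.exe present"] = f"{base}.exe" in files
        report[f"{base}.old backup present"] = f"{base}.old" in files
        # If the backup and the replacement hash the same, the old file was not tampered.
        if f"{base}.exe" in files and f"{base}.old" in files:
            report[f"{base} differs from backup"] = (
                sha256(files[f"{base}.exe"]) != sha256(files[f"{base}.old"]))
    # Malware lookalikes still present under their .exe name.
    report["lookalikes remaining"] = [n for n in LOOKALIKES if n in files]
    # wsaupdater.exe is only acceptable if it is exactly the clean userinit.exe.
    if "wsaupdater.exe" in files and "userinit.exe" in files:
        report["wsaupdater is clean copy"] = (
            sha256(files["wsaupdater.exe"]) == sha256(files["userinit.exe"]))
    else:
        report["wsaupdater is clean copy"] = None  # no wsaupdater.exe: nothing to check
    return report


def repair_looks_complete(files: dict) -> bool:
    """True when every check the thread walks through has been satisfied."""
    r = assess_system32(files)
    return (r["userinit.exe present"] and r["winlogon.exe present"]
            and not r["lookalikes remaining"]
            and r["wsaupdater is clean copy"] in (True, None))
```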
 
M

Marcy

SORRY about the reply from "Azy" - I had to borrow another pc to continue
working/troubleshooting on my laptop and forgot to do the post from my other
pc. Here is my same reply under me, Marcy:
Next step:
Hi,
I did the rename of the malware file from "winupdate86.exe to
winupdate86.old". I rebooted using the HD to see if it fixed the login prob.
Nope. Still doing the same thing and staying stuck in Windows blue logon
part.

I rebooted then went on to do the copy thing: " copy userinit.exe
wsaupdater.exe "
I again rebooted and I am still stuck on the Welcome screen. It won't advance
after that.

*I rebooted back to RC once again and note the following.....
*Note: the winupdate86.old is there (not winupdate86.exe). ALSO,
wsaupdater.exe is showing now, finally.
Thanks and I will check back for next step.
*****************************************
--
Thanks so very much for your help-! ! ! !
T

thanatoid


Since this is not an XP-specific problem, I will dare to comment
even though I am new to the XP groups.

A lot of malware will not allow itself to be deleted or renamed
within Windows, or it will "come back" anyway.

The only solution I have found is to have DOS and/or
Win9x/whatever on another partition (I know that is somewhat
difficult to achieve if you have XP installed on your only
partition) and delete all the problematic stuff "from the
outside" using one of the other OS's.

I don't know if I would dare to do it myself, but you /probably/
have enough free space to create another partition with a third
party partition program and then move XP /as is/ (ie infected)
to D or E or whatever - if possible, it may not be - and put DOS
on C and then delete the malware as described above. You /might/
end up losing all your data, but you might end up losing all
your data ANYWAY.

/Only/ the system and progs should be on C. Partitions are VERY
useful. That's why /no/ new computers come with any except C.
The "hidden backup partition" and RC's are largely mythical and
highly vaporous beasts from what I have heard and read, and not
what I am talking about anyway.

I had 16 virtual drives on a 40GB drive once and I was happy
happy happy. NO partition ever took more than a minute to
defrag, in 95B, and restoring C from an Acronis image when
something went wrong took all of 5 minutes.
 
