The most common cause of this right now is running a malware detection program that deletes a file the registry still points at. This file, wsaupdater.exe, seems to be the most widely seen culprit, but it could potentially be other things, too.
Let's test it out.
Boot using your Windows XP CD.
Enter the Recovery Console.
At the command prompt, go to
C:\windows\system32
Next, type:
Dir *.exe
If you find it, type
copy userinit.exe wsaupdater.exe
Exit and reboot normally. You should now be able to log on.
Run regedit
Navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
In the right pane, you should see
C:\WINDOWS\System32\wsaupdater.exe,
Change it so that it reads:
C:\WINDOWS\System32\userinit.exe
That should solve the problem, if the malware was the one that caused the issue.
The scary thing is that, since more malware programs are inserting themselves into the Winlogon key, this is going to be a moving target.
Logon - Logoff loop, also caused by BlazeFind
Another critical symptom caused by this malware: it modifies the Userinit area in the registry (replacing userinit.exe with wsaupdater.exe), and Ad-Aware (with a particular definition update) removes the wsaupdater.exe file from the system, thus causing the logon-logoff loop. That is, when you log in to Windows, the "loading personal settings" message appears, but then the system suddenly logs off. This issue was documented clearly by Lavasoftusa in its Lavahelp Knowledgebase.
Here is the solution to the logon - logoff issue in Windows XP.
Enter the Recovery Console
Boot the system using the Windows XP CD-ROM. When Setup begins, read the instructions on the first screen and press "R" to enter the Recovery Console. Type in the built-in Administrator password to enter the Console. You'll see a prompt reading C:\Windows (or whichever drive letter you've installed XP on).
Type the following command and press Enter.
CD SYSTEM32
(If that does not work, try CHDIR SYSTEM32)
COPY USERINIT.EXE WSAUPDATER.EXE
Quit Recovery Console by typing EXIT and restart Windows.
You'll be able to log in successfully, as you've created the wsaupdater.exe file (now a copy of userinit.exe).
Now change the USERINIT value in the registry accordingly (see Phase II in this page).
Cause:
Windows SA replaces the userinit.exe used at logon with its own wsaupdater.exe, but uninstalling it doesn't revert the change.
Fix:
1. Boot using your Windows XP CD.
2. Enter the Recovery Console.
3. At the command prompt, go to
C:\windows\system32
5. Exit and reboot normally. You should now be able to log on. But you're not done yet!
6. Run regedit.
7. Find the Userinit value in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
8. Modify the entry:
C:\WINDOWS\System32\wsaupdater.exe
so that it reads:
C:\WINDOWS\System32\userinit.exe
That should do the trick! No reinstalling Windows required!
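An added example, not part of the original post: a Python check of the Userinit value for the two states described above, an entry whose file has been deleted (the logon-logoff loop) and an entry that exists but is not userinit.exe. The function names and the expected path C:\WINDOWS\System32\userinit.exe (Windows installed in C:\WINDOWS) are assumptions, and the sample value used off Windows is constructed.

```python
import ntpath
import os
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows is installed in C:\WINDOWS.
EXPECTED = r"c:\windows\system32\userinit.exe"


def audit_userinit(value, exists=os.path.isfile, expected=EXPECTED):
    """Return (entry, status) for each comma-separated program in Userinit."""
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:  # a trailing comma leaves an empty item
            continue
        norm = ntpath.normcase(ntpath.normpath(entry))
        if not exists(entry):
            status = "MISSING"      # value points at a deleted file: logon loop
        elif norm != expected:
            status = "UNEXPECTED"   # something other than userinit.exe runs at logon
        else:
            status = "OK"
        findings.append((entry, status))
    if not findings:                # empty value: nothing to start the session
        findings.append(("", "MISSING"))
    return findings


def read_userinit():
    """Read the live value; Windows only (winreg is standard library there)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


if __name__ == "__main__":
    if sys.platform == "win32":
        value, exists = read_userinit(), os.path.isfile
    else:
        # Constructed sample: the state after the scanner deleted the file.
        value = r"C:\WINDOWS\System32\wsaupdater.exe,"
        exists = lambda p: p.lower().endswith("userinit.exe")
    for entry, status in audit_userinit(value, exists):
        print(f"{status:10} {entry}")
```

Run it before a malware scanner removes files to see whether the logon path would break, and again after editing the registry to confirm the value reports OK.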