Instant logout after login, correct password cannot log on to Windows


laurentio
27th January 2010, 01:01 AM
Problem caused by Wsaupdater.exe spyware.

Wsaupdater.exe is spyware that changes Userinit.exe, to Wsaupdater.exe in the registry. Once Wsaupdater.exe is removed from the computer by antispyware software, you won't be able to log on to your account, as the registry subkey cannot be reverted back to Userinit.exe,.

The registry subkey that is changed is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Value: Userinit
Data: %Windir%\System32\Wsaupdater.exe

Note %windir% represents the location of the System32 folder. For example, if the location is C:\Windows\System32, the data would be C:\Windows\System32\Wsaupdater.exe.

The data should contain Userinit.exe, instead of Wsaupdater.exe. In the previous example, the data would be C:\Windows\System32\Userinit.exe,.

Note The comma following the file path information is required.

SOLUTION:

Use the Recovery Console to copy Userinit.exe to Wsaupdater.exe to allow logon capability to be restored and to let you manually correct the registry data. To do this, follow these steps:

Use Recovery Console to copy Userinit.exe to Wsaupdater.exe



At the Recovery Console command prompt, type cd system32, and then press ENTER.
Type copy userinit.exe wsaupdater.exe, and then press ENTER.
Type exit, and then press ENTER.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

Modify the registry



Click Start, click Run, type regedit, and then click OK.
In Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
In the right pane, right-click userinit, and then click Modify.
Replace wsaupdater.exe with userinit.exe, (make sure to include the comma, as shown), and then click OK.
Restart your computer.

Delete the Wsaupdater.exe file



Log on to the computer by using an account that has administrator-level permissions.
Click Start, click Run, type %Windir%\system32, and then click OK.
Right-click wsaupdater.exe, click Delete, and then click OK.

As not many users understand the recovery console I would suggest using Winternals Boot CD from here:
http://www.geekstogo.com/2009/01/17/erd-commander-free-trial-from-microsoft/
Easy to use, it loads the OS registry and it lets you modify the data as you would in normal circumstances (working OS)
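
The check below is an added example, not part of the original post: it reads the Userinit value described above, splits it on commas, and flags any entry other than System32\userinit.exe as well as entries whose file no longer exists (the condition that causes the instant logout). Test-UserinitData is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit the Winlogon Userinit value (helper name is hypothetical).
function Test-UserinitData {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Data,
        [string]$WinDir = $env:windir
    )
    $expected = Join-Path $WinDir 'System32\userinit.exe'
    # The data is a comma-separated list; the required trailing comma leaves
    # an empty last element, which is dropped here.
    $entries = @($Data -split ',' |
                 ForEach-Object { $_.Trim().Trim('"') } |
                 Where-Object { $_ -ne '' })
    $findings = @(foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # Assumption for the comparison: a bare file name refers to System32.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $WinDir (Join-Path 'System32' $path)
        }
        [pscustomobject]@{
            Entry      = $entry
            IsExpected = ($path -ieq $expected)
            FileExists = Test-Path -LiteralPath $path -PathType Leaf
        }
    })
    [pscustomobject]@{
        Entries       = $findings
        HasUserinit   = [bool]($findings | Where-Object { $_.IsExpected })
        Unexpected    = @($findings | Where-Object { -not $_.IsExpected })
        Missing       = @($findings | Where-Object { -not $_.FileExists })
        TrailingComma = $Data.TrimEnd().EndsWith(',')
    }
}

$key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$data   = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$result = Test-UserinitData -Data $data
$result.Entries | Format-Table -AutoSize
if (-not $result.HasUserinit -or $result.Unexpected.Count -gt 0) {
    Write-Warning 'Userinit does not point only at System32\userinit.exe; review the entries above.'
}
if ($result.Missing.Count -gt 0) {
    Write-Warning 'Userinit references a file that does not exist; logon will fail.'
}
if (-not $result.TrailingComma) {
    Write-Warning 'Userinit data is missing the trailing comma.'
}
```

Run it from an elevated prompt before letting a cleanup tool delete a file named in Userinit, so the value can be corrected while logon still works.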

JoshuaGaler
11th February 2010, 11:22 AM
Hi!!
I faced this problem and completely formatted my whole operating system and reinstalled it.
But now :mad: I find your thread, after I got rid of it. Anyway, thanks for your post.
Next time I will not completely format it and will get rid of it with the help of your post.