PeterLeutert
After (partial) removal of the W32.Funner worm from my XP-Home PC
I can boot the PC (whether in secure mode or not is not important), but as soon as I login under any user account,which works ok, I am immediatly within half a second or so logged out again. I have no chance to enter into any account. Has anybody an idea what to do in this situation (beside installing the system again from scratch)?
I can boot the PC (whether in secure mode or not is not important), but as soon as I login under any user account,which works ok, I am immediatly within half a second or so logged out again. I have no chance to enter into any account. Has anybody an idea what to do in this situation (beside installing the system again from scratch)?
Participate on our website and join the conversation
This topic is archived. New comments cannot be posted and votes cannot be cast.
Responses to this topic
Wilhelmus
That nasty worm have changed userinit value in Registry...
<long post>
Quote:"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Value: Userinit
Data: %system32%\wsaupdater.exe
%system32% represents the path to the System32 folder. For example, if the path is C:\Windows\System32, then the data would be: "C:\Windows\System32\wsaupdater.exe"
Instead of "wsaupdater.exe", the data should contain "userinit.exe,".
Using the example above, the data would be "C:\Windows\System32\userinit.exe,"
(!Note! the comma following the file path information.)
Using the XP's recovery console, copy userinit.exe to wsaupdater.exe to allow log on capability to be restored, and correct the registry data manually.
In the following instructions, C:\Windows\System32 shall be used as the System32 location. Change the path accordingly to accommodate for your installation directory.
Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
When you are prompted to do so, type the Administrator password.
If the administrator password is blank (which is likely the case if Windows XP was preinstalled by your computer manufacturer), just press ENTER.
You should now be in the Windows installation folder ("C:\Windows").
At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
Quote:cd system32
copy userinit.exe wsaupdater.exe
exit
At this time, remove the startup floppy or CD-ROM from your system, and boot into Windows XP. Log on to the system using an account with administrator-level privileges, and edit the registry using this information. It is recommeded that a registry backup be created prior to continuing.
Click start, then run. Enter
regedit
and click OK. Using RegEdit, expand
HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon
Locate Userinit in the value column, right-click this item, and choose modify. Replace
"wsaupdater.exe" with "userinit.exe," (do not use quotes, and ensure the trailing comma is present as shown) and click OK.
Exit RegEdit.
Restart your computer, and log on to the system using an account with administrator-level privileges.
Go to My Computer, then to the System32 folder (usually C:, then Windows, then System32). If Explorer prompts that removing files from these areas is not recommended, click to continue. Locate and remove wsaupdater.exe, and delete this file.
</long post>
<long post>
Quote:"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
Value: Userinit
Data: %system32%\wsaupdater.exe
%system32% represents the path to the System32 folder. For example, if the path is C:\Windows\System32, then the data would be: "C:\Windows\System32\wsaupdater.exe"
Instead of "wsaupdater.exe", the data should contain "userinit.exe,".
Using the example above, the data would be "C:\Windows\System32\userinit.exe,"
(!Note! the comma following the file path information.)
Using the XP's recovery console, copy userinit.exe to wsaupdater.exe to allow log on capability to be restored, and correct the registry data manually.
In the following instructions, C:\Windows\System32 shall be used as the System32 location. Change the path accordingly to accommodate for your installation directory.
Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.
When you are prompted to do so, type the Administrator password.
If the administrator password is blank (which is likely the case if Windows XP was preinstalled by your computer manufacturer), just press ENTER.
You should now be in the Windows installation folder ("C:\Windows").
At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:
Quote:cd system32
copy userinit.exe wsaupdater.exe
exit
At this time, remove the startup floppy or CD-ROM from your system, and boot into Windows XP. Log on to the system using an account with administrator-level privileges, and edit the registry using this information. It is recommeded that a registry backup be created prior to continuing.
Click start, then run. Enter
regedit
and click OK. Using RegEdit, expand
HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows NT
+CurrentVersion
+Winlogon
Locate Userinit in the value column, right-click this item, and choose modify. Replace
"wsaupdater.exe" with "userinit.exe," (do not use quotes, and ensure the trailing comma is present as shown) and click OK.
Exit RegEdit.
Restart your computer, and log on to the system using an account with administrator-level privileges.
Go to My Computer, then to the System32 folder (usually C:, then Windows, then System32). If Explorer prompts that removing files from these areas is not recommended, click to continue. Locate and remove wsaupdater.exe, and delete this file.
</long post>
Wilhelmus
Quote:
"Wuurm"
In Finland, these are called "mato", which means same as English word "worm".
Quote:
If the guys creating these bastardz would put their time into creating better softwares, we'd have Longhorn out by now!
Agreed.
I wonder, why have none created a worm, which does not use "zombie" computers for spam spreading but for eg. SETI@Home, cancer curing programs, etc. Then again, this would be no "malware" then, it would be "careware".
And the programmers of these worms, would not get their money (or whatever drives them to do these pests) from their employers, if they got any.
Or these programmers could use their programming skills in eg. linux world and make it so, that we could use any Windows application in linux, without emulator of any sort.
Ok.
Daydreaming off.
Back to work ->
"Wuurm"
In Finland, these are called "mato", which means same as English word "worm".
Quote:
If the guys creating these bastardz would put their time into creating better softwares, we'd have Longhorn out by now!
Agreed.
I wonder, why have none created a worm, which does not use "zombie" computers for spam spreading but for eg. SETI@Home, cancer curing programs, etc. Then again, this would be no "malware" then, it would be "careware".
And the programmers of these worms, would not get their money (or whatever drives them to do these pests) from their employers, if they got any.
Or these programmers could use their programming skills in eg. linux world and make it so, that we could use any Windows application in linux, without emulator of any sort.
Ok.
Daydreaming off.
Back to work ->
theefool
Bah, worms, viruses and trojans have been around since the dawn of man...err...computers. I wouldn't know what to do with myself, if none of these things exist. But, one thing I do wish. That the old days of having a disk that contains both Mcafee and Norton on it to scan current computers. Via DOS. Now, one thing I have noticed which is pretty cool. Avast! has a boot up virus scanner that I have not seen before. Yes, Norton has one, but only if you are not running in NTFS. Avast! doesn't care, it can still scan away. This is run in the mode where chkdsk is run with xp.
