Author Topic: problem in definition file SE1R66 14.09.2005  (Read 3257 times)

Offline so82

  • Newbie
  • *
  • Posts: 11
problem in definition file SE1R66 14.09.2005
« on: September 18, 2005, 09:23:05 PM »
Good evening,
During the past few days I've seen a few computers that, after installing the latest Ad-Aware update (build 77 from 14.9), weren't able to log in to Windows any more.
The Ad-Aware version is Ad-Aware SE 1.06 and I think that the problem is with the update for Win32.TrojanClicker. After scanning the computer, deleting objects and restarting, the computer is not able to log on to Windows anymore, and after choosing a user there is a window saying "logging off" and there is no option to enter Windows again.
 
I just wanted to tell you this information so you can fix this update. Please tell me if I need to send this information to someone else.
 
thanks
 
Sigal

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11536
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: problem in definition file SE1R66 14.09.2005
« Reply #1 on: September 18, 2005, 09:47:21 PM »
Hi, Sigal.  Welcome to LandzDown Forum.  I'll copy/paste the reply I gave you at Freedomlist here.  Since you have registered here at LzD, I will close the thread at FL.

If you are helping some people who have this problem, please have them start up in Safe Mode
( http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 ) . 

Once in Safe Mode:

Launch Ad-Aware SE > Click "Open quarantine list" and select the quarantine file with the creation date of the last scan to be restored.

Please assist them in posting a logfile here for review and we will do our best to help.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline so82

Re: problem in definition file SE1R66 14.09.2005
« Reply #2 on: September 19, 2005, 05:11:11 AM »
First of all thanks for the quick response!

There is no option to start up the computer in Safe Mode as well. The computer just doesn't start up.
I think the removal of the spyware trojan.clicker defects the winlogon.exe file and by this prevents logging on to Windows in any way.
(Choosing "last good configuration" in the F8 menu doesn't help either.)

Offline so82

Re: problem in definition file SE1R66 14.09.2005
« Reply #3 on: September 19, 2005, 05:29:33 AM »
Of course there is no option to retrieve the log file because there is no option to log on to Windows.

Offline Corrine

Re: problem in definition file SE1R66 14.09.2005
« Reply #4 on: September 19, 2005, 10:59:14 AM »
Hi, so82.  Please select Safe Mode, not last good configuration.

Offline so82

Re: problem in definition file SE1R66 14.09.2005
« Reply #5 on: September 19, 2005, 11:16:59 AM »
I'm sorry I haven't explained myself clearly; there is no option to log on to Windows in Safe Mode.
Even when choosing Safe Mode, when getting to the user select screen and clicking on a user or Administrator, the computer starts logging on and then logs off automatically.

Offline Corrine

Re: problem in definition file SE1R66 14.09.2005
« Reply #6 on: September 20, 2005, 02:49:26 PM »
Yesterday morning I sent a PM to LS_SteveJ at BBR referring him to this thread but have not received a reply.  I received a PM from so82 that they are looking at this MS KB Article:  http://support.microsoft.com/default.aspx?scid=kb;en-us;892893#kb3

The LS KB article is here:  http://www.lavasofthelp.com/articles/v6/04/06/0901.html

The draft that SpyDie and others helped me prepare when this occurred with SE is pasted below.  Anyone have any advice for so82?

This was for Blazefind/wsaupdater.exe:

Quote
Lavasoft Knowledge Base Article
Unable to Log On To Windows XP After Removing wsaupdater.exe
 
SYMPTOM
After removing wsaupdater.exe from BlazeFind using Ad-Aware SE and Definition File SE1R8 13.09.2004 or  SE1R9 23.09.2004, the ability to log on to the system may be compromised.

CAUSE
This file edits an area of the registry, and Ad-Aware SE is unable to correct this registry change.  The registry item changed is

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Value: Userinit

    Data:  %system32%\wsaupdater.exe

%system32% represents the path to the System32 folder.  For example, if the path is C:\Windows\System32, then the data would be

    C:\Windows\System32\wsaupdater.exe

Instead of wsaupdater.exe, the data should contain userinit.exe,.  Using the example above, the data would be

    C:\Windows\System32\userinit.exe,

Note the comma following the file path information.


RESOLUTION

In the following instructions, C:\Windows\System32 shall be used as the System32 location.  Change the path accordingly to accommodate for your installation directory. 

First it is necessary to go to the recovery console.  If you are unsure of how to get to recovery console please see http://www.lavasofthelp.com/articles/v6/04/06/0901.html  for .

At the recovery console, it is necessary to replace the software hive with a previous good backup. It should look something like this:

C:\windows>cd system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\windows\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.

C:\windows\system32\config>exit

Now hit the F8 key and boot into safe mode. Log on to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

Open regedit.exe
Highlight HKEY_LOCAL_MACHINE (note: this is important, if you do not highlight this the next step will not work)
Go to File - Load Hive...

Select your old registry file which should be in C:\windows\system32\config\software.old
It will ask you what to name it, if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon.
Look at what the userinit value is. It is likely something like %system32%\userinit.exe which is invalid.

Next change the value to read C:\windows\system32\userinit.exe

Now close the registry editor, and go back to recovery console to put your original registry back.  It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit


Offline Corrine

Re: problem in definition file SE1R66 14.09.2005
« Reply #7 on: September 23, 2005, 10:03:48 PM »
Hi, so82.  Sorry for the delay.  Steve wasn't available and didn't receive my message until yesterday and I was unavailable yesterday.  :(  Originally Steve indicated that he thought the KB article above would work.  However, he sent the following message today:

Quote
Hey Corrine... I realise now that the solution on the old knowledge base article is not going to work for this problem... please stand by while we develop a fix

Sorry for the inconvenience

//Steve


Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5124
  • Half a bubble off plumb
Re: problem in definition file SE1R66 14.09.2005
« Reply #8 on: September 24, 2005, 12:00:20 AM »
 :shock:
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



Offline so82

Re: problem in definition file SE1R66 14.09.2005
« Reply #9 on: September 24, 2005, 08:19:22 AM »
thanks for all the help

Offline Corrine

Re: problem in definition file SE1R66 14.09.2005
« Reply #10 on: September 24, 2005, 12:01:57 PM »
I've heard back from SteveJ and he has personally created and tested a fix for the problem.  He'll be sending it along to my personal email shortly.

Many thanks, Steve!

Offline steviej

  • Newbie
  • *
  • Posts: 7
Re: problem in definition file SE1R66 14.09.2005
« Reply #11 on: October 05, 2005, 11:52:00 AM »
Hi,

I have a laptop that is suffering from the same symptoms; I can logon but get logged off immediately. This even happens in safe mode.

This started happening after a recent Ad-aware update and scan.

Has a fix been created?

TIA

Offline Corrine

Re: problem in definition file SE1R66 14.09.2005
« Reply #12 on: October 05, 2005, 01:48:12 PM »
Hi, steviej.  Welcome to LzD.  I've sent a link to your post to LS_SteveJ.  He is a member of Lavasoft's Research Staff and I am sure will be addressing the issue.

In the meantime, had you quarantined anything after scanning with the last update?  If so, can you restore from quarantine?  (Launch Ad-Aware SE > click "Open Quarantine List" and select the quarantine from the last dated scan > click Restore.)

After that, please post a full scan logfile.  (If no quarantine, please post a logfile anyway.  :) )

Thank you.

Offline steviej

Re: problem in definition file SE1R66 14.09.2005
« Reply #13 on: October 06, 2005, 08:06:45 AM »
Hi Corrine,

The problem was a missing userinit value in the registry.

LS_SteveJ helped me add the value and now I am able to logon again.

Thanks.
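
Added example, not part of the thread and not Lavasoft's fix: a PowerShell check of the Winlogon Userinit value named in the quoted knowledge base draft and in the last reply, covering both the wrong-data case and the missing-value case, on the live registry or on an offline software hive such as software.old. The function names and the temporary key name are hypothetical, C:\Windows\System32 is assumed as in the draft, and loading a hive file needs an elevated prompt.

```powershell
# Added example: audit Winlogon\Userinit, live or in an offline SOFTWARE hive.
# Function names and the temporary mount key are hypothetical.

function Test-UserinitData {
    param(
        [AllowNull()][AllowEmptyString()][string]$Data,
        [string]$System32 = 'C:\Windows\System32'   # assumed install path
    )
    if ([string]::IsNullOrWhiteSpace($Data)) { return 'Missing' }
    $expected = $System32.TrimEnd('\') + '\userinit.exe'
    # Userinit is a comma-separated list of programs; drop the empty entry
    # left by a trailing comma so both spellings of the good value match.
    $entries = @($Data.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -eq 1 -and $entries[0] -ieq $expected) { return 'Expected' }
    return 'Unexpected'
}

function Get-UserinitStatus {
    param(
        [string]$HiveFile,                          # optional offline hive file
        [string]$System32 = 'C:\Windows\System32'
    )
    $root  = 'HKLM:\SOFTWARE'
    $mount = 'OfflineSoftwareCheck'                 # hypothetical temporary key
    if ($HiveFile) {
        & reg.exe load "HKLM\$mount" $HiveFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HiveFile" }
        $root = "HKLM:\$mount"
    }
    try {
        $key  = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
        $data = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
        [pscustomobject]@{
            Source = if ($HiveFile) { $HiveFile } else { 'live registry' }
            Data   = $data
            Status = Test-UserinitData -Data $data -System32 $System32
        }
    }
    finally {
        if ($HiveFile) {
            [gc]::Collect()                         # release handles before unloading
            & reg.exe unload "HKLM\$mount" | Out-Null
        }
    }
}

# Constructed sample data mirroring the cases described in the thread
'C:\Windows\System32\userinit.exe,', 'C:\Windows\System32\wsaupdater.exe', '' |
    ForEach-Object { '{0,-40} -> {1}' -f "'$_'", (Test-UserinitData -Data $_) }
```

Calling `Get-UserinitStatus` with no arguments reads the running system; passing `-HiveFile` with the path to a renamed hive reads that file without booting from it.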