problem in definition file SE1R66 14.09.2005

Started by so82, September 18, 2005, 09:23:05 PM


so82

Good evening
During the past few days I've seen a few computers that, after installing the latest Ad-Aware update (build 77 from 14.9), weren't able to log in to Windows any more.
The Ad-Aware version is Ad-Aware SE 1.06 and I think the problem is with the update for Win32.TrojanClicker. After scanning the computer, deleting objects and restarting, the computer is not able to log on to Windows any more; after choosing a user there is a window saying "logging off" and there is no option to enter Windows again.

I just wanted to tell you this information so you can fix this update. Please tell me if I need to send this information to someone else.

thanks

Sigal

Corrine

Hi, Sigal.  Welcome to LandzDown Forum.  I'll copy/paste the reply I gave you at Freedomlist here.  Since you have registered here at LzD, I will close the thread at FL.

If you are helping some people who have this problem, please have them start up in Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).

Once in Safe Mode:

Launch Ad-Aware SE > Click "Open quarantine list" and select the quarantine file with the creation date of the last scan to be restored.

Please assist them in posting a logfile here for review and we will do our best to help.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

so82

First of all thanks for the quick response!

There is no option to start up the computer in Safe Mode either. The computer just doesn't start up.
I think the removal of the spyware Trojan.Clicker defects the winlogon.exe file and by this prevents logging on to Windows in any way.
(Choosing "Last Known Good Configuration" in the F8 menu doesn't help either.)

so82

Of course there is no option to retrieve the log file, because there is no option to log on to Windows.

Corrine

Hi, so82.  Please select Safe Mode, not Last Known Good Configuration.


so82

I'm sorry I haven't explained myself clearly: there is no option to log on to Windows in Safe Mode.
Even when choosing Safe Mode, on getting to the user select screen and clicking on a user or Administrator, the computer starts logging on and then logs off automatically.

Corrine

Yesterday morning I sent a PM to LS_SteveJ at BBR referring him to this thread but have not received a reply.  I received a PM from so82 that they are looking at this MS KB Article:  http://support.microsoft.com/default.aspx?scid=kb;en-us;892893#kb3

The LS KB article is here:  http://www.lavasofthelp.com/articles/v6/04/06/0901.html

The draft that SpyDie and others helped me prepare when this occurred with SE is pasted below.  Anyone have any advice for so82?

This was for Blazefind/wsupdater.exe:

Quote: Lavasoft Knowledge Base Article
Unable to Log On To Windows XP After Removing wsaupdater.exe

SYMPTOM
After removing wsaupdater.exe from BlazeFind using Ad-Aware SE and Definition File SE1R8 13.09.2004 or SE1R9 23.09.2004, the ability to log on to the system may be compromised.

CAUSE
This file edits an area of the registry, and Ad-Aware SE is unable to correct this registry change.  The registry item changed is

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

    Value: Userinit

    Data:  %system32%\wsaupdater.exe

%system32% represents the path to the System32 folder.  For example, if the path is C:\Windows\System32, then the data would be

    C:\Windows\System32\wsaupdater.exe

Instead of wsaupdater.exe, the data should contain userinit.exe, (with the trailing comma).  Using the example above, the data would be

    C:\Windows\System32\userinit.exe,

Note the comma following the file path information.


RESOLUTION

In the following instructions, C:\Windows\System32 shall be used as the System32 location.  Change the path accordingly to accommodate for your installation directory. 

First it is necessary to go to the recovery console.  If you are unsure of how to get to recovery console please see http://www.lavasofthelp.com/articles/v6/04/06/0901.html  for .

At the recovery console, it is necessary to replace the software hive with a previous good backup. It should look something like this:

C:\windows>cd system32\config
C:\windows\system32\config>ren software software.old
This renames the current software hive to software.old
C:\windows\system32\config>copy C:\windows\repair\software

It should indicate: "1 file(s) copied"

NOTE: After the next step, remove the CD, then boot into safe mode. If you do not boot into safe mode in Windows XP, it may prompt you to reactivate and you may not be able to get into Windows.

C:\windows\system32\config>exit

Now hit the F8 key and boot into safe mode. Logon to the administrator account when you reach the Welcome screen.

The next step is to edit the old registry to change the path to the userinit.exe file:

Open regedit.exe.
Highlight HKEY_LOCAL_MACHINE (note: this is important; if you do not highlight this, the next step will not work).
Go to File - Load Hive...

Select your old registry file, which should be in C:\windows\system32\config\software.old.
It will ask you what to name it; if you don't understand, just type "test".

Navigate to the following:
HKEY_LOCAL_MACHINE\<what you named this in the previous step>\microsoft\windows nt\currentversion\winlogon
Look at what the Userinit value is. It is likely something like %system32%\userinit.exe, which is invalid.

Next, change the value to read C:\windows\system32\userinit.exe,

Now close the registry editor, and go back to recovery console to put your original registry back.  It should look like this:
C:\windows>cd system32\config
C:\windows\system32\config>del software
C:\windows\system32\config>ren software.old software
C:\windows\system32\config>exit

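The Userinit corruption the KB article above describes can be checked offline from a .reg export of the Winlogon key. The following Python is an added example, not part of this thread or of Lavasoft's fix; it uses a constructed sample export and assumes the System32 path C:\Windows\System32 from the article.

```python
import re

# Expected Userinit data for an XP install whose System32 is C:\Windows\System32
# (path taken from the KB article; adjust for other install directories).
EXPECTED_USERINIT = r"C:\Windows\System32\userinit.exe,"

# Constructed sample .reg export of the Winlogon key, showing the wsaupdater.exe
# replacement the KB article describes (sample data, not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\System32\\wsaupdater.exe"
"""


def parse_winlogon_values(reg_text):
    """Return a name -> data dict of the string values under the Winlogon key."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(r"\currentversion\winlogon]")
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_key and m:
            # .reg exports write each backslash in a path as a doubled backslash
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def check_userinit(values, expected=EXPECTED_USERINIT):
    """Return a list of findings; an empty list means Userinit looks healthy."""
    data = values.get("Userinit")
    if data is None:
        # The case steviej hit: no value at all, so logon loops straight to logoff
        return ["Userinit value is missing: logon will immediately log off again"]
    findings = []
    if "%system32%" in data.lower():
        findings.append("unexpanded %system32% placeholder: Winlogon cannot run this path")
    if not data.endswith(","):
        findings.append("trailing comma missing (expected data ends with 'userinit.exe,')")
    for entry in filter(None, (e.strip() for e in data.split(","))):
        if entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            findings.append("unexpected program in Userinit: " + entry)
    if not findings and data.lower() != expected.lower():
        findings.append("Userinit path differs from expected: " + data)
    return findings
```

Run `check_userinit(parse_winlogon_values(open("winlogon.reg").read()))` against an export of the key to get the list of findings.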

Corrine

Hi, so82.  Sorry for the delay.  Steve wasn't available and didn't receive my message until yesterday and I was unavailable yesterday.  :(  Originally Steve indicated that he thought the KB article above would work.  However, he sent the following message today:

Quote: Hey Corrine... I realise now that the solution on the old knowledge base article is not going to work for this problem... please stand by while we develop a fix

Sorry for the inconvenience

//Steve


winchester73

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

so82


Corrine

I've heard back from SteveJ and he has personally created and tested a fix for the problem.  He'll be sending it along to my personal email shortly.

Many thanks, Steve!


steviej

Hi,

I have a laptop that is suffering from the same symptoms; I can log on but get logged off immediately. This even happens in Safe Mode.

This started happening after a recent Ad-aware update and scan.

Has a fix been created?

TIA

Corrine

Hi, steviej.  Welcome to LzD.  I've sent a link to your post to LS_SteveJ.  He is a member of Lavasoft's Research Staff and I am sure will be addressing the issue.

In the meantime, had you quarantined anything after scanning with the last update?  If so, can you restore from quarantine?  (Launch Ad-Aware SE > click "Open Quarantine List" and select the quarantine from the last dated scan > click Restore.)

After that, please post a full scan logfile.  (If no quarantine, please post a logfile anyway.  :) )

Thank you.


steviej

Hi Corrine,

The problem was a missing userinit value in the registry.

LS_SteveJ helped me add the value and now I am able to log on again.

Thanks.