JSI Tip 9123. You cannot log on to Windows XP after you remove Wsaupdater.exe spyware?

Jerold Schulman

March 6, 2005


When you use Ad-Aware 6 Build 181 and reference file 01R314 02.06.2004 or 01R320 19.06.2004 to remove Wsaupdater.exe from BlazeFind, a helper object for your Internet Explorer browser, you cannot log on to Windows XP.

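Wsaupdater.exe is spyware. It works by replacing Userinit.exe at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit with Wsaupdater.exe. Once the file is removed, that value still names Wsaupdater.exe, so the logon process has nothing to launch.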

I have scripted DelWsaupdater.bat to remove Wsaupdater.exe and correct the userinit Value Name, after you use the Recovery Console to allow your system to boot.

To fix this problem:

01. Insert the Windows XP CD-ROM into your CD-ROM or DVD-ROM drive, and restart your computer.

02. When you see the Press any key to boot from CD message, press the space bar, or similar key.

03. Press R on the Welcome to Setup screen to start the Recovery Console.

04. When prompted, type the number of the failing installation you want to access and press Enter.

05. When prompted, type the Administrator password and press Enter.

06. In the Recovery Console command window, type the following commands, pressing Enter after each line:

cd system32
copy userinit.exe wsaupdater.exe
exit

07. Remove the Windows XP CD-ROM and restart your computer.

08. Open a CMD.EXE window.

09. Type the following commands, pressing Enter after each line:

DelWsaupdater
exit

NOTE: del /q "%systemroot%\System32\wsaupdater.exe" will fail.

10. Shut down and restart your computer.

11. Open a CMD.EXE window.

12. Type the following commands, pressing Enter after each line:

DelWsaupdater
exit

DelWsaupdater.bat contains:

@echo off
setlocal
set key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
@echo %key%
rem Show the current userinit value before changing it.
for /f "Tokens=*" %%a in ('reg query %key% /V userinit^|FIND "REG_SZ"') do (
 @echo %%a
)
@echo.
rem Point userinit back at the genuine Userinit.exe.
@echo reg add %key% /V userinit /T REG_SZ /F /D "%systemroot%\System32\userinit.exe,"
reg add %key% /V userinit /T REG_SZ /F /D "%systemroot%\System32\userinit.exe,"
@echo.
rem Delete the Wsaupdater.exe file.
@echo del /q "%systemroot%\System32\wsaupdater.exe"
del /q "%systemroot%\System32\wsaupdater.exe"
endlocal
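
To confirm the repair, or to check saved `reg query ... /V userinit` output from other machines for the same hijack, the value can be compared with the expected default. The following Python sketch is an added example, not part of the original tip; the function names, the sample outputs and the assumed %SystemRoot% of C:\WINDOWS are constructed for illustration.

```python
import ntpath
import re

# Assumption: default Windows XP install path; pass the host's real value if it differs.
DEFAULT_SYSTEMROOT = r"C:\WINDOWS"

# Constructed samples of `reg query` output (not captured from a real host).
HIJACKED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    userinit    REG_SZ    C:\WINDOWS\system32\wsaupdater.exe,
"""
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    userinit    REG_SZ    C:\WINDOWS\System32\userinit.exe,
"""

def parse_userinit(reg_output):
    """Return the data of the userinit value from reg query output, or None."""
    pattern = r"\s*userinit\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$"
    for line in reg_output.splitlines():
        m = re.match(pattern, line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def normalize(entry, systemroot):
    """Strip quotes, expand %SystemRoot%, and canonicalise case and separators."""
    entry = entry.strip().strip('"')
    # A callable replacement keeps the backslashes in systemroot literal.
    entry = re.sub(r"%systemroot%", lambda _: systemroot, entry, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(entry))

def audit_userinit(reg_output, systemroot=DEFAULT_SYSTEMROOT):
    """Return every userinit entry that is not userinit.exe in System32."""
    data = parse_userinit(reg_output)
    if data is None:
        return ["<userinit value missing>"]
    expected = normalize(ntpath.join(systemroot, "System32", "userinit.exe"), systemroot)
    # The value is a comma-separated list; the default ends with a trailing comma.
    entries = [e.strip() for e in data.split(",") if e.strip()]
    if not entries:
        return ["<userinit value empty>"]
    return [e for e in entries if normalize(e, systemroot) != expected]

if __name__ == "__main__":
    for name, sample in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(name, audit_userinit(sample) or "OK")
```

An empty list means the value holds only the genuine Userinit.exe; anything returned is an entry to investigate before the next logon.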


