WARNING: WSAUPDATER

Discussion in 'spyware news and general information' started by Pieter_Arntz, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    New blazefind hijack

    These show up in a HijackThis log as:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the entries and remove the folder
    C:\Program Files\WindowsSA
    and the file
    C:\Windows\System32\wsaupdater.exe

    Credit to Bulldog
     
  2. Pieter_Arntz

    SearchAssistant

    Search Assistant Toolbar Problem

    The log will look something like this:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the above items, then reboot into safe mode and delete:
    C:\Program Files\WindowsSA <= entire folder
    C:\Windows\System32\wsaupdater.exe

    NOTE
    BEFORE rebooting, have them check their system32 folder to see that userinit.exe exists!!

    If necessary they can copy that file from:

    C:\windows\ServicePackFiles\i386\userinit.exe

    to:

    C:\windows\system32\userinit.exe

    If userinit is missing from the system32 folder and the user reboots without the file being replaced...they cannot log back on!!

    More details in the next post.
     
    Last edited: Sep 9, 2004
  3. Pieter_Arntz

    WSAUPDATER

    Do not let the Userinit registry entry be removed by AdAware.

    You will not be able to log back on if you are running XP.
    https://www.wilderssecurity.com/showthread.php?t=35098
    http://www.lavasoftsupport.com/index.php?showtopic=29727&st=0

    First fix this entry with HijackThis:
    F2 - REG:system.ini: UserInit=E:\Windows\System32\wsaupdater.exe

    Then use AdAware (after a reboot).

    This issue has been resolved in the latest update.

    "The latest reference-file (01R315 06.06.2004) no longer removes wsupater.exe at all, hence no longer creating the logon issue recently discovered."

    So, as always, make sure all the software you use is fully updated.

    Regards,

    Pieter
     
    Last edited: Jun 7, 2004
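
An added example, not part of the original thread: a small Python triage pass over a HijackThis log that flags the two patterns shown in these posts, a UserInit value that launches something other than userinit.exe and IE search settings pointing at an unexpected host. The sample log is constructed from the lines quoted above; the function names and the `trusted_hosts` parameter are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample, assembled from the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
"""

LINE = re.compile(r"^([A-Z]\d+) - (.*)$")  # "<section code> - <entry>"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def review(log, trusted_hosts=frozenset()):
    """Return (finding, detail) tuples for UserInit and IE search entries."""
    findings = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        code, entry = m.groups()
        if code == "F2" and "UserInit=" in entry:
            # UserInit is a comma-separated list of programs run at logon.
            value = entry.split("UserInit=", 1)[1]
            progs = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in progs if basename(p) != "userinit.exe"]
            if extra:
                findings.append(("userinit-modified", extra))
            if len(extra) == len(progs):
                # userinit.exe is absent from the value: restore it when fixing
                findings.append(("userinit-missing", progs))
        elif code in ("R0", "R1") and " = " in entry:
            url = entry.split(" = ", 1)[1].strip()
            # Some values omit the scheme (see the SearchURL line above).
            host = urlparse(url if "://" in url else "//" + url).hostname
            if host and host not in trusted_hosts:
                findings.append(("search-redirect", host))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

A `userinit-missing` finding is the case the posts warn about: the entry has to be fixed so that userinit.exe runs at logon again, rather than simply deleted.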