WARNING: WSAUPDATER

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    New blazefind hijack

    These show up in a HijackThis log as:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.blazefind.com/search.php?search=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.blazefind.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.blazefind.com/search_page.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the entries and remove the folder
    C:\Program Files\WindowsSA
    and the file
    C:\Windows\System32\wsaupdater.exe

    Credit to Bulldog
  2. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    SearchAssistent

    Search Assistant Toolbar Problem

    The log will look something like this:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

    O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

    Fix the above items, then reboot into safe mode and delete:
    C:\Program Files\WindowsSA <= entire folder
    C:\Windows\System32\wsaupdater.exe

    NOTE
    BEFORE reboot have them check their system32 folder to see that userinit.exe exists!!

    If necessary they can copy that file from:

    C:\windows\ServicePackFiles\i386\userinit.exe

    to:

    C:\windows\system32\userinit.exe

    If userinit is missing from system32 folder and the user reboots without the file being replaced...they cannot log back on!!

    More details in the next post.
    Last edited: Sep 9, 2004
  3. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    WSAUPDATER

    Do not let the Userinit registry entry be removed by AdAware.

    You will not be able to log back on if you are running XP.
    http://www.wilderssecurity.com/showthread.php?t=35098
    http://www.lavasoftsupport.com/index.php?showtopic=29727&st=0

    First Fix this entry with HijackThis:
    F2 - REG:system.ini: UserInit=E:\Windows\System32\wsaupdater.exe

    Then use AdAware (after a reboot).

    This issue has been resolved in the latest update.

    "The latest reference-file (01R315 06.06.2004) no longer removes wsupater.exe at all, hence no longer creating the logon issue recently discovered."

    So. As always, make sure every software you use is fully updated.

    Regards,

    Pieter
    Last edited: Jun 7, 2004
Thread Status:
Not open for further replies.