Windows SA

I tried to download something from the internet (which shall remain nameless) and apparantly loaded a trojan onto my system. Norton caught it, but I guess it installed something called Windows SA.

I accidentally removed it with add/remove programs before I found out that it changes my userinit.exe file. When I rebooted, I tried to log in but Windows just flashed my wallpaper and logged me out automatically. I searched the web and found that I should rename the wsaupdater.exe back to userinit.exe using the recovery console. I couldn't find the wsaupdater.exe file in the directory, and the userinit.exe file was still there.

I then tried to do a repair installation of Windows XP and after it went through the install process, the Windows XP splash screen appears to be loading Windows but I get a split second blue screen and my system just continuously reboots. When I go into safe mode, it starts loading files but a message appears at the bottom of the screen telling me to "Press escape to abort loading...", but it goes too fast to read the file name and pressing escape does nothing. My system just keeps rebooting.

Any ideas other than reinstalling and losing all of my data? Sorry this was so long. Thanks!

 

Windows Search Assistant. Some report this works, others report still having problems:

Cause:
Windows SA replaces userinit.exe used in logon with its own wsaupdater.exe. But uninstalling doesn't revert it back.

some adaware programs may also remove or quarantine wsaupdater.exe thinking that it's harmful.

Fix:
1. Boot using your winxp cd.
2. Enter recovery console.
3. at the command prompt go to

C:/windows/system32

4. next type:

copy userinit.exe wsaupdater.exe

5. exit and reboot normally. You should now be able to logon. But you're not done yet!

6. run regedit

7. find the Userinit key in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

8. modify the entry:

C:\WINDOWS\System32\wsaupdater.exe,

so that it reads:

C:\WINDOWS\System32\userinit.exe,

** Make sure you have the comma!

 

After I booted into the Recovery console and checked out the directory, no wsaupdater.exe was found. The userinit.exe was still there. I tried to login and there was no change even after I copied a new copy of userinit.exe over the existing one. At this point after "repairing" the installation, I can't even get to the login screen.

 

I think the idea at step 4 is to get a legitimate copy of userinit.exe into the system32 folder, but named wsaupdater.exe (whether wsaupdater.exe already exists there or not), as that is what the registry is going to try to run.

 

I have brain farts in the console...how would I create a wsaupdater.exe file if it is not already there?

 

Do like step 4. The command "copy userinit.exe wsaupdater.exe" willl copy the userinit.exe file from the CD to the folder, but with the name wsaupdater.exe. If you do that you will have both a copy of userinit.exe and wsaupdater.exe that are both, in fact userinit.exe. Seems that would be the way to go, since, in re-reading the fix, I am left to wonder what happens after step 8, when one would ostensibly re-boot and have Windows again looking for userinit.exe when it is there, but named wsaupdater.exe.

 

That makes sense to me...I'll try that when I get home tonight and update later. Thanks for the tip!

 

Changing the file name at this point is a lost cause. I threw my other drive into the machine with the SATA capable mother board, booted into ME(this is why I need my good machine), and it didn't see the SATA drive. I haven't added the drivers for the mobo, so I'm hoping that when I do ME recognizes the drive. Then I'll be able to move all of my documents and start over with a fresh install of XP. Seems to be the last resort before losing all of my data.