Hi,
Yesterday, I used SpyBot Search and Destroy to remove SpywareBot.SpywareStop from 2 Vista machines. After removing the threats from the machines, normal login stopped working. The start-up login screen came up, but the machines shut down as I was typing the password. I was able to log in to Vista using the "last known to be good configuration" feature. I tried unsuccessfully, all sorts of other fixes so today, but since Vista's restore function would not work properly. Today I used SpyBot's restore function and the login began to work again.
Can I roll back changes made by Malwarebytes'? I plan to use Malwarebytes to remove the threats that I restored but am worried that if I can't restore the virus, if the same symptoms occur as did last time, I will have trashed the OS start-up routine.
#1
Posted 21 April 2009 - 12:06 AM
#2
Posted 21 April 2009 - 12:19 AM
All changes made by MBAM are saved in the quarantine so that you can restore them.
Please note that the computer you are working on probably has an issue with Userinit.exe, and that will need to be replaced off of the Vista disk before you reboot.
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#3
Posted 21 April 2009 - 07:37 AM
Thank you!
It would appear that one of the culprits is a file that SpyBot deletes named SpywareStop.srv.exe. It would seem that if this file is removed normal Vista logins (and perhaps restores) fail.
#4
Posted 21 April 2009 - 06:17 PM
CityKid said:
It would appear that one of the culprits is a file that SpyBot deletes named SpywareStop.srv.exe. It would seem that if this file is removed normal Vista logins (and perhaps restores) fail.
Yea, the registry entry from Userinit.exe was probably pointing at that trojan. Makes the system unbootable when you delete the trojan, so you are forced to restore it. MBAM will restore the registry entry, but you need to make sure that the original Userinit.exe is there before you restart your computer.
#5
Posted 22 April 2009 - 08:57 AM
GT500, on Apr 21 2009, 09:17 AM, said:
Yea, the registry entry from Userinit.exe was probably pointing at that trojan. Makes the system unbootable when you delete the trojan, so you are forced to restore it. MBAM will restore the registry entry, but you need to make sure that the original Userinit.exe is there before you restart your computer.
Thanks for the heads-up with regard to Userinit.exe. I found this on Microsoft's website and though it refers to a different virus on an XP machine (I'm working on a Vista machine) I assume the problem and the registry key could/should be the same: You cannot log on to Windows XP after you remove Wsaupdater.exe
Thanks again!
#6
Posted 22 April 2009 - 08:59 AM
CityKid, on Apr 21 2009, 11:57 PM, said:
Thanks for the heads-up with regard to Userinit.exe. I found this on Microsoft's website and though it refers to a different virus on an XP machine (I'm working on a Vista machine) I assume the problem and the registry key could/should be the same: You cannot log on to Windows XP after you remove Wsaupdater.exe
Thanks again!
OOPS - sorry about the bad link. See: http://support.microsoft.com/kb/892893 , You cannot log on to Windows XP after you remove Wsaupdater.exe
#7
Posted 22 April 2009 - 08:46 PM
Yes, that article tells you how to repair the registry entry, which is something that MBAM will do automatically. Note that Userinit.exe must be present in the System32 folder, otherwise you will have the same problem you did before.
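The pre-reboot check discussed in this thread, as an added example that is not part of any poster's reply: it reads the Winlogon `Userinit` value and confirms that it names the stock `userinit.exe` and that the file is present in System32. The function names and the sample value are constructed for illustration; the script only reads, it changes nothing.

```powershell
# Added example: audit the Winlogon "Userinit" value before rebooting.
# Run from an elevated PowerShell prompt. Read-only.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'

function Get-UserinitEntries([string]$Value) {
    # The value is a comma-separated list of programs run at logon;
    # the stock value ends with a trailing comma, so drop empty items.
    $Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

function Test-UserinitValue([string]$Value, [string]$Expected) {
    $entries    = @(Get-UserinitEntries $Value)
    # String comparison with -ne is case-insensitive in PowerShell.
    $unexpected = @($entries | Where-Object {
        [Environment]::ExpandEnvironmentVariables($_) -ne $Expected })
    New-Object PSObject -Property @{
        Entries     = $entries
        Unexpected  = $unexpected
        HasExpected = ($entries.Count -gt $unexpected.Count)
    }
}

# Live check against this machine.
$current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$result  = Test-UserinitValue $current $expected
$fileOk  = Test-Path -LiteralPath $expected -PathType Leaf

"Userinit value : $current"
"userinit.exe   : " + $(if ($fileOk) { 'present' } else { 'MISSING' })
foreach ($e in $result.Unexpected) { "Unexpected entry: $e" }

if ($fileOk -and $result.HasExpected -and $result.Unexpected.Count -eq 0) {
    'OK: the value names userinit.exe only and the file exists.'
} else {
    'Do not reboot yet: repair the value or restore userinit.exe first.'
}

# Constructed sample value (not taken from the thread) showing a flagged entry.
$sample = "$expected,C:\ExampleDir\example.exe,"
$demo   = Test-UserinitValue $sample $expected
"Sample flagged : " + ($demo.Unexpected -join '; ')
```

If the script reports a missing file or an unexpected entry, the repair steps are the ones in the Microsoft article linked above.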