Greetings to the forum.
Our home PC is stuck in a login/logoff loop due to a malware infection (which modified the Userinit entry in the registry) and I've been directed here by Charles from the HJT Team for expert assistance with this issue. Thus thank you so much already for any and all help.
I'll paste next my original initial post at the HJT Forum. (I tried to cut out some possibly irrelevant details for the analysis of the problem here. I apologise, though, for it's still a rather longish post... As I apologise if there are still any possibly unimportant details still included. On the other hand, for any further details if needed, do please refer to my original initial post at the HJT Forum.)
A couple weeks back, I was to find our home PC (running XP SP2) infected with a banker trojan.
Symptoms of the banker trojan were:
A fake message being displayed (when the blue screen for the desktop loads but still before any icon has appeared) saying that Adobe FlashPlayer 9 ActiveX was being installed. The window message had a cancel button and an installation progress bar which however was static at less than half way through completion.
WinPatrol warning of unsrvc.exe attempting to set as a startup entry.
Sygate Firewall warning of unsrvc.exe attempting to connect to spectrum.iitalia.com (220.127.116.11) on port 80 / HTTP protocol.
(unsrvc.exe was located in C:\WINDOWS\system32\.)
I denied each warning at once, of course. Then again, note that, when denying unsrvc.exe to set as a startup entry via WinPatrol, that would cause that fake message window of FlashPlayer being installed to be closed. Also, still regarding this message window, I did never click its cancel button nor the [X] to close it, since I didn't know whether those might just have some twisted function and instead of cancelling/closing the message window, it might instead fire up some other unwanted/malicious process/action. So, just to be on the safer side, I always got that to close from the WinPatrol warning.
As every other time I was to deal with malware infections, so I started out with the preliminary cleaning. Cleaned out all temp files (with CCleaner) which at once deleted one of the malware files, flash_wizard.exe, which was stored among the temporary internet files.
Next ran Ad-Aware + SpyBot + AVG Anti-Spyware + SuperAntiSpyware, all in Safe Mode. (A note, to say that, as I booted to Safe Mode, even then the fake message window of FlashPlayer being installed appeared. I checked on Windows Task Manager, and unsrvc.exe was among the processes running. As I didn't want to risk closing the message window by hitting its cancel button or [X], so I chose to terminate the unsrvc.exe process via Task Manager. This indeed caused the message window to close.)
I rebooted back to Normal Mode afterwards. As none of those previous anti-spyware scans had however detected the banker trojan, unsrvc.exe, obviously the fake message window of FlashPlayer being installed still appeared, as so unsrvc.exe was still present as well, of course. When I first took notice of the infection, as per usual at once I submitted the suspicious files for analysis at virustotal.com, and by then, actually not many of the scanners detected unsrvc.exe. So I held on a couple days more, and then ran a new scan on the file. More scanners detected it now, including Panda, so I proceeded to run Panda's online ActiveScan. It found and disinfected 3 items, all of which it reported as being the same malware/infection: unsrvc.exe, install_flash_player.exe which was stored on My Documents (and which, as I had previously checked, also had the same creation/modification date/time as unsrvc.exe, though a different size, which I presume must have been the program which my brother initially ran and which got the trojan installed), and yet sysstr.sys on C:\WINDOWS\. So, after this cleaning by Panda, I went for a new reboot. My intention was to follow up with a couple other online antivirus scans (F-Secure and Kaspersky) to check if and what else might still be left, yet I thought of rebooting after this cleaning by Panda, also to run a new HJT scan, to check if the entries referring to unsrvc.exe were also already gone by now.
(There was, for sure, at least this entry: F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\unsrvc.exe -runservice. Can't say for sure whether there was also this other: O4 - HKLM\..\Run: [unsrvc] C:\WINDOWS\system32\unsrvc.exe -runservice; sincerely I can't recall it, and then, after all the many similar logs I've gone through in my search for helpful hints over the forums, honestly I can't confirm it anymore, whether this entry was on my own HJT log or not, I'm sorry... Though I'm also in doubt about it, cos of WinPatrol; I mean, if denying unsrvc.exe's attempt to set as a startup entry, is it possible that that entry in the registry would still be created nonetheless? Or does it all depend on whether WinPatrol detects that in time to prevent such entry from being created or not? Hmm, that wouldn't make WinPatrol all too efficient for such a purpose, then, or?... This really has caused me some doubt, all of a sudden... Then again, I also am not certain whether C:\WINDOWS\system32\unsrvc.exe appeared as a running process on my HJT log, shamefully I haven't taken notice of this detail... As I was saying above, I don't recall having confirmed it, in Task Manager, whether unsrvc.exe kept running after closing the fake message window for FlashPlayer via WinPatrol, thus I'm not certain whether the process would still be running when the HJT scan was run... I'm also in doubt seeing that Panda was able to delete the file; would it be possible that Panda had deleted unsrvc.exe in case it was a running process?)
Thing is, when rebooting after this cleaning by Panda, the computer got stuck in the login screen. (Note that, previously, it was not set for no login screen, it would enter Windows directly and load the desktop after the welcome screen.) And as attempting to login, it just automatically logged off again. It would only say "loading your personal definitions", show the blue background (as when it's about to load the desktop) for only a couple seconds, and then automatically logoff, saying "saving your personal definitions", and that was it. And this would happen even in Safe Mode. So, I'm just stuck in this login/logoff loop, and wondering of what step to take next?...
(After some research, I understand now that this is caused by UserInit currently referring to C:\WINDOWS\system32\unsrvc.exe for login, instead of to C:\WINDOWS\system32\userinit.exe as it should, and as that file C:\WINDOWS\system32\unsrvc.exe isn't there anymore since Panda had it deleted, this causes the loop and the impossibility to login at all, correct? I wasn't at all aware of the importance of this UserInit detail, otherwise I wouldn't have dared to proceed with even the preliminary cleaning without asking for guidance from the start... Guess it goes to show that it may just not always be the most advisable, to start off with such preliminary cleaning on our own, to only then come for expert help at the forum... Also I always thought that any antimalware/antivirus scanner would also always "take care" of any related correction necessary to be made to the registry when removing malware, I always trusted this was how "things worked"?... Just painfully learned otherwise, so I see...)
And back to the start then, back to our home PC stuck in the login/logoff loop (which is also my main concern after all), what step must I take next, then, in order to solve this situation, I wonder?... When I was first faced with the situation, at once I panicked, as at once my thought was that this was certainly a "no return" situation, and so I thought that the only "solution" to such a case should inevitably be having to format C:\... Moreover, after some research for other cases of such trojan infection, the few pages found by the time also didn't sound too cheering (various other users had too come to the same login/logoff loop, and eventually ended up formatting; even a helper in a forum plainly replied to someone "if you can't start the system, then I see no other solution than to format")...
(At once, at this point, a doubt came up, and I wonder if it's ok to share it here?... Well, you see, this computer was bought second-hand and, while it has only one physical hard-drive, there were two "local disks" on My Computer, disk C:\ and disk F:\. I suppose then that those were two partitions in which the physical hard-drive must have been "divided" when it was prepared for installing the OS... correct?... I really am pretty much lay when it comes to the "computer's world", so I only hope I'm not actually saying nonsense words, sorry if I am... So, my doubt here was: in such a case that one would have to format the partition in which the OS is installed in order to re-install the OS afterwards, and in this specific case that partition being C:\; in such a case, when formatting C:\, would that cause also the contents of, in this specific case, F:\ to be erased/lost as well, or?... I do really wonder... From what I've been reading, from what I can understand, I believe the answer to my question is "no"; no contents of any other partition are erased/lost, other than those of the partition which is formatted... correct?... Yet, as I just ain't 100% certain, so I thought I'd take the chance to share the doubt here, in hope for a straight-forward "yes or no" answer... Or, isn't this actually a straight-forward "yes or no" answer kind of matter?... )
By the time I also considered to choose to "reset" the system to the "last known good configuration" (from the startup menu one gets when hitting F8 on boot). But then, as every other case I had read about of other users who had the same infection and had also tried this option, seemingly that didn't work for anyone, so I dropped the thought myself too... (Also, as I've never tried this before, and wasn't quite even sure of whether that might do good or eventually wrong to "my case", I didn't feel all too confident to try it anyway... Should I still?...)
Thankfully though, as time passed on and more similar topics popped up around, I could learn that there may be a chance that formatting C:\ may not be so inevitable after all... (Fingers crossed here!) I came across a few "fix alternatives", as follows:
Suggested by the site admin on this other Internet Security dedicated forum is to use the boot CD available from the site above in order to be able to edit the registry and change the necessary value for Userinit. According to the instructions in that post, (also see the detailed walkthrough-guide on using this boot disk for instructions on each preceding step), upon loading the SOFTWARE part of the registry (which is the part including the Winlogon\Userinit key and thus the one needed to be loaded for editing) and "entering" the registry editor, one must write on the prompt >
cd Windows NT
(I take it that these sequential "cd" commands is for changing from one key level to another in order to get us to the Winlogon key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, where there's Userinit which we want to edit, thus the "ed" for Userinit there, correct? My only doubt is regarding the "Windows NT" in there... cos of the space between "Windows" and "NT"... are spaces allowed in such command line prompts, or?...)
It is said that at this point the value for Userinit should be displayed, yet, since it's corrupted, nothing should appear. One should then just write:
(Which I take it is for editing/changing the current value for Userinit, the malicious unsrvc.exe -runservice, for the necessary default userinit.exe, correct? I wonder, though, what should one do in the event that a value for Userinit is displayed initially, upon entering the command "ed Userinit" before?...)
And then follow the prompts, in order to save the changes, and reboot.
So I wonder, should this be a/the method to consider, or?... (It seems to be pretty much straight-forward... Anyone by chance "familiar" with this boot disk?...) Please advise.
Instructions here are to apply the provided reg fix by using BartPE boot CD. Should this be a/the preferred method? (I'm not familiar with using BartPE boot CD either... Though I'm well aware that this is pretty much the "reference boot disk" for mostly everyone! Only "hesitation" for me here is that, for going for this, I would still have to create the XP CD slipstreamed with SP2, since the CD we have is of XP without SP2... Oh dear, I wonder only if I'm capable of doing this "procedure" successfully... Hmm, maybe it's just better to try to ask any friend who may have a XP CD including SP2 already, for lending it to us for this... Or, can't it be done with a borrowed CD?...)
Down the page there's also reference to dealing with such a login/logoff loop. Instructions there do not refer specifically to the malicious file I'm dealing with myself, yet, assuming that those may be adapted to my case (don't know if they may at all, though?), would this also be a/the method to consider, or?... (Two doubts here. At once: seen that the computer runs XP SP2, can the XP CD be used for launching the Recovery Console? Or does it too have to be a XP CD with SP2?... And also: what about the Run key also referring to unsrvc.exe? What would happen then, if copying the file userinit.exe as unsrvc.exe, in this case that this Run key exists, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > "unsrvc"="C:\\WINDOWS\\system32\\unsrvc.exe -runservice"? Would or might this cause any problem, or?...)
(Ed.: Reference to this is also found in the following Microsoft article: http://support.microsoft.com/kb/892893)
I do have ERUNT installed in our home PC. Don't actually have it set for making a backup on each boot, but, I do make backups regularly, so there should be a backup recent enough for restoring the registry to a state previous to the infection, in order to get those unsrvc.exe-related entries fixed and thus consequently the login/logoff loop as well (correct?). So, ERUNT being an option for me, should this be a/the preferred method after all? (Also never used ERUNT for restoring the registry before... But heck, any time has to be the first, right? My doubt here is: the "Recovery Console method" is no valid option for my case, seeing that, according to the ERUNT instructions, "Note that you can use this method only if you saved the registry backup inside the Windows folder, and that using this procedure only the system registry is restored.", and, while I do indeed have the registry backups saved inside the Windows folder as by default, the part of the registry which I need restored is the SOFTWARE part and not the SYSTEM one, and therefore the "Recovery Console method" just wouldn't do, in my case, correct? Thus the "BartPE method" is then the one I should go for, right? A doubt here too: seeing that the SOFTWARE part of the registry is the one we want fixed, would it then be ok/advisable to restore only that part of the registry, the SOFTWARE part? Or is it just best/advisable to simply restore the registry in full? One last general/basic doubt: if the registry is restored to a date previous to, for example, some legit program having been installed, then chances are that that program will afterwards be "broken"/not function, correct? I mean, hmm, I don't think that should be my case, as I don't think I have installed any program after the last registry backup, but still anyway... Thought of asking, just to know it, for reference for any future time...)
So, to sum it up:
After a preliminary cleaning, the home PC got "stuck" in login/logoff loop. What to do in order to "recover" it from such login/logoff loop (to then proceed with removing the remainder of the trojan infection)?
I do thank you in advance for all of your patience with my "case" (and with all of my questioning and doubts and sometimes perhaps even confusing explanation of things) as much as I truly appreciate all guidance/help you may please provide to hopefully solving it.
(And yet I do as well apologise for the rather long post, and all the many details included, some even perhaps useless, I don't know, but in any case I thought I'd detail it all the most I could, hoping that it may be of help, who knows, to any other users "googling" for helpful hints in any such similar case as mine... Thank you for your understanding, and again, patience, overall.)
Note: Per Charles' request, I have by now tried the "last known good configuration" boot option. Yet, as we were anticipating, it did not work in the end.
Also, by now, I've come to a couple more links which I wonder if may be of help too?...
How to edit the registry offline using BartPE boot CD > http://windowsxp.mvps.org/peboot.htm
Ultimate Boot CD for Windows > http://www.ubcd4win.com (referred in this BC post)
How to start the System Restore tool at a command prompt in Windows XP > http://support.microsoft.com/kb/304449 (referred in this BC post)
In short words: I'm somewhat lost, as to what to do, and what should be best to do. I so would most appreciate your advising on what should be the following step to try. What way would you recommend be best (and possibly/hopefully easiest) to try to recover from this login/logoff loop situation? Would you recommend that I go for any of those solution options as referred in my initial post? Or would you actually recommend yet any other alternative procedure? I'd truly very much appreciate your guidance with regards to this matter, thank you so much, once more.
P.S. Just to add that this is no brand computer (I mean, it's not an HP or Compaq or Dell etc). (Reading other threads, I see that this is usually something which you ask at once, so I thought I'd mention it.) Also, if there's any further detail needed about the computer, which I can provide?...
Edited by DeLuk, 24 January 2008 - 07:26 AM.
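The post above turns on one registry detail: the Winlogon Userinit value points at a file that no longer exists, so every logon is followed by an immediate logoff. The following script is an added example written for this thread; it is not code from the original post, from the HJT team, from ERUNT or from any of the boot CDs mentioned. It audits the Userinit value and the Run key that the post names, either on the live machine or on a SOFTWARE hive loaded from an offline Windows installation (the situation one is in from a BartPE/WinPE boot), and reports any referenced executable that is missing. The parameter names, the temporary mount name `HKLM\Offline`, and the known-good Userinit string for Windows XP are assumptions stated in the comments. It needs an elevated PowerShell session.

```powershell
# Added example for the thread above (not the post's own code).
# Audits HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
# and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, on the live registry
# or on an offline SOFTWARE hive. Run from an elevated PowerShell prompt.
param(
    # Assumed parameter: path to an offline SOFTWARE hive file, e.g.
    # D:\Windows\System32\config\SOFTWARE. Leave empty to audit the live system.
    [string]$HivePath = "",
    # Assumed parameter: when set, write the known-good Userinit value back.
    [switch]$Repair
)

# Default Userinit value on Windows XP: the real userinit.exe followed by a comma.
$ExpectedUserinit = "C:\WINDOWS\system32\userinit.exe,"

$root = "HKLM:\SOFTWARE"
$offlineDrive = $null
if ($HivePath) {
    # Mount the offline hive under an arbitrary name ("Offline" is an assumption).
    & reg.exe load "HKLM\Offline" $HivePath | Out-Null
    $root = "HKLM:\Offline"
    # Paths inside the hive refer to the offline Windows drive letter; remap
    # them onto the drive the hive file was read from so Test-Path is meaningful.
    $offlineDrive = (Split-Path -Qualifier $HivePath)
}

# Returns the executable path referenced by a startup value, dropping arguments
# (such as the "-runservice" seen in the post) and remapping the drive offline.
function Get-ReferencedExe([string]$value) {
    $v = $value.Trim()
    if ($v.StartsWith('"')) { $exe = $v.Substring(1).Split('"')[0] }
    else { $exe = ($v -split '\s+')[0] }
    if ($offlineDrive) { $exe = $exe -replace '^[A-Za-z]:', $offlineDrive }
    return $exe
}

try {
    $winlogon = Join-Path $root "Microsoft\Windows NT\CurrentVersion\Winlogon"
    $runKey   = Join-Path $root "Microsoft\Windows\CurrentVersion\Run"

    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction Stop).Userinit
    Write-Host "Userinit = '$userinit'"
    if ($userinit -ne $ExpectedUserinit) {
        Write-Warning "Userinit differs from the expected default '$ExpectedUserinit'"
    }

    # Each comma-separated entry is started by Winlogon at logon. A missing
    # file here is exactly the loop described in the post: nothing starts the
    # shell, so the session logs off again at once.
    foreach ($entry in ($userinit -split ',' | Where-Object { $_.Trim() })) {
        $exe = Get-ReferencedExe $entry
        if (Test-Path -LiteralPath $exe) { Write-Host "  OK       $exe" }
        else { Write-Warning "  MISSING  $exe  (this causes the login/logoff loop)" }
    }

    # Run-key entries: list each one and flag those whose file does not exist.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $exe = Get-ReferencedExe ([string]$p.Value)
            $state = if (Test-Path -LiteralPath $exe) { "OK     " } else { "MISSING" }
            Write-Host ("  Run\{0,-12} {1} {2}" -f $p.Name, $state, $p.Value)
        }
    }

    if ($Repair -and $userinit -ne $ExpectedUserinit) {
        # Restore the default so Winlogon starts the real userinit.exe again.
        Set-ItemProperty -Path $winlogon -Name Userinit -Value $ExpectedUserinit
        Write-Host "Userinit reset to '$ExpectedUserinit'"
    }
}
finally {
    # Always unload the offline hive, otherwise the file stays locked.
    if ($HivePath) { & reg.exe unload "HKLM\Offline" | Out-Null }
}
```

Run it without parameters on a working machine to see the expected output, or with `-HivePath D:\Windows\System32\config\SOFTWARE` from a boot CD where the broken installation is mounted as D:. `-Repair` only changes the Userinit value and leaves the Run key alone, matching the post's own reasoning that the loop is caused by Userinit alone; a stale Run entry pointing at a deleted file is reported but is harmless to logon.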