Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Winlogon, Userinit, Spoolsv, Svhost... Blue Screen!

  • This topic is locked This topic is locked
3 replies to this topic

#1 s3semantic


  • Members
  • 2 posts
  • Local time:02:37 PM

Posted 17 September 2008 - 11:45 AM


I've never posted here before but I'm hoping someone can help me out. A couple days ago while browsing the internet I got a popup from TeaTimer (Spybot) that the Winlogon value was changed. Old Data = c:\windows\system32\userinit.exe New Data = c:\windows\system32\userinit.exe, c:\windows\system32\oembios.exe. I've been racking my brain trying to figure this out. I obviously click Deny Change whenever it comes up, but my system pretty much stands still. I ran spybot and found the Smitfraud-c.gp and Win32.agent.pz, so I fixed those problems and I think it may have worked as I don't see the svhost.exe in the ...system32\drivers\ folder anymore. After seeing that virus in Spybot and continuing to get the popups from Teatimer I decided I should try closing the svhost files in task manager. I closed a couple of them and then when I closed the tree for the third I got an error message stating there was an error with "DCom server process launcher service", and then a blue screen with unknown hard error. I let it reboot and when Windows finally loaded it went to a blue screen again... same unknown hard error. I went in in Safe Mode and did some checking around. I changed the settings to allow me to choose my logon (admin vs user) and created passwords for both, hoping to stop the virus. That didn't work though. Booting back up I get csrss.exe errors and the teatimer notifies me of Winlogon. I also have a spoolsv process that is running out of control in program manager. Seems to take up a lot of memory and cpu time. There is also a new link in my start menu that says "heal yourself for $8,500" or somewhere around there. I clicked on it to see where it would take me, but it wouldn't load the site. it kept bringing back up the teatimer for the winlogon. I was able to navigate to yahoo and google and other sites, but not that one. Something is seriously wrong with my system. I am keeping the internet connection off until I can hopefully get it fixed out of fear that my personal information may be being swiped. Could someone please give me some direction.

P.s. I'm going to try and do a hjt log, but I don't have hjt installed on the pc and i'm afraid to connect to the internet. Please help. Thanks.


Edited by s3semantic, 17 September 2008 - 11:47 AM.

BC AdBot (Login to Remove)


#2 cryptodan


    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:06:37 PM

Posted 17 September 2008 - 11:52 AM

You can also go to safe mode with networking download it there, and then reboot and install it.

#3 hamluis



  • Moderator
  • 56,265 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:37 PM

Posted 17 September 2008 - 01:39 PM

BleepingComputer.com - Am I infected What do I do - http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,009 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:37 PM

Posted 18 September 2008 - 05:47 PM

Hello s3semantic and welcome to BC :thumbsup:

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/170059/mcafee-blocked-browser-redirectdeny-oembiosexe/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:

1) Have this thread reopened and the HiJack This log topic deleted


2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users