You edited your first post today and I don't recall what was added or changed. When posting for help you should not do that as it causes confusion.
Did you reinstall Windows to this location? C:\WINDOWS.0
Windows should be located in C:\WINDOWS if installed properly.

smss.exe is the session manager subsystem process which is responsible for starting the user session. It is initiated by the system thread and is responsible for various activities including launching the Winlogon and Csrss.exe processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down; if it happens unexpectedly, the system stops responding. Besides performing a number of key system initialization steps, the session manager acts as a switch and monitor between applications and debuggers. The legit smss.exe file is located in the C:\Windows\System32 folder.

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. The legit csrss.exe file is located in the C:\Windows\System32 folder.

lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). This process is important for stable and secure operation of your system and should not be terminated. The legit lsass.exe file is located in the C:\Windows\System32 folder.

svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs). This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services. The legit svchost.exe file is located in the C:\Windows\System32 folder.

Wmiprvse.exe is Windows Management Instrumentation, a process that provides management information and control in an enterprise environment and deals with WMI operations through WinMgmt.exe. WMI resides in a shared service host with several other services. Multiple instances of Wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService, or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe. The legit wmiprvse.exe file is located in the C:\Windows\System32\WBEM folder.
Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program so that it can run automatically each time the computer is booted.

Userinit.exe is related to Microsoft's Userinit Logon Application which specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface.

Userinit is a registry key that specifies what program should be launched right after a user logs into Windows and is responsible for restoring profile, fonts, colors, etc. for your user name. Programs can be added that will launch from the userinit key by separating the programs with a comma. When userinit contains a comma (,) it may or may not be a bad entry. However, when it is linked to another file (i.e. UserInit=userinit,nddeagnt.exe) it is usually bad. This linking allows both programs to run when you log in and is a common place for Trojans, hijackers, and spyware to launch from.
There are some types of malware which can alter the Userinit area in the registry. This can occur if the userinit.exe file has been deleted, infected or corrupted, or the registry keys associated with it may have been deleted or corrupted. This can also occur if you have been using security tools which remove the malicious file but fail to correct the registry modification. When the Winlogon service tries to load the Windows default shell (explorer.exe) and user shell (userinit.exe) from the registry, the machine will no longer boot properly. As a result, when you try to log in to Windows and the "Loading Personal Settings" message appears, the computer will suddenly log off in a continuous loop when making repeated attempts to log back into the system.
Malware (such as a malicious lsass.exe) which causes LSA (Local Security Authority) Shell and RPC (Remote Procedure Call) failure can result in the 60-second shutdown message. LSA generates the process responsible for authenticating users for the Winlogon service and is used to validate logon for local and remote users. The presence of a rootkit infection can also cause similar symptoms.
When you get a message that the system is shutting down, follow these steps to stop the cycle:
- Press the Windows Key + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
- Click OK or press Enter.
- At the command prompt C:\>, type: shutdown -a
- Press Enter.

Vista users can refer to these instructions:
- How to Enable Run Command in Vista
- How to Run a command prompt as an Administrator
That should give you enough time to run Rkill and rescan immediately afterwards with Malwarebytes. Rkill terminates malware processes which target your security tools and keeps them from running or completing a scan.
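The two checks the post describes (is each core process running from the folder where the legitimate file lives, and does the Winlogon Userinit value carry an extra comma-separated program) can be scripted. The script below is an added example, not part of the original post or of any tool it mentions. It assumes an elevated PowerShell 3.0 or later session (non-elevated sessions cannot read the image path of protected processes such as smss.exe and csrss.exe) and reads the Windows folder from $env:SystemRoot rather than hard-coding C:\Windows, so it also works on an install that ended up in C:\WINDOWS.0. The expected-folder table, the "OK"/"SUSPECT" labels and the variable names are the example's own choices.

```powershell
# Added example (not from the original post): compare each core process's image path against
# the folder the legitimate file lives in, then inspect the Winlogon Userinit and Shell values.
# Run from an elevated PowerShell prompt.

$sys32 = Join-Path $env:SystemRoot 'System32'
# Folders the post names for each legitimate file (wmiprvse.exe lives under System32\wbem).
$expected = @{
    'smss.exe'     = $sys32
    'csrss.exe'    = $sys32
    'lsass.exe'    = $sys32
    'svchost.exe'  = $sys32
    'userinit.exe' = $sys32
    'wmiprvse.exe' = (Join-Path $sys32 'wbem')
}

Write-Output '== Process image paths =='
foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $name = $p.Name.ToLower()
    if (-not $expected.ContainsKey($name)) { continue }

    if ([string]::IsNullOrEmpty($p.ExecutablePath)) {
        # No path returned usually means access denied to a protected process, not an infection.
        Write-Output ("{0,-13} PID {1,-6} path not readable (run elevated)" -f $name, $p.ProcessId)
        continue
    }

    $dir = Split-Path -Path $p.ExecutablePath -Parent
    if ($dir -ieq $expected[$name]) {
        Write-Output ("{0,-13} PID {1,-6} OK       {2}" -f $name, $p.ProcessId, $p.ExecutablePath)
    } else {
        # Same name as a critical system file, but running from a different folder: the hiding
        # trick the post describes.
        Write-Output ("{0,-13} PID {1,-6} SUSPECT  {2} (expected folder {3})" -f $name, $p.ProcessId, $p.ExecutablePath, $expected[$name])
    }
}

Write-Output '== Winlogon values =='
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$props    = Get-ItemProperty -Path $winlogon
Write-Output ("Userinit = {0}" -f $props.Userinit)
Write-Output ("Shell    = {0}" -f $props.Shell)

# Userinit is comma-separated. A lone trailing comma after userinit.exe is normal; a second
# entry (e.g. userinit.exe,nddeagnt.exe) is an extra program Winlogon will also launch at logon.
$entries = @($props.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($entries.Count -eq 0) {
    Write-Output 'SUSPECT  Userinit is empty; Winlogon has nothing to start the user session with'
} elseif ($entries.Count -gt 1) {
    Write-Output ("SUSPECT  extra Userinit entries: {0}" -f ($entries[1..($entries.Count - 1)] -join ', '))
}
# A Userinit entry that points at a missing file is the logoff-loop condition described above.
if ($entries.Count -ge 1 -and -not (Test-Path -Path $entries[0])) {
    Write-Output ("SUSPECT  first Userinit entry does not exist on disk: {0}" -f $entries[0])
}
if ($props.Shell -ine 'explorer.exe') {
    Write-Output ("SUSPECT  Shell is not explorer.exe: {0}" -f $props.Shell)
}
```

Treat a SUSPECT line as a lead, not a verdict: the script only compares folders. On 64-bit Windows a 32-bit svchost.exe and WmiPrvSE.exe also legitimately run from under SysWOW64 and will be flagged by this strict check, so confirm the flagged file's digital signature and hash before deleting anything.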