
USERINIT Altered and REGISTRY INFECTED


  • This topic is locked
8 replies to this topic

#1 thriftgirl62

thriftgirl62

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 10 February 2010 - 11:23 PM

I've tried all the scanners; nothing will start except SpywareBlaster.

Avast won't start at all and it won't let me start the services - it shuts down the program and keeps them stopped.

Malwarebytes will start but stops suddenly after a few minutes.

Virus Effect Remover shuts down suddenly.

Tune-Up Utilities will start but shuts down all the time.

Security Task Manager won't start either or if it does start, it shuts down.

I tried booting in safe-mode but it just freezes.

The blue screen came up 3 times in the past week.

I ran HijackThis yesterday or the day before but I think it gobbled that one up - I can't find it now.

Spybot Search & Destroy was starting but then shuts down - now I don't think it starts either.

Tried Microsoft's Live Scanner and it wouldn't even install the files to make it run.

Now what? Pretty soon I'm going to get crazy and try something dangerous - so HELP is needed...THANKS.

1:50 am ADDED: part of a Process List I got just now...right before it suddenly shut down Chrome. It runs IE way too slow.

smss.exe \SystemRoot\System32\smss.exe

csrss.exe C:\WINDOWS.0\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512

lsass.exe C:\WINDOWS.0\system32\lsass.exe

svchost.exe C:\WINDOWS.0\system32\svchost -k DcomLaunch

svchost.exe C:\WINDOWS.0\system32\svchost -k rpcss

jqs.exe "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program

mdm.exe "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"

wmiprvse.exe C:\WINDOWS.0\system32\wbem\wmiprvse.exe

Edited by thriftgirl62, 11 February 2010 - 04:50 AM.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:28 AM

Posted 11 February 2010 - 08:54 AM

Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. Other types of malware may delete the main mbam.exe executable file during installation or when attempting to perform a scan which results in various errors. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware for using Rkill or downloading a renamed version of mbam.exe.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 thriftgirl62

thriftgirl62
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 11 February 2010 - 10:17 PM

No, Malwarebytes has nothing to do with the problem that started a few days before I even attempted to run Malwarebytes. I only ran that scanner because all the other ones kept being disabled and stopping and now they won't start. Malwarebytes just happened to be the one that still starts but it always gets shut down within 60-120 seconds.

The problem is the REGISTRY is INFECTED and the USERINIT has been ALTERED and did you see all the weird files that I added to the end. Those lrass or whatever they are. Those are in the process list I added above. Do you see those files? Those are the problem. It WON'T re-boot in safe mode. I CANNOT get a scanner to remove the thing that keeps re-loading every time I restart the computer. And just recently the BLUE SCREEN CAME ON.

It said this: PAGE_FAULT_IN_NONPAGED_AREA


The problem is all the processes running and it shut down services and won't let me turn them back on. How do I fix that??

Edited by thriftgirl62, 11 February 2010 - 10:19 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:28 AM

Posted 11 February 2010 - 11:19 PM

You edited your first post today and I don't recall what was added or changed. When posting for help you should not do that as it causes confusion.

Did you reinstall Windows to this location? C:\WINDOWS.0
Windows should be located in C:\WINDOWS if installed properly.

smss.exe is the session manager subsystem process which is responsible for starting the user session. It is initiated by the system thread and is responsible for various activities including launching the Winlogon and Csrss.exe processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down; if it happens unexpectedly, the system stops responding. Besides performing a number of key system initialization steps, the session manager acts as a switch and monitor between applications and debuggers. The legit smss.exe file is located in the C:\Windows\System32 folder.

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem. It is responsible for managing most graphical commands in Windows, console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment. This process is important for stable and secure operation of your system and should not be terminated. The legit csrss.exe file is located in the C:\Windows\System32 folder.

lsass.exe is the Local Security Authentication Server which verifies the validity of user logons to your computer and generates the process responsible for authenticating users for the Winlogon service. The lsass.exe process receives authentication requests from WINLOGON and calls the appropriate authentication package (implemented as a DLL) to perform the actual verification, such as checking whether a password matches what is stored in the SAM (the part of the registry that contains the definition of the users and groups). This process is important for stable and secure operation of your system and should not be terminated. The legit lsass.exe file is located in the C:\Windows\System32 folder.

svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs). This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimise the running of the various services. The legit svchost.exe file is located in the C:\Windows\System32 folder.

Wmiprvse.exe is Windows Management Instrumentation, a process that provides management information and control in an enterprise environment and deals with WMI operations through the WinMgmt.exe. WMI resides in a shared service host with several other services. Multiple instances of Wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService, or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe. The legit wmiprvse.exe file is located in the C:\Windows\System32\WBEM folder.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted.

Userinit.exe is related to Microsoft's Userinit Logon Application which specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface. Userinit is a registry key that specifies what program should be launched right after a user logs into Windows and is responsible for restoring profile, fonts, colors, etc for your user name. Programs can be added that will launch from the userinit key by separating the programs with a comma. When userinit contains a comma (,) it may or may not be a bad entry. However, when it is linked to another file (i.e. UserInit=userinit,nddeagnt.exe) it is usually bad. This linking allows both programs to run when you log in and is a common place for Trojans, hijackers, and spyware to launch from.

There are some types of malware which can alter the Userinit area in the registry. This can occur if the userinit.exe file has been deleted, infected or corrupted, or the registry keys associated with it have been deleted or corrupted. This can also occur if you have been using security tools which remove the malicious file but fail to correct the registry modification. When the Winlogon service tries to load the Windows default shell (explorer.exe) and user shell (userinit.exe) from the registry, the machine will no longer boot properly. As a result, when you try to log in to Windows where "Loading Personal Settings" appears, the computer will suddenly log off in a continuous loop when making repeated attempts to log back into the system.

Malware (such as a malicious lsass.exe) which causes LSA (Local Security Authority) Shell and RPC (Remote Procedure Call) failure can result in the 60 second shutdown message. LSA generates the process responsible for authenticating users for the Winlogon service and is used to validate logon for local and remote users. The presence of a rootkit infection can also cause similar symptoms.

When you get a message that the system is shutting down, follow these steps to stop the cycle:
  • Press the Windows Key + R keys on your keyboard or go to Start > Run..., and in the Open dialog box, type: cmd
  • Click Ok or press Enter.
  • At the command prompt C:\>, type: shutdown -a
  • Press Enter.
-- Vista users can refer to these instructions: How to Enable Run Command in Vista - How to Run a command prompt as an Administrator

That should give you enough time to run Rkill and rescan immediately afterwards with Malwarebytes. Rkill terminates malware processes which target your security tools and keeps them from running or completing a scan.
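The two checks quietman7 describes in the post above (a known system process running from somewhere other than its expected folder, and a Userinit value with a second program chained after userinit.exe) can be scripted against a pasted process list and an exported registry value. The Python below is an added example for this thread, not a BleepingComputer tool and not the poster's own code: it parses process-list lines in the same "name command-line" shape the first post pasted, splits a Userinit string the way Winlogon does (on commas), and reports anything that does not match the locations named in the post. The sample process lines, the WINDOWS.0 system root and the second lsass.exe entry are constructed for this example and are assumptions, not data from the thread's machine; the script reads text only and does not touch the live registry.

```python
import ntpath

# Folders (relative to the system root) from which these processes are
# expected to run, per the descriptions of each process in the post above.
EXPECTED_LOCATIONS = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "winlogon.exe": "system32",
    "userinit.exe": "system32",
    "wmiprvse.exe": r"system32\wbem",
}

# Constructed sample input, modelled on the process list pasted in post #1.
# The second lsass.exe line is an assumed look-alike, added for the example.
SAMPLE_PROCESSES = [
    r"smss.exe \SystemRoot\System32\smss.exe",
    r"csrss.exe C:\WINDOWS.0\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512",
    r"lsass.exe C:\WINDOWS.0\system32\lsass.exe",
    r"svchost.exe C:\WINDOWS.0\system32\svchost -k DcomLaunch",
    r'jqs.exe "C:\Program Files\Java\jre6\bin\jqs.exe" -service',
    r"wmiprvse.exe C:\WINDOWS.0\system32\wbem\wmiprvse.exe",
    r"lsass.exe C:\WINDOWS.0\system32\drivers\lsass.exe",  # constructed bad line
]
# Constructed Userinit value with a second program chained after userinit.exe.
SAMPLE_USERINIT = r"C:\WINDOWS.0\system32\userinit.exe,nddeagnt.exe"


def parse_userinit(value, system_root=r"C:\WINDOWS"):
    """Split a Winlogon\\Userinit value on commas, as Winlogon does.

    Returns (first_entry_is_default, extra_entries). The default value is the
    full path to userinit.exe followed by a trailing comma; anything after
    that comma is an additional program that will run at every logon.
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    default = ntpath.join(system_root, "system32", "userinit.exe").lower()
    first_ok = bool(entries) and entries[0].lower() == default
    return first_ok, entries[1:]


def image_path(cmdline):
    """Pull the executable path out of a command line (quoted or first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def check_process_line(line, system_root=r"C:\WINDOWS"):
    """Return a finding for one 'name command-line' line, or None if it is fine."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    name, cmdline = parts[0].lower(), parts[1]
    expected_sub = EXPECTED_LOCATIONS.get(name)
    if expected_sub is None:
        return None  # not one of the system processes this check knows about
    path = image_path(cmdline)
    # Process listings often show the kernel-style \SystemRoot prefix.
    if path.lower().startswith(r"\systemroot"):
        path = system_root + path[len(r"\systemroot"):]
    folder = ntpath.dirname(path).lower()
    expected = ntpath.join(system_root, expected_sub).lower()
    if folder != expected:
        return f"{name}: running from {folder or '(no path)'}, expected {expected}"
    return None


def audit(process_lines, userinit_value, system_root=r"C:\WINDOWS"):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    first_ok, extras = parse_userinit(userinit_value, system_root)
    if not first_ok:
        findings.append("userinit: first entry is not the default userinit.exe path")
    for extra in extras:
        findings.append(f"userinit: extra program chained after userinit.exe: {extra}")
    for line in process_lines:
        finding = check_process_line(line, system_root)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # The sample machine has Windows installed in C:\WINDOWS.0, as in the thread.
    for f in audit(SAMPLE_PROCESSES, SAMPLE_USERINIT, r"C:\WINDOWS.0"):
        print(f)
```

Pass the real system root (C:\WINDOWS.0 on the poster's machine, C:\WINDOWS on a default install) so that a non-standard install directory is not itself reported as a finding; the path comparison is what separates a look-alike from the genuine file, exactly as the post explains.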

#5 thriftgirl62

thriftgirl62
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 12 February 2010 - 04:34 AM

There is no message saying when it will shut down. It usually does that with a sudden blue screen.

The last one said: IRQL_NOT_LESS_OR_EQUAL the one before that is also listed above: PAGE_FAULT_IN_NONPAGED_AREA

There is no scanner that will run after Windows starts and it won't boot in Safe Mode. I can go to the Recovery Console and get a DOS prompt but what then??? Windows XP was reinstalled into that Windows.0 subdirectory a long time ago but I don't remember why. How do I fix those logon userinit things so it runs right?



Question added: What is RKILL ??

Edited by thriftgirl62, 12 February 2010 - 04:36 AM.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:28 AM

Posted 12 February 2010 - 07:43 AM

There is no scanner that will run after windows starts

You still have not told me if you tried running MBAM after using Rkill. Rkill is a tool created by Grinler here at BC and has proven effective in many cases to terminate malware which stops security tools from running properly. I referred you to this link to see how to use it.

If you do a search on the net for IRQL_NOT_LESS_OR_EQUAL, you will find a lot of complaints with various causes and possible solutions. What works for one person may not work for another.

The IRQL_NOT_LESS_OR_EQUAL error is usually due to a bad driver or faulty/incompatible hardware. This error condition means that a kernel-mode process or driver tried to access a memory location to which it did not have permission, or at a kernel Interrupt ReQuest Level (IRQL) that was too high.

Error Message: IRQL_NOT_LESS_OR_EQUAL "Stop 0x0000000A"

Typically, this error occurs when a driver uses an incorrect memory address. Other possible causes of this error include an incompatible device driver, a general hardware problem, or incompatible software...

You receive a "Stop 0x0000000A" error message

This Stop message indicates that a kernel-mode process or driver attempted to access a memory address to which it did not have permission to access. The most common cause of this error is an incorrect or corrupted pointer that references an incorrect location in memory...This error usually occurs after the installation of a buggy device driver, system service, or BIOS...

Error Message: IRQL_NOT_LESS_OR_EQUAL

And just recently the BLUE SCREEN CAME ON. It said this: PAGE_FAULT_IN_NONPAGED_AREA

This Stop message occurs when requested data is not found in memory. The system generates a fault, which normally indicates that the system looks for data in the paging file. In this circumstance, however, the missing data is identified as being located within an area of memory that cannot be paged out to disk. The system faults, but cannot find, the data and is unable to recover. Faulty hardware, a buggy system service, antivirus software, and a corrupted NTFS volume can all generate this type of error.

technet.microsoft

Cause
Bug check 0x50 usually occurs after the installation of faulty hardware or in the event of failure of installed hardware (usually related to defective RAM, be it main memory, L2 RAM cache, or video RAM).

Another common cause is the installation of a faulty system service.

Antivirus software can also trigger this error, as can a corrupted NTFS volume.

Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA

However, since you say this just occurred, I need to ask if it started after installing Tuesday's round of updates from Microsoft. See this discussion thread. You may be dealing with multiple issues.

#7 thriftgirl62

thriftgirl62
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 13 February 2010 - 02:55 AM

Nothing is working. It's just doing its own thing, freezing or making noises. How do I get rid of the bad USERINIT files that keep taking over?

I don't think this had anything to do with Microsoft updates. I don't really know what happened but it's doing stuff 24-7 and I don't know what.

No scanners will start except 1 or 2 and they quit. Now what? What about a DOS scanner or something? It won't go into safe-mode either.

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,388 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:28 AM

Posted 13 February 2010 - 09:05 AM

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,942 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:28 AM

Posted 14 February 2010 - 10:40 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/295655/userinit-altered-and-registry-infected/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
