Detection of modification of the registry values Notify, Userinit, and Shell located under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\. When a user logs on, the Notify, Userinit and Shell values are used to load dedicated Windows components. Attackers may append a malicious executable after the legitimate value so that their payload is launched at every logon.
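As an added illustration of this detection (example code written for this page, not part of the original rule or any product), the PowerShell below reads the Winlogon values from HKLM and from every loaded user hive under HKEY_USERS and reports anything that deviates from the documented defaults. The baseline values and the assumption that the host uses the stock shell are assumptions; an environment with a custom shell would need its own baseline.

```powershell
# Added example (not from the original page): audit Winlogon autostart values
# for content appended after the legitimate defaults.
# Assumptions: modern Windows host, stock shell, run with rights to read HKU.

$Baseline = @{
    'Userinit' = 'C:\Windows\system32\userinit.exe,'   # documented default (trailing comma included)
    'Shell'    = 'explorer.exe'                         # documented default
}

function Test-WinlogonValues {
    param([Parameter(Mandatory)][string]$Path)   # registry provider path, e.g. HKLM:\...

    if (-not (Test-Path $Path)) { return @() }
    $findings = @()
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Baseline.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { continue }          # value absent: per-user hives normally carry none
        $expected = $Baseline[$name]
        # Expand %SystemRoot%-style paths, then compare case-insensitively; anything
        # appended after the legitimate value (",C:\evil.exe") produces a mismatch.
        $expandedActual = [Environment]::ExpandEnvironmentVariables($actual).Trim()
        if ($expandedActual -ine $expected) {
            $findings += [pscustomobject]@{
                Path     = $Path
                Value    = $name
                Expected = $expected
                Actual   = $actual
            }
        }
    }

    # Notify: on XP-era systems each subkey names a DLL that Winlogon loads; list them for review.
    $notify = Join-Path $Path 'Notify'
    if (Test-Path $notify) {
        Get-ChildItem $notify | ForEach-Object {
            $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DLLName
            $findings += [pscustomobject]@{
                Path = $_.PSPath; Value = 'Notify\DLLName'; Expected = '(review)'; Actual = $dll
            }
        }
    }
    return $findings
}

# HKLM plus every loaded user hive (HKU), which covers HKCU for all logged-on users.
$paths = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
if (-not (Test-Path 'HKU:')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$paths += Get-ChildItem 'HKU:' | Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" }

$results = $paths | ForEach-Object { Test-WinlogonValues -Path $_ }
if ($results) { $results | Format-Table -AutoSize } else { 'Winlogon values match baseline.' }
```

The comparison deliberately works on the whole value rather than searching for a known-bad string, so an appended path, a substituted binary name, or a value with the drive letter rewritten all surface as a mismatch for an analyst to review.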
This is my first time posting. On my own I've removed a lot of viruses that come back after Malwarebytes removes them and reboots, and I learnt a lot through using a search engine to find other instances of the same virus on forums. I even tried to avoid solutions involving HijackThis. One I had came up on the MB scan as a .sys and came back after rebooting. I found out that I had to use a rootkit remover to wipe the .sys file, re-run MB, and MB found other files with the same name, removed them, and that was the end of it.
Unfortunately, from what I can see there isn't much more I can do on my own. Even though I've had a virus that almost ground the system to a stop, this time is worse 'cause I can't remove it by myself. From what I have gathered, the backdoor.bots aren't severe in terms of backdoor.bots, and the userinit shouldn't be deleted but is infected. I sent the infected userinit.exe to virustotal.com for an analysis and it came back 5/42.
Also, as I saw in =5591 I have an infected userinit.exe. Upon login, when I sign into my account the system 'hangs' and I have to open Task Manager and manually get it to load the desktop (I click New Task, right-click a folder, click Explore, and that starts 'explorer.exe', which loads the desktop with the Start button).
1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
Thank you, I hope you gave me a personal response and not a Generalised Already Written Response. ComboFix went through a whole process to find the infected file, which I already knew was userinit.exe; that's why I posted here. I've removed lots of viruses without asking for help and this is the first time, because userinit is an infected file that can't be deleted and I can't fix it myself.
Sorry if I sound like I'm not grateful, I am grateful, it's just that I don't want to be classed as a "Low Level Inquiry" (That's how it took a week for Xbox support to answer something they could've answered in a day!!)
So, what is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid? UID keeps coming back after deletion. Is uid part of a virus, or is it an infected Windows file like userinit.exe was?
Been doing stuff by myself and I'm sorry but I don't believe you actually looked at my HijackThis Log properly. Seems like you saw infected userinit and simply suggested Combofix to restore it. Now I'm left with uid coming back and downloading backdoor.bots, and I think user miekiemoes has just inadvertently helped me in another topic which is almost identical to the stage I'm at now.
I saw a difference between the topics. There was clearly a ms****.exe problem that you missed but miekiemoes saw on another very similar topic. I have followed what miekiemoes suggested in the other topic and now everything seems to be fine.
CF is updated frequently to handle new emerging threats. The malware removal process is not a one-step thing, and because some symptoms are not present anymore, that does not mean that the problem is gone.
Makes a little bit of sense, but not much sense. I think it would be much better if there was a way you could've just pointed it out in the first post; then I wouldn't have had to spend the night deleting UID manually from the registry every 10 minutes when it came back. As you saw with the posts I left, after userinit.exe was restored I was stuck with a reinfecting UID downloading Backdoor.bots.
Referring back to my first post, I have removed a rootkit disguised as a .sys and removed a Trojan.TDSS on my own, so this isn't the first time I've tried to solve it myself. I started the topic 'cause I knew I couldn't restore the userinit.exe on my own (which I am really grateful for your help on) and I'm glad I found that other topic to help me through the rest.
I asked you to finish this in my last post; if you look, it is written "as far as I can tell this issue is resolved, but if you can see something I can't, here is the last ComboFix log". I added the ComboFix log so that you could see it and tell me if anything is wrong.
Also, I have a question: did you hand write your first post, or did you, as it appears, just change the name? I just spoke on what I was perceiving. Look at my first post: I mentioned that I had an issue with Xbox Support which they could've sorted in a day, but because of the already written out responses it took a week to sort out. My issue with Xbox was mistreated as a low level enquiry, and your first post made me think you were treating this as a low level enquiry, as it seems you did not personally write that response. I never said anywhere that you don't know what you are doing.
And can I ask why you think I said "I think it would be much better if there was a way you could've just pointed it out in the first post"? I said that because I do understand that is not the way things are done, and I feel that would sort the problem faster.
No, I hand type anything in between. The original post is what is called a canned speech; it is something that has the correct code for the forums, with custom scans that I like to run to spot the infections.
OK, thank you for clearing that up, and I'm sorry for any offence; really grateful for your instructions here. Wow, everything is running fine, Malwarebytes isn't finding anything, but the system isn't actually clean. Just out of interest, the infected files/drivers don't seem to be affecting anything; what are they and what do they do?
Thank you so much for helping me, sorry I caused you some grief by trying to sort it out myself haha (As I said I've removed a rootkit and TDSS myself). Guess I should turn that 'passion to solve things' to my mathematical studies, need to get myself to do revision and lots to solve there.
Thanks, I've seen quite a few online virus scans but didn't really trust them. I saw VirusTotal mentioned on a forum, sent my userinit.exe file and it found 5/42. I'll definitely give this recommended one a look.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by miekiemoes.
I have the program set to start in screen center, but it does not want to display in the correct location until I do an alt-tab to bring it to the front, and then it will be displayed in the correct location.
Using the userinit value, and appending the executable to the end of the value's line, does indeed start the application, but how do I force it to center on the screen when the screen has not been established yet?
Winlogon is the Windows component that handles activities such as logon, logoff, loading the user profile during authentication, shutdown, the lock screen, etc. Which processes Winlogon starts during logon is defined by registry values under its Winlogon key. From a red team perspective these logon events can be the trigger that executes an arbitrary payload for persistence, which is why defenders baseline and monitor those values.
I've got a Windows XP installation that has a corrupt registry. A worm (which was removed) had hijacked the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon entry (which should have a value of Userinit=C:\windows\system32\userinit.exe).
When the worm was removed, the corrupt entry was deleted entirely, and now the system automatically logs off immediately after attempting to log in. Regardless of the user and boot mode, no accounts can be logged in to.
The only thing required to correct this behavior is to restore the registry key, but I cannot come up with any ways of editing the registry without logging in to an account. I tried remotely connecting to the registry but the required services aren't enabled on the machine.
I tried booting on the same machine using the BartPE boot CD but I could not find any way of editing the registry on the C:\Windows installation - running regedit only modifies the X:\I386\ registry in memory.
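The missing step in the question above is that an offline installation's registry can be edited by loading its hive file into the recovery environment's own registry. The following is an added example written for this page, not something from the original thread or any tool's documentation; it assumes a WinPE/WinRE session with PowerShell in which the broken installation is mounted as C:. The asker's BartPE-on-XP environment has no PowerShell, but the same reg.exe load/unload commands can be typed directly at a cmd.exe prompt, with the value then set in regedit under the mounted name.

```powershell
# Added example (not from the original thread): restore the Winlogon Userinit
# value inside an offline SOFTWARE hive so that the installation can log on again.
# Assumptions: WinPE/WinRE with PowerShell; broken installation mounted as C:.

$OfflineRoot = 'C:\Windows'                             # assumption: target installation root
$HivePath    = Join-Path $OfflineRoot 'System32\config\SOFTWARE'
$MountName   = 'OfflineSoftware'                        # arbitrary mount point name under HKLM
$WinlogonKey = "HKLM:\$MountName\Microsoft\Windows NT\CurrentVersion\Winlogon"

function Restore-OfflineUserinit {
    # Documented default; the trailing comma is part of it.
    $expected = "$OfflineRoot\system32\userinit.exe,"

    # Keep a copy of the hive before changing anything.
    Copy-Item $HivePath "$HivePath.bak" -Force

    # Mount the offline hive under HKLM\OfflineSoftware.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

    try {
        $current = (Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue).Userinit
        Write-Host "Current Userinit value: '$current'"

        if ($current -ne $expected) {
            # Recreate the value (it was deleted entirely in the asker's case).
            Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $expected -Type String
            Write-Host "Userinit restored to '$expected'"
        }

        # A value that points at a missing binary would loop straight back to logoff.
        if (-not (Test-Path "$OfflineRoot\system32\userinit.exe")) {
            Write-Warning 'userinit.exe is missing from the offline system32; restore it from a known-good copy.'
        }
    }
    finally {
        # Drop provider handles, then unload so the hive file is written back cleanly.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Restore-OfflineUserinit
```

The unload in the finally block matters: if the hive stays mounted when the recovery environment shuts down, the change may not be flushed to the file and the installation will still log off on the next boot.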
So glad I could help, but I am not particularly sure why it would change. Obviously manual editing could do this; however, the majority of the time this is caused by infections and in some cases by updates that get interrupted by reboots, power options, etc. I would recommend running a full scan with Kaspersky to be safe (EDIT: already doing this), and Malwarebytes may not be a bad idea just to be safe.
Not knowing this earlier, I simply put things back to the default configuration. As soon as the KACE agent saw this it made its change. I ran a Kaspersky scan and the whole process started over. After another, deeper Google search I found this: