Userinit.exe question - help!

David

Hi there, I had the well-known Lavasoft Adaware problem where spyware
removed userinit.exe and replaced it with wsaupdater.exe.

I managed to fix the problem by changing my Winlogon registry entry
from

c:\windows\system32\userinit.exe,

to

c:\windows\explorer.exe,

Which saved me from being endlessly logged off every time I booted up.

Now my question is whether it is safe to keep the registry entry as
explorer.exe, or whether I will experience problems unless I go back to
userinit.exe.

The problem is that I have tried to copy userinit.exe from my Service
Pack files in the i386 directory, into my system32 directory. When I do
it in Explorer I get 'cannot copy - file already exists'.

But the file userinit.exe is not listed in the window of system32, and
does not show up in system32 when I do a file search!

So I booted in safe mode and used the DOS prompt to copy userinit.exe
into system32. Sure enough DOS recognized it and asked me if I wanted
to overwrite the userinit.exe that was in system32. I said yes.

Now I go back to system32 in Explorer and it's still not listed!

And when I re-edit my registry entry for Winlogon to the pre-spyware

c:\windows\system32\userinit.exe,

the logoff problem starts again! I keep getting logged off when I boot
up. Windows takes me for a microsecond to the desktop, without folder
icons, then logs me off.

So I change the registry entry back to

c:\windows\explorer.exe,

and it's fine. Can I leave it that way? Do I have to have userinit.exe
in my Winlogon line in the registry?

Phew. Any help much appreciated.

David
 
David H. Lipman

You need to thoroughly clean the PC with the Explorer Registry entry and when the PC is
clean, try going back to USERINIT.EXE. Make sure USERINIT.EXE is the right version for your
service pack level as well.

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Guest

Thank you, that is a very full and detailed response. I have a lot of
scanning to do, so I will do this and report the results back to you in the
next day or so, maybe sooner, so please stay tuned.

Cheers,
David

David

Hi there, I've nearly finished scanning and I haven't yet found any
malware or anything.

I still have the problem that when I go to windows\system32 in
Explorer, I cannot find userinit.exe listed, even though DOS recognizes
it as being there.

When I set the registry entry for Winlogon to
c:\windows\system32\userinit.exe, and try to logon in normal mode, I
enter my password, Windows takes me to the desktop without icons for a
nanosecond, then logs me out again.

When I change the registry entry to c:\windows\explorer.exe, it's fine.

I have used the Windows CD to boot, and then gone to the
\ServicePackFiles\i386 folder on c:, and copied over userinit.exe to
system32, using the DOS command. It prompts me to overwrite, and I do.

But still I get the logoff problem. It's weird. I checked my PC at
work, and userinit.exe is listed right there in system32, and the
registry entry shows userinit.exe, -- so what's going on with my
laptop?

I only reinstalled XP with SP2 a week ago, and it was all fine until
what I assume was the Adaware problem. I am not certain that it found
the infamous wsaupdater spyware, but it probably did and that's what
caused the problem. But now I have no spyware but I still have a
userinit problem.

Help!!

Thank you very much,
David
 
David H. Lipman

Sorry I can't be of further assistance. I'm baffled :-(
 
Guest

I'm baffled too! Here are some more precise details:

1) When I go to the DOS prompt in Windows, in fact it does *not* recognise
userinit.exe even if I previously successfully copied the file to system32
using DOS!

2) If I rename userinit.exe to something else, say Blah.exe, and then copy
it to system32, it *is* recognized in DOS.

3) If I copy userinit.exe to any other folder, e.g. \windows\system, it is
recognized.

4) In \windows\ServicePackFiles\i386 the file is listed.

5) So, trying a gamble, I changed the Winlogon entry in the registry to
\windows\ServicePackFiles\i386\userinit.exe, and behold it works when I boot
up and takes me straight to the desktop!

6) Can I stick with this solution, or do you envisage problems?

7) Finally, it seems that something is stopping userinit.exe from being
recognized in the system32 folder. It's weird. I can't find any spyware.

Thanks,
David
 
David H. Lipman

From: "David" <[email protected]>

Replies are inline...

| I'm baffled too! Here are some more precise details:
|
| 1) When I go to the DOS prompt in Windows, in fact it does *not* recognise
| userinit.exe even if I previously successfully copied the file to system32
| using DOS!


You mean a Command Prompt. There is no DOS in WinXP.
The file could be marked as Hidden and System and thus invisible to normal searches.
The command line utility ATTRIB can change that:
attrib -r -h -s %windir%\system32\userinit.exe

The above removes the ReadOnly, System and Hidden file attributes


|
| 2) If I rename userinit.exe to something else, say Blah.exe, and then copy
| it to system32, it *is* recognized in DOS.
|
| 3) If I copy userinit.exe to any other folder, e.g. \windows\system, it is
| recognized.
|
| 4) In \windows\ServicePackFiles\i386 the file is listed.


That is a backup storage location not used by the OS.
%windir%\system32 is the location where it is used and executed from.


|
| 5) So, trying a gamble, I changed the Winlogon entry in the registry to
| \windows\ServicePackFiles\i386\userinit.exe, and behold it works when I boot
| up and takes me straight to the desktop!


Something is playing havoc -- I don't know what.
If setting the Registry to; c:\windows\ServicePackFiles\i386\userinit.exe
works OK, it should really hurt the OS.


| 6) Can I stick with this solution, or do you envisage problems?


Yes, malware applications may in the future flag it since it is not the default and
standard running location.


|
| 7) Finally, it seems that something is stopping userinit.exe from being
| recognized in the system32 folder. It's weird. I can't find any spyware.
|
| Thanks,
| David

Anti malware utilities are good for detecting what is known and to some extent, what is not
known via Heuristics.
There *may* be something running and causing your problems.


Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order

http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
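
An added example, not part of the original thread or written by any of its posters: a PowerShell check of the Winlogon Userinit entry discussed above, reporting whether each entry is the default system32 path, whether the file exists even when marked Hidden/System, and its file version. The function name Test-UserinitEntry is hypothetical; the script assumes PowerShell 3.0 or later and the standard key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

```powershell
# Added example: audit the Winlogon Userinit value and the file(s) it points to.
# Assumes the standard key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
function Test-UserinitEntry {
    param(
        # Pass a string to test a value offline; by default the live registry is read.
        [string]$Value = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Userinit).Userinit
    )

    # Default location the OS runs userinit.exe from.
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

    # The value is a comma-separated list; the default is one path plus a trailing comma.
    $entries = @($Value.Split(',') | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    if ($entries.Count -eq 0) {
        Write-Warning 'Userinit value is empty'
        return
    }

    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # -Force makes Get-Item return files carrying the Hidden or System attribute.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Entry       = $entry
            IsDefault   = ($path -ieq $expected)      # case-insensitive path comparison
            Exists      = [bool]$item
            Attributes  = if ($item) { $item.Attributes } else { 'n/a' }
            FileVersion = if ($item) { $item.VersionInfo.FileVersion } else { 'n/a' }
        }
    }
}

# The three values tried in the thread, checked offline against the local file system:
'c:\windows\system32\userinit.exe,',
'c:\windows\explorer.exe,',
'c:\windows\ServicePackFiles\i386\userinit.exe' |
    ForEach-Object { Test-UserinitEntry -Value $_ } |
    Format-Table -AutoSize
```

Calling Test-UserinitEntry with no arguments reads the live registry value instead; any row with IsDefault False or Exists False is worth investigating before relying on the entry.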
 
