userinit.exe reading all files during boot

dimplewathen

Has anyone ever seen a situation where 'userinit.exe' reads all
application files during reboot? (What I mean by "read" is, according
to Sysinternals' FILEMON: open, read the first 4096 bytes, close,
continue to the next file.)

It is as if 'userinit.exe' is checking the file versions, but that is
just speculation...

According to Explorer:

c:\windows\system32\userinit.exe 28,160 bytes, created 9/3/2004,
version 5.1.2600.2180

dimplewathen

I need to change my name to Odd Bob*...

Check out some scoop on Userinit.exe:

http://msdn.microsoft.com/library/d...-us/secauthn/security/msgina_dll_features.asp

"Userinit.exe is an application that is executed by MSGina.dll when the
user has logged on. It runs in the newly logged-on user's context and
on the application desktop. Its purpose is to set up the user's
environment, including restoring net uses, establishing profile
settings such as fonts and screen colors, and running logon scripts.
After completing those tasks, Userinit.exe executes the user shell
program(s). The shell programs inherit the environment that
Userinit.exe sets up. The specific shell programs that Userinit.exe
executes are stored in the Shell key value under the Winlogon registry
key.

"The Shell key value can contain a comma-separated list of programs to
be executed. Explorer is the default shell program and will be executed
if the Shell key value is null or not present. By default, Explorer is
listed."

And Microsoft makes this happen by a single registry key?!?!?!? And if
this key gets munged, and we know this *easily* can happen due to the
many posts here, the entire XP system breaks and/or is vulnerable to
exploit.

Holy #(&^%#%%^ cow!

Jon

Yep, same goes for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

key itself and the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

key

Jon
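
One way to audit the Winlogon values Jon lists, and the userinit.exe file details compared earlier in the thread, as an added PowerShell example that is not part of this thread. The expected default values, and the signature and hash fields, are my assumptions for a baseline; compare them against your own known-good machine.

```powershell
# Added check (not from the thread): audit the Winlogon values the thread
# discusses and the binary the Userinit value points at. Expected values are
# the XP defaults as I know them (assumption); adjust them to your baseline.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"  # trailing comma is normal
    Shell    = 'Explorer.exe'
    UIHost   = 'logonui.exe'
}

$props = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) {
        # A missing Shell falls back to Explorer (per the MSDN text quoted above);
        # a missing or wrong Userinit leaves the machine unable to finish logon.
        Write-Warning "$name is not present (built-in default applies, if any)"
    } elseif ($actual -ine $expected[$name]) {
        # Extra comma-separated entries here are a well-known persistence point.
        Write-Warning "$name = '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Host "$name OK: $actual"
    }
}

# Report every program the Userinit list actually names, with the same
# details the thread compared (size, creation date, version) plus a hash
# and signature status for comparison against a known-good system.
$entries = ($props.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($exe in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$exe not found"; continue }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path      = $path
        Bytes     = $file.Length            # thread saw 28,160 vs 24,576 for the same version
        Created   = $file.CreationTime
        Version   = $file.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Signature = $sig.Status             # expect Valid for a genuine, catalog-signed Microsoft binary
    }
}
```

A size or hash that differs from a clean machine with the same version string is the quickest way to spot the appended-virus case the thread goes on to discuss.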

dimplewathen

On another machine:

userinit.exe 24,576 bytes, created 8/29/2002, version 5.1.2600.2180

Aha! Could it be that the other one is infected?? (i.e. on
viruslist.com: "a classic appending virus that increases the size of
infected files by 3 KB.")

Yes, this "bad" system had a trojan related to "dl.exe" which I am
still looking into. (Finding technical details on trojans/viruses is
even more difficult than finding technical details on Windows!)

P.S. (Which is why I posted file details.) I have been looking for and
have not found a reference of Windows system file details as to file
size, version, etc.

Anyone know of such a place?

dimplewathen

Ah, check this out (yes, I talk to myself *all* the time):

http://www.mcse.ms/message1748360.html
I got hit by this virus W32.Licum Gaelicum.A; now I can't
even log in to my computer in normal or safe mode. It
displays the login screen; after entering the password and
logging in it takes me back to the login screen.
Any ideas on fixing this?

You won't be able to fix it; the virus has replaced thousands of exe
files on your hard drive with infected versions. It CANNOT be
repaired.

Get your data off and wipe it; good thing for you that this virus only
goes after exe files.

Jon

Start > run > sfc /scannow

Jon