Seeing a whole lot more of these infections as of late. I pride myself on normally being able to kill whatever is lurking in a PC, but lately I have been seeing some distastefully hard infections to remove. As outlined below, this is one of many.
Although it's pretty clear how the machine is infected and which files it modified and registry entries it changed, I have yet to see this latest variant come in at the infection phase. This leads me to believe that it must be some sort of trojan. The pattern of infection, however, is pretty much the same as the typical fake alert, which also leads me to believe that AVs are capable of killing only part of it, breaking the OS and causing the symptoms that I currently see.
Battling a typical userinit hijack
As a routine I regularly check the Winlogon entry as a precaution, but I will outline below the symptoms and the typical fix.
Please note that in these instances of infections the typical fix did not work!
The userinit hijack is a common method of infection. Because Winlogon launches Userinit at every logon (Safe Mode included), it ensures the virus loads at login regardless of the state of the OS, and it does not require a rootkit to keep itself in place once the user is logged in. Most users hit a brick wall when removing these infections, though.
The fix
To fix this you will need tools able to perform the steps below. There are many methods, which I will write up and link later, but for the sake of completeness I will point to a one-stop tool.
You will need to download an ISO called Hiren's BootCD. It is a collection of helpful tools, the most useful of which is MiniXP, a stripped-down but fully functional CD-bootable XP environment with a range of tools.
Once inside MiniXP, the first thing to do is verify that the following file exists:
c:\windows\system32\userinit.exe
If this file does not exist it will need to be replaced: either copy a known-good copy from another source (ideally the same XP version and service pack) or expand it from the XP install CD (permanent link to follow describing how to do this).
After that, open the offline registry editor and load all of the hives except the user profiles (NTUSER.DAT).
Navigate to the following subkey:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Verify that the following value exists under it:
Userinit
and that its data is the following (where x is your system drive letter, commonly c; the trailing comma is part of the normal value):
x:\windows\system32\userinit.exe,
As long as these details are correct and the file exists, Windows will load NTUSER.DAT and log in to the profile.
By changing these details back you can recover without a reinstall.
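As an added example (not from the post), here is a small Python check that applies the same test to a Userinit value, so a replaced or appended executable or a missing file is flagged instead of eyeballed. The function names and sample values are constructed; how the value is read (offline hive from MiniXP, or winreg on a live system) is left to the caller, who also passes in the set of files known to exist on the system volume.

```python
"""Audit a Winlogon Userinit value for the hijack pattern described above.
Added example: function names and sample values are constructed, not from the post.
"""
import ntpath

# The only legitimate entry: the real userinit.exe in the system directory.
EXPECTED_USERINIT = r"\windows\system32\userinit.exe"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated list Winlogon runs into entries; a clean value
    ends with a comma, giving an empty item, so empties and quotes are dropped."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries


def audit_userinit(value: str, present_files, system_drive: str = "c") -> list[str]:
    """Return human-readable findings; an empty list means the value is clean.

    present_files: lower-cased full paths known to exist on the system volume.
    """
    expected = f"{system_drive.lower()}:{EXPECTED_USERINIT}"
    entries = parse_userinit(value)
    if not entries:
        return ["Userinit is empty: no logon process will start"]
    findings = []
    for n, entry in enumerate(entries, 1):
        norm = ntpath.normpath(entry).lower()
        if norm != expected:
            # A replaced or appended entry is the classic hijack.
            findings.append(f"entry {n} is not the expected userinit.exe: {entry}")
        elif norm not in present_files:
            # Value is correct but the file is gone: restore it from install media.
            findings.append(f"entry {n} points to a missing file: {entry}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean value and one with an appended executable.
    on_disk = {r"c:\windows\system32\userinit.exe"}
    print(audit_userinit(r"C:\WINDOWS\system32\userinit.exe,", on_disk))
    print(audit_userinit(r"c:\windows\system32\userinit.exe,c:\windows\system32\extra.exe", on_disk))
```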
However, in the latest infections all of these details are correct, yet the same issue remains. I have toyed with the idea that it may be a filesystem thing, a deliberate error in the file system, meaning that although the file exists, part of the sectors it is sitting on are virtually corrupted. I have toyed with chkdsk and the parameter /p, which forces repairs, but to no avail. The settings aren't changing back either. They are correct. Always.
I also toyed with the idea that it could be a rootkit, but upon searching for it via signature checks, uploads, etc., I found no evidence that such an infection existed.
I did manage to fix it with a side-by-side install. Not really a fix though. I did, however, notice a 78 MB partition in the partition list. After deleting it, the OS threw a C000034***A BSOD. I am now certain that partition had something to do with the recurrence, and maybe a rootkit resided there.
I have also toyed with the idea of a bootkit, but the MFT entries looked nominal and hadn't been modified.
This one has me for now.
I am now certain that it has something to do with the registry. I used a registry restore wizard and an old restore point to roll a few back and, tada! Working logon functions. I'm now thinking it could be a permission/shadowing/rootkit-hidden key that is causing the problems. Another common issue is that i0384prt.sys is corrupt in all of these infections. A quick upload to VirusTotal shows 0/40, but I'm sure that it has something to do with this!
Welcome to the accumulation of my thoughts, comments, suggestions, outbursts and general brain farts that either don't make it out of my mouth or make it out and are worthy of being repeated into the infinite wisdom that is the internet!
Just a quick note: I am a newcomer to WordPress and as such will probably have a completely disorganized site until such time as I can gather the basic knowledge to structure it. I am making an article/post on a side note, so that is one positive! At least my site will have content!
So a lil bit about myself?
Study – Mathematics. My main focus is in the field of quantum mechanics and the intricacies that follow from the mind fuck that it presents. Imagine, wait... Nope, can't do that. That's quantum mechanics in a nutshell. Can't imagine it, can just put two and two together and say that the probable cause was either an atom here, or one 3000 light years away. Yup.
Work – A lowly IT technician. Just kidding! I manage an IT shop! But when it all comes down to it, I'm really a glorified technician. I work wayyyyy too hard, and don't enjoy life enough.
Life – I have a semi-fulfilling life. I have a wonderful girlfriend. She isn't perfect (and trust me, no one is gonna fill those shoes!) but she is as close as I can get! Her name is Alex and hopefully she doesn't stumble across here, but just in case she does I'll keep it G rated.
Haha, like I wouldn't!! It's the internet, geeze!!!
If you're liking the theme, it's care of inanis over at www.inanis.net, a very talented web developer and a fellow blogger!
Anyway, that's all for now. I'll be posting up a great deal of content soon!