
userinit.exe application error - malware?

I believe I may have been infected with either a virus or malware on my work laptop. I believe I have cleaned out the offending issue, but there is a problem that persists. When I log on to my laptop when it is not docked into my work dock, I get the following error dialog box: "userinit.exe application error - The instruction at 0x005x0664 references memory at 0x005x0664. The memory could not be written."

I am able to log on when undocked without any problems after I click off that box. Once I log in, I get another message that says: "Data Execution Prevention - Microsoft Windows: To help protect your computer, Windows has closed this program. Name: userinit logon application"

Other than this, I don't have an issue from what I can see.

What is interesting is that when I am docked into my work docking station, which would connect me to the work network, I don't have these error messages.

I have a feeling the malware or virus may have altered a setting, but I don't know where. Below is my HijackThis log.

I am running Windows XP Professional SP2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:27 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OPNET\AppCapture3.1\op_capture_server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\RightFax\Client\FaxCtrl.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CardScan\CardScan\CardScanAgent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jwwall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\CardScan\CardScan\System\CSyncCfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.aceins.com/AceMainRoot
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.aceins.com/AceMainRoot
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxCtrl.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CardScanAgent] "C:\Program Files\CardScan\CardScan\CardScanAgent.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jwwall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\CardScan\CardScan\System\CSyncCfg.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.aceins.com/AceMainRoot
O15 - Trusted Zone: *.ace-ina.com
O15 - Trusted Zone: http://*.ace-ina.com
O15 - Trusted Zone: *.acegroup.com
O15 - Trusted Zone: http://*.acegroup.com
O15 - Trusted Zone: *.aceins.com
O15 - Trusted Zone: http://*.aceins.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: *.ace-ina.com (HKLM)
O15 - Trusted Zone: http://*.ace-ina.com (HKLM)
O15 - Trusted Zone: *.acegroup.com (HKLM)
O15 - Trusted Zone: http://*.acegroup.com (HKLM)
O15 - Trusted Zone: *.aceins.com (HKLM)
O15 - Trusted Zone: http://*.aceins.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} (TWDownloader Class) - https://mail.visit-aci.com/messenger/download/TWDownload.cab
O16 - DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - http://misportal.ace-ina.com/aceina/zeroadmin/component/Brio.InsightNoHelp.en.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://europassistance-usa.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aceins.com
O17 - HKLM\Software\..\Telephony: DomainName = aceins.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aceins.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aceins.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: OPNET Application Capture Agent - Unknown owner - C:\Program Files\OPNET\AppCapture3.1\op_capture_server.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13617 bytes

1 Solution
 
Hypercat (Deb) commented:
Check the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for a value named "userinit" and see what data is in that value.  It should be:
c:\windows\system32\userinit.exe
If something else is in there, please post that information.
jwalloga (Author) commented:
Thanks, just looked for that and here is the data under userinit:

C:\WINDOWS\system32\userinit.exe,

the comma is not a mistype, it is in there.  I read on another site that it was supposed to be there, so I have not deleted it.
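The check Hypercat describes, and the trailing-comma layout the asker found, as an added PowerShell example; it is not code from the thread or from any tool mentioned in it. The function names Test-UserinitValue and Get-UserinitValue are mine, it assumes Windows PowerShell on the machine being examined, and the only sample value is the one the asker reported.

```powershell
# Added example (not from the thread): read the Winlogon "Userinit" value that
# Hypercat's answer points at and check every comma-separated entry against the
# stock path. Test-UserinitValue and Get-UserinitValue are names chosen here.
# Assumes Windows PowerShell; the Winlogon key is readable by any local user,
# so reading it needs no elevation.

function Test-UserinitValue {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [string]$SystemRoot = $env:SystemRoot
    )
    $expected = Join-Path $SystemRoot 'system32\userinit.exe'

    # Userinit is a comma-separated list of programs winlogon starts at logon.
    # A trailing comma (an empty last entry) is the stock layout and is ignored;
    # what matters is any NON-empty entry other than the real userinit.exe,
    # because an extra entry here runs at every logon.
    $entries = @($Value.Split(',') |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' })

    $findings = @(foreach ($entry in $entries) {
        # Expand %SystemRoot%-style references before comparing paths
        $resolved = [Environment]::ExpandEnvironmentVariables($entry)
        [pscustomobject]@{
            Entry    = $entry
            Resolved = $resolved
            IsStock  = ($resolved -ieq $expected)
            Exists   = (Test-Path -LiteralPath $resolved -PathType Leaf)
        }
    })

    [pscustomobject]@{
        RawValue   = $Value
        EntryCount = $entries.Count
        Findings   = $findings
        # Clean only when the single non-empty entry is the real userinit.exe
        Clean      = ($entries.Count -eq 1) -and $findings[0].IsStock
    }
}

function Get-UserinitValue {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    (Get-ItemProperty -LiteralPath $key -Name Userinit).Userinit
}

# Constructed sample: the exact data the asker reported, trailing comma included.
$sample = Test-UserinitValue -Value 'C:\WINDOWS\system32\userinit.exe,' -SystemRoot 'C:\WINDOWS'
$sample | Select-Object RawValue, EntryCount, Clean | Format-List

# Live check against this machine's registry.
$live = Test-UserinitValue -Value (Get-UserinitValue)
$live.Findings | Format-Table -AutoSize
if ($live.Clean) { 'Userinit is the stock value.' }
else { 'Userinit has unexpected entries; review the Findings table and post the raw value.' }
```

The constructed sample yields one non-empty entry, so the trailing comma the asker kept is treated as harmless, which agrees with Hypercat's expected value. What is worth reporting back is any second non-empty entry, or a first entry whose resolved path is not the system32 copy of userinit.exe; the Exists column separates a stale reference from a file that is actually present on disk.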
orangutang commented:
Can you reupload the log as a file or code snippet?
orangutang commented:
Also, scan with Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
jwalloga (Author) commented:
I ran Malwarebytes a few times in Safe Mode. I am attaching those logs. For some reason, I have a hard time getting a log that is 100% clean. It does appear, though, that the userinit problem is not occurring at this time.

Also attached is latest hijackthis log.

I am also attaching a screenprint of a popup I keep receiving stating that Symantec AV is disabled. I believe this is a virus too, but I don't know how to remove it.

Is there any way for me to completely clean out the system so this stops occurring?
Symantec-Fake.jpg
hijackthis.log
mbam-log-2009-02-19--15-19-56-.txt
mbam-log-2009-02-19--09-32-05-.txt
mbam-log-2009-02-19--08-57-53-.txt
mbam-log-2009-02-19--08-17-41-.txt
mbam-log-2009-02-18--22-07-50-.txt
jwalloga (Author) commented:
Thanks. Is this a broadsword or a scalpel? Do you know if these are known to help with the Symantec fake popup?
orangutang commented:
:) Well, I'm just trying some broad stuff to see if maybe you still have leftovers of a virus.
jwalloga (Author) commented:
No worries Sage, I will try that today and advise status.