
userinit.exe application error - malware?

I believe I may have been infected with either a virus or malware on my work laptop. I believe I have cleaned out the offending issue, but there is a problem that persists. When I log on to my laptop while it is not docked in my work dock, I get the following error dialog box: "userinit.exe application error - The instruction at 0x005x0664 references memory at 0x005x0664. The memory could not be written."

I am able to log on when undocked without any problems after I click off that box. Once I log in, I get another message that says: "Data Execution Prevention - Microsoft Windows. To help protect your computer, Windows has closed this program. Name: userinit logon application"

Other than this, I don't have an issue, from what I can see.

What is interesting is that when I am docked in my work docking station, which connects me to the work network, I don't get these error messages.

I have a feeling the malware or virus may have altered a setting, but I don't know where. Below is my HijackThis log.

I am running Windows XP Professional SP2.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:27 PM, on 2/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OPNET\AppCapture3.1\op_capture_server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\RightFax\Client\FaxCtrl.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CardScan\CardScan\CardScanAgent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\jwwall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\CardScan\CardScan\System\CSyncCfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.aceins.com/AceMainRoot
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.aceins.com/AceMainRoot
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\FaxCtrl.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [CardScanAgent] "C:\Program Files\CardScan\CardScan\CardScanAgent.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\jwwall\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [CardScan AutoSync] "C:\Program Files\CardScan\CardScan\System\CSyncCfg.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.aceins.com/AceMainRoot
O15 - Trusted Zone: *.ace-ina.com
O15 - Trusted Zone: http://*.ace-ina.com
O15 - Trusted Zone: *.acegroup.com
O15 - Trusted Zone: http://*.acegroup.com
O15 - Trusted Zone: *.aceins.com
O15 - Trusted Zone: http://*.aceins.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: *.ace-ina.com (HKLM)
O15 - Trusted Zone: http://*.ace-ina.com (HKLM)
O15 - Trusted Zone: *.acegroup.com (HKLM)
O15 - Trusted Zone: http://*.acegroup.com (HKLM)
O15 - Trusted Zone: *.aceins.com (HKLM)
O15 - Trusted Zone: http://*.aceins.com (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} (TWDownloader Class) - https://mail.visit-aci.com/messenger/download/TWDownload.cab
O16 - DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - http://misportal.ace-ina.com/aceina/zeroadmin/component/Brio.InsightNoHelp.en.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://europassistance-usa.webex.com/client/T26L/webex/ieatgpc.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aceins.com
O17 - HKLM\Software\..\Telephony: DomainName = aceins.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aceins.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = aceins.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: OPNET Application Capture Agent - Unknown owner - C:\Program Files\OPNET\AppCapture3.1\op_capture_server.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 13617 bytes

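The log above is plain text with one entry per line, each tagged with a section code (R1, O1, O4, O23 and so on), so it can be triaged mechanically. The following Python script is an added example, not part of the original post and not HijackThis code: it parses the tagged entries, counts them per section, and flags O1 hosts-file lines that map a hostname to something other than a loopback or unspecified address. That distinction is the point of the check: an entry pointing a name at 127.0.0.1 or 0.0.0.0 blocks that name (ad-blocker style), while an entry pointing a name at a routable address silently redirects it. The embedded sample log is constructed: three lines are copied from the posted log, and the `ads.example.test` blocking entry is invented for contrast.

```python
"""Parse HijackThis-style log lines and flag hosts-file redirects.

Added example, not code from the original thread or from HijackThis.
SAMPLE_LOG is constructed: three lines copied from the posted log plus one
invented ad-blocking entry (ads.example.test) for contrast.
"""
import ipaddress
import re
from collections import Counter

# Every HijackThis entry starts with a section tag such as R1, O1, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O1 entries look like: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

SAMPLE_LOG = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 127.0.0.1 ads.example.test
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aceins.com
"""


def parse_entries(text):
    """Return (section, body) tuples for every recognised entry line."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def section_counts(text):
    """Count entries per section, e.g. how many O4 autoruns are present."""
    return Counter(section for section, _ in parse_entries(text))


def hosts_entries(text):
    """Extract (ip, hostname) pairs from O1 hosts-file entries."""
    pairs = []
    for section, body in parse_entries(text):
        if section != "O1":
            continue
        match = HOSTS_RE.match(body)
        if match:
            pairs.append((match.group("ip"), match.group("host")))
    return pairs


def is_blocking_address(ip_text):
    """True for 127.0.0.1 / 0.0.0.0 / ::1 style sinkhole addresses."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def redirecting_hosts(text):
    """Hosts entries that send a name to a real address rather than blocking it.

    A loopback/unspecified target blocks the name; a routable target
    redirects it, which deserves a look for vendor or security domains.
    """
    return [(ip, host) for ip, host in hosts_entries(text)
            if not is_blocking_address(ip)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOG
    print("entries per section:", dict(section_counts(text)))
    for ip, host in redirecting_hosts(text):
        print(f"REVIEW: hosts file sends {host} to {ip}")
```

Run it with a saved log path as the only argument, or with no argument to use the constructed sample. On the sample it reports the single entry that points a microsoft.com hostname at 195.245.119.131, exactly as the posted log shows, and stays quiet about the loopback entry.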
1 Solution

Hypercat (Deb) commented:
Check the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Look for a value named "userinit" and see what data is in that value.  It should be:
c:\windows\system32\userinit.exe
If something else is in there, please post that information.
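To make the check Hypercat describes repeatable, here is an added Python example (not from the thread). On Windows it reads the live `Userinit` value under the Winlogon key; on any platform it parses a value string into its entries. Winlogon treats the value as a comma-separated list of programs to start at logon, so a trailing comma is normal and the thing to look for is a second path after the comma. The `sample-extra.exe` path used in the demo values is constructed for illustration, and the expected path is a parameter because the system drive and casing vary between machines.

```python
"""Check the Winlogon Userinit value for appended executables.

Added example, not from the original thread. The check itself is
platform-independent; read_live_userinit() works only on Windows.
The extra path in demo_values() is constructed for illustration.
"""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def parse_userinit(value):
    """Split the Userinit value into its executable entries.

    Winlogon treats the value as a comma-separated list and starts each
    entry at logon, so a trailing comma (as posted in the thread) is
    harmless and yields a single entry; anything after it is an extra
    program launched at every logon.
    """
    return [entry.strip().strip('"') for entry in value.split(",") if entry.strip()]


def check_userinit(value, expected=EXPECTED_USERINIT):
    """Return a list of findings; an empty list means the value looks normal."""
    entries = parse_userinit(value)
    if not entries:
        return ["Userinit value is empty; interactive logon would fail"]
    findings = []
    # Case-insensitive compare: C:\Windows and C:\WINDOWS are the same path.
    if entries[0].lower() != expected.lower():
        findings.append(f"first entry is not {expected}: {entries[0]}")
    for extra in entries[1:]:
        findings.append(f"extra program appended to Userinit: {extra}")
    return findings


def read_live_userinit():
    """Read HKLM\\...\\Winlogon\\Userinit; the winreg module exists only on Windows."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


def demo_values():
    """Constructed samples: the value as posted, and one with an appended program."""
    return {
        "as posted": r"C:\WINDOWS\system32\userinit.exe,",
        "with extra": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sample-extra.exe",
    }


if __name__ == "__main__":
    if sys.platform == "win32":
        value = read_live_userinit()
        print("live Userinit:", value)
        print(check_userinit(value) or ["no findings"])
    else:
        for label, value in demo_values().items():
            print(label, "->", check_userinit(value) or ["no findings"])
```

On the value the author posted the script reports no findings; on the constructed "with extra" value it reports the appended program, which is the pattern to look for when userinit-related errors appear at logon.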
 
jwalloga (Author) commented:
Thanks, I just looked for that, and here is the data under userinit:

C:\WINDOWS\system32\userinit.exe,

The comma is not a typo; it is in there. I read on another site that it was supposed to be there, so I have not deleted it.
 
orangutang commented:
Can you reupload the log as a file or code snippet?
 
orangutang commented:
Also, scan with Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php)
 
jwalloga (Author) commented:
I ran Malwarebytes a few times in Safe Mode. I am attaching those logs. For some reason, I have a hard time getting a log that is 100% clean. It does appear, though, that the userinit problem is not occurring at this time.

Also attached is the latest HijackThis log.

I am also attaching a screen print of a popup I keep receiving stating that Symantec AV is disabled. I believe this is a virus too, but I don't know how to remove it.

Is there any way for me to completely clean out the system so this stops occurring?

Attachments:
Symantec-Fake.jpg
hijackthis.log
mbam-log-2009-02-19--15-19-56-.txt
mbam-log-2009-02-19--09-32-05-.txt
mbam-log-2009-02-19--08-57-53-.txt
mbam-log-2009-02-19--08-17-41-.txt
mbam-log-2009-02-18--22-07-50-.txt
 
jwalloga (Author) commented:
Thanks. Is this a broadsword or a scalpel? Do you know if these are known to help with the fake Symantec popup?
 
orangutang commented:
:) Well, I'm just trying some broad stuff to see if maybe you still have leftovers of a virus.
 
jwalloga (Author) commented:
No worries, Sage. I will try that today and advise status.