Persistant Winlogon report

E

Eddydde

New member
As a new member of Spybot I apologise if this is posted in the wrong forum - please tell me if so.

When I select 'Show info baloons' - every two seconds it displays this message even after a complete Spybot scan and removal of rouge entries.

'Resident denied the change of USERINIT (CATERGORY Winlogon) based on your black list'

Does this mean my computer is being attacked every two seconds?

What do I need to do to stop this?

Eddydde
 
What were the "rouge" entries? Can you remember? If not, then go to Spybot>>Recovery. Spybot keeps a backup of the removed file incase something goes wrong, so you can find out what exactly Spybot removed.

From the "information" you provided, it seems that you are denying a change and ticked 'Remember My Decision' because it said based on the user's blacklist.

No, it does not mean your computer is being attacked. It simply means that a change is being 'blocked'.

Since you are providing the word-for-word information, it is difficult to tell if value was added or removed.

Right-click on the TeaTimer icon in the taskbar and click "Show Log". Copy and Paste it back here.
 
Thank You.

The log file is HUGH and consists of hundreds of these entries:

28/08/2008 12:58:33 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,") changed in Winlogon!
28/08/2008 12:58:34 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,") changed in Winlogon!

Regards,
Eddydde
 
More info:

At the start of the log file these are the entries:

7/08/2008 9:46:05 AM Allowed (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
13/08/2008 12:18:37 PM Allowed (based on user decision) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
13/08/2008 12:18:46 PM Allowed (based on user decision) value "iTunesHelper" (new data: ""C:\Program Files\iTunes\iTunesHelper.exe"") added in System Startup global entry!
21/08/2008 12:06:39 PM Denied (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
24/08/2008 9:59:00 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,") changed in Winlogon!
24/08/2008 9:59:13 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,") changed in Winlogon!
24/08/2008 9:59:25 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,") changed in Winlogon!
24/08/2008 9:59:32 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,") changed in Winlogon!

Followed by multiple listings as pasted in earlier email.

Eddydde
 
I'm sorry to hear of your troubles. Whatever the "oembios.exe" process it, it is serious from my research.

http://www.bleepingcomputer.com/startups/oembios.exe-23775.html
This trojan is a backdoor... which means your PC could be potentially "hacked".
-
"wextract_cleanup0" is fine, you can allow it because it is usually related to Microsoft applications. Such as when you attempt to update DirectX, TeaTimer will prompt you with the creation of the startup entry (RunOnce). What I can tell you (if I'm correct) it is a good thing that you are denying the "oembios.exe" from writing over the old data. In a sense, it's more like you're keeping it at bay.
-
I apologize for the late response, I didn't see the thread, because there was so many on my monitor.

Here are the instructions:
Consider posting in the Malware Removal forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:-
Good Luck.
 
Have this same prob

So I'm bumping this old thread b/c starting 2 days ago I started having EXACTLY the same problem as described in the OP: all of a sudden the S&D Resident started going haywire, alerting me of a registry change denied (b/c I selected "remember this action the first time I denied it) roughly every 1 second. Here's what the bottom-right portion of me screen looks like:
regerror.jpg


The only difference between the OP and my problem is that when I right-click the Resident icon and select Show Log, the text I see does NOT reference a oembio.exe process, but rather in its place a bootwindows.exe process. But I'm aware that this could be the same problem with simply a different malware filename. So the Resident.log file (for me) looks like:

9/27/2008 2:23:55 AM Allowed (based on user decision) value "DellSupport" (new data: "") deleted in System Startup user entry!
9/29/2008 9:00:20 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Dan\LOCALS~1\Temp\IXP000.TMP\"") added in System Startup global entry!
9/29/2008 9:00:25 AM Allowed (based on user decision) value "wextract_cleanup0" (new data: "") deleted in System Startup global entry!
10/21/2008 9:03:11 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
10/21/2008 9:04:51 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
10/24/2008 9:03:42 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
11/7/2008 4:57:57 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
11/7/2008 4:58:14 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/10/2008 9:20:36 AM Allowed (based on user decision) value "KernelFaultCheck" (new data: "%systemroot%\system32\dumprep 0 -k") added in System Startup global entry!
11/11/2008 6:12:48 PM Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
11/23/2008 11:16:10 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
12/11/2008 9:41:19 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
12/11/2008 9:41:22 AM Allowed (based on user decision) value "WinampAgent" (new data: ""C:\Program Files\Winamp\winampa.exe"") changed in System Startup global entry!
1/24/2009 6:14:26 PM Allowed (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "") deleted in Global browser toolbar!
1/24/2009 6:15:12 PM Denied (based on user decision) value "{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}" (new data: "") added in Browser Helper Object!
1/24/2009 6:15:16 PM Denied (based on user decision) value "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (new data: "hex:00") added in Global browser toolbar!
3/24/2009 7:10:36 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/2/2009 7:33:56 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/4/2009 2:43:48 PM Allowed (based on user decision) value "Gnewuh" (new data: "rundll32.exe "C:\WINDOWS\iqoguvimupagidi.dll",e") added in System Startup global entry!
4/10/2009 9:24:55 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:24:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:04 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:08 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:10 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:58 AM Denied (based on user decision) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:25:59 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:00 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:01 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/10/2009 9:26:02 AM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
.
.
.
(there are literally thousands of clone entries of the above...like I said, this S&D error msg is popping up every 1 second).

Some pertinent info:
- I run my school's Symantec Antivirus, and a complete scan comes up clean (also use S&D and AdAware)
- On the suggestion of a dif forum, I downloaded SUPERAntiSpyware and ran it, and it found something it labeled a Trojan.backdoor or something (sounds bad, obv) so I used the program to remove that file, but even after a reboot, S&D is still going haywire.
- A few symptoms I've noticed in recent days, I don't know if they're related to this or what, but (i) Firefox has been REAAAALLY slow for me...like slowed to an absolute crawl, but IE, and all my other internet-based app's run just fine, (ii) I've noticed that when I click on hyperlinks, sometimes a completely unrelated link will open instead of the intended destination...like I'll click on a link in Amazon.com to view a product, and a spammy-looking ad or search page will show in the browser instead...
- Oh, p.s. a search of my HD reveals no file named bootwindows.exe

Tell me what I should do (i already chg'd all pertinent passwords from a clean machine)
 
Last edited:
Just correcting one point from my post above: there IS a bootwindows.exe file on my computer in the C:\WINDOWS\system32 folder. I don't know if it appearing in the SD log means that it's the corrupt file or what. Its properties, FWIW, are:

Created: Tues, Aug 10, 2004, 2:51:16pm
Modified: Sunday, April 13, 2008, 8:11:24pm
Accessed: Today (April 11), 2009, 3:55:29am
 
Well, looks like I'm getting somewhere (although I'm not quite sure where).
On the suggestion of a few other AVS forums, I ran Malwarebytes' Anti-Malware; here are the results.

malw.jpg


Alright, obviously a few of those things look pretty ugly. Now the additional question comes: is my standard AVS protection not enough? I have the corporate version of Symantec AVS (which updates itself every day), Lavasoft's Adaware, and Spybot S&D. Scans with all of those come up clean. How are they missing these apparently nasty items that Anti-Malware caught?

Have things changed in the last year or so such that there are other free scanning apps that I should get and run on a regular basis?
 
Just an update; even after deleting all those nasty-looking things the malware program found and rebooting, I'm still getting the S&D Teatimer going haywire with popups every one second, generating thousands upon thousands of entries just like the following one in the Resident.log file:

4/11/2009 5:39:28 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:29 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:30 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:31 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!


Don't know what to do...

EDIT: I JUST SAW THE POST ABOVE, AND WILL READ THAT POST AND START MY OWN THREAD IN THE MR FORUM.
 
Last edited:
domino66 said:
Just an update; even after deleting all those nasty-looking things the malware program found and rebooting, I'm still getting the S&D Teatimer going haywire with popups every one second, generating thousands upon thousands of entries just like the following one in the Resident.log file:

4/11/2009 5:39:28 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:29 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:30 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!
4/11/2009 5:39:31 PM Denied (based on user blacklist) value "UserInit" (new data: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\bootwindows.exe,") changed in Winlogon!


Don't know what to do...
Click to expand...

This Malware will start everytime when Windows starts.

Please follow the instructions in my previous post. :)

Ok, I've read your edit. ;) Good luck.
 
Last edited:
You must log in or register to reply here.
Back
Top