The system logs off automatically right after you enter the password to log on? It turned out to be a fault caused by a bot.


Endurer original
2008-02-15 1st

Out of curiosity, a netizen opened a link to an adult web page and unfortunately got infected. After the viruses were scanned and removed with Rising, the system automatically logged off as soon as the account and password were entered at logon. The cause of this behaviour is that the Windows system file userinit.exe is incorrect.

Boot from the Windows XP installation CD, select the Recovery Console, and run the command

dir C:\Windows\system32\userinit.exe

The output does not list userinit.exe.

Run the following command:
copy C:\Windows\system32\dllcache\userinit.exe C:\Windows\system32

This copies userinit.exe from C:\Windows\system32\dllcache to C:\Windows\system32. Then run the command exit to restart the computer.

Now you can log on to the system normally.

After the desktop starts, the system still responds slowly. Open Task Manager and terminate the suspicious process: sy_win7k.jmp.

Rising's antivirus history shows the following records (some duplicate virus entries have been removed):


Failed.

Download pe_xscan and run a scan to produce a log. During the scan, Rising detected several viruses:
/---
Virus name processing result killing method accessing the process file of the infected file
Trojan. psw. win32.qqpass. gen deleted successfully. File monitoring C:/program files/Internet Explorer/iw.e. exe c:/program files/Internet Explorer/plugins/winsys8k. sys

Trojan. psw. win32.qqpass. gen deleted successfully. File Monitor D:/pe_xscan.exe C:/program files/Internet Explorer/plugins/sys_win7s.jmp> upx_c> File


Rootkit. win32.gamehack. GEU deleted successfully. File Monitor D:/tools/bat_do.exe C:/Windows/system32/Drivers/msyecp. sys
Rootkit. win32.mnless. gv deleted successfully. File monitoring C:/tools/fileinfo. exe c:/Windows/system32/Drivers/msaclue. sys
---/

The pe_xscan log contains these suspicious items:

/=
Pe_xscan 08-01-29 by Purple endurer
12:13:42
Windows XP Service Pack 2 (5.1.2600)
Administrator user group

 

C:/WINDOWS/EXPLORER.EXE* 1668 | 2007-6-13 21:21:56 | Microsoft(R) Windows(R) Operating System | 6.00.2900.3156 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.3156 (xpsp_sp2_gdr.070613-1234) | Microsoft Corporation| ? | explorer | EXPLORER.EXE 
   C:/PROGRAM FILES/INTERNET EXPLORER/PLUGINS/WINSYS8K.SYS
C:/WINDOWS/SYSTEM32/CTFMON.EXE* 1704 | 2004-8-23 16:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | CTF Loader | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CTFMON | CTFMON.EXE
   C:/PROGRAM FILES/INTERNET EXPLORER/PLUGINS/WINSYS8K.SYS
O2 - BHO - {6167F471-EF2B-41DD-A5E5-C26ACDB5C096} - C:/PROGRAM FILES/INTERNET EXPLORER/PLUGINS/WINSYS8K.SYS
O4 - HKLM/../POLICIES/EXPLORER/RUN: [NSIUXHQQW]  NSIUXHQQW.EXE
O23-service: ati2hddsrv (ati2hddsrv)-C:/Windows/system32/Drivers/ati32srv. sys (manual)
O23-service: msertk (msertk)-system32/Drivers/msyecp. sys (will be started)
O23-service: msskye (msskye)-system32/Drivers/msaclue. sys (will be started)
O23-service: deepfree Update (deepfree update)-C:/Windows/system32/Drivers/pcihdd2.sys (manual)
O23-service: pciharddisk (pciharddisk)-C:/Windows/system32/Drivers/pcidisk. sys (manual)
O24 - SHLEXECHOOK: [] - {6167F471-EF2B-41DD-A5E5-C26ACDB5C096} = C:/PROGRAM FILES/INTERNET EXPLORER/PLUGINS/WINSYS8K.SYS
O26 - IFEO: 360rpt.exe -> ntsd -d
O26 - IFEO: 360Safe.exe -> ntsd -d
O26 - IFEO: 360tray.exe -> ntsd -d
O26 - IFEO: adam.exe -> ntsd -d
O26 - IFEO: AgentSvr.exe -> ntsd -d
O26 - IFEO: AppSvc32.exe -> ntsd -d
O26 - IFEO: autoruns.exe -> ntsd -d
O26 - IFEO: avconsol.exe -> ntsd -d
O26 - IFEO: avgrssvc.exe -> ntsd -d
O26 - IFEO: AvMonitor.exe -> ntsd -d
O26 - IFEO: avp.com -> ntsd -d
O26 - IFEO: avp.exe -> ntsd -d
O26 - IFEO: ccSvcHst.exe -> ntsd -d
O26 - IFEO: EGHOST.exe -> ntsd -d
O26 - IFEO: FTCleanerShell.exe -> ntsd -d
O26 - IFEO: FYFireWall.exe -> ntsd -d
O26 - IFEO: HijackThis.exe -> ntsd -d
O26 - IFEO: IceSword.exe -> ntsd -d
O26 - IFEO: iparmo.exe -> ntsd -d
O26 - IFEO: Iparmor.exe -> ntsd -d
O26 - IFEO: isPwdSvc.exe -> ntsd -d
O26 - IFEO: kabaload.exe -> ntsd -d
O26 - IFEO: KaScrScn.SCR -> ntsd -d
O26 - IFEO: KASMain.exe -> ntsd -d
O26 - IFEO: KASTask.exe -> ntsd -d
O26 - IFEO: KAV32.exe -> ntsd -d
O26 - IFEO: KAVDX.exe -> ntsd -d
O26 - IFEO: KAVPF.exe -> ntsd -d
O26 - IFEO: KAVPFW.exe -> ntsd -d
O26 - IFEO: KAVSetup.exe -> ntsd -d
O26 - IFEO: KAVStart.exe -> ntsd -d
O26 - IFEO: KISLnchr.exe -> ntsd -d
O26 - IFEO: KMailMon.exe -> ntsd -d
O26 - IFEO: KMFilter.exe -> ntsd -d
O26 - IFEO: KPFW32.exe -> ntsd -d
O26 - IFEO: KPFW32X.exe -> ntsd -d
O26 - IFEO: KPfwSvc.exe -> ntsd -d
O26 - IFEO: KRegEx.exe -> ntsd -d
O26 - IFEO: KRepair.com -> ntsd -d
O26 - IFEO: KsLoader.exe -> ntsd -d
O26 - IFEO: KVCenter.kxp -> ntsd -d
O26 - IFEO: KvDetect.exe -> ntsd -d
O26 - IFEO: KvfwMcl.exe -> ntsd -d
O26 - IFEO: KVMonXP.kxp -> ntsd -d
O26 - IFEO: KVMonXP_1.kxp -> ntsd -d
O26 - IFEO: kvol.exe -> ntsd -d
O26 - IFEO: kvolself.exe -> ntsd -d
O26 - IFEO: KvReport.kxp -> ntsd -d
O26 - IFEO: KVScan.kxp -> ntsd -d
O26 - IFEO: KVSrvXP.exe -> ntsd -d
O26 - IFEO: KVStub.kxp -> ntsd -d
O26 - IFEO: kvupload.exe -> ntsd -d
O26 - IFEO: kvwsc.exe -> ntsd -d
O26 - IFEO: KvXP.kxp -> ntsd -d
O26 - IFEO: KvXP_1.kxp -> ntsd -d
O26 - IFEO: KWatch.exe -> ntsd -d
O26 - IFEO: KWatch9x.exe -> ntsd -d
O26 - IFEO: KWatchX.exe -> ntsd -d
O26 - IFEO: MagicSet.exe -> ntsd -d
O26 - IFEO: mcconsol.exe -> ntsd -d
O26 - IFEO: mmqczj.exe -> ntsd -d
O26 - IFEO: mmsk.exe -> ntsd -d
O26 - IFEO: Navapw32.exe -> ntsd -d
O26 - IFEO: nod32.exeNavapsvc.exe -> ntsd -d
O26 - IFEO: nod32krn.exe -> ntsd -d
O26 - IFEO: nod32kui.exe -> ntsd -d
O26 - IFEO: NPFMntor.exe -> ntsd -d
O26 - IFEO: OllyDBG.EXE -> ntsd -d
O26 - IFEO: OllyICE.EXE -> ntsd -d
O26 - IFEO: PFW.exe -> ntsd -d
O26 - IFEO: PFWLiveUpdate.exe -> ntsd -d
O26 - IFEO: procexp.exe -> ntsd -d
O26 - IFEO: QHSET.exe -> ntsd -d
O26 - IFEO: QQDoctor.exe -> ntsd -d
O26 - IFEO: QQKav.exe -> ntsd -d
O26 - IFEO: RegTool.exe -> ntsd -d
O26 - IFEO: rfwProxy.exe -> ntsd -d
O26 - IFEO: rfwstub.exe -> ntsd -d
O26 - IFEO: safelive.exe -> ntsd -d
O26 - IFEO: scan32.exe -> ntsd -d
O26 - IFEO: shcfg32.exe -> ntsd -d
O26 - IFEO: SREng.EXE -> ntsd -d
O26 - IFEO: symlcsvc.exe -> ntsd -d
O26 - IFEO: SysSafe.exe -> ntsd -d
O26 - IFEO: TrojanDetector.exe -> ntsd -d
O26 - IFEO: Trojanwall.exe -> ntsd -d
O26 - IFEO: TrojDie.kxp -> ntsd -d
O26 - IFEO: UIHost.exe -> ntsd -d
O26 - IFEO: UmxAgent.exe -> ntsd -d
O26 - IFEO: UmxAttachment.exe -> ntsd -d
O26 - IFEO: UmxCfg.exe -> ntsd -d
O26 - IFEO: UmxFwHlp.exe -> ntsd -d
O26 - IFEO: UmxPol.exe -> ntsd -d
O26 - IFEO: UpLive.exe -> ntsd -d
O26 - IFEO: vsstat.exe -> ntsd -d
O26 - IFEO: webscanx.exe -> ntsd -d
O26 - IFEO: WoptiClean.exe -> ntsd -d
===/ 
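The O26 lines in the log above are Image File Execution Options (IFEO) entries: each names a program for which Windows starts the listed debugger command (here ntsd -d) instead of the program itself, which is why the security tools no longer open. The following is an added example, not part of the original post or of pe_xscan: a short triage script that groups IFEO entries by debugger and matches O23 driver services against the files Rising flagged. The names triage, basename and AV_FLAGGED are assumptions, and the sample input is built from lines copied from the log.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the pe_xscan log above.
SAMPLE_LOG = """\
O23-service: msertk (msertk)-system32/Drivers/msyecp. sys (will be started)
O23-service: msskye (msskye)-system32/Drivers/msaclue. sys (will be started)
O23-service: pciharddisk (pciharddisk)-C:/Windows/system32/Drivers/pcidisk. sys (manual)
O26 - IFEO: HijackThis.exe -> ntsd -d
O26 - IFEO: avp.exe -> ntsd -d
O26 - IFEO: procexp.exe -> ntsd -d
"""

# Driver files Rising reported as rootkits during the pe_xscan run (see above).
AV_FLAGGED = {"msyecp.sys", "msaclue.sys"}

IFEO_RE = re.compile(r"^O26\s*-\s*IFEO:\s*(?P<image>\S+)\s*->\s*(?P<debugger>.+?)\s*$")
SVC_RE = re.compile(
    r"^O23\s*-\s*service:\s*(?P<name>.+?)\s*\((?P<key>[^)]*)\)\s*-\s*"
    r"(?P<path>.+?)\s*\((?P<start>[^)]*)\)\s*$", re.I)

def basename(path):
    """File name of a log path; the log text has stray spaces ("msyecp. sys")."""
    return re.split(r"[\\/]", path)[-1].replace(" ", "").lower()

def triage(log_text, av_flagged=AV_FLAGGED, min_images=3):
    """Return IFEO debuggers shared by many images and AV-flagged driver services."""
    by_debugger = defaultdict(list)
    services = []
    for line in log_text.splitlines():
        m = IFEO_RE.match(line.strip())
        if m:
            by_debugger[m["debugger"]].append(m["image"])
            continue
        m = SVC_RE.match(line.strip())
        if m and basename(m["path"]) in av_flagged:
            services.append((m["key"], basename(m["path"]), m["start"]))
    # One debugger command attached to many unrelated programs is the pattern
    # in this log: Windows starts "ntsd -d" in place of each listed tool.
    mass = {d: imgs for d, imgs in by_debugger.items() if len(imgs) >= min_images}
    return {"ifeo_mass_redirects": mass, "flagged_services": services}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dbg, images in result["ifeo_mass_redirects"].items():
        print(f"IFEO debugger {dbg!r} set for {len(images)} programs: {images}")
    for key, driver, start in result["flagged_services"]:
        print(f"service {key}: driver {driver} ({start}) was flagged by the scanner")
```

Deleting the detected files does not remove these registry entries; the IFEO redirects and the service keys stay in place until they are cleaned up as well.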
