Network connections and sound not working after Malwarebytes

All right!

Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
attrib /s userinit.exe >"%USERPROFILE%"\Desktop\userinit.txt
dir /s userinit.exe >>"%USERPROFILE%"\Desktop\userinit.txt
exit
exit

Now post the userinit.txt from the new icon on the desktop back to the thread.

Now if before you did not install Recovery Console when you ran ComboFix do it now.

Mike
 
Here it is. My network cable is still not connected, nor do I have my network icon back to install the recovery console. Should I retry the post #6 command and try to get my internet back on?
 
We are going to replace the bad userinit with a good one from backup

Plug up and install the Recovery console.

Then print this post for a guide.

Boot to Recovery console
type
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe C:\WINDOWS\system32

answer yes to overwrite existing file

Then
type
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe C:\WINDOWS\system32\dllcache
answer yes to overwrite existing file

Then type exit to reboot

Report back when complete.

Mike
 
Ok so I can't get my internet back on this time. I've tried the old and updated versions of post #6 and tried a bunch of different times. These are the txt files from post #8.
 
Ok I am preparing a post to get the Internet back but run Trojan Remover, I need to confirm the userinit repair.

Mike
 
Shutdown computer/Turn off.

Bring up in Safe Mode networking and try.

Mike

EDIT:

Do this again if you did not include it in the last things you tried.

Try this again also in Safe Mode Networking.

Run SuperAntiSpyware

Then Click Preferences
then click Repairs

Then counting down from top do the following entries

Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Reboot to normal and test.
 
The EDIT from my last post either?

Mike

EDIT: Copy then paste the below into an open cmd prompt!

Code:
@echo off
netsh winsock reset
netsh int ip reset
exit
exit


Look at the below settings, try a repair
Start-Run
type
NCPA.CPL

And these confirm Computer Browser, DHCP, Server and Workstation are all on.
Start-Run
type
services.msc

Mike
 
Ok I am going to have to go to bed.

I have lost track if you did the Services network repair etc.

I will be logging off in less than 10 minutes.

Will check in in morning.

Mike
 
Ok I opened up the network connections and there's nothing there to repair. In the past when I have gone from my network places to my network connections it would give an error saying some file/folder could not be found. I did the services, and DHCP and Computer Browser were not running. I started them and that did nothing, unless I was supposed to restart. Also, in the past a lot of the problems that mbam and sas would find were in services.exe, not sure if related or not. Well, goodnight, thanks again for the help, Mike. I know even a really patient person might have given up on me a long time ago. Many, many thanks, and hopefully we can get this damn thing straightened out soon.
-David
 
We do not want to System Restore now or we will put back some of what we cleaned. Especially we do not want to put back the Hijacked userinit.exe!

OK let's do a System Restore point, name it "While cleaning at TechSpot".

Then go into Device Mgr and rt click and remove/uninstall the Network Adapter only.

Reboot and let it reinstall.

If you have a Flash drive then on another computer get these bring to problem computer and run.

To look deeply at your system:

Download RSIT
http://images.malwareremoval.com/random/RSIT.exe

Run it, when finished it will open a log Maximized on the screen, copy/paste the contents of this log back here then close that log.

Then the 2nd log is Minimized so Max it and post it also to a separate post.
The logs will contain a HijackThis log also.

Download WinsockFix http://files.snapfiles.com/localdl834/WinsockxpFix.exe

I will be away for a meeting for up to 3-4 hours.

Mike
 
There are 4 different things under network adapter should I disable/uninstall all of them?


Also a new 'symptom', I suppose: since I started today the top of my task manager disappeared.

Also the link for the winsockxpfix isn't right but I was able to find it anyways.
 
Still no internet. I deleted them, and after reboot one got reinstalled but not the other, and no internet. Ran the winsockfix and rebooted, and still nothing. When I go from network places to network connections it gives me an error: "unable to retrive list of network adapters from your machine. Please make sure the network connections service is enabled and running"

Also I tried to run the RSIT and I got an error right after running saying "autoIt error: line 1-. Error: Incorrect number of parameter in function call."


So no other way of installing recovery console to fix the userinit?
 
Start-Run
type
services.msc
Hit Enter or click OK

Confirm Network Connections Service is running!

So no other way of installing recovery console to fix the userinit?

We have already fixed userinit! And whatever put it there or it had a hold of has caused this.

Right now we have no need for the recovery console.

Mike
 
I was under the impression we hadn't fixed it yet. In post #54 You asked me to plug my internet back in to install the recovery console that I hadn't been able to install when previously running combofix, and I responded saying that my internet didn't work and that I could not install the recovery console and I assumed the recent steps were to try and get my internet back on to install the recovery console and run the subsequent steps to replace the userinit. Unless you meant use the XP CD to boot into the XP recovery console http://support.microsoft.com/kb/307654 ? I wasn't sure if the two were the same or related at all but previously all talk of recovery console was related to combofix and needing the internet to install it.
 
Yeah after rereading I can see how you may have thought that. I did not make it clear.

Here Trojan Remover found the problem
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
142848 bytes
Created: 8/16/2005 1:18 AM
Modified: 2/2/2009 5:04 AM
Company: [no info]
C:\WINDOWS\system32\userinit.exe appears to contain: DOWNLOADER
C:\WINDOWS\system32\userinit.exe - cannot restore a good copy of this file
----------

Then here we located all the userinit.exe's

Left Drag mouse and Copy for Pasting all text in the box below.
Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:

@echo off
cd\
attrib /s userinit.exe >"%USERPROFILE%"\Desktop\userinit.txt
dir /s userinit.exe >>"%USERPROFILE%"\Desktop\userinit.txt
exit
exit

Now post the userinit.txt from the new icon on the desktop back to the thread.

Then here they are
A C:\i386\userinit.exe
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
C:\WINDOWS\ServicePackFiles\i386\userinit.exe
A C:\WINDOWS\system32\dllcache\userinit.exe
A C:\WINDOWS\system32\userinit.exe
Volume in drive C has no label.
Volume Serial Number is 1805-8E47

Directory of C:\i386

08/10/2004 02:00 AM 41,984 userinit.exe
1 File(s) 41,984 bytes

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 02:00 AM 41,984 userinit.exe
1 File(s) 41,984 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 04:12 PM 43,520 userinit.exe
1 File(s) 43,520 bytes

Directory of C:\WINDOWS\system32

02/02/2009 05:04 AM 142,848 userinit.exe
1 File(s) 142,848 bytes

Directory of C:\WINDOWS\system32\dllcache

02/02/2009 05:04 AM 142,848 userinit.exe
1 File(s) 142,848 bytes

Total Files Listed:
5 File(s) 413,184 bytes
0 Dir(s) 12,370,038,784 bytes free

Notice the one in c:\windows\system32 and dllcache has a size of 142,848 bytes
but the newest backup from C:\WINDOWS\ServicePackFiles\i386 is 43,520 bytes, the correct size.

So (uh oh) I just now see the problem.

In Post 54 I asked you to boot to Recovery Console and fix it.

But in Post 55 I assumed you did it and the result was you could not now get on the Internet. You did not say you did or did not do it.

Then today you asked about the recovery console. I did not catch it until I walked through it just now to explain it to you. Communications.

But here is the answer to fix userinit.exe.

--------------------------------------------------------------------------------------------------------
Download RC.ISO (Bootable Recovery Console) from Here:

http://www.thecomputerparamedic.com...

Now burn this ISO image to a CD
Once the CD is created, place it in the problem computer

Then reboot with that CD in the CD-ROM drive.
Make sure the PC is set to boot from the CD as the primary boot device.

When the PC boots, it will boot from the CD...after the first several screens load, you will be given a choice to choose R for Recovery Console.

You will be asked to log in.

At the prompt
type
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe C:\WINDOWS\system32

answer yes to overwrite existing file

Then
type
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe C:\WINDOWS\system32\dllcache
answer yes to overwrite existing file

Then type exit to reboot
Hit the Enter key
then
type
exit

This will reboot the computer hopefully into windows if not there can be other steps.

Mike
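
The size comparison walked through in the post above, as an added example that is not part of the original thread: a Python parser for the posted `dir /s` output that flags the live copies whose size differs from the ServicePackFiles backup. The function and constant names are made up for this example, and the sample listing is abridged from the one quoted in the post.

```python
import re

# Abridged from the dir /s output quoted in the post above.
SAMPLE = r"""
 Directory of C:\i386
08/10/2004 02:00 AM 41,984 userinit.exe
 1 File(s) 41,984 bytes
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/10/2004 02:00 AM 41,984 userinit.exe
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 04:12 PM 43,520 userinit.exe
 Directory of C:\WINDOWS\system32
02/02/2009 05:04 AM 142,848 userinit.exe
 Directory of C:\WINDOWS\system32\dllcache
02/02/2009 05:04 AM 142,848 userinit.exe
"""

# The thread treats the service pack backup as the known-good copy.
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"
# Copies that are actually loaded at logon or used by file protection.
LIVE_DIRS = [r"C:\WINDOWS\system32", r"C:\WINDOWS\system32\dllcache"]

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d\d/\d\d/\d{4})\s+\d\d:\d\d [AP]M\s+([\d,]+)\s+(\S+)\s*$")

def parse_dir_listing(text, name="userinit.exe"):
    """Return [(directory, date, size_in_bytes)] for each `name` entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)  # summary lines ("1 File(s) ...") do not match
        if m and current and m.group(3).lower() == name:
            entries.append((current, m.group(1), int(m.group(2).replace(",", ""))))
    return entries

def suspicious_copies(entries, reference_dir=REFERENCE_DIR, live_dirs=LIVE_DIRS):
    """Return [(directory, size, reference_size)] for live copies that differ."""
    by_dir = {d.lower(): (d, size) for d, _date, size in entries}
    if reference_dir.lower() not in by_dir:
        raise ValueError("reference copy not in listing")
    ref_size = by_dir[reference_dir.lower()][1]
    flagged = []
    for d in live_dirs:
        found_dir, size = by_dir.get(d.lower(), (d, None))  # None = copy missing
        if size != ref_size:
            flagged.append((found_dir, size, ref_size))
    return flagged

if __name__ == "__main__":
    for directory, size, ref in suspicious_copies(parse_dir_listing(SAMPLE)):
        print(f"{directory}: {size} bytes, backup is {ref} bytes")
```

A matching size is only a first check; a byte-for-byte compare against the backup (for example `fc /b`) is what confirms the live copy.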
 
So you have downloaded the RC.ISO burned it to CD and Booted from cd into Recovery Console and did the commands?

Mike
 
Yes, I successfully burned the iso image and booted into the recovery console, and after I hit enter on the commands, when I should be saying yes to overwriting the files, it says 'access is denied' with both commands.
 
OK try it this way

At the prompt
type
cd windows
cd system32
del userinit.exe
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe

Then

type
del C:\WINDOWS\system32\dllcache\userinit.exe
copy C:\WINDOWS\ServicePackFiles\i386\userinit.exe C:\WINDOWS\system32\dllcache

Then type exit to reboot
Hit the Enter key
then
type
exit

Mike
 