KSOD - I suspect Malware

[EdwardY]

 My friend is having a Black Screen of Death(KSOD). After trying multiple attempts to fix it, nothing has worked. After going into advanced boot options, repair, command prompt and opening RegEdit we discovered his Shell and Userinit values are changing. We've used the Command Prompt to open RegEdit and change them.  Shell gets set to cmd.exe /k start cmd.exe And Userinit gets set to X:\WINDOWS\system32\userinit.exe, After changing them correctly they still change back to the above.  There is no Safe Mode, no Task Manager etc No System Recovery slots either.

Cannot download anything to run it for any tests.

[kevinf80]

Hello EdwardY and welcome to Malwarebytes,

Which version of windows is installed on the sick PC, is 64 bit or 32 bit... Also do you have USB flashdrive available..

Thank you,

Kevin...

[EdwardY]

Windows 7 64Bit.

No USB flashdrive.

[kevinf80]

We need a Flashdrive to run FRST via recovery environment, can you borrow from a friend or family member, 4 GB is good...

[EdwardY]

No, and it doesn't much matter, my friends having the problem and would have no way to get FRST anyways.

Is there any other way you can help?

[kevinf80]

There is no way really, if we reset reg keys then as you`ve already stated they just change back. There is probably a protective rootkit hidden that we need to find.... You mention accessing command prompt... Can you go into command prompt, copy paste the following at the prompt then hit enter:

cmd /c dir /a/s c:\windows\system32\drivers\*.sys

That will produce list of drivers can you show that list for me to see....

 

[EdwardY]

Give me a minute, he's going to send me pictures of it from his phone which I'll upload here.

[EdwardY]

[kevinf80]

I`m not able to see those drivers very well, do you see any with these sizes 137,552 or 137,040

[EdwardY]

No.

[kevinf80]

Maybe there is no rootkit, what exactly are you doing when you alter Winlogon key setting for userinint. Do you load the hive, make change then unload the hive and then exit recovery environmement and see if windows will boot...?

[EdwardY]

Just change it and try and load.

[kevinf80]

Wait let me see if I can find a link to change userinit value offline with good images to follow, I could explain to you but no images will make it hard to follow... back shortly.

[EdwardY]

Alright, thank you.

[kevinf80]

Ok, you know how to access command prompt from Recovery environmemnt, the link I post is for w8 and w10 but from Command Prompt is same for windows 7 so should be reasonably easy to follow:

http://www.winhelponline.com/blog/edit-registry-offline-windows-re/

[EdwardY]

Thanks, I'll read through it. My friend isn't home atm but I'll have him try it later. Will update you then.

[kevinf80]

Ok thanks for the update, a USBflash drive loaded with FRST would definitely make things more user friendly, create log and then create fix...

[EdwardY]

He doesn't have a USB flashdrive, even if he did he has no way of getting FRST on it. 

[kevinf80]

ok I understand,

[EdwardY]

It didn't work.

[EdwardY]

I've been looking through the drivers again, and noticed one is close to what you said to look for, 138,048, could this be what you was looking for?

[kevinf80]

Yes could be, can you list please...

[EdwardY]

ETD.sys

[kevinf80]

That file is legitimate... Can you boot the system to the Recovery Environment again, then select command prompt. At the prompt type or copy/paste the following command:

sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

Hit the enter key..

When complete see if windows will boot...

Edited November 5, 2017 by kevinf80

[EdwardY]

It's doing the system file check now.