EdwardY

KSOD - I suspect Malware


My friend is having a Black Screen of Death (KSOD). After multiple attempts to fix it, nothing has worked. After going into advanced boot options, repair, command prompt and opening RegEdit, we discovered his Shell and Userinit values are changing. We've used the Command Prompt to open RegEdit and change them. Shell gets set to cmd.exe /k start cmd.exe and Userinit gets set to X:\WINDOWS\system32\userinit.exe. After changing them correctly, they still change back to the above. There is no Safe Mode, no Task Manager, etc. No System Recovery slots either.

Cannot download anything to run it for any tests.


Hello EdwardY and welcome to Malwarebytes,

Which version of Windows is installed on the sick PC, is it 64 bit or 32 bit... Also, do you have a USB flash drive available...

Thank you,

Kevin...


We need a flash drive to run FRST via the recovery environment, can you borrow one from a friend or family member? 4 GB is good...


No, and it doesn't much matter, my friend's having the problem and would have no way to get FRST anyway.

Is there any other way you can help?


There is no way really, if we reset the reg keys then, as you've already stated, they just change back. There is probably a protective rootkit hidden that we need to find.... You mention accessing the command prompt... Can you go into the command prompt, copy/paste the following at the prompt, then hit Enter:

cmd /c dir /a/s c:\windows\system32\drivers\*.sys

That will produce a list of drivers, can you show that list for me to see....

Give me a minute, he's going to send me pictures of it from his phone, which I'll upload here.


I'm not able to see those drivers very well, do you see any with these sizes: 137,552 or 137,040?


Maybe there is no rootkit, what exactly are you doing when you alter the Winlogon key setting for userinit? Do you load the hive, make the change, then unload the hive, and then exit the recovery environment and see if Windows will boot...?


Wait, let me see if I can find a link to change the userinit value offline with good images to follow. I could explain it to you, but with no images it will be hard to follow... back shortly.


Thanks, I'll read through it. My friend isn't home at the moment, but I'll have him try it later. Will update you then.


OK, thanks for the update. A USB flash drive loaded with FRST would definitely make things more user friendly: create a log and then create a fix...


I've been looking through the drivers again, and noticed one is close to what you said to look for, 138,048. Could this be what you were looking for?


That file is legitimate... Can you boot the system to the Recovery Environment again, then select command prompt. At the prompt type or copy/paste the following command:

sfc /scannow /offbootdir=c:\ /offwindir=c:\windows

Hit the Enter key...

When complete see if windows will boot...

Edited by kevinf80

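The "load the hive, make the change, unload the hive" step Kevin asks about above, together with the offline sfc command from his last post, as one worked script. This is an added example and not code from the thread or from Malwarebytes. It is written for the WinRE command prompt (cmd.exe). It assumes the installed Windows is visible from WinRE as drive C: and that the booted system will also see its system drive as C:; the temporary key name OFFSOFT is an arbitrary choice. WinRE itself runs from a RAM disk lettered X:, so regedit opened from the WinRE prompt without loading an offline hive shows WinRE's own registry, which is rebuilt on every boot; that is the situation this script is meant to avoid by editing the on-disk SOFTWARE hive explicitly.

```batch
@echo off
setlocal
rem Added example: repair Winlogon Shell/Userinit in the OFFLINE registry from WinRE.
rem Assumption: the installed Windows is on C: as seen from WinRE. If "dir C:\Windows"
rem fails here, try D:, E:, ... and change WINDRV. Do not use X:, that is WinRE's RAM disk.
set "WINDRV=C:"
if not exist "%WINDRV%\Windows\System32\config\SOFTWARE" (
    echo Offline SOFTWARE hive not found on %WINDRV% - adjust WINDRV and rerun.
    exit /b 1
)

rem OFFSOFT is an arbitrary temporary key name chosen for this example.
set "HIVE=HKLM\OFFSOFT"
set "WINLOGON=%HIVE%\Microsoft\Windows NT\CurrentVersion\Winlogon"

rem 1. Mount the on-disk SOFTWARE hive. Without this step, any Winlogon edit made from
rem    WinRE lands in WinRE's own registry and is lost on the next boot.
reg load %HIVE% "%WINDRV%\Windows\System32\config\SOFTWARE" || exit /b 1

rem 2. Record what is really on disk before touching it (useful evidence if it is malware).
echo --- current offline Winlogon values ---
reg query "%WINLOGON%" /v Shell
reg query "%WINLOGON%" /v Userinit

rem 3. Restore the Windows defaults. The Userinit path is the letter the booted OS uses
rem    (assumed C:), not necessarily the WinRE letter, and it keeps its trailing comma.
reg add "%WINLOGON%" /v Shell /t REG_SZ /d "explorer.exe" /f
reg add "%WINLOGON%" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f

rem 4. Verify, then unload so the change is flushed to disk before rebooting.
echo --- offline Winlogon values after the fix ---
reg query "%WINLOGON%" /v Shell
reg query "%WINLOGON%" /v Userinit
reg unload %HIVE%

rem 5. Offline integrity check of protected system files (the command from the thread).
sfc /scannow /offbootdir=%WINDRV%\ /offwindir=%WINDRV%\Windows
endlocal
```

Two practical notes. First, if the values are still wrong after a normal boot, that is evidence of something resetting them from inside Windows (a service, driver or scheduled task), which is the case where an offline scanner such as FRST on a USB stick is needed; an offline edit alone cannot prove or rule that out. Second, Shell and Userinit under HKLM are not the only places a shell can be hijacked: the same Winlogon key exists per user in NTUSER.DAT (reg load it from C:\Users\<name>\NTUSER.DAT in the same way), and a per-user Shell value there wins over the machine-wide one.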
This topic is now closed to further replies.