Apr 20th, 2005, 10:09 am
One of my friends asked me to look at his PC today. It was logging in, then logging straight back off again.
It turned out, he'd downloaded a file called 'funny.exe' via MSN, which changed the login program his registry pointed to...
To cut a 3hr long story short, I booted the system using an XP disk, then launched the recovery console by pressing 'r' when asked.
I then entered the administrator password.
It came up with the C:\Windows command prompt.
I then typed 'cd system32' (without the quotes) to enter the system32 folder, and then typed 'copy userinit.exe userinit32.exe'.
Basically userinit.exe is the legitimate file, but the program alters the registry to point to userinit32.exe. The commands above overwrote the virus file with the original one, meaning I was then able to boot the system normally (after typing 'exit').
When it finally reached Windows, I could run regedit and go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
And change the userinit key to point to userinit, not userinit32.
Thanks to a visitor at the 'Bored Guru' discussion of this virus for providing the above solution. ( http://www.boredguru.com/modules/art...php?item_id=87 )
I then had to do a 'delete on reboot' via HijackThis to remove zjciebhs.exe, which kept appearing in the HijackThis log, but I think that's another story...
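The fix above is manual, but the two things it relies on (the Winlogon Userinit value naming the real userinit.exe, and that file being the genuine binary) can be audited before a machine ever gets into a login loop. The following PowerShell script is an added example, not part of DaveSW's post or any tool he used. It assumes the standard %SystemRoot%\system32 layout; the dllcache comparison relies on the Windows File Protection cache that Windows XP keeps (on Vista and later that folder is normally absent, so the script falls back to an Authenticode signature check instead). Warnings are written for anything that does not match the expected state; the script changes nothing.

```powershell
# Added example (not from the original post): audit the Winlogon Userinit and
# Shell values and the binary Userinit points to, to catch the userinit32.exe
# style of hijack described above. Assumes %SystemRoot%\system32\userinit.exe
# is the expected target and that a clean XP box keeps a protected copy in
# %SystemRoot%\system32\dllcache (Windows File Protection).

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32    = Join-Path $env:SystemRoot 'system32'
$expectedExe = Join-Path $system32 'userinit.exe'
$dllcacheExe = Join-Path $system32 'dllcache\userinit.exe'

$props    = Get-ItemProperty -Path $winlogonKey
$userinit = [string]$props.Userinit
$shell    = [string]$props.Shell

Write-Host "Userinit = $userinit"
Write-Host "Shell    = $shell"

# 1. The clean value is the full path to userinit.exe followed by a trailing
#    comma. Split on the comma and flag any entry that is not the expected file.
$entries = $userinit -split ',' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

foreach ($entry in $entries) {
    if ($entry -ine $expectedExe) {
        Write-Warning "Unexpected Userinit entry: $entry"
    }
}

# 2. Shell should be plain explorer.exe; anything appended is a persistence hook.
if ($shell -ine 'explorer.exe') {
    Write-Warning "Unexpected Shell value: $shell"
}

# Helper: SHA-256 of a file using .NET, so it also works on old PowerShell
# versions that lack Get-FileHash.
function Get-Sha256Hex([string]$path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

# 3. Verify the binary each entry points to. On XP compare it against the
#    Windows File Protection copy; elsewhere fall back to the Authenticode check.
foreach ($entry in $entries) {
    if (-not (Test-Path -LiteralPath $entry)) {
        Write-Warning "Userinit target does not exist: $entry"
        continue
    }

    if (Test-Path -LiteralPath $dllcacheExe) {
        $live  = Get-Sha256Hex $entry
        $cache = Get-Sha256Hex $dllcacheExe
        if ($live -ne $cache) {
            Write-Warning "Userinit target differs from dllcache copy: $entry"
        }
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $entry
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            Write-Warning "Unsigned or non-Microsoft Userinit target: $entry ($($sig.Status))"
        }
    }
}

# 4. Look for look-alike binaries (userinit32.exe and friends) next to the real one.
Get-ChildItem -Path $system32 -Filter 'userinit*.exe' |
    Where-Object { $_.Name -ine 'userinit.exe' } |
    ForEach-Object { Write-Warning "Look-alike binary present: $($_.FullName)" }
```

Run it from an elevated prompt on a machine that still boots; if the Userinit value already names something other than userinit.exe, that is the same symptom the post describes and the Recovery Console steps above still apply.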
This blog entry was written by DaveSW. It has received 2,214 views, 0 comments, and 4 linkbacks.