DaniWeb IT Discussion Community

Funny.exe (I don't think) (http://www.daniweb.com/blogs/entry196.html)

DaveSW, DaveSW's Blog
Apr 20th, 2005, 11:09 am
One of my friends asked me to look at his PC today. It was logging in, then logging straight back off again.

It turned out, he'd downloaded a file called 'funny.exe' via MSN, which changed the login program his registry pointed to...

To cut a 3-hour-long story short, I booted the system using an XP disk, then launched the Recovery Console by pressing 'r' when asked.
I then entered the Administrator password.
It came up with the C:\Windows command prompt.
I then typed 'cd system32' (without the quotes) to enter the system32 folder, and then typed 'copy userinit.exe userinit32.exe'.
Basically userinit.exe is the legitimate file, but the program alters the registry to point to userinit32.exe. The command above overwrote the virus file with the original one, meaning I was then able to boot the system normally (after typing 'exit').

When it finally reached Windows, I could run regedit and go to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
And change the userinit key to point to userinit, not userinit32.

Thanks to a visitor at the 'Bored Guru' discussion of this virus for providing the above solution. ( http://www.boredguru.com/modules/art...php?item_id=87 )

I then had to do a 'delete on reboot' via HijackThis to remove zjciebhs.exe, which kept appearing in the HijackThis log, but I think that's another story...
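The check a practitioner would want after a clean-up like the one above is to confirm that the Winlogon Userinit and Shell values really are back to their defaults and that every program they launch is a Microsoft-signed binary. The PowerShell script below is an added example and is not code from the original post or from DaveSW; the Winlogon registry path and the default values (userinit.exe with its trailing comma, and explorer.exe) are standard Windows ones, while the -Fix switch and the script's layout are this example's own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit the Winlogon
# Userinit/Shell values that the 'funny.exe' malware redirected, and
# optionally restore the defaults. The -Fix switch is an assumption of
# this script; the registry path and default values are standard Windows.
[CmdletBinding()]
param(
    [switch]$Fix
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys32    = Join-Path $env:SystemRoot 'System32'

# Defaults on a clean Windows install. Note the trailing comma on
# Userinit: Windows treats the value as a comma-separated list, which is
# exactly how malware appends itself without removing the real entry.
$expected = @{
    Userinit = (Join-Path $sys32 'userinit.exe') + ','
    Shell    = 'explorer.exe'
}

$key   = Get-ItemProperty -Path $winlogon
$dirty = $false

foreach ($name in $expected.Keys) {
    $current = $key.$name
    Write-Host ("{0,-9}: {1}" -f $name, $current)

    # -ne is case-insensitive in PowerShell; a hijack normally shows up as a
    # different file name (userinit32.exe) or an extra comma-separated entry.
    if ($current -ne $expected[$name]) {
        $dirty = $true
        Write-Warning "$name differs from the default '$($expected[$name])'"

        # List every program the value would launch and whether each one is
        # signed; an unsigned or missing file is the thing to investigate.
        foreach ($entry in ($current -split ',' | Where-Object { $_.Trim() })) {
            $exe = $entry.Trim().Trim('"')
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                $exe = Join-Path $sys32 $exe
            }
            if (Test-Path $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                Write-Host ("  {0}  signature={1}  signer={2}" -f $exe, $sig.Status, $sig.SignerCertificate.Subject)
            } else {
                Write-Host "  $exe  (file not found)"
            }
        }

        if ($Fix) {
            Set-ItemProperty -Path $winlogon -Name $name -Value $expected[$name]
            Write-Host "  restored $name to default"
        }
    }
}

if (-not $dirty) {
    Write-Host 'Winlogon Userinit and Shell values match the defaults.'
}
```

If the machine still logs straight back out, the same check can be done from the Windows Recovery Environment by loading the offline hive first (reg load HKLM\Offline C:\Windows\System32\config\SOFTWARE) and pointing $winlogon at HKLM:\Offline\Microsoft\Windows NT\CurrentVersion\Winlogon; remember to reg unload it afterwards.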