Windows Security Tutorials - Herong's Tutorial Examples - v3.01, by Dr. Herong Yang
UserInit - Winlogon Registry Key
This section provides a tutorial example on how to undo changes done by the PWS Trojan on the UserInit registry value under the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
Then I used HijackThis v2.0.0 to scan my computer, and found this entry in the HijackThis report:
F2 - REG:system.ini: UserInit =C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sovhst.exe
As you can see, the PWS Trojan had appended a malicious program file, sovhst.exe, to the UserInit registry value (which HijackThis reports under its system.ini settings). Winlogon runs every comma-separated program listed in this value at logon, so the Trojan would have been started with each user session. But this program file had already been removed.
After searching on the Web for more information on "UserInit", I learned that Windows systems use many registry keys and values as startup program settings:
Under HKCU hive:
  \Software\Microsoft\Windows\CurrentVersion\RunOnce
  \Software\Microsoft\Windows\CurrentVersion\RunServices
  \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Under HKLM hive:
  \Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  \Software\Microsoft\Windows\CurrentVersion\Run
  \Software\Microsoft\Windows\CurrentVersion\RunServices
  \Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  \Software\Microsoft\Windows\CurrentVersion\RunOnce
  \Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
To undo what the PWS Trojan did to this registry setting, I changed the registry value with regedit as:
Userinit=C:\WINDOWS\system32\userinit.exe
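The same check can be scripted instead of read off a HijackThis report. The PowerShell below is an added example, not part of Herong's tutorial: it parses the Userinit value the way Winlogon does (comma-separated programs), flags anything other than the stock userinit.exe, and then lists whatever is registered under the startup keys enumerated above. It assumes a standard install where %SystemRoot% is the Windows folder; the expected value is the one the tutorial restores.

```powershell
# Added example (not from the tutorial): audit the Winlogon Userinit value and the
# autostart keys listed above. Read-only; restoring the value is done with regedit
# as described in the text. Assumes %SystemRoot% is the Windows folder.

$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe"
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-UserinitValue {
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    # Winlogon launches each comma-separated entry at logon; a stock install has a
    # trailing comma, which the empty-string filter below tolerates.
    $entries = $raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $extra = @($entries | Where-Object { $_ -ne $ExpectedUserinit })  # -ne ignores case
    [pscustomobject]@{
        RawValue   = $raw
        Unexpected = $extra
        Clean      = ($extra.Count -eq 0)
    }
}

# Startup locations from the tutorial's list (Winlogon\Userinit is handled above).
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutostartEntries {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }          # key absent on this system
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every registry object.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

$result = Test-UserinitValue
if (-not $result.Clean) { Write-Warning "Unexpected Userinit entries: $($result.Unexpected -join '; ')" }
$result | Format-List
Get-AutostartEntries | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; on an infected machine the warning would have named sovhst.exe as the unexpected entry.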