Windows Security Tutorials - Herong's Tutorial Examples

∟PWS (Password Stealer) Trojan Infection Removal

∟UserInit - Winlogon Registry Key

This section provides a tutorial example on how to undo changes done by the PWS Trojan on the UserInit registry value under the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

Then I used HijackThis v2.0.0 to scan my computer, and found this entry in HijackThis report:

F2 - REG:system.ini: UserInit
   =C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sovhst.exe

As you can see, The PWS Trojan was trying to run a malicious program file, sovhst.exe, as part of the UserInit registry value for the system.ini settings. But this program file had been already removed.

After searching on the Web for more information on "UserInit", I learned that Windows systems use many registry keys and values as startup program settings:

Under HKCU hive:
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Under HKLM hive:
\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunServices
\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

To undo what the PWS Trojan did to this registry setting, I changed the registry value with regedit as:

Userinit=C:\WINDOWS\system32\userinit.exe

Table of Contents

 About This Windows Security Book

 Windows 8: System Security Review

 Windows 8: System Security Protection

 Windows 8 System Recovery

 Windows 8 Defender for Real-Time Protection

 Windows 7: System Security Review

 Windows 7: System Security Protection

 Windows 7 System Recovery

 Windows 7 Forefront Client Security

 Norton Power Eraser - Anti-Virus Scan Tool

 McAfee Virus and Malware Protection Tools

 Spybot - Spyware Blocker, Detection and Removal

 Keeping Firefox Secure

 Keeping IE (Internet Explorer) Secure

 Malware (Adware, Spyware, Trojan, Worm, and Virus)

 HijackThis - Browser Hijacker Diagnosis Tool

 IE Add-on Program Listing and Removal

 "Conduit Search" - Malware Detection and Removal

 "Tube Dimmer", "Scorpion Saver" or "Adpeak" Malware

 Malware Manual Removal Experience

 Vundo (VirtuMonde/VirtuMundo) - vtsts.dll Removal

 Trojan and Malware "Puper" Description and Removal

 VSToolbar (VSAdd-in.dll) - Description and Removal

►PWS (Password Stealer) Trojan Infection Removal

 What Is PWS (Password Stealer) Trojan?

 JS/Downloader.gen - JavaScript Downloader Malware

 PWS-Mmorpg.gen - A Password Stealer Trojan

 heb.exe - The Trojan Installer Program

 .exe and .dll Files Installed by the Trojan

 my.exe - A Second PWS Trojan Infection

 .exe and .dll Files of the Second Trojan

 Explorer.EXE Trying to Install a Trojan

 AccessProtectionLog.txt Log File Records

 ATF-Cleaner.exe - Temporary File Remover

 Trajon Files Left in the System Folder

 Removing PWS Trojan Files

 Removing PWS Trojan Startup Entries

 Command Processor AutoRun - Registry Value

►UserInit - Winlogon Registry Key

 js.users.51.la - hosts File Entries

 Image File Execution Options - Registry Key

 regedit.exe Not Working

 MS08-001 Vulnerability on Windows Systems

 Antivirus System PRO

 References

 Full Version in PDF/ePUB

UserInit - Winlogon Registry Key - Updated in 2021, by Dr. Herong Yang