restoring userinit.exe



I have a friend's box at my house to "fix", but I made it worse. I ran the MBAM application, and it successfully removed the malware in question, or at least in an offline scan... I think you know where this is headed...

Let's start over. I received a box that won't boot. I thought ok, there is some issue keeping this thing from booting, and asked some probing questions; do you enjoy adult entertainment on this machine? Do you create ISOs on this box? Are you, or have you ever been, involved in overthrowing the government? Are you a Communist? ... You get the idea.

Q: Do you run anti-virus or a personal firewall?

A: I downloaded ... enough said!

>> Anti-virus 2009 <<

Well, I took the box into my possession and started a chain-of-custody document :) .

I booted the box, and everything was fine. Until log in time.

>Loading personal settings<

>Saving personal settings<

>Logging off<

Well, after about twelve man-hours of searching the Internet, all I could find was a list of startup locations, and the promise that all was lost :( .

I wrote a quick VBscript and found none of the suspect locations had anything of value, but the way I did it was nice...

I used a floppy and accessed the PC via PsExec by SysInternals. {Really good thinking, yes?}

Anyways, I have a PC in my "home office" (night stand) and I can't get rid of it.

I'm sure you're wondering why this guy is here. Well, after the PsExec, I turned to MBAM on a known good PC, and attached via EIDE-to-USB cable. Ran the scan (kinda offline) and found the malware, quarantined it, and still nothing. I saw a post in the forums regarding userinit.exe, and thought this could possibly be the problem.


  • Root Admin

Well, basically it sounds like USERINIT.EXE was infected, modified, or removed. If it was just the file, then you need to copy a good, clean copy of USERINIT.EXE back to the C:\WINDOWS\SYSTEM32 folder on that drive and it should fix it. If it's a registry entry, then you'll need to fix that using a tool that is able to load the remote registry from, say, a boot CD or with the drive slaved.


Thanks for the reply! So a tool like RegView.exe (from the GMER makers) could work on a known good box (presuming RRPC, Win Net Client, and File/Print sharing are all installed)? I could "remote in" with PsExec, and load the Reg with RegView.exe to check things out, then use the Remote Reg mmc snap-in to load it remotely. But with the userinit.exe, will that need to be extracted from the ISO backup, or will any XP box work? As this friend (sister-in-law) has no backups!

Thanks in advance for your help!

By the way, do you have any experience using GMER, or know how to interpret the output; where I can find guidance?

~danday3953


  • Root Admin

Do you have a link to that file RegView?

The only one I'm aware of by that name is this: RegView.exe is a command-line tool that allows you to view Group Policy Registry.pol files without applying them to the registry.

Free Solutions

http://windowsxp.mvps.org/peboot.htm

http://www.ultimatebootcd.com/

http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html

http://ubcd4win.com/

Paid Solution

http://www.avast.com/eng/avast_bart_cd.html

Administrator License: $149.95

Serviceman License: $299.00


  • Root Admin

If you're semi-comfortable with it, you can remove the hard drive and put it into a working computer as a secondary drive and then copy the file over to the old one. Put it back in the old one and see if it works or not.

If you don't want to do that, or are not comfortable doing that, then the first link about the PE method is probably a good choice.

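The two fixes the Root Admin describes above (a clean USERINIT.EXE copied back into WINDOWS\SYSTEM32 on the slaved drive, and the Winlogon registry entry checked by loading the drive's offline SOFTWARE hive), worked through as one script. This is an added example and is not code from the original thread or from Malwarebytes; it runs from an elevated PowerShell (4.0 or later, for Get-FileHash) on the known-good box with the sick drive slaved. The slaved drive letter E:, the clean-copy path C:\tools\clean\userinit.exe and the temporary mount name OFFSW are assumptions; the expected values "C:\WINDOWS\system32\userinit.exe," (trailing comma included) and "Explorer.exe" are what a stock Windows XP install carries in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and Anti-virus 2009 style rogues are known for pointing Userinit or Shell at their own executable.

```powershell
# Added example, not from the original post. Run elevated on the known-good box.
# ASSUMPTIONS: sick drive is slaved as E:, clean userinit.exe sits at C:\tools\clean\userinit.exe.
$SlavedDrive = 'E:'
$CleanCopy   = 'C:\tools\clean\userinit.exe'

$HivePath   = Join-Path $SlavedDrive 'WINDOWS\system32\config\software'   # offline SOFTWARE hive (no extension on XP)
$TargetFile = Join-Path $SlavedDrive 'WINDOWS\system32\userinit.exe'
$MountKey   = 'HKLM\OFFSW'                                                # assumed temporary mount point
$WinlogonPS = 'HKLM:\OFFSW\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock XP values. The trailing comma on Userinit is deliberate; Winlogon expects it.
$ExpectedUserinit = 'C:\WINDOWS\system32\userinit.exe,'
$ExpectedShell    = 'Explorer.exe'

# 1. Is the binary on the slaved drive missing, or different from the clean copy?
if (-not (Test-Path $TargetFile)) {
    Write-Host "userinit.exe is MISSING from $TargetFile"
} else {
    $onDisk = (Get-FileHash -Path $TargetFile -Algorithm SHA256).Hash
    $clean  = (Get-FileHash -Path $CleanCopy  -Algorithm SHA256).Hash
    if ($onDisk -eq $clean) { Write-Host "userinit.exe matches the clean copy ($onDisk)" }
    else                    { Write-Host "userinit.exe DIFFERS from the clean copy (on-disk SHA256 $onDisk)" }
}

# 2. Mount the offline hive under HKLM\OFFSW and compare the two Winlogon values
#    a rogue typically rewrites to get itself launched at logon.
& reg.exe load $MountKey $HivePath | Out-Null
try {
    $wl = Get-ItemProperty -Path $WinlogonPS
    foreach ($pair in @(@('Userinit', $ExpectedUserinit), @('Shell', $ExpectedShell))) {
        $name, $expected = $pair
        $actual = $wl.$name
        if ($actual -eq $expected) { Write-Host "$name OK: $actual" }
        else                       { Write-Host "$name SUSPECT: '$actual' (expected '$expected')" }
    }

    # 3. Repair: put the clean binary back and reset both values.
    #    -WhatIf only prints the plan; remove it once the output above looks right.
    Copy-Item        -Path $CleanCopy  -Destination $TargetFile -Force -WhatIf
    Set-ItemProperty -Path $WinlogonPS -Name 'Userinit' -Value $ExpectedUserinit -WhatIf
    Set-ItemProperty -Path $WinlogonPS -Name 'Shell'    -Value $ExpectedShell    -WhatIf
}
finally {
    # Always unload, or the hive file stays locked and the drive cannot be removed cleanly.
    # The GC call releases the handle the registry provider still holds on the mounted key.
    [GC]::Collect()
    & reg.exe unload $MountKey | Out-Null
}
```

A clean copy should come from the same Windows XP service-pack level as the sick machine; on an XP install the Windows File Protection cache at WINDOWS\system32\dllcache\userinit.exe, or USERINIT.EX_ in the i386 folder of the install CD (expand it with expand.exe), are the usual sources. Verify the copy's hash against the same file on another machine at that service-pack level before trusting it, and run this script once with -WhatIf in place before applying the changes.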

  • Root Admin

No, I'll be closing this post, as it's resolved as far as we can help you at this time. If, after you replace the file and get the system running, you need further assistance with removing malware, then please send a Private Message and we can re-open the post at that time.

Thank you.
