Home Blog Links

sbn, 4 Mar 2009
Hi all,

Today I had a nice day of Windows "hacking". Here is the story.
So I had some kind of spyware on my pc. The spyware popped up in my browser and gave a bubble message saying I should
scan for anti-spyware with some program that would even install more spyware onto my computer.
So what did I do. I used some programs (Spybot, Malware bytes and so on) which indicated I had a "trojan" or "virus"
(called SSD). It had to do something with Userinit.exe and some registry key's.
The programs weren't able to remove the values, so I tried my self. At first try it didn't work, but then I found the
permission tab, there I gave myself all access. *POOF* all keys gone.
So I removed them and when I came back home from school my pc wouldn't login anymore. It just kept trying to login and
getting loged out (quite funny to see).

So I knew what went wrong, I deleted the registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon with value:
%windir%\system32\userinit.exe," mind the comma.

So the solution to this? Well, placing that value back. I thought it would be an easy task as I could boot into safe
mode and try it there. Guess what, no luck the same effect there (login/logout). So then I started thinking of what
software I had lying around.
First I tried the windows recovery disk, no luck. There is no program on it (by default) for even watching the registry.
So that was no option. Then I remembered I had some BartPE usb version things lying around (it once worked) I tried to
install it to usb again, but no luck on booting. It gave me some german error saying something was wrong with a file on
the disk. So I retried the different version I have installing but with out luck.

So I started an other search. A search for some linux version of regedit, some articles told me I should try wine and
use regedit from there. Knowing that the machine isn't dual boot (my bad, I should have done that in first place) that
wasn't an option, so I looked some more.

Throe the several searches I made, I always saw the page "Offline NT Password ..." but I didn't pay interest to it,
since I wasn't going to change my password or so. But after all it seemed to be the solution. The product it self is a
boot cd, but you can just copy it to usb and run pretend the usb is a bootable cd (if your mobo supports booting usb's
this is a handy feature). It wasn't hard to get the cd image (iso) on to the usb. Just mounted the image with some
program and then copied the content of it to my usb. And voila it was booting before I could blink my eyes.

Now came the hard part, editing the registry. After all it wasn't that hard, reading the help on the site.
But it was a lot of hassle to edit just one key in my registry.

So what have I learned from all this? Don't compress your windows partition (you'll need some luck if you try to edit
things that way).
And that there are a lot of useful utilities on the internet.

And that one utility is joining my favorite list which is: Offline NT Password & Registry Editor, Bootdisk / CD.
Url : http://home.eunet.no/pnordahl/ntpasswd/

So after spending hours on trying to get my PC working again, I succeed again.


Once again you amaze me with your skills Giel, I would have given up much earlier. You're an inspiration to us all.