Version: 52.8
Revision: 68 Build 16
How to remove System32.exe and Userinit.exe
Introduction: This virus was designed by a Vietnamese citizen. He is a criminal hacker who distributes fake files to corrupt other users' computers and their System32 sub-directories.
Part One: remove Userinit.exe and System32.exe
———————————
1.] Download Avira Anti-Virus [Free Edition].
————————–
http://avira.com
http://softpedia.com
————————–
2.] Run the application and scan your computer.
If you want to do it faster, you can go to these directories instead.
Right-click each of these folders and scan it with Avira.
————————–
C:\Windows\
C:\Windows\System32
C:\Windows\System32\System32.exe
C:\windows\system32\dllcache\win32\winlogon.exe
C:\windows\system32\dllcache\win32\csrss.exe
Notes: let the software kill all of the processes, and don't hit the Ignore button!
Also, don't forget to hit the Delete button when the scan engine has found the infected file!
3.] Erase all of these folders on your USB stick with Avira.
If you leave them alone, they will regenerate the virus, which means you will need to repeat step five!
Part Two: modify the Windows Shell and Userinit.exe registry values
———————————
Warning: once you reboot with userinit.exe and system32.exe removed, Windows cannot log you on successfully!
So please don't stop or wander off at stage three...
Notes: to locate these files, follow these instructions.
————————–
a.] In "Folder Options," hit the "View" tab and select or un-tick these options.
Hidden files and folders >> select: Show hidden files and folders.
Hidden files and folders >> un-tick: Hide protected operating system files (Recommended).
Items to be removed from USB memory sticks:
————————–
Autorun.inf
Secret.exe
Phimnguoilon.exe / Phim nguoi lon.exe
————————–
4.] Fix the registry value in this location...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
a.] Click on Userinit (REG_SZ)
b.] Right click and select “Modify…”
c.] Change the path.
Important: Include the trailing comma. Also be aware that this assumes Windows was installed in C:\Windows; the Userinit.exe file is actually in the System32 folder. You may want to verify that as well.
Wrong: C:\Windows\userinit.exe
Right: C:\Windows\System32\userinit.exe,
Important: Make sure that the registry value and the path are correct before the first reboot. If you leave it unchanged, Windows logon and access are completely disabled. So please double-check before you hit the "Restart" button!!
Advice: For better performance, you can also put 'Userinit.exe' into this registry location. It will boot faster after reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
a.] Go to Start >> Run and enter: regedit.
b.] Navigate to the corresponding registry location.
c.] In the left panel, look for 'Winlogon', then move your mouse to the right panel.
d.] Right-click and select New >> String Value.
e.] Rename it to 'Userinit' (without the quotes).
f.] Right-click your new string value and select: Modify.
g.] Copy the 'value data' shown underneath...
————————–
C:\Windows\System32\userinit.exe,
————————–
Important: Include the trailing comma. Also be aware that this assumes Windows was installed in C:\Windows; the Userinit.exe file is actually in the System32 folder. You may want to verify that as well.
h.] Paste the data, click 'OK' and exit the registry editor.
After the reboot, use IObit Windows Care Personal and CCleaner to repair, clean and remove all the junk files.
5.] Reboot and run Avira again.
Warning: check your registry entries (again) for any changes and repeat step four to step five. You don't have to run the anti-virus again.
Part Three: double-check your folders for "system32.exe" and "csrss.exe"
———————————
Problems: Most users also have their 'Shell' registry value infected with a file called System32.exe. To solve this problem, continue and clear this hidden virus.
1.] Since Avira removed the file System32.exe = "C:\Windows\System32\system32.exe," you have to go to the registry and fix the location. But don't you dare delete the registry entries!!
a.] Click Start >> Run >> Type: regedit >> Click OK or press Enter.
b.] Navigate through the registry folders and look for this registry location...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notes: look for a value called "Shell" [without the quotes].
2.] Right-click the value, select Modify, delete the entire contents of "Shell" and enter this in its place: explorer.exe
3.] After this, reboot your computer 'again' and let the new setting take effect!
4.] Your computer is ready to go!
Background history of “csrss.exe”
Introduction: firstly, the 'csrss.exe' file should be in "C:\Windows\System32\" or "C:\Windows\system32\dllcache." It should not be in the 'config' directory, in "C:\windows\system32\dllcache\win32\csrss.exe" or anywhere else...
Notes: change the paths in these registry locations to the correct ones...
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = "C:\Windows\System32\userinit.exe," (REG_SZ)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "explorer.exe" (REG_SZ)
Notes: If these values are missing, re-create them.
These are the registry entries to delete...
1.] Go to this directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\…
2.] Look under the "Image File Execution Options" folder and locate this sub-key: "explorer.exe" [without the quotes]
Notes: the virus creates the sub-key "explorer.exe" with this value under it:
Debugger=c:\windows\csrss.exe
3.] Delete it!
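The registry checks from Part Two, Part Three and the background section above, collected into one audit script. This is an added example and not part of the original guide: it compares the Winlogon "Userinit" and "Shell" values and the IFEO "explorer.exe" sub-key against the values the guide specifies, uses $env:SystemRoot instead of assuming C:\Windows, checks for the dropped files the guide names, and only writes to the registry when -Fix is passed.

```powershell
# Added audit script, not part of the original guide. Read-only unless -Fix is given;
# run from an elevated PowerShell prompt because -Fix writes HKLM values.
param([switch]$Fix)

$sys32        = Join-Path $env:SystemRoot 'System32'   # resolves the install drive instead of assuming C:\Windows
$winlogonHKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonHKCU = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ifeoExplorer = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$userinitOk   = (Join-Path $sys32 'userinit.exe') + ','   # the trailing comma the guide insists on

function Test-RegValue {
    param([string]$Key, [string]$Name, [string]$Expected, [switch]$Optional)
    $actual = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual -and $Optional) { Write-Host "[ok ] $Key\$Name not set (optional)"; return }
    if ($actual -eq $Expected)           { Write-Host "[ok ] $Key\$Name = '$actual'"; return }
    Write-Host "[BAD] $Key\$Name = '$actual'; expected '$Expected'"
    if ($Fix) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        Set-ItemProperty -Path $Key -Name $Name -Value $Expected -Type String
        Write-Host "      -> reset to '$Expected'"
    }
}

# Part Two / Part Three: the two Winlogon values this malware rewrites
Test-RegValue $winlogonHKLM 'Userinit' $userinitOk
Test-RegValue $winlogonHKLM 'Shell'    'explorer.exe'
Test-RegValue $winlogonHKCU 'Userinit' $userinitOk -Optional   # only present if you followed the guide's optional step

# Background section: a Debugger value under IFEO\explorer.exe redirects every Explorer launch
$dbg = (Get-ItemProperty -Path $ifeoExplorer -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) {
    Write-Host "[BAD] IFEO explorer.exe Debugger = '$dbg' (a clean system has no such value)"
    if ($Fix) { Remove-Item -Path $ifeoExplorer -Recurse -Force; Write-Host '      -> sub-key removed' }
} else { Write-Host '[ok ] no IFEO Debugger entry for explorer.exe' }

# Files the guide names as dropped copies; the genuine csrss.exe and winlogon.exe live in System32 itself
$dropped = @(
    (Join-Path $sys32 'system32.exe'),
    (Join-Path $sys32 'dllcache\win32\csrss.exe'),
    (Join-Path $sys32 'dllcache\win32\winlogon.exe'),
    (Join-Path $env:SystemRoot 'csrss.exe')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { Write-Host "[BAD] suspicious file present: $f" }
    else                           { Write-Host "[ok ] absent: $f" }
}
```

Run it once before the first reboot and again afterwards, as the guide's "check your registry entries (again)" warning asks; a "[BAD]" line on the Userinit value after the files were removed is exactly the state that locks you out of logon.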
Optional – Part Four: use ComboFix.exe to fix / remove other viruses
———————————
1.] Download ComboFix from these links…
———————————
ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
———————————
2.] Make a folder in your C:\ drive.
3.] Drag your ComboFix.exe into that folder.
4.] Disable all anti-virus applications, anti-spyware applications and all software with a HIPS function.
Notes: if you want to safely disable their system guard so that ComboFix.exe can clean your computer, I recommend disabling it in the "Computer Management" console.
Click Start >> Right click: My Computer >> Select: Manage >> Services and Applications >> Services
5.] Double-check your security guards to see that they are disabled. After that, execute ComboFix.
Notes: ComboFix will warn you if you haven't disabled the security guards. Click OK if you have already disabled the shield...
6.] The scanner will trigger another box which contains a list of infected files.
7.] After the scan, it will ask you to reboot your computer. Just click the "OK" button or hit the "Enter" key on your keyboard.
8.] After the reboot, don't touch anything and let it remove these parasites!
The files that will be removed are shown in ComboFix.
9.] When everything is cleared and dusted, you will need to wait for a while.
This is because the application is generating a 'Log.txt' file about the ComboFix removal process.
10.] Install CCleaner and clear your Internet Explorer and Firefox temporary files and internet system cache.
Part Five: remove ComboFix.exe from your computer
———————————
1.] Click Start >> Run >> Type: Combofix /u
2.] Click OK or press "Enter" on your keyboard.
3.] Disable your System Restore and re-enable it…
4.] Re-activate your ‘System Shield’ and reboot your computer.
5.] Finish!
Copyrighted by Lair360