How to remove System32.exe and Userinit.exe





Version: 52.8
Revision: 68 Build 16


Introduction:
This virus was designed by a Vietnamese citizen, a criminal hacker who distributes fake files that corrupt other users’ computers, including their System32 sub-directories.

Part One: remove Userinit.exe and System32.exe
———————————
1.] Download Avira Anti-Virus [Free Edition].
————————–

http://avira.com

http://softpedia.com

————————–

2.] Execute the application and scan your computer.
If you want to do it faster, you can go straight to these locations.

Right-click these folders and files and scan them with Avira.
————————–
C:\Windows\
C:\Windows\System32
C:\Windows\System32\System32.exe
C:\windows\system32\dllcache\win32\winlogon.exe
C:\windows\system32\dllcache\win32\csrss.exe

Notes: let the software kill all of the processes it flags, and don’t hit the Ignore button!
Also, don’t forget to hit the Delete button when the scan engine has found an infected file!

3.] Erase all of these files from your USB stick with Avira (the list is given under “Items to be removed from USB memory sticks” below).
If you leave the stick alone, it will regenerate the virus, which means you’ll need to repeat step five!

Part Two: modify windows Shell and Userinit.exe registry
———————————

Warning: once you reboot without userinit.exe and system32.exe, Windows cannot log on successfully, because the Winlogon registry values still point at the deleted files.
So please don’t stop and wander off at stage three…

Notes: to locate these files, please follow these instructions.
————————–
a.] In “Folder Options,” open the “View” tab and set these options:

Hidden files and folders >> select: Show hidden files and folders.
Hidden files and folders >> un-tick: Hide protected operating system files (Recommended).

Items to be removed from USB memory sticks.
————————–
Autorun.inf
Secret.exe
Phimnguoilon.exe / Phim nguoi lon.exe
————————–

4.] Fix the registry value at this location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

a.] Click on Userinit (REG_SZ)
b.] Right-click and select “Modify…”
c.] Change the path to the correct one.

Important: include the trailing comma. Also be aware that this assumes Windows was installed in C:\Windows; the genuine userinit.exe is located in the System32 folder, so verify that path on your own system as well.

Wrong: C:\Windows\userinit.exe
Right: C:\Windows\System32\userinit.exe,


Important: make sure that the registry value and the path are correct before the first reboot. If you leave it unchanged, Windows logon and access are completely disabled. So please double-check before you hit the “Restart” button!!

Advice: for better performance, you can also add a ‘Userinit’ value at this registry location. It will boot faster after the reboot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon

a.] Go to Start >> Run and type: regedit.
b.] Navigate to the corresponding registry location.
c.] In the left panel, look for ‘Winlogon’, then move your mouse to the right panel.
d.] Right-click and select New >> String Value.
e.] Rename it ‘Userinit’ – without the quotes.
f.] Right-click your new string value and select: Modify.
g.] Copy the ‘value data’ shown underneath…
————————–
C:\Windows\System32\userinit.exe,
————————–

Important: include the trailing comma, and again verify that userinit.exe really is in C:\Windows\System32 on your system (Windows may have been installed elsewhere).

h.] Paste the data; click ‘OK’ and exit the registry.

After the reboot, use IObit Windows Care Personal and CCleaner to repair, clean and remove all the junk files.

5.] Reboot and run Avira again.

Warning: check your registry entries again for any changes and, if needed, repeat steps four and five. You don’t have to run the anti-virus again.

Part Three: double check your folders for “system32.exe and csrss.exe”
———————————
Problem: most users also have their Winlogon ‘Shell’ registry value hijacked by a file called System32.exe. To solve this, continue and clear this hidden virus.

1.] Since Avira has removed the file System32.exe = “C:\Windows\System32\system32.exe,” you have to go to the registry and fix the value that still points at it. But don’t you even dare delete the registry entry itself!!

a.] Click Start >> Run >> Type: regedit >> Click OK or press Enter.
b.] Navigate through the registry folders and look for this registry location…

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

Notes: look for a value called “Shell” [without the quotes].

2.] Right-click the value, select Modify, delete the entire existing data of “Shell” and replace it with: explorer.exe

3.] After this, reboot your computer ‘again’ and let the new setting take effect!

4.] Your computer is ready to go!

Background history of “csrss.exe”

Introduction: the genuine ‘csrss.exe’ file belongs in “C:\Windows\System32\” or “C:\Windows\system32\dllcache.” It should not be in the ‘config’ directory, nor at “C:\windows\system32\dllcache\win32\csrss.exe”, nor anywhere else…

Notes: change the paths in these registry values to the correct ones….

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = ‘C:\Windows\System32\userinit.exe,’ (REG_SZ)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell= “explorer.exe” (REG_SZ)

Notes: If these directories are missing, please re-create them.

These are the registry keys to delete…

1.] Go to this directory: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\…

2.] Look under “Image File Execution Options” folders and locate this sub-folder: “explorer.exe” [without the quotes]

Notes: the malware creates the sub-key “explorer.exe” and, under it, the value:
Debugger=c:\windows\csrss.exe
Windows starts whatever a Debugger value names in place of the named program, so this entry is what relaunches the fake csrss.exe every time explorer.exe starts.

3.] Delete it!
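As an added example (not part of the original article), here is a read-only PowerShell audit that checks the Winlogon Userinit and Shell values from Parts Two and Three, lists any Image File Execution Options Debugger hijack like the one described above, and finds csrss.exe copies outside the locations the article calls legitimate. It assumes PowerShell 3.0 or later and takes the Windows directory from $env:SystemRoot instead of assuming C:\Windows; it reports findings and changes nothing.

```powershell
# Added audit script, not from the original article. Read-only: it reports deviations
# from the expected Winlogon values and any IFEO Debugger hijack, but changes nothing.
$sys32 = Join-Path $env:SystemRoot 'System32'
$expected = @{
    'Userinit' = (Join-Path $sys32 'userinit.exe') + ','   # trailing comma is part of the value
    'Shell'    = 'explorer.exe'
}
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Test-WinlogonValues {
    foreach ($key in $winlogonKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $expected.Keys) {
            $actual = $props.$name
            if ($null -eq $actual) { continue }   # HKCU normally carries neither value
            if ($actual -ine $expected[$name]) {
                [pscustomobject]@{ Key = $key; Value = $name; Actual = $actual; Expected = $expected[$name] }
            }
        }
    }
}

function Test-IfeoDebugger {
    # Windows starts whatever a Debugger value names instead of the program itself,
    # so explorer.exe -> c:\windows\csrss.exe relaunches the fake csrss at every logon.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) { [pscustomobject]@{ Program = $_.PSChildName; Debugger = $dbg } }
    }
}

function Find-StrayCsrss {
    # The article allows csrss.exe only in System32 and System32\dllcache; newer Windows
    # also keeps legitimate copies in WinSxS, so verify each hit manually.
    $allowed = @($sys32, (Join-Path $sys32 'dllcache'))
    Get-ChildItem -Path $env:SystemRoot -Filter 'csrss.exe' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $allowed -inotcontains $_.DirectoryName } | Select-Object FullName
}

Write-Host '== Winlogon values that differ from the expected ones =='
Test-WinlogonValues | Format-Table -AutoSize
Write-Host '== IFEO Debugger entries (a developer-installed debugger is legitimate) =='
Test-IfeoDebugger | Format-Table -AutoSize
Write-Host '== csrss.exe copies outside System32 and dllcache =='
Find-StrayCsrss | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after the registry fixes; an empty first table means Userinit and Shell already hold the values the article gives.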

Optional – Part four: use ComboFix.exe to fix / remove other viruses
———————————
1.] Download ComboFix from these links…
———————————
ComboFix: http://www.combofix.org/
Mirror: http://subs.geekstogo.com/ComboFix.exe
———————————

2.] Make a folder in your C:\ drive.
3.] Drag your ComboFix.exe into that folder.
4.] Disable all anti-virus applications, anti-spyware applications and any software with a HIPS function.

Notes: if you want to safely disable their system guard so that ComboFix.exe can clean your computer, I would recommend disabling it in the “Computer Management” console.

Click Start >> Right click: My Computer >> Select: Manage >> Services and Applications >> Services

5.] Double-check that your security guards are disabled. After that, just execute ComboFix.

Notes: ComboFix will warn you if you haven’t disabled the security guards. Click OK if you have already disabled the shield…

6.] The scanner will trigger another box which contains a list of infected files.

7.] After the scan, it will ask you to reboot your computer. All you need to do is click the “Ok” button or hit the “Enter” key (on your keyboard).

8.] After the reboot, don’t touch anything and let it remove these parasites!
The files that will be removed are shown in ComboFix.

9.] When everything is cleared and dusted, you’ll need to wait for a while.
This is because the application is generating a ‘Log.txt’ file about the ComboFix removal process.

10.] Install CCleaner and clear your Internet Explorer and Firefox temporary files and the internet system cache.

Part five: remove ComboFix.exe from your computer
———————————
1.] Click Start >> Run >> Type: Combofix /u
2.] Click Ok or press “Enter” on your keyboard
3.] Disable your System Restore and re-enable it…
4.] Re-activate your ‘System Shield’ and reboot your computer.
5.] Finish!

Copyrighted by Lair360




How to remove W32 – Explorer.exe





Version: 13.2g
Revision: 122 Build 12c


Introduction:
Recently, my computer was attacked by a bunch of spammers. But guess what? One of the emails had an infected attachment. So, I decided to analyze the source and write an article to revert the infection. Anyway, you don’t have to worry… I am testing it on my virtual server. It’s pretty sealed and protected!

All of my Windows files and everything else are fake! This malware is stupid; it is only written by idiots to fool your computer and steal your privacy! Also, a warning: take care of your computer, especially when looking at your emails and downloading attachments. With any of these unknown emails, there is a chance that your computer is going to get really sick!

Now, if you’re infected with the “W32/ExploreZip.pak” virus, please print this article and disconnect your computer from the internet! After that, take a deep breath and take it easy…

——————————————-

Warning: if you’re on a server, you’ll need to tell your company to shut down all active computers! If you don’t, this infection will spread to other computers over LAN connections – mostly via the server’s “Shared Documents”.

Overview: this particular worm travels by sending email messages to random users. It drops the file “explore.exe” and modifies either “WIN.INI” or the registry. However, this malware is still active and I am not sure how it came into my inbox (Gmail). But the user who sent the attachment is a very stupid user!

What you’ll need for this procedure…
——————————————–
Notepad++ [http://notepad-plus.sourceforge.net]

1.] Click Start >> Run >> Type: REGEDIT
2.] Wait for the registry editor to appear, navigate to these locations and look for the registry value below. Be very careful!

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Notes: if the value doesn’t exist there, expand the “Windows” keys and look in another sub-key called: Run.

Value to locate and remove: run=C:\WINNT\System32\Explore.exe

Notes: do the same for these file names, if they appear within the registry.

File Name: explore, zipped_f, zipped_files or _setup

3.] Reboot your computer, then remove the file “C:\WINNT\System32\Explore.exe” from your “System32” folder.

4.] Repeat Step 3 for “_SETUP.EXE and ZIPPED_FILES.EXE”.

5.] Find the file “WIN.INI” and remove either of these lines, if they exist.

run=c:\winnt\system32\explore.exe
run=c:\winnt\_setup.exe
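An added PowerShell check (not from the original article) that parses the [windows] section of WIN.INI and reads the registry Windows keys named in step 2, flagging any run= entry whose executable matches the file names listed above. It also inspects the sibling load= entry, which the article does not mention, and it only reports; removal stays the manual step described here.

```powershell
# Added check, not from the original article. Reports the WIN.INI run= line and the
# registry run value the worm uses; the load= entry is an extra check beyond the article.
$suspectNames = @('explore', 'zipped_f', 'zipped_files', '_setup')   # names from the article
$winIni = Join-Path $env:SystemRoot 'win.ini'
$regKeys = @(
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Test-SuspectPath([string]$data) {
    # True when the base name of the first token is one of the worm's file names.
    if ([string]::IsNullOrWhiteSpace($data)) { return $false }
    $exe  = (($data.Trim() -split '\s+')[0]).Trim('"')
    $base = [IO.Path]::GetFileNameWithoutExtension($exe)
    return [bool]($suspectNames -icontains $base)
}

function Get-WinIniRunLines {
    # Parse only the [windows] section of WIN.INI and return its run= / load= lines.
    if (-not (Test-Path $winIni)) { return }
    $section = ''
    foreach ($line in Get-Content $winIni) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $matches[1]; continue }
        if ($section -ine 'windows') { continue }
        if ($line -match '^\s*(run|load)\s*=\s*(.*)$') {
            $data = $matches[2].Trim()
            [pscustomobject]@{ Source = $winIni; Name = $matches[1]; Data = $data; Suspect = Test-SuspectPath $data }
        }
    }
}

function Get-RegistryRunValues {
    foreach ($key in $regKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'run', 'load') {
            $data = $props.$name
            if ($data) {
                [pscustomobject]@{ Source = $key; Name = $name; Data = $data; Suspect = Test-SuspectPath $data }
            }
        }
    }
}

@(Get-WinIniRunLines) + @(Get-RegistryRunValues) | Format-Table -AutoSize
```

Any row with Suspect = True is an entry the procedure above tells you to remove; rows with Suspect = False are still worth a look, since a legitimate run= line is rare on a modern system.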


6.] Scan your computer with Avira Antivirus or Kaspersky.
After that, clear the computer’s temporary files with CCleaner.

7.] Finish!

Copyrighted By Lair360