chinaboy

How could I stop userinit.exe from downloading viruses

15 posts in this topic

How could I stop "c:\windows\system32\userinit.exe" from searching the internet? It will download a lot of viruses onto my computer.

Although I have "Deep Freeze 6.0" installed, I just need to stop it from downloading the virus. Can anyone help? (: :P


> How could I stop "c:\windows\system32\userinit.exe" from searching the internet? It will download a lot of viruses onto my computer.
>
> Although I have "Deep Freeze 6.0" installed, I just need to stop it from downloading the virus. Can anyone help? (: :P

I'm sorry. But this process must start as:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Program Files\\HintSoft\\PubwinClient\\PubwinClient.exe,C:\\Program Files\\HintSoft\\PubwinClient\\csrss.exe,"

So, this is the problem. I just want to "stop" it from searching the internet, not to stop it from running. ;)


#5 ·  Posted (edited)

just go ahead!!! come on baby.

Edited by GaryFrost
removed ip


> C:\\Program Files\\HintSoft\\PubwinClient\\PubwinClient.exe,C:\\Program Files\\HintSoft\\PubwinClient\\csrss.exe

These look like virus entries. Why? csrss.exe is a Windows process, but it is located in the Windows directory (never in the Program Files dir).

In a normal (clean) Windows system, the only entry for Userinit is:

C:\WINDOWS\system32\userinit.exe,

I recommend scanning for viruses from another clean system (it could be a LiveCD or BartPE CD).

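The baseline check described in the post above, written out as an added example (not code from the thread): it parses a Winlogon Userinit value and flags every entry other than the single system32 userinit.exe, with a separate reason for a system process name found outside system32. The names `parse_userinit`, `audit_userinit` and `SYSTEM32_NAMES` are hypothetical; a finding marks an entry for review and is not a verdict.

```python
import ntpath

# Windows system processes whose image lives in system32. csrss.exe and
# userinit.exe come from the thread; the other names are added for illustration.
SYSTEM32_NAMES = {"csrss.exe", "userinit.exe", "winlogon.exe", "lsass.exe",
                  "services.exe", "svchost.exe"}


def parse_userinit(value, from_reg_file=False):
    """Split a comma-separated Userinit value into normalized program paths."""
    if from_reg_file:
        # A .reg export writes every backslash twice; undo that first.
        value = value.replace("\\\\", "\\")
    return [ntpath.normpath(p.strip().strip('"'))
            for p in value.split(",") if p.strip()]


def audit_userinit(value, system_root=r"C:\WINDOWS", from_reg_file=False):
    """Return (path, reason) findings; an empty list means the clean baseline."""
    system32 = ntpath.normcase(ntpath.join(system_root, "system32"))
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    entries = parse_userinit(value, from_reg_file)
    findings = []
    if expected not in [ntpath.normcase(e) for e in entries]:
        findings.append((expected, "expected userinit.exe entry is missing"))
    for entry in entries:
        norm = ntpath.normcase(entry)  # Windows paths are case-insensitive
        if norm == expected:
            continue
        name = ntpath.basename(norm)
        if name in SYSTEM32_NAMES and ntpath.dirname(norm) != system32:
            findings.append((entry, "system process name outside system32"))
        else:
            findings.append((entry, "extra program launched at logon"))
    return findings


# The value as posted in the thread (.reg syntax, doubled backslashes).
POSTED = ("C:\\\\WINDOWS\\\\system32\\\\userinit.exe,"
          "C:\\\\Program Files\\\\HintSoft\\\\PubwinClient\\\\PubwinClient.exe,"
          "C:\\\\Program Files\\\\HintSoft\\\\PubwinClient\\\\csrss.exe,")

if __name__ == "__main__":
    for path, reason in audit_userinit(POSTED, from_reg_file=True):
        print(f"{reason}: {path}")
```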

#7 ·  Posted (edited)

> just go ahead!!! come on baby.

Sorry, your post didn't make any sense to me

Edited by GaryFrost
removed ip


This is an internet bar. I'm the administrator. The software is the account system software. There is no problem. It is just for protecting PubwinClient.exe; if you stop it, then a few seconds later it will start again.

The address I posted is the virus IP address.


Go to www.microsoft.com and search for userinit.exe; you'll find out it is "The user shell is Userinit.exe (This shell will apply to users who have logged on to the computer successfully)."



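; Suspend all threads of the named process (it stays in the task list but stops running)
_ProcessSuspend("Userinit.exe")
Func _ProcessSuspend($ProcessName)
    Local $Pid, $ai_Handle, $i_sucess
    $Pid = ProcessExists($ProcessName) ; PID of the process, or 0 if it is not running
    If $Pid Then
        ; 0x1f0fff = PROCESS_ALL_ACCESS on Windows XP
        $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $Pid)
        $i_sucess = DllCall("ntdll.dll", "int", "NtSuspendProcess", "int", $ai_Handle[0])
        ; CloseHandle takes the handle value ($ai_Handle[0]), not the DllCall result array
        DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle[0])
        If IsArray($i_sucess) Then
            Return 1
        Else
            SetError(1)
            Return 0
        EndIf
    EndIf
EndFunc   ;==>_ProcessSuspend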


What does it do, Generator?


> What does it do, Generator?

I can't figure out what _PROCESSSUSPEND does either :P


> I can't figure out what _PROCESSSUSPEND does either ;)

:P


#14 ·  Posted (edited)

;) It's crazy. Can you tell me how you did this? I have just made a test. It works. Thank you very much. But a little problem has happened: userinit.exe is always in the task list, and at this time I could not connect to the internet from IE6, but I could "ping" the URL address, just like "ping www.autoitscript.com", it's OK, but I could not open any page until I killed "userinit.exe" myself. : ) Anyway, thank you very much Generator, :)

This is my first time asking questions here, and so many people help me, I'm really happy. Now I have finally found the "Edit" button here :P. But I have a new question: I could not open any website until I killed userinit.exe. I want to use

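#include <Process.au3> ; provides _RunDos
Sleep(60000) ; wait 60 seconds
Local $Pid = ProcessExists("userinit.exe") ; PID, or 0 if it has already exited
If $Pid Then
    ProcessClose($Pid)
    _RunDos("net send 192.168.1.100 there is a problem in here")
EndIf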

Is there any good idea? Maybe I should make an MD5 test for the userinit.exe and see if it has been affected.

My English is bad. I hope you can understand what I am talking about. :P

Edited by chinaboy


> _ProcessSuspend("Userinit.exe")
> Func _ProcessSuspend($ProcessName)
>     Local $Pid
>     $Pid = ProcessExists($ProcessName)
>     If $Pid Then
>         $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $Pid)
>         $i_sucess = DllCall("ntdll.dll", "int", "NtSuspendProcess", "int", $ai_Handle[0])
>         ; CloseHandle takes the handle value ($ai_Handle[0]), not the DllCall result array
>         DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle[0])
>         If IsArray($i_sucess) Then
>             Return 1
>         Else
>             SetError(1)
>             Return 0
>         EndIf
>     EndIf
> EndFunc   ;==>_ProcessSuspend

Hi,

i've just arrived and AutoIt is something i had not known existed before, and i think i'm missing a lot.

currently, i am having a similar problem as the originator of this thread, and am manually killing userinit each new boot.

i tried compiling the script you gave, but it does not kill the process.

what i have done is downloaded the latest AutoIt and used it to compile the script into an exe.

the script runs but does not do what it is supposed to do.

am i missing something ?

It's quite amazing this AutoIt. i used to program in pascal/delphi way back, but for some quick work, it is rather inconvenient to start a whole new jumbo compiler, just to do something as short as suspending userinit.

thanks much.
