Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about what to do when Event ID 26 Source Application Popup appears on the server. Many people may not know much about it. In order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

The server reports Application Popup: Information: 26:Application popup: userinit.exe-DLL Initialization Failed: The application failed to initialize because the window station is shutting down. Information, a description of the event indicates that the application mentioned in the event failed to initialize or start when the operating system was shut down (or restarted or logged out). This message will be reported if, for some reason, Windows is restarting immediately after shutting down, or if several applications do not exit normally during this event. In most cases, this message can be ignored.

So what is the program of userinit.exe and what is its use?

Userinit.exe is a key process of Windows operating system. Used to manage different startup sequences, such as the establishment of network links and the startup of Windows. When the system is just started, if you call up the task manager, you will see userinit.exe, but after a period of time, after the system is loaded, userinit.exe will disappear automatically.

Previous Robot Dog viruses and their variants can cause userinit.exe anomalies. For solutions to userinit virus, please refer to the following methods:

Manual solution to userinit.exe virus

It is recommended to disinfect the virus in the following order to prevent the virus from coming back.

1. Replace the userinit.exe file modified by the virus with the system file userinit.exe, and the path c:windowssystem32userinit.exe (take the system disk as disk C as an example) forbids the operation of IGM.exe and IGW.exe before the virus is killed. In the dos window, enter:

Reg add "HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File/Execution Options/IGM.EXE" / v debugger / t reg_sz / d debugfile.exe / f

Reg add "HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File/Execution Options/IGW.EXE" / v debugger / t reg_sz / d debugfile.exe / f

Description: the use of image hijacking (this topic knowledge points, abbreviated as IFEO) technology, prohibited the operation of IGW.exe and IGM.exe.

two。 Enter safe mode and delete the registry key value

Delete the "WinSysM" and "WinSys" keys under [HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run].

Under [HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run]

"MSDEG32", "MSDWG32", "MSDCG32", "MSDOG32", "MSDSG32", "MSDMG32", "MSDHG32", "MSDQG32" key values.

Empty the contents of "AppInit_DLLs" under [HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Windows].

Delete the file under [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell/ExecuteHooks]

Smydpm.dll

M32 sztcpm.dll

M32 C:/windows/system32kawdbzy.dll

Arjbpi.dll

M32 C:/windows/system32avzxdmn.dll

Aqjbpi.dll

M32 C:/windows/system32/avwgcmn.dll

C:/windows/system32/sidjazy.dll

C:/windows/system32/kapjbzy.dll

C:/windows/system32/kaqhezy.dll

C:/windows/system32/avwlbmn.dll

Atbfpi.dll

M32 C:/windows/system32/kvdxcma.dll

Sjzbpm.dll

M32 C/:windows/system32/kafyezy.dll

3. Enter safe mode and force the following files to be deleted. You can use the tool XDelBox

C:/Windows/system32/kvdxsbma.dll

C:/Windows/system32/rsjzbpm.dll

C:/Windows/system32/kvdxcma.dll

C:/Windows/system32/ratbfpi.dll

C:/Windows/system32/avwlbmn.dll

C:/Windows/system32/kaqhezy.dll

C:/Windows/system32/kapjbzy.dll

C:/Windows/system32/sidjazy.dll

C:/Windows/system32/avwgcmn.dll

C:/Windows/system32/raqjbpi.dll

C:/Windows/system32/avzxdmn.dll

C:/Windows/system32/rarjbpi.dll

C:/Windows/system32/kawdbzy.dll

C:/Windows/system32/rsztcpm.dll

C:/Windows/system32/rsmydpm.dll

C:/Windows/system32/sidjazy.dll

C:/Windows/igw.exe

C:/Windows/igm.exe

C:/Windows/system32/sedrsvedt.exe

C:/Windows/igm.exe

C:/Windows/system32/sjzbpm.dll

C:/Windows/system32/acvsvc.exe

C:/Windows/system32/driverssvchost.exe

C:/Windows/cmdbcs.exe

C:/Windows/dbghlp32.exe

C:/Windows/vdispdrv.exe

C:/Windows/upxdnd.exe

C:/Windows/system32/cmdbcs.dll

C:/Windows/dbghlp32.exe

C:/Windows/vdispdrv.exe

C:/Windows/upxdnd.exe

C:/Windows/system32/cmdbcs.dll

C:/Windows/system32/dbghlp32.dll

C:/Windows/system32/upxdnd.dll

C:/Windows/system32/yfmtdiouaf.dll

4. Search all disk root directories and delete hidden files auto.exe and autorun.inf

5. Run services.msc to disable the service "4f506c9e"

6. Also check the hosts file to see if the viral website IP is forcibly associated.

You can also download its kill tools and repair tools.

After reading the above, do you have any further understanding of what to do when the server appears Event ID 26 Source Application Popup? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.