BleepingComputer.com: Infected with Viruses and Internet disconnected

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.
  • 4 Pages +
  • 1
  • 2
  • 3
  • 4
  • You cannot start a new topic
  • This topic is locked

Infected with Viruses and Internet disconnected Need help to remove them

#31 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 13 November 2009 - 08:47 PM

userinit is a virus though, right? Harmless or not, I would like it out of my computer, if it's possible.
Whatever is crashing my anti programs must be a serious virus... a rootkit of some kind.

Okay, but I'm not using the infected computer, I'm using a laptop.
I don't want to take a risk using the infected computer to go on the internet.
And what file am I supposed to look for?

This post has been edited by yoori: 13 November 2009 - 08:48 PM


#32 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 13 November 2009 - 08:49 PM

No, there is a high possibility that userinit is not a virus, as it is part of the Microsoft Windows operating system. Please upload the "userinit" file to VirusTotal.
Computer Pro

#33 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 15 November 2009 - 07:30 AM

Okay, so that means I gotta use the infected computer to do this?

#34 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 15 November 2009 - 09:54 AM

Yes
Computer Pro

#35 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 16 November 2009 - 08:28 AM

That's scary.... I hope nothing happens -___-'

#36 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 16 November 2009 - 08:45 AM

Let me know of the results.
Computer Pro

#37 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 17 November 2009 - 06:51 AM

How can I go to the location userinit is in? cuz it's in the system32 folder

This post has been edited by yoori: 17 November 2009 - 07:13 AM


#38 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 18 November 2009 - 04:47 PM

Once in VirusTotal, go to My Computer, C:, Windows, then System32.
Computer Pro

#39 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 19 November 2009 - 03:15 AM

File userinit.exe received on 2009.11.18 06:33:44 (UTC)
Current status: finished
Result: 0/40 (0.00%)


Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.18 -
AhnLab-V3 5.0.0.2 2009.11.17 -
AntiVir 7.9.1.70 2009.11.17 -
Antiy-AVL 2.0.3.7 2009.11.18 -
Authentium 5.2.0.5 2009.11.18 -
Avast 4.8.1351.0 2009.11.17 -
AVG 8.5.0.425 2009.11.17 -
BitDefender 7.2 2009.11.18 -
CAT-QuickHeal 10.00 2009.11.17 -
ClamAV 0.94.1 2009.11.18 -
Comodo 2972 2009.11.18 -
DrWeb 5.0.0.12182 2009.11.18 -
eTrust-Vet 35.1.7125 2009.11.17 -
F-Prot 4.5.1.85 2009.11.17 -
F-Secure 9.0.15370.0 2009.11.17 -
Fortinet 3.120.0.0 2009.11.18 -
GData 19 2009.11.18 -
Ikarus T3.1.1.74.0 2009.11.18 -
Jiangmin 11.0.800 2009.11.18 -
K7AntiVirus 7.10.898 2009.11.17 -
Kaspersky 7.0.0.125 2009.11.18 -
McAfee 5805 2009.11.17 -
McAfee+Artemis 5805 2009.11.17 -
McAfee-GW-Edition 6.8.5 2009.11.18 -
Microsoft 1.5202 2009.11.17 -
NOD32 4616 2009.11.18 -
Norman 6.03.02 2009.11.17 -
nProtect 2009.1.8.0 2009.11.17 -
Panda 10.0.2.2 2009.11.17 -
PCTools 7.0.3.5 2009.11.18 -
Prevx 3.0 2009.11.18 -
Rising 22.22.02.03 2009.11.18 -
Sophos 4.47.0 2009.11.18 -
Sunbelt 3.2.1858.2 2009.11.17 -
Symantec 1.4.4.12 2009.11.18 -
TheHacker 6.5.0.2.072 2009.11.18 -
TrendMicro 9.0.0.1003 2009.11.18 -
VBA32 3.12.12.0 2009.11.18 -
ViRobot 2009.11.18.2042 2009.11.18 -
VirusBuster 5.0.21.0 2009.11.17 -
Additional information
File size: 24576 bytes
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x50E5
timedatestamp.....: 0x41107B78 (Wed Aug 4 08:00:24 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xB60 0xC00 3.27 b388ab1541ccd9727979fb26a23f72e1

( 7 imports )

> advapi32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> crypt32.dll: CryptProtectData
> kernel32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> user32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> winspool.drv: SpoolerInit

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...832acbae50d2aff
ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE, userinit.exe

( Microsoft )

MSDN Disc 2428.4: userinit.exe
MSDN Disc 2428.5: userinit.exe
MSDN Disc 2428.8: userinit.exe
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exe
Virtual PC for Mac Windows XP Home Edition: userinit.exe
Virtual PC for Mac Windows XP Professional Edition: userinit.exe
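The report above gives whole-file digests and, for each PE section, a virtual address, sizes, an entropy figure ("ntrpy") and a per-section MD5. As an added example (not from this thread and not VirusTotal's code), the Python script below reproduces those figures locally so a helper can check a copy of a system file against a known-good hash without uploading it, and can read what a section's entropy means. It builds a small constructed two-section PE image inline so it runs offline; that image, the REPORTED_MD5 constant (copied from the post above) and the entropy thresholds in classify_section are all assumptions made for the example, the thresholds being a rule of thumb rather than a standard.

```python
import hashlib
import math
import struct
from collections import Counter

# MD5 that VirusTotal reported for the userinit.exe in the post above.
REPORTED_MD5 = "39b1ffb03c2296323832acbae50d2aff"


def file_hashes(data: bytes) -> dict:
    """The three whole-file digests VirusTotal lists under 'Additional information'."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_reported(data: bytes, expected_md5: str = REPORTED_MD5) -> bool:
    """True when a local copy of the file is byte-identical to the one in the report."""
    return file_hashes(data)["md5"] == expected_md5.lower()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (one repeated byte) to 8.0 (all 256 values equally often).
    This is the 'ntrpy' column of the section table."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(entropy: float) -> str:
    """Rule-of-thumb reading of a section's entropy (the thresholds are an assumption)."""
    if entropy < 2.0:
        return "mostly zeros or padding (typical of .data)"
    if entropy < 6.5:
        return "ordinary code or resources"
    return "high entropy: packed, compressed or encrypted"


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and compute the same per-section fields as the report."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, then relocation/linenumber fields and Characteristics
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def build_sample_pe() -> bytes:
    """Constructed two-section PE image (no optional header, not loadable) for offline testing."""
    text_raw = bytes(range(256))   # constructed: every byte value once, entropy 8.0
    data_raw = b"\0" * 256         # constructed: all zeros, entropy 0.0
    # Machine 0x14C (i386), 2 sections, the report's timestamp, no optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x41107B78, 0, 0, 0, 0x0102)

    def section(name, vaddr, rawptr, raw):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + coff
               + section(b".text", 0x1000, 0x200, text_raw)
               + section(b".data", 0x2000, 0x300, data_raw))
    return headers.ljust(0x200, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    image = build_sample_pe()
    print("file hashes:", file_hashes(image))
    print("matches the report's MD5:", matches_reported(image))
    for s in parse_sections(image):
        print(s, "->", classify_section(s["ntrpy"]))
```

To check a real copy, read C:\Windows\System32\userinit.exe as bytes and pass it to matches_reported; a True result means the local file is byte-for-byte the one 40 engines cleared above, which answers the question in the thread without a second upload. The section parser reads the 8-byte name, VirtualSize, VirtualAddress, SizeOfRawData and PointerToRawData from each 40-byte IMAGE_SECTION_HEADER, and the entropy of a real .data section (1.86 in the report) falls in the low band because it is mostly zero-initialised.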

#40 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 19 November 2009 - 08:43 PM

Well, userinit is not infected at all, which is a good sign. Are you experiencing any other symptoms?
Computer Pro

#41 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 19 November 2009 - 09:04 PM

I still can't update Malwarebytes, and SUPERAntiSpyware restarts the computer when I scan.

#42 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 20 November 2009 - 10:46 AM

Ok, please follow the instructions here for running the ESET online scanner:

Please perform a scan with ESET Online Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
(Vista users: be sure to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You will see the Terms of Use. Tick the check-box in front of YES, I accept the Terms of Use

Now click Start.

You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.

A new window will appear asking "Do you want to install this software?" (OnlineScanner.cab).
Answer Yes to install and download the ActiveX control that allows the scan to run.

Click Start. (the Onlinescanner will now prepare itself for running on your pc)

To do a full-scan, check: "Remove found threats" and "Scan potentially unwanted applications"
Press Scan to start the online scan. (this could take some time to complete)
When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software. Just close the window.

Now click Start > Run... > type: C:\Program Files\EsetOnlineScanner\log.txt

The scan results will open in Notepad.

Copy and paste the log results in your next reply.


Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
Computer Pro

#43 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 20 November 2009 - 10:06 PM

What anti programs do I need to disable? I know I can't with the free ones I use.
Is the firewall one I need to disable?

Cuz that site won't let me install the ActiveX control.

#44 Computer Pro

  • Forum Addict
  • Group: Members
  • Posts: 2,448
  • Joined: 26-June 09
  • Gender:Male

Posted 20 November 2009 - 10:11 PM

See here on how to disable some antivirus programs:

http://www.bleepingcomputer.com/forums/topic114351.html
Computer Pro

#45 yoori

  • Member
  • Group: Members
  • Posts: 149
  • Joined: 06-July 08
  • Gender:Female
  • Location:In Your Dreams

Posted 20 November 2009 - 10:29 PM

Okay, I disabled my firewall and AVG program, but I keep getting this pop-up that says:

To display the webpage again, Internet Explorer needs to
resend the information you've previously submitted.

If you were making a purchase, you should click Cancel to
avoid a duplicate transaction. Otherwise, click Retry to display
the webpage again.
