userinit.exe not self terminating



#1 streamside


Posted 13 October 2008 - 09:57 AM

Hi, new to the forum as a poster, but have fixed a couple of problems before following the advice given others in these threads, keep up the good work!
I am running XP Home, ver 2002, SP3. My current problem has to do with the userinit.exe not self terminating. This is located in C:/windows/system32. From everything I have researched so far, I understand that this is a vital program for Windows to startup and logon. The problem is that the program does not self terminate after startup, then blocks access to the internet and email servers. Terminating the process in task manager eliminates the problem, and that's the workaround I am using right now until I can figure out what has modified the program. When I pull up the properties on userinit.exe, they show that the program was modified on Oct 7 2008 at 11:50:39 AM. I know for a fact that my computer was on at that time, but I was in town, taking a client's car to the shop. When I returned home at 2:00 PM, I first detected I had a problem and the hunt was on. Avira is the only software that detects this problem, and it calls it TR/agent.agga. I was thinking about replacing userinit.exe with a clean copy from C:/I386, but I want some more advice before I mess with this critical program.
So there is my sad story, what do you think?
Malwarebytes' Anti-Malware 1.28
Database version: 1266
Windows 5.1.2600 Service Pack 3

10/13/2008 2:07:46 PM
mbam-log-2008-10-13 (14-07-46).txt

Scan type: Quick Scan
Objects scanned: 46982
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Not selected for removal.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by streamside, 13 October 2008 - 05:13 PM.
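Added example, not part of the original posts and not Malwarebytes' or Windows' own logic: the two Userinit entries in the scan log above are classified as one expected path and one relative path, so the registry value alone says nothing about whether the file was modified; the second function compares the installed file with a known-good copy by hash. The expected path, the verdict labels, the function names and the location of any reference copy are assumptions.

```python
import hashlib
import ntpath

# Assumption: stock location of userinit.exe on a default XP install.
EXPECTED = r"c:\windows\system32\userinit.exe"

def audit_userinit(value, expected=EXPECTED):
    """Classify each comma-separated entry of a Winlogon\\Userinit value."""
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        norm = ntpath.normpath(entry).lower()
        if norm == expected:
            verdict = "expected path"
        elif not ntpath.isabs(norm):
            verdict = "relative path"
        elif ntpath.basename(norm) == "userinit.exe":
            verdict = "userinit.exe outside system32"
        else:
            verdict = "extra program"
        findings.append((entry, verdict))
    return findings

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def binary_matches(installed, reference):
    """True when the installed file is byte-identical to a known-good copy."""
    return sha256_of(installed) == sha256_of(reference)

if __name__ == "__main__":
    samples = [
        r"c:\windows\system32\userinit.exe",   # from the scan log above
        r"system32\userinit.exe",              # from the scan log above
        r"C:\WINDOWS\system32\userinit.exe,C:\example\helper.exe,",  # constructed
    ]
    for value in samples:
        print(value, "->", audit_userinit(value))
```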




#2 Budapest


Posted 13 October 2008 - 07:13 PM

Try running the System File Checker (SFC).

How to Use SFC.EXE to Repair System Files
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 streamside


Posted 14 October 2008 - 10:00 AM

Thanks Budapest, I ran "sfc /scannow" from the "start"..."run" menu, Windows checked all of the protected files, automatically replaced the modified file, and all is well!!! I ran Spybot, Avira, Ewido, Malwarebytes, and checked my HJThis logs. I also checked the properties of C:\windows\system32\userinit.exe and they are back to normal. I AM CLEAN!

THANK YOU



