
Userinit.exe



#1 KenH


Posted 31 December 2005 - 04:26 PM

I used Autoruns and the first entry listed is:

AUTORUN ENTRY: C:\WINDOWS\system32\userinit.exe

DESCRIPTION: Userinit Logon Application

PUBLISHER: (Verified) Microsoft Windows Publisher

IMAGE PATH: c:\windows\system32\userinit.exe



I found this in the startup database:

This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums.


Name: 1qaw3edr5
Filename: userinit.exe
Command: C:\WINDOWS\system32\userinit.exe
Description: Added by the Troj/Kbroy-B keylogging Trojan.
File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry


Is this the same program, even though the descriptions are different and it is from (Verified) Microsoft Windows Publisher?

I want to check before I delete it.

Thank you.



#2 Grinler

    Lawrence Abrams



Posted 31 December 2005 - 05:31 PM

That is a legit file. Generally, when it's verified as Microsoft's, it is legit. This entry is also started from a different location in the registry, as it's supposed to.
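The two checks discussed in this thread (which registry location launches userinit.exe, and whether the file is validly signed) can be scripted. The following is an added example, not part of the original posts; it assumes the standard Winlogon `Userinit` value and the Run-type key names listed in the startup database entry above, and the `AsExpected` column is this example's own labelling.

```powershell
# Added example (not from the thread): where is userinit.exe launched from,
# and is the file on disk validly signed? Read-only; changes nothing.
$expected = Join-Path $env:SystemRoot 'System32\userinit.exe'
$report = @()

# 1. Normal launch point: the Winlogon "Userinit" value, a comma-separated list.
#    Anything in it besides the System32 copy deserves a closer look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($item in ($value -split ',')) {
    $item = $item.Trim()
    if ($item) {
        $report += [pscustomobject]@{
            Source = 'Winlogon\Userinit'; Entry = $item
            AsExpected = ($item -ieq $expected) }
    }
}

# 2. Run-type keys: the real userinit.exe is not started from these, so any
#    value that references it here matches the startup-database description.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
    }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # legacy keys are often absent
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        if ($cmd -match 'userinit\.exe') {
            $report += [pscustomobject]@{
                Source = $key; Entry = "$name = $cmd"; AsExpected = $false }
        }
    }
}

# 3. Signature of the file itself. On older Windows/PowerShell versions,
#    catalog-signed system files may show as NotSigned here; Autoruns'
#    "(Verified)" label is the cross-check in that case.
$sig = Get-AuthenticodeSignature -FilePath $expected
$report += [pscustomobject]@{
    Source = 'File signature'
    Entry = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
    AsExpected = ($sig.Status -eq 'Valid') }

$report | Format-List
```

Any row with `AsExpected : False` is a lead to investigate before deleting anything, not a verdict on its own.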

#3 KenH


Posted 31 December 2005 - 06:16 PM

OK, Thank you

Ken



