Jump to content

userinit.exe was flagged now it is not ( false positive or something more worrying?)

Recommended Posts

Few days ago I got infected with a trojan (variation of zbot I believe) rather nasty as it compromised all security applications (firewall, prevented Spybot/hijack this from running etc, I suspect Norton too as that only detected the threats after several restarts of the machine), redirected google searches and security url's. From reading these and other forums I was able to gain control and remove all signs of the infection except for userinit.exe.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Although it says Quarantined and deleted, it survived at least three attempts to be removed by Mbam (and restarts). From what I remember reading on threads here Mbam does not deleted the userinit.exe due to the issues this can create, so again I doubt that it tried to delete the files.

At this point I'd resigned myself to a complete re-install, which is what i'm going to do anyway. However as I was preparing and backing up recent data, I would periodically run Mbam, since I had no idea how the trojan got onto my system (first virus in 12 years of using PC's). Well after a day or two of it constantly claiming that userInit.exe was infected it suddenly stopped!

This is obviously concerning as it breaks the trust I had developed for the application. I don't remember running any other applications that could have repaired it. Norton doesn't have it in its logs, Spybot I don't think would fix it, didn't use hijackThis to fix anything and the few online scanners I tried only detect threats. In fact I was all prepared to get ComboFix or try a winXp repair on the files in question, as from what i'd read on various forums this looked like the only way to fix it. However by that point i'd decided to do a re-install instead and then noticed it was no longer being flagged in Mbam.

I'm still suspicious of the userInit.exe file since it has a modification date of 24.03.09 (the date of the infection) and is just 15kb. The one in my backup is at least 25kb and I think thats compressed. I've scanned the file with Norton and various online scanners and none report it as infected.

So does anyone have a good explanation for why Mbam has stopped flagging the registry key to this file and presumably the file itself as a trojan? Anyone else be suspicious of the file considering the mod date and file size?


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.