Trojan.Agent: userinit. False Positive (XP only)


leofelix

Hi All.

I've run a quick scan on both of my PCs running XP (Home and Pro, SP3, fully patched).

According to MBAM my XP systems are infected, but I think it's a false positive.

Malwarebytes' Anti-Malware 1.41 (Italian)
Database version: 2845
Windows 5.1.2600 Service Pack 3

23/09/2009 3:09:43
mbam-log-2009-09-23 (03-09-39).txt

Scan type: Quick scan
Objects scanned: 87661
Time elapsed: 3 minute(s), 40 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 2
Folders infected: 0
Files infected: 0

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders infected:
(No malicious items detected)

Files infected:
(No malicious items detected)

I ran a scan with Prevx 3.0, which found no malware, and a quick scan with SAS Free, which also found no malware.

I also ran a quick scan with MBAM on my laptop running Vista Home Premium SP2, and no malware was detected.

Any idea?

Thank you in advance


Your copy of userinit.exe is patched, but our system file protection is preventing it from being touched.

Copy C:\windows\system32\userinit.exe to your desktop and then submit it to virustotal.com.
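Before uploading anything, a responder can settle most of what this thread is arguing about offline: is the Winlogon Userinit data really just the default loader, and does the file's hash match a known-good reference? The script below is an added example (not code from this thread, from Malwarebytes or from Microsoft). It parses a Userinit value into entries, flags anything that is not the system userinit.exe, and compares MD5/SHA-1 against a reference set. Assumptions: the reference hashes are the ones posted later in this thread for the Italian XP SP3 userinit.exe and are only meaningful for that build; an entry with no drive letter (like the second data item in the log above) is treated as relative to %SystemRoot%; `extra.exe` is a hypothetical filename used for the hijacked sample; all function names are mine.

```python
"""Offline triage for a Winlogon Userinit hit like the one in this thread.

Added example (not from the thread, Malwarebytes or Microsoft). It answers two
questions a responder asks before trusting a scanner verdict:
  1. Does the Userinit registry data contain anything besides the default loader?
  2. Does the file's hash match a known-good reference?
"""
import hashlib
import re
from typing import Dict, List

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Hashes of the Italian XP SP3 userinit.exe posted in this thread (VirusTotal 0/41).
# ASSUMPTION: using them as a reference set is only valid for that exact build;
# a real check should take hashes from a known-clean install of the same build.
KNOWN_GOOD = {
    "md5": {"df69726907357c3add243f48902b0331"},
    "sha1": {"dda6f181f68d6bb6cd8e60279470c174b9d8ee4e"},
}


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit data into entries, dropping empties and quotes.

    The default XP data is 'C:\\WINDOWS\\system32\\userinit.exe,' (note the trailing
    comma), so a clean value yields exactly one entry.
    """
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def normalise_entry(entry: str, system_root: str = r"C:\WINDOWS") -> str:
    """Lower-case an entry and expand %SystemRoot%.

    ASSUMPTION: a path with no drive letter (the second data item in the OP's log
    reads 'system32\\userinit.exe') is taken as relative to system_root so the two
    log items compare equal.
    """
    # A lambda avoids re.sub treating the backslashes in system_root as escapes.
    e = re.sub(r"%systemroot%", lambda m: system_root, entry, flags=re.IGNORECASE)
    if not re.match(r"^[a-z]:\\", e, flags=re.IGNORECASE):
        e = system_root + "\\" + e.lstrip("\\")
    return e.lower()


def triage_userinit(value: str, system_root: str = r"C:\WINDOWS") -> List[str]:
    """Return findings for a Userinit value; an empty list means it looks like the default."""
    entries = parse_userinit(value)
    if not entries:
        return ["Userinit is empty: nothing would start the shell at logon"]
    expected = normalise_entry(r"system32\userinit.exe", system_root)
    findings = [f"unexpected Userinit entry: {e}"
                for e in entries if normalise_entry(e, system_root) != expected]
    if len(entries) > 1:
        findings.append(f"{len(entries)} entries where 1 is expected "
                        "(a second loader has been appended)")
    return findings


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 of a file's bytes, the way the online scanners report them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def matches_known_good(hashes: Dict[str, str]) -> bool:
    """True only if every algorithm we hold a reference for agrees (case-insensitive)."""
    return all(hashes.get(alg, "").lower() in refs for alg, refs in KNOWN_GOOD.items())


if __name__ == "__main__":
    # Constructed sample values: the XP default, the two data strings from the
    # OP's log, and a hypothetical hijacked value with a second loader appended.
    samples = {
        "xp default": r"C:\WINDOWS\system32\userinit.exe,",
        "log item 1": r"c:\windows\system32\userinit.exe",
        "log item 2": r"system32\userinit.exe",
        "hijacked": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\extra.exe,",
    }
    for name, val in samples.items():
        print(f"{name:11} -> {triage_userinit(val) or 'looks like the default'}")
    try:  # on Windows, also read the live value (read-only; no admin needed)
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as k:
            live, _ = winreg.QueryValueEx(k, "Userinit")
        print("live value ->", triage_userinit(live) or "looks like the default")
    except ImportError:
        pass
```

Both data strings from the log above come back clean, which is the point: the scanner matched the default loader path itself, not something appended to it. A genuine Userinit hijack shows up as a second entry after the comma, which the hijacked sample demonstrates. For the hash side, compute `file_hashes()` over the bytes of the copy on your desktop and compare with `matches_known_good()`; a mismatch against a reference from the same Windows build is worth investigating, a match against hashes from a different language build is not.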

Hi nosirrah and thank you

here is virustotal results (italian):

http://www.virustotal.com/it/analisis/f8b2...fad7-1253672207

Result: 0/41 (0%) Clean.

I think it is really unlikely that two computers running XP (Home and Pro), fully patched (Sun Java JRE, Adobe Flash Player and Adobe Reader up to date), could be infected while another computer of mine running Vista is not.

Regards


And here are the novirusthanks.org results:

File Info
Report generated: 23.9.2009 at 4:15:26 (GMT 1)
Filename: userinit.exe
File size: 26 KB
MD5 Hash: df69726907357c3add243f48902b0331
SHA1 Hash: DDA6F181F68D6BB6CD8E60279470C174B9D8EE4E
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 0 of 23

Detections (no engine flagged the file): a-squared, Avira AntiVir, Avast, AVG, BitDefender, ClamAV, Comodo, Dr.Web, Ewido, F-PROT6, Ikarus T3, Kaspersky, McAfee, NOD32 v3, Norman, Panda, QuickHeal, Solo Antivirus, Sophos, TrendMicro, VBA32, VirusBuster, ZonerAntivirus

Scan report generated by NoVirusThanks.org


Interesting, something odd is going on here.

Please zip and attach your copy of userinit.exe to your next post so I can take a look at it.

Hi,

here is a zipped copy of my userinit.exe, attached.

The very odd thing is that I ran a quick scan with MBAM on my XP Pro SP3 English version running in my virtual machine, and MBAM found no malware.

I've just finished a complete scan with the SAS online scanner, and SAS found no malware.

Is it possible that only the Italian XP can be affected? (just an idea)

I use Avira AntiVir Premium, Agnitum Outpost 2009 Free, WinPatrol Plus, Javacool SpywareBlaster 4.2 and MBAM (full), of course.

I do not visit dangerous web pages, I do not install suspicious software, my Firefox has several security add-ons (NoScript, WOT), I do not use P2P programs...

Thank you

Attachment: userinit.zip

[EDIT to say] MBAM keeps popping up, warning me that the userinit.exe I copied to my desktop is infected.


Guest vordme34

Don't worry pal, it's definitely a false positive. It just happened to my Greek XP SP3 too! This is the first time it has happened (I run an automated scan every day at 6 am) and I just got the same report. The chances that we both got infected at the same time are too slim. I expect that many other users will complain about this..


Guest vordme34

I should note though that, contrary to you, I DO visit dangerous websites, and to be honest a few hours ago, while visiting one, Avast blocked (at least that's what it said it did) a so-called "HTML:Iframe-inf". Dunno if this would help nosirrah.. I hope this is a false positive!


Hi, welcome aboard,

I was pretty sure it was a false positive.

Thank you for your feedback. I think many Italian people will have a panic attack tomorrow :blink:, especially those who do not update regularly.

I'm sure the Malwarebytes developers will fix it soon, as usual.

Καλημέρα (good morning) :)


Well,

your computer shouldn't be infected; Avast blocked the suspicious iframe.

Just clean your browser cache with CCleaner or AT Cleaner.

However, update Malwarebytes' Anti-Malware now: they have just fixed the false positive :blink:

If I were you I'd use something like RETURNIL when surfing dangerous websites.

cheers :)

[EDIT to say] MBAM now detects userinit.exe as "Heuristic.Word.Exploit", another false positive.. and I do not use MS Word.


Guest vordme34

Haha, fact is I didn't know it was dangerous; I mean, it wasn't meant to be one of those that are supposed to be, anyway. Probably it was just hacked.

Buongiorno (good morning) :blink:


Thank you :)

Here is my new log. MBAM now detects as infected only the userinit.exe of my XP Home (not when scanning the single file):

--------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2847
Windows 5.1.2600 Service Pack 3

23/09/2009 6:06:07
mbam-log-2009-09-23 (06-06-02).txt

Scan type: Quick scan
Objects scanned: 87690
Time elapsed: 4 minute(s), 25 second(s)

Memory processes infected: 0
Memory modules infected: 0
Registry keys infected: 0
Registry values infected: 0
Registry data items infected: 0
Folders infected: 0
Files infected: 1

Memory processes infected:
(No malicious items detected)

Memory modules infected:
(No malicious items detected)

Registry keys infected:
(No malicious items detected)

Registry values infected:
(No malicious items detected)

Registry data items infected:
(No malicious items detected)

Folders infected:
(No malicious items detected)

Files infected:
C:\Documents and Settings\Mione\desktop\userinit.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

-----------------

And here is my XP Home userinit.exe, zipped.

Regards

Attachment: userinitXPhome.zip
