
Userinit false positive?



Malwarebytes' Anti-Malware 1.44
Database version: 3816
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/03/2010 9:07:44 AM
mbam-log-2010-03-03 (09-07-40).txt

Scan type: Quick Scan
Objects scanned: 119005
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> No action taken. [8018CF85CA708FD8814F60F6DD8D1B8E]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: system32\userinit.exe -> No action taken. [8018CF85CA708FD8814F60F6DD8D1B8E]

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Link to post
Share on other sites
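
A triage aid for the two Registry Data Items lines in the log above, added here as an example (not part of the thread and not Malwarebytes code): it parses each detection line and reports whether the Winlogon Userinit data names anything besides the stock userinit.exe. The function names, the verdict labels, the c:\windows system root and the third sample line are assumptions made for the example.

```python
import re

# Layout of a registry-data detection line as printed in the MBAM log above.
DETECTION = re.compile(
    r"^(?P<path>HKEY_.+?) \((?P<name>[^)]+)\) -> Data: (?P<data>.*?)"
    r" -> (?P<action>.+?)\.(?: \[(?P<tag>[0-9A-Fa-f]+)\])?$"
)
# Assumption: Windows lives in c:\windows, as in the log. The XP default for
# Winlogon\Userinit is this path followed by a comma.
STOCK = r"c:\windows\system32\userinit.exe"


def parse_detection(line):
    """Split one detection line into its fields, or return None."""
    m = DETECTION.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["key"], _, fields["value"] = fields.pop("path").rpartition("\\")
    return fields


def extra_userinit_entries(data):
    """Entries other than userinit.exe (relative forms count as stock: an assumption)."""
    entries = [e.strip().strip('"').lower() for e in data.split(",")]
    return [e for e in entries if e and e != STOCK and not STOCK.endswith("\\" + e)]


def triage(line):
    """Classify a Winlogon Userinit detection line; None for any other line."""
    d = parse_detection(line)
    if d is None or d["value"].lower() != "userinit":
        return None
    d["extra"] = extra_userinit_entries(d["data"])
    d["verdict"] = "extra-entries" if d["extra"] else "value-is-stock"
    return d


# The first two lines are copied from the log above; the third is constructed.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
SAMPLE = [
    KEY + r" (Trojan.PWS) -> Data: c:\windows\system32\userinit.exe -> No action taken. [8018CF85CA708FD8814F60F6DD8D1B8E]",
    KEY + r" (Trojan.PWS) -> Data: system32\userinit.exe -> No action taken. [8018CF85CA708FD8814F60F6DD8D1B8E]",
    KEY + r" (Constructed.Sample) -> Data: C:\WINDOWS\system32\userinit.exe,C:\example\constructed.exe -> No action taken.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line)["verdict"], triage(line)["extra"])
```

A "value-is-stock" verdict only says the registry data is unmodified; whether the detection is a false positive then depends on the userinit.exe file itself, which this script does not inspect.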

How do you get confirmation (I really don't know much about the way these things work)?

Since I suspected it was an F/P, I ignored the scan results. MBAM wanted to delete 2 files out of the registry and I'm afraid to muck about with files unless I know more about what I'm doing. I'm not really all that knowledgeable about restoring system files (though I could probably use system restore to fix it). Should I just ignore the "infected" files for now, or does that pose some danger?

Link to post
Share on other sites
I am no wiser, but it said "No action taken", so I have left them untouched for the time being.

Just waiting for the experts to reply to our threads. :lol:

Link to post
Share on other sites
Just to clarify, MBAM also took no action when the scan ran. Post-scan, it appears I could manually delete the "infected" files if I chose to do so. Until I know more, I just exited out of the program, so the files are still on my PC.

Link to post
Share on other sites
I don't think there is anything wrong with my C:\WINDOWS\system32\userinit.exe, so it is likely to be a false detection in the registry.

Link to post
Share on other sites
Honestly, I don't know enough to know what would happen if something were wrong with that file, but there appear to be zero problems with my PC or Windows.

Link to post
Share on other sites
If your copy of userinit is infected, this is the detection you will get, as MBAM prevents userinit from being deleted. I am looking into this now.

I have practically no idea what you just said (I'd have to google Userinit to even know what it is), so, if it is a real problem, please tell me - in very simple terms - how to fix it.

Also, like I said, I ran MBAM with def file 3805 literally a few seconds before I updated to 3816 and re-ran a scan. I usually run MBAM every evening, but only update every few days (it's not my primary AV).

Link to post
Share on other sites
Confirmed FP and fixed.

It would be a good idea to upgrade to SP3 as well, guys.

nosirrah, thanks...I'll take that under advisement. :lol::D

Here is a fresh scan after latest defs update.

Malwarebytes' Anti-Malware 1.44
Database version: 3817
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/03/2010 10:46:37 AM
mbam-log-2010-03-03 (10-46-37).txt

Scan type: Quick Scan
Objects scanned: 119126
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Link to post
Share on other sites
Confirmed FP and fixed.

It would be a good idea to upgrade to SP3 as well, guys.

Already did. Then uninstalled and went back to SP2. There's some sort of compatibility issue with SP3 and my PC. I think it's an issue with the ... Athlon chip, I think. When I installed SP3, the PC went into some sort of continuous boot (boot loop?). Took me over a half hour to get any control whatsoever over the desktop and even then programs would take 10+ minutes to start up. When I managed to get control, I did a system restore and rolled back to SP2. Problem solved.

I don't remember the exact particulars. I do remember that I found out later it was a fairly widespread problem. IIRC, it had to do with the type of chip or processor or something. Anyway, no Service Pack 3 for me. We have other computers in the house, but this is my personal PC. Wife keeps trying to get me to buy a laptop, mumbling something about how much she loves Vista, but, nah.... I basically only surf a little at home and do some work with Word/Excel. I'm keeping this computer until it dies completely, then looking into getting a Mac. Or maybe just going without a personal PC. I actually wouldn't mind being entirely computer free at home.

Link to post
Share on other sites

Hmmm...It's now about 18 hours later, and I just did a scan -- after updating -- that reports the same two registry infections mentioned in this thread. However, my scan also reports a file infection for Trojan.PWS in addition to the two registry keys. The file is Windows\system32\dllcache\userinit.exe. All 3 are "no action taken." I'm surprised this is happening after the update. Are these all false positives? For now I am not removing anything. I will note that I DID just have to re-install my AV earlier today after it wasn't updating properly. It SEEMS OK now (including updating), and a virus scan turned up nothing suspicious. In fact, the problem with my AV and need to be on the net unprotected for awhile while reinstalling it is why I chose to run a MBAM scan in the first place.

Look forward to any advice re this. Thanks in advance.

Link to post
Share on other sites

If I just may add, SP2 on XP will only be supported with security and stability updates until July 13th, 2010. SP3 until April 2014.

Link to post
Share on other sites

Oh, after logging in I see that the post times have changed and it looks like the things discussed here have just transpired. So I will run an update and try again, and only post back if there is still a possible problem. BTW, I am also using XP SP2.

Link to post
Share on other sites

I updated MBAM from 3016 to 3017 and it seems to have solved my problem. Thanks.

And, yeah, I'm aware they're discontinuing support for SP2 this year. I've talked it over with the IT guys at work and am not particularly concerned. Long as I can shop online a bit and use MS Office, I'm good to go.

Link to post
Share on other sites
Sigh...It was a time-consuming nightmare trying to update to XP3, and then trying to "recover" from the update attempt. But I guess I'd better try again... Thanks for the info.

Link to post
Share on other sites
You're a braver man than me. Or have more time to spend on issues like this. I'll take my chances with SP2.

Link to post
Share on other sites
  • Staff

You can keep SP2 if you want, but keep in mind that as time passes new software and drivers will opt to be more compatible with SP3 due to the majority of users using it.

If you are the type of person that likes learning new things and handling all of their own IT, there is a way to make your XPSP(0-2) disk into an XPSP3 disk. I won't go into a lot of details (because if you can't figure it out you should not be doing it), but if you slipstream SP3 into a new disk you can perform the best update path available.

Run the install from your desktop and you will get an option to upgrade, take it. From there it will ask if you want Windows to look for new setup files online, also take this option. From there Windows will set up like it usually does but with one extra reboot (the Windows loading screen has a silver bar (instead of blue or green) for that one reboot, great trivia question BTW).

This is the best way to upgrade to SP3 as it will also fix loads of OS problems at the same time and ensure that you have the best setup files to do it. This is far less likely to fail than doing a web or standalone SP3 upgrade.

Link to post
Share on other sites
Thanks for your advice...but I will demur. I will wait until I custom build a new system with whatever is the latest and most stable OS at the time. This is a 32-bit OS installed on 64-bit architecture (motherboard), i.e. has inbuilt DEP. I feel fairly safe. :D

Link to post
Share on other sites
