USERINIT.EXE - A new startup

  • Thread starter Thread starter ms
  • Start date Start date
M

ms

I normally have a very stable W2K system.

This AM, I ran a utility that removes all instances of McAfee products, I
didn't ever install McAfee, but the program instantly executed and was
not able to be stopped. It apparently didn't find anything.

But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup.

Below is the report on the USERINIT.EXE now in my system. I don't know if
it replaced an earlier version, as I never before had occasion to look at
it. The MD5 does not agree with a web site value I found.
-----------
File: C:\WINNT\system32\USERINIT.EXE
Size: 17680 bytes
File Version: 5.00.2195.6612
Modified: Thursday, June 19, 2003, 11:05:04 AM
MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
CRC32: 53C3D624
-----------

I searched the net and find 2 opinions, it is normal and leave it alone,
(if so why a startup now)

or- it is a virus and remove it. (replace with what?)

Question
What is the correct specs for USERINIT.EXE? If it is wrong, where to
locate a good version?

Is it a normal startup? And if so, why now?

Advice?

ms
 
ms said:
I normally have a very stable W2K system.

This AM, I ran a utility that removes all instances of McAfee products, I
didn't ever install McAfee, but the program instantly executed and was
not able to be stopped. It apparently didn't find anything.

But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup.

Below is the report on the USERINIT.EXE now in my system. I don't know if
it replaced an earlier version, as I never before had occasion to look at
it. The MD5 does not agree with a web site value I found.
-----------
File: C:\WINNT\system32\USERINIT.EXE
Size: 17680 bytes
File Version: 5.00.2195.6612
Modified: Thursday, June 19, 2003, 11:05:04 AM
MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
CRC32: 53C3D624
-----------

I searched the net and find 2 opinions, it is normal and leave it alone,
(if so why a startup now)

or- it is a virus and remove it. (replace with what?)

Question
What is the correct specs for USERINIT.EXE? If it is wrong, where to
locate a good version?

Is it a normal startup? And if so, why now?

Advice?

ms
Click to expand...

Here are the details of the original Win2000 userinit.exe:
--a-- W32i APP ENU 5.0.2159.1 shp 17,168 11-30-1999 userinit.exe

The file gets executed each time you log on, i.e. after you have
entered your user-ID and password.
 
From: "ms" <[email protected]>

| I normally have a very stable W2K system.
|
| This AM, I ran a utility that removes all instances of McAfee products, I
| didn't ever install McAfee, but the program instantly executed and was
| not able to be stopped. It apparently didn't find anything.
|
| But since then, I have a alert utility, and get frequent notices that
| USERINIT.EXE wants to be added to windows startup. I finally allowed it,
| rebooted, everything *seems* normal, but I am concerned, as W2K has daily
| cold booted fine for over 2 years w/o this startup.
|
| Below is the report on the USERINIT.EXE now in my system. I don't know if
| it replaced an earlier version, as I never before had occasion to look at
| it. The MD5 does not agree with a web site value I found.
| -----------
| File: C:\WINNT\system32\USERINIT.EXE
| Size: 17680 bytes
| File Version: 5.00.2195.6612
| Modified: Thursday, June 19, 2003, 11:05:04 AM
| MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
| SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
| CRC32: 53C3D624
| -----------
|
| I searched the net and find 2 opinions, it is normal and leave it alone,
| (if so why a startup now)
|
| or- it is a virus and remove it. (replace with what?)
|
| Question
| What is the correct specs for USERINIT.EXE? If it is wrong, where to
| locate a good version?
|
| Is it a normal startup? And if so, why now?
|
| Advice?
|
| ms
|

Unless it has been Trojanized (patched) it is legitimate.
 
ms said:
I normally have a very stable W2K system.

This AM, I ran a utility that removes all instances of McAfee
products, I didn't ever install McAfee, but the program instantly
executed and was not able to be stopped. It apparently didn't find
anything.

But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed
it, rebooted, everything *seems* normal, but I am concerned, as W2K
has daily cold booted fine for over 2 years w/o this startup.

Below is the report on the USERINIT.EXE now in my system. I don't know
if it replaced an earlier version, as I never before had occasion to
look at it. The MD5 does not agree with a web site value I found.
-----------
File: C:\WINNT\system32\USERINIT.EXE
Size: 17680 bytes
File Version: 5.00.2195.6612
Modified: Thursday, June 19, 2003, 11:05:04 AM
MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
CRC32: 53C3D624
-----------

I searched the net and find 2 opinions, it is normal and leave it
alone, (if so why a startup now)

or- it is a virus and remove it. (replace with what?)

Question
What is the correct specs for USERINIT.EXE? If it is wrong, where to
locate a good version?

Is it a normal startup? And if so, why now?

Advice?

ms
Click to expand...
Thanks to all.

I had in Winnt\NT Service Pack Uninstall folder:
userinit.exe 2195.3649 17,680 7/22/02

In Winnt\Service Pack\386 folder:
userinit.exe 2195.6612 17,680 6/17/03

Neither is exactly the one mentioned in Pegasus's post.

Which one is better to use in C:\WINNT\system32\ ?

I did not understand this in that post: --a-- W32i APP ENU, is this a
location on the CD?

The other question remains: if this is updated every time I log in, why
was it suddenly a startup when never before? and is that OK?

Thanks

ms
 
See below.

ms said:
Thanks to all.

I had in Winnt\NT Service Pack Uninstall folder:
userinit.exe 2195.3649 17,680 7/22/02

In Winnt\Service Pack\386 folder:
userinit.exe 2195.6612 17,680 6/17/03

Neither is exactly the one mentioned in Pegasus's post.
Click to expand...

*** This is probably due to mine being the original CD version
*** whereas yours has been updated by service packs.
Which one is better to use in C:\WINNT\system32\ ?
Click to expand...

*** Use the one you have. It is most likely the current version.
I did not understand this in that post: --a-- W32i APP ENU, is this a
location on the CD?
Click to expand...

*** It is what filever.exe reports. "W32i" probably means "Windows
*** 32 bits Intel", "App" I don't know and "ENU" is probably
*** "English Update".
The other question remains: if this is updated every time I log in, why
was it suddenly a startup when never before? and is that OK?
Click to expand...

*** What makes you think it gets updated each time you log on?
*** What do you mean with "it was suddenly a startup"?
Thanks
Click to expand...

*** You're welcome.
 
See below.



*** This is probably due to mine being the original CD version
*** whereas yours has been updated by service packs.


*** Use the one you have. It is most likely the current version.


*** It is what filever.exe reports. "W32i" probably means "Windows
*** 32 bits Intel", "App" I don't know and "ENU" is probably
*** "English Update".


*** What makes you think it gets updated each time you log on?
*** What do you mean with "it was suddenly a startup"?


*** You're welcome.
Click to expand...
I mis-spoke. You said:
"The file gets executed each time you log on, i.e. after you have
entered your user-ID and password."

In my OP:
"But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup. "

If it was not a *startup* entry for about 3 years, and is a normal file,
why now?. I notice it is a running service. (Autoruns) I don't see it in
any of my startup process utilities.

ms
 
I mis-spoke. You said:
"The file gets executed each time you log on, i.e. after you have
entered your user-ID and password."

In my OP:
"But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup. "

If it was not a *startup* entry for about 3 years, and is a normal file,
why now?. I notice it is a running service. (Autoruns) I don't see it in
any of my startup process utilities.

ms
Click to expand...

Sorry, I cannot comment on your observation. I am not familiar
with your "alert" facility but I suspect that it is alerting you about
a non-existent danger.
 
Sorry, I cannot comment on your observation. I am not familiar
with your "alert" facility but I suspect that it is alerting you about
a non-existent danger.
Click to expand...
At this point, user logon is normal, else is normal. My startup utilities
don't recognize anything unusual, so I guess OK.

BTW, my "alert" utility is WinPatrol, a fine process control application.

Thank you for the help in this thread. My only remaining task in W2K/SP4
is to save my data and then finally install the old rollup patch. Due to
my browsing habits, missing security patches haven't caused problems.

ms
 
Pegasus wrote
*** It is what filever.exe reports. "W32i" probably means "Windows
*** 32 bits Intel", "App" I don't know and "ENU" is probably
*** "English Update".
Click to expand...

Actually, "ENU" stands for English (USA) - "ENG" would be English (GB),
and so on...

Cheers
 
Back
Top