userinit security

Skybuck Flying

The following two security entries in:

c:\windows\userinit.exe

tab properties->Security

Look suspicious:

Web Anonymous all on deny.

Web Applications all on deny.

Is this normal that these things are in there ?

Bye,
Skybuck.
 
I would strongly suspect this is a virus, trojan or some other type of malware. USERINIT.EXE is a valid Windows file, but by default only exists in Windows\System32 and Windows\System32\dllcache. You may also find a reference to it in Windows\prefetch. And neither of the users/groups you mention are listed in the Security properties.
 
1) Download the following four items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt251.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using the three
utilities; Trend Sysclean, Stinger and Adaware
7) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) Create a new Restore point

You can also try some of the below online scanners.

BitDefender:
http://www.bitdefender.com/scan/license.php

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

Freedom Online scanner:
http://www.freedom.net/viruscenter/index.html

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

RAV
http://www.ravantivirus.com/scan/

Symantec:
http://security.symantec.com/

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com


* * * Please report your results ! * * *

Dave





| The following two security entries in:
|
| c:\windows\userinit.exe
|
| tab properties->Security
|
| Look suspicious:
|
| Web Anonymous all on deny.
|
| Web Applications all on deny.
|
| Is this normal that these things are in there ?
|
| Bye,
| Skybuck.
|
|
 
Hi Skybuck,

Thanks for posting!

I have checked Windows XP regarding this file.

It should be in C:\Windows\System32\

The file size should be 22,016 bytes/22,528 bytes on disk in a Windows XP
SP1 version.

The Create date should be 2002/8/29/3:41:28AM

The file version should be 5.1.2600.1106 (xpsp1.020828-1920).

Description: Userinit Logon Application

You may check the information above.

If it doesn't match, I suggest you remove it directly and then follow the
others' suggestions to scan for viruses.

Hope it helps!

If anything else is unclear, please feel free to post back.

Best Regards,

Jeff Qiu
Microsoft Online Partner Support
MCSE 2k/2k3, MCSA 2k/2k3, MCDBA
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
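
The checks described in the replies above (where userinit.exe is allowed to live, its size, version and description, and any Deny entries on its ACL) can be gathered in one read-only pass. This PowerShell script is an added example and is not part of any post in this thread; it assumes PowerShell 3.0 or later, and the expected values are the Windows XP SP1 figures quoted above.

```powershell
# Added example (not from the thread): read-only triage of every userinit.exe
# under %SystemRoot%. Requires PowerShell 3.0+; run from an elevated prompt.
# Expected values are the ones quoted above for Windows XP SP1. Other service
# packs and Windows versions ship a different size and version: adjust them.
$expectedDirs    = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\dllcache")
$expectedVersion = '5.1.2600.1106'
$expectedSize    = 22016
$expectedDesc    = 'Userinit Logon Application'

$found = Get-ChildItem -Path $env:SystemRoot -Filter 'userinit.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$report = foreach ($file in $found) {
    $vi   = $file.VersionInfo
    $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
    # Deny entries are what the original poster saw on the Security tab.
    $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })

    [pscustomobject]@{
        Path             = $file.FullName
        LocationExpected = $expectedDirs -contains $file.DirectoryName
        SizeBytes        = $file.Length
        SizeMatches      = $file.Length -eq $expectedSize
        FileVersion      = $vi.FileVersion
        VersionMatches   = $vi.FileVersion -like "$expectedVersion*"
        DescriptionMatch = $vi.FileDescription -eq $expectedDesc
        Created          = $file.CreationTime
        DenyEntries      = ($deny | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    }
}

$report | Format-List

# Any copy outside the two expected directories deserves a closer look first.
$report | Where-Object { -not $_.LocationExpected } |
    ForEach-Object { Write-Warning "userinit.exe in unexpected location: $($_.Path)" }
```

On later Windows versions legitimate copies also exist under SysWOW64 and WinSxS, so extend `$expectedDirs` before treating a warning as a finding there.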