PDA

View Full Version : Winlogon registry entry UserInit changed



marie2x
2008-01-03, 21:11
I can't decide whether to allow or deny this change. Old Data: C:\WINDOWS\system32\Icpywinp.exe,C:\WINDOWS\system32\userinit.exe
New Data: C\WINDOWS\system32\userinit.exe
Is this something Spybot has fixed and I need to allow it? or is it something it has found someone esle doing that shouldn't be done and therefore I should deny it?

spybotsandra
2008-01-03, 23:37
Hello,

userinit / userinit.exe is an essential windows process which
is used when the pc is booting.
Among other things, it is needed for the launch of the windows shell, and other boot operations.

Best regards
Sandra
Team Spybot

marie2x
2008-01-04, 03:59
So if Spybot says it has detected an important registry enty that has been changed and gave the previous data that I gave you, do I allow or deny?

marie2x
2008-01-04, 18:03
There's got to be a computer geek out there somewhere that knows which registry entry is correct if the Spybot Team doesn't. Please review my previous postings and advise.

marie2x
2008-01-04, 18:25
By the way, this happened after I ran spybot for the first time and it found 50 spyware (red entries) which seem to have been fixed successfully.

md usa spybot fan
2008-01-04, 18:57
marie2x:

It would appear that the following registry entry changed from:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\WINDOWS\system32\Icpywinp.exe,C:\\WINDOWS\\system32\\userinit.exe,"
To:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,"
I can't find any information on Icpywinp.exe (the program removed from the entry).

My corresponding registry entry reads:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,"

If you were fixing things with Spybot when the message was receive, my first inclination would be to allow the change.

Perhaps the Fixes.yymmdd-hhmm.log produced by Spybot at that time might contain a clue to what stimulated the change. If you like to post the Fixes.yymmdd-hhmm.log from the running of Spybot when you received the message, we could take a look at that.

There are two methods to copy and post that information:
Method 1:
Go into Spybot > Mode > Advanced mode > Tools > View Reports > View Previous reports. Look for the Fixes.yymmdd-hhmm.log file that was produced when you found and fixed the detection you are questioning. Open it. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Method 2
The Fixes.yymmdd-hhmm.log files are stored in the following folders:
Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy
Using Windows Explorer, navigate to the correct Fixes.yymmdd-hhmm.log. Double click on it and it should open with Notepad. To copy it to the Clipboard, right click on the listing and select Select All > Right click again and select Copy. Paste (Ctrl+V) the contents of the Clipboard into a new post in this thread.
Note: By default here are two Checks.yymmdd-hhmm.log files produced during a scan. The second Checks.yymmdd-hhmm.log has the details of what the scan found. A Fixes.yymmdd-hhmm.log is produced if you fix or attempt to fix something.

cmnetworx
2008-12-27, 08:20
I realize this post is somewhat old by now, but I just thought I'd mention that there is very rarely any legit program that makes an entry with userinit.exe, Most times this is spyware or something of the sort designed to load immediately at login, and it sometimes replaces the userinit.exe registry entry with itself, something like c:\windows\system32\winloads.exe . When this happens and you delete winloads.exe the computer will act like its logging in, then immediatly log back out because it did not properly load userinit.exe or its spyware alternative winloads.exe..

You pretty much always want this entry to be exactly as follows, and mentioned above..



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,"