Win32.Agent.ig



Zenobia
2006-12-09, 10:43
Teatimer terminated userinit.exe on a reboot:
12/9/2006 3:33:47 AM Encountered and terminated Win32.Agent.ig in C:\WINDOWS\system32\userinit.exe!

There's only one userinit.exe in System32 (I didn't let TeaTimer delete the file).
Properties show Company: Microsoft Corporation. Also, if you click on userinit.exe, TeaTimer terminates it again. userinit.exe scanned clean at VirusTotal.

Zenobia
2006-12-09, 12:20
I'm not sure if this is needed, but I meant to post it (forgot).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
dword Value Data is:
C:\WINDOWS\system32\userinit.exe,

md usa spybot fan
2006-12-09, 17:54
Very strange!

I am not having the same symptoms on my system:
Microsoft Windows: XP Home Edition
Version: 5.1.2600 Service Pack 2 Build 2600
My copy of userinit.exe appears to have originated from the XP SP2 upgrade:
File: C:\WINDOWS\system32\userinit.exe
Description: Userinit Logon Application
Size: 24.0 KB (24,576 bytes)
Created: Wednesday, July 16, 2003 3:49:24 PM
Modified: Tuesday, August 03, 2004 11:56:58 PM


File Version: 5.1.2600.2180
Description: Userinit Logon Application
Copyright: © Microsoft Corporation. All rights reserved.


CRC-32: CB56A6BF
MD5: 39B1FFB03C2296323832ACBAE50D2AFF
SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445

Zenobia
2006-12-10, 12:24
Win32.Agent.ig is listed as beta in All Products, maybe that's why I'm getting it.
Here's mine (kind of long, used FileAlyzer). Looks pretty much the same, but I didn't read through it all, 'cause I just realized I'm still up after 5:55 AM when I looked at the report, lol.

File: C:\WINDOWS\system32\userinit.exe
Date: 12/10/2006 5:55:14 AM


***** General ******************************************************
Location: C:\WINDOWS\system32\
Size: 24576
Version: 5.1.2600.2180
CRC-32: CB56A6BF
MD5: 39B1FFB03C2296323832ACBAE50D2AFF
SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445
Read only: No
Hidden: No
System file: No
Directory: No
Archive: Yes
Symbolic link: No
Time stamp: Wednesday, August 04, 2004 3:56:58 AM
Creation: Saturday, December 10, 2005 2:33:22 AM
Last access: Wednesday, August 04, 2004 3:56:58 AM
Last write: Wednesday, August 04, 2004 3:56:58 AM


***** Version ******************************************************
Supported languages:: English (United States) (1033/1200)
--- Version --------------------------------------------------------
File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Company name: Microsoft Corporation
Internal name: userinit
Comments:
Legal copyright: © Microsoft Corporation. All rights reserved.
Legal trademarks:
Original filename: USERINIT.EXE
Product name: Microsoft® Windows® Operating System
Product version: 5.1.2600.2180
File description: Userinit Logon Application
Private build:
Special build:

wk357mag
2006-12-10, 17:45
same here

WinXP Pro, Sp2

Using the SpyBot 1.5beta

CogitoErgoZoom
2006-12-10, 20:55
My PCs have exactly the same symptoms as Zenobia & wk357mag.
Is Spybot reporting userinit.exe as a false positive in our cases?

Should I allow this process to run even though it's not recommended?

md usa spybot fan
2006-12-10, 22:31
Is Spybot reporting userinit.exe as a false positive in our cases?
Since I can trace the origin of my copy of userinit.exe to the Windows XP SP2 upgrade and it has the same content verified by the size as well as CRC-32, MD5 and SHA1 hash values as the one that Zenobia (http://forums.spybot.info/member.php?u=145) has, I can only assume that the identification of that version of userinit.exe by TeaTimer as malicious software is a false positive.


Should I allow this process to run even though its not recommended?
The execution of userinit.exe is a required process (see Note #1).

If your copy of userinit.exe is the same as the one reported by Zenobia (http://forums.spybot.info/member.php?u=145), then I would say it is more than likely a false positive and you should allow this process to run.

If you have another version of userinit.exe, it is quite likely it is a false positive since there appears to be a problem with the detection of userinit.exe within TeaTimer as malicious software, and you should probably allow this process to run until a member of "Team Spybot" takes a look at the problem.

Note #1: Any malware can be named anything, so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection! That is why I published the properties of my copy of userinit.exe for comparison purposes.
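The two checks the thread relies on, comparing size/CRC-32/MD5/SHA-1 of userinit.exe against a known-good copy (this post) and reading the Winlogon\Userinit value (Zenobia's second post), are easy to script. The block below is an added example for this thread; it is not Spybot, TeaTimer or Microsoft code. The reference values are the ones posted above for userinit.exe 5.1.2600.2180; the extra-entry path used in the comment is constructed for illustration and is not from the thread. Anything appended to the Userinit value after the stock entry is launched by winlogon at every logon, so the script lists every entry that is not the expected one. Only the registry read needs Windows (winreg); the hashing and value parsing run anywhere.

```python
"""Verify userinit.exe against the known-good values posted in this thread
and inspect the HKLM\\...\\Winlogon\\Userinit value.

Added example, not code from the original thread or from Spybot/Microsoft.
"""
import hashlib
import zlib
from pathlib import Path

# Reference values for userinit.exe 5.1.2600.2180 (XP SP2) as posted above.
KNOWN_GOOD = {
    "size": 24576,
    "crc32": "CB56A6BF",
    "md5": "39B1FFB03C2296323832ACBAE50D2AFF",
    "sha1": "E5AEDCBE25A97C89101F1F3860FF846E94D70445",
}

USERINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def fingerprint(data: bytes) -> dict:
    """Size, CRC-32, MD5 and SHA-1 of a byte string, in the form FileAlyzer
    printed them in the thread (upper-case hex)."""
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
    }


def matches_known_good(data: bytes, reference: dict = KNOWN_GOOD) -> bool:
    """True only if every field (size and all three digests) agrees.
    A size match alone is not evidence of anything."""
    fp = fingerprint(data)
    return all(str(fp[k]).upper() == str(reference[k]).upper() for k in reference)


def check_file(path: str, reference: dict = KNOWN_GOOD) -> dict:
    """Fingerprint a file on disk and report whether it matches the reference."""
    data = Path(path).read_bytes()
    result = fingerprint(data)
    result["matches_known_good"] = matches_known_good(data, reference)
    return result


def parse_userinit_value(value: str) -> list:
    """Split the comma-separated Userinit string into entries. The stock value
    ends in a trailing comma, which leaves an empty entry that is dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> list:
    """Every entry that is not the stock userinit.exe under system32.
    Assumption: only the stock entry is expected on the machine being checked.
    Example (constructed): 'C:\\WINDOWS\\system32\\userinit.exe,C:\\example\\extra.exe'
    yields ['C:\\example\\extra.exe']."""
    expected = f"{system_root}\\system32\\userinit.exe".lower()
    return [e for e in parse_userinit_value(value) if e.lower() != expected]


def read_userinit_value() -> str:
    """Read the live Userinit value. Windows only; raises ImportError elsewhere."""
    import winreg  # available only on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERINIT_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\userinit.exe"
    try:
        report = check_file(target)
        for k, v in report.items():
            print(f"{k}: {v}")
    except OSError as exc:
        print(f"cannot read {target}: {exc}")
    try:
        value = read_userinit_value()
        print(f"Userinit = {value!r}")
        extra = unexpected_userinit_entries(value)
        print("unexpected entries:", extra or "none")
    except ImportError:
        print("registry check skipped: not running on Windows")
```

A file that is a different build of userinit.exe (another service pack or a hotfix) will legitimately fail the comparison; that tells you the file is not the copy hashed in the thread, not that it is malicious. The registry check is the more general one: a correct hash on the file says nothing about what else winlogon has been told to start.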

wk357mag
2006-12-10, 23:34
File: C:\WINDOWS\system32\userinit.exe
Size: 24.0 KB (24,576 bytes)
Created: Tuesday, August 03, 2004 11:56:58 PM
Modified: Tuesday, August 03, 2004 11:56:58 PM
File Version: 5.1.2600.2180
CRC-32: CB56A6BF
SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445
MD5: 39B1FFB03C2296323832ACBAE50D2AFF

This is my info, which is WinXP Pro, SP2

Buster
2006-12-11, 08:11
We will fix this false positive in the next detection update. Thanks for reporting!

galaad2
2006-12-11, 09:57
I'm getting the userinit false positive too.
I'm using the new spybot15beta tools, but I don't think that is the cause; looks like the definitions are wrong.

md5sum of the file: 39b1ffb03c2296323832acbae50d2aff

http://img.photobucket.com/albums/v229/galaad2/false_detection.png

http://img.photobucket.com/albums/v229/galaad2/userinit.png


EDIT: looks like Buster posted while I was preparing the screenshots... I'm kinda busy here at work though, delayed posting them for a bit.

wk357mag
2006-12-11, 15:59
Thanks Buster

pgroot
2006-12-14, 08:28
I also had from TeaTimer: 12/12/2006 6:48:52 PM Encountered and terminated Win32.Agent.ig in C:\WINDOWS\system32\userinit.exe!
I have Spybot 1.4 and I do use beta detections.
Definitions are 2006-12-09. But I last updated beta
12/8/2006 10:46:10 AM downloaded update Detection rules (beta)