Thread: "resident denied the change of userinit"??

  1. #1
    Junior Member (Join Date: Sep 2009, Posts: 5)

    "resident denied the change of userinit"??

    Hello all!

    Having clicked "deny" to a recent change, I now have a continually refreshing column of Resident windows on the right hand side of my desktop that read...

    "Resident denied the change of userinit (category System Startup user entry) based on your black list"

    I have no idea what this is and how to stop it - any advice would be hugely appreciated!! Having looked it up it appears I'm not the first to have this problem, though the advice given is advised as specific to those users' computers, so please pardon the repeat post!

    Thanks in advance...

  2. #2
    Zenobia, Spybot Advisor Team (Join Date: Oct 2005, Posts: 5,489)

    Hi.
    Could you please right-click Teatimer and select Show log? Go to Edit, Select All, then right-click somewhere in the page and select Copy, then paste it here.

  3. #3
    Junior Member (Join Date: Sep 2009, Posts: 5)

    Thanks so much for your reply! I've since googled one of the popups I was getting from AVG which alerted me of a threat from "SDRS64" and found a series of posts explaining how to remove what is apparently a Trojan.

    However, as it seems (I think?) I didn't yet have the trojan, as this is what Spybot was blocking (?) I wasn't actually able to complete these instructions - I did however follow this post "http://www.pcanswers.co.uk/blog/sdra64exe-remove-trojan-menace-21-05-09?page=1" as far as the point where I could see the registry key "C:\Windows\System32\Userinit.exe". Figuring this was the bad file I deleted it, and although now it appears it isn't a bad file, the popup windows have stopped, following a reboot.

    This all seemed a bit too easy though and fearing the computer was still infected, I downloaded Malwarebytes and ran a check - it picked up 3 files and upon deleting them, it also reinstated the userinit registry key.

    So that's now where I'm at - the column of Resident popups has stopped and userinit registry key reinstated. This all seems a bit easy though? Does Spybot need a big pat on the back for blocking the change to userinit and upon deleting this regkey has the Trojan threat now vanished, or am I potentially infected with something hiding on my computer?! I'm hoping you might be able to follow my ramblings!

    And this is the log pasted below. The bottom command line is repeated hundreds of times which I presume is the column of Resident pop ups?

    Thanks again for your efforts here!

    29/12/2007 17:27:44 Allowed (based on user decision) value "AVG7_Run" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE") added in System Startup user entry!
    29/12/2007 17:27:51 Allowed (based on user decision) value "AVG7_CC" (new data: "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP") added in System Startup global entry!
    29/12/2007 17:27:54 Allowed (based on user decision) value "avgwlntf" (new data: "") added in Winlogon Notifiers!
    29/12/2007 17:32:05 Allowed (based on user decision) value "AVG7_Run" (new data: "") deleted in System Startup user entry!
    29/12/2007 17:34:55 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *
    lsdelete
    ") changed in Session manager!
    30/12/2007 00:03:20 Allowed (based on user decision) value "ALUAlert" (new data: "") deleted in System Startup global entry!
    30/12/2007 00:03:41 Allowed (based on user decision) value "ALUAlert" (new data: "C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe") added in System Startup global entry!
    30/12/2007 01:02:17 Allowed (based on user whitelist) value "ALUAlert" (new data: "") deleted in System Startup global entry!
    02/06/2008 14:23:22 Allowed (based on user decision) value "NWEReboot" (new data: "") added in System Startup global entry!
    04/08/2008 15:35:07 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
    03/09/2008 17:25:34 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe") added in System Startup user entry!
    03/09/2008 22:53:54 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    03/11/2008 17:30:20 Allowed (based on user decision) value "Desktop SMS" (new data: "") deleted in System Startup global entry!
    03/11/2008 17:30:23 Allowed (based on user decision) value "QuickTime Task" (new data: "") deleted in System Startup global entry!
    03/11/2008 17:30:26 Allowed (based on user decision) value "iTunesHelper" (new data: "") deleted in System Startup global entry!
    03/11/2008 17:30:40 Allowed (based on user decision) value "MSConfig" (new data: ""C:\Windows\system32\msconfig.exe" /auto") added in System Startup global entry!
    08/11/2008 14:19:04 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
    10/11/2008 13:06:24 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    08/12/2008 19:39:35 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
    03/01/2009 12:05:37 Allowed (based on user decision) value "{22BF413B-C6D2-4d91-82A9-A0F997BA588C}" (new data: "") added in Browser Helper Object!
    03/01/2009 12:05:47 Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized") added in System Startup user entry!
    09/01/2009 14:33:33 Allowed (based on user decision) value "Boots Insert Detect" (new data: "C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe") added in System Startup user entry!
    12/01/2009 18:37:19 Allowed (based on user decision) value "Boots Insert Detect" (new data: "") deleted in System Startup user entry!
    12/01/2009 18:39:11 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
    13/01/2009 18:20:04 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    24/02/2009 12:38:12 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe") added in System Startup user entry!
    25/02/2009 12:02:43 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    02/07/2009 21:43:46 Allowed (based on user decision) value "{0972B098-DEE9-4279-AC7E-4BAAA029102D}" (new data: "") added in ActiveX Distribution Unit!
    25/08/2009 19:51:09 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe") added in System Startup user entry!
    29/08/2009 14:48:23 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    08/09/2009 16:33:51 Denied (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    12/09/2009 14:32:17 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
    12/09/2009 18:28:19 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
    12/09/2009 18:28:37 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
    12/09/2009 20:54:05 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
    12/09/2009 20:54:08 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
    12/09/2009 20:54:20 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!
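
Editor's added example (not part of any post in this thread and not Spybot's own tooling): one way to triage a TeaTimer log like the one pasted above, collapsing repeated entries and flagging startup values whose target sits in a user-writable folder or whose name borrows a Windows logon component. The line format is taken from the log above; the two heuristics and all function names are assumptions made for illustration.

```python
import re

# Single-line entry format as seen in the log pasted in this thread.
ENTRY = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<category>.+)!$'
)
# Assumption: a startup program under a user-writable folder deserves a closer look.
USER_WRITABLE = re.compile(r'\\(users|documents and settings|temp|appdata)\\', re.I)
# Assumption: a startup value that reuses a logon component's name is suspicious.
LOGON_NAMES = {"userinit"}

def parse(lines):
    """Yield a dict per well-formed single-line entry; multi-line entries are skipped."""
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:
            yield m.groupdict()

def triage(lines):
    """Group flagged entries by (verdict, name, data) with count and first/last time."""
    hits = {}
    for e in parse(lines):
        if e["action"] == "deleted" or not e["data"]:
            continue  # a removal carries no new program to inspect
        reasons = []
        if USER_WRITABLE.search(e["data"]):
            reasons.append("target in user-writable path")
        if e["name"].lower() in LOGON_NAMES:
            reasons.append("name borrowed from logon component")
        if reasons:
            key = (e["verdict"], e["name"], e["data"])
            h = hits.setdefault(key, {"count": 0, "first": e["ts"], "reasons": reasons})
            h["count"] += 1
            h["last"] = e["ts"]
    return hits

# Constructed sample: lines copied in shape from the log above.
SAMPLE = [
    r'29/12/2007 17:34:55 Allowed (based on user decision) value "BootExecute" (new data: "autocheck autochk *',
    r'lsdelete',
    r'") changed in Session manager!',
    r'03/01/2009 12:05:47 Allowed (based on user decision) value "Skype" (new data: ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized") added in System Startup user entry!',
    r'12/09/2009 14:32:17 Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!',
    r'12/09/2009 18:28:19 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!',
    r'12/09/2009 18:28:37 Denied (based on user decision) value "userinit" (new data: "C:\Users\susie\AppData\Roaming\sdra64.exe") added in System Startup user entry!',
]

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(info["count"], key, info["first"], info["last"], info["reasons"])
```

A "Denied" verdict in the output only means the registry write was blocked; the program that keeps retrying the write is still running and still needs to be found.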

  4. #4
    Zenobia, Spybot Advisor Team (Join Date: Oct 2005, Posts: 5,489)

    You might want to get checked out in Malware Removal, to be on the safe side.

    Please read the "Before You Post" sticky topic:
    http://forums.spybot.info/showthread.php?t=288

    Malware Removal:
    http://forums.spybot.info/forumdisplay.php?f=22

  5. #5
    Junior Member (Join Date: Sep 2009, Posts: 5)

    Thanks Zenobia!

    That's actually where I started this post before it was moved!

    Thanks again for your time...

  6. #6
    tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    Hello joelinit,

    Originally posted by joelinit:
    "That's actually where I started this post before it was moved!"

    The reason the topic was moved to the Spybot-S&D forums is because to post in the Malware removal forum requesting help, one needs to follow that forum's FAQ.

    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    Please see that thread and then start a new topic in the Malware Removal Forum

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
