Thread: Win32.Agent.ig

  1. #1
    Zenobia (Spybot Advisor Team)
    Join Date: Oct 2005
    Posts: 5,490

    Win32.Agent.ig

    Teatimer terminated userinit.exe on a reboot:
    12/9/2006 3:33:47 AM Encountered and terminated Win32.Agent.ig in C:\WINDOWS\system32\userinit.exe!

    There's only one userinit.exe in System32 (didn't let Teatimer delete the file).
    Properties show Company: Microsoft Corporation. Also, if you click on userinit.exe, Teatimer terminates it again. userinit.exe scanned clean at Virustotal.

  2. #2
    Zenobia (Spybot Advisor Team)
    Join Date: Oct 2005
    Posts: 5,490

    I'm not sure if this is needed, but I meant to post it (forgot).

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    dword Value Data is:
    C:\WINDOWS\system32\userinit.exe,

  3. #3
    md usa spybot fan (Spybot Advisor Team [Retired])
    Join Date: Oct 2005
    Posts: 5,859

    Very strange!

    I am not having the same symptoms on my system:
    • Microsoft Windows: XP Home Edition
    • Version: 5.1.2600 Service Pack 2 Build 2600

    My copy of userinit.exe appears to have originated from the XP SP2 upgrade:
    • File: C:\WINDOWS\system32\userinit.exe
    • Description: Userinit Logon Application
    • Size: 24.0 KB (24,576 bytes)
    • Created: Wednesday, July 16, 2003 3:49:24 PM
    • Modified: Tuesday, August 03, 2004 11:56:58 PM

    • File Version: 5.1.2600.2180
    • Description: Userinit Logon Application
    • Copyright: © Microsoft Corporation. All rights reserved.

    • CRC-32: CB56A6BF
    • MD5: 39B1FFB03C2296323832ACBAE50D2AFF
    • SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Zenobia (Spybot Advisor Team)
    Join Date: Oct 2005
    Posts: 5,490

    Win32.Agent.ig is listed as beta in All Products, maybe that's why I'm getting it.
    Here's mine (kind of long, used Filealyzer). Looks pretty much the same, but I didn't read through it all, 'cause I just realized I'm still up after 5:55 AM when I looked at the report, lol.

    File: C:\WINDOWS\system32\userinit.exe
    Date: 12/10/2006 5:55:14 AM


    ***** General ******************************************************
    Location: C:\WINDOWS\system32\
    Size: 24576
    Version: 5.1.2600.2180
    CRC-32: CB56A6BF
    MD5: 39B1FFB03C2296323832ACBAE50D2AFF
    SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445
    Read only: No
    Hidden: No
    System file: No
    Directory: No
    Archive: Yes
    Symbolic link: No
    Time stamp: Wednesday, August 04, 2004 3:56:58 AM
    Creation: Saturday, December 10, 2005 2:33:22 AM
    Last access: Wednesday, August 04, 2004 3:56:58 AM
    Last write: Wednesday, August 04, 2004 3:56:58 AM


    ***** Version ******************************************************
    Supported languages:: English (United States) (1033/1200)
    --- Version --------------------------------------------------------
    File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Company name: Microsoft Corporation
    Internal name: userinit
    Comments:
    Legal copyright: © Microsoft Corporation. All rights reserved.
    Legal trademarks:
    Original filename: USERINIT.EXE
    Product name: Microsoft® Windows® Operating System
    Product version: 5.1.2600.2180
    File description: Userinit Logon Application
    Private build:
    Special build:

  5. #5
    Senior Member
    Join Date: Oct 2005
    Posts: 144

    same here

    WinXP Pro, Sp2

    Using the SpyBot 1.5beta
    Last edited by wk357mag; 2007-01-03 at 16:50.

  6. #6
    Junior Member
    Join Date: Dec 2006
    Location: Broward County, FL, USA
    Posts: 1

    False positive?

    My PCs have exactly the same symptoms as Zenobia & wk357mag.
    Is Spybot reporting userinit.exe as a false positive in our cases?

    Should I allow this process to run even though it's not recommended?

  7. #7
    md usa spybot fan (Spybot Advisor Team [Retired])
    Join Date: Oct 2005
    Posts: 5,859

    Originally posted by CogitoErgoZoom:
    "Is Spybot reporting userinit.exe as a false positive in our cases?"

    Since I can trace the origin of my copy of userinit.exe to the Windows XP SP2 upgrade and it has the same content verified by the size as well as CRC-32, MD5 and SHA1 hash values as the one that Zenobia has, I can only assume that the identification of that version of userinit.exe by TeaTimer as malicious software is a false positive.

    Originally posted by CogitoErgoZoom:
    "Should I allow this process to run even though it's not recommended?"

    The execution of userinit.exe is a required process (see Note #1).

    If your copy of userinit.exe is the same as the one reported by Zenobia, then I would say it is more than likely a false positive and you should allow this process to run.

    If you have another version of userinit.exe, it is quite likely it is a false positive since there appears to be a problem with the detection of userinit.exe within TeaTimer as malicious software and you should probably allow this process to run until a member of "Team Spybot" takes a look at the problem.

    Note #1: Any malware can be named anything - so you should check where the files of the running processes are located on your disk. If a "non-Microsoft" .exe file is located in the C:\Windows or C:\Windows\System32 folder, then there is a high risk for a virus, spyware, trojan or worm infection! That is why I published the properties of my copy of userinit.exe for comparison purposes.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
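
An added example, not part of any post in this thread: the comparison described in post #7 (size plus CRC-32, MD5 and SHA1 against a known copy) together with a check of the Winlogon Userinit value quoted in post #2. The reference values are the ones posted above; the function names, the comma-splitting of the registry value and the constructed value with a second entry are assumptions made for illustration.

```python
import hashlib
import zlib

# Values posted in this thread for userinit.exe 5.1.2600.2180 (XP SP2).
REFERENCE = {
    "size": 24576,
    "crc32": "CB56A6BF",
    "md5": "39B1FFB03C2296323832ACBAE50D2AFF",
    "sha1": "E5AEDCBE25A97C89101F1F3860FF846E94D70445",
}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
THREAD_VALUE = "C:\\WINDOWS\\system32\\userinit.exe,"       # value from post #2
CONSTRUCTED_VALUE = THREAD_VALUE + "C:\\WINDOWS\\example.exe"  # constructed sample


def fingerprint(path):
    """Return size, CRC-32, MD5 and SHA1 of a file (hex digests upper-cased)."""
    size, crc = 0, 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "crc32": f"{crc & 0xFFFFFFFF:08X}",
            "md5": md5.hexdigest().upper(), "sha1": sha1.hexdigest().upper()}


def mismatches(actual, reference=REFERENCE):
    """Fields that differ from the reference; an empty list means same content."""
    return [k for k in reference
            if str(actual.get(k)).upper() != str(reference[k]).upper()]


def extra_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Split the Userinit value on commas; return entries other than the expected path."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != expected]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to the userinit.exe copy to compare
        print("differs in:", mismatches(fingerprint(sys.argv[1])) or "nothing")
    print("unexpected Userinit entries:", extra_userinit_entries(THREAD_VALUE))
```

A matching size and hash set only shows the file has the same content as the copies posted here; the Userinit check is separate and flags anything launched alongside it at logon.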

  8. #8
    Senior Member
    Join Date: Oct 2005
    Posts: 144

    File: C:\WINDOWS\system32\userinit.exe
    Size: 24.0 KB (24,576 bytes)
    Created: Tuesday, August 03, 2004 11:56:58 PM
    Modified: Tuesday, August 03, 2004 11:56:58 PM
    File Version: 5.1.2600.2180
    CRC-32: CB56A6BF
    SHA1: E5AEDCBE25A97C89101F1F3860FF846E94D70445
    MD5: 39B1FFB03C2296323832ACBAE50D2AFF

    This is my info, which is WinXP Pro, SP2

  9. #9
    Buster (Member of Team Spybot)
    Join Date: Oct 2005
    Location: Bochum/Germany
    Posts: 389

    We will fix this false positive in the next detection update. Thanks for reporting!
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  10. #10
    Junior Member
    Join Date: Dec 2006
    Posts: 2

    I'm getting the userinit false positive too.
    I'm using the new spybot15beta tools, but I don't think that is the cause, looks like the definitions are wrong.

    md5sum of the file: 39b1ffb03c2296323832acbae50d2aff

    EDIT: looks like Buster posted while I was preparing the screenshots... I'm kinda busy here at work tho, delayed posting them for a bit.
    Last edited by galaad2; 2006-12-11 at 08:59.
