Is it OK to let Malwarebytes - "Remove" c:\windows\system32\userinit.exe ?


1 reply to this topic

#1
Mel_3

    New Member

  • Members
  • 26 posts
- If this is not the correct forum for this please direct me and I will repost - thanks

- I'm running XP-Pro and latest Malwarebytes with latest updates
- I read the instructions at "I'm infected. What do I do now?"
- Malwarebytes reported...

===== Start Report =====

Multiple threat dection
Infection list:
1
File name: c:\windows\system32\userinit.ece
Threat name: Trojan horse Downloader.Agent.ATHF
Detected on open
2
File name: c:\windows\system32\userinit.ece
Threat name: Trojan horse Downloader.Agent.ATHF
Detected on open
Details:
1 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe
Process ID: 4476
2 Process Name: C:\Malwarebyes' Anti-Malware\mbam.exe
Process ID: 2304

===== End Report =====

- I chose "Ignore" (because I had read somewhere else that "removing" userinit.exe would prevent you from logging on later)
- Then Malwarebytes reported the scan was complete and showed two registry errors
- (BUT no file errors... which seems to conflict with the report above)
- Should I have chosen "Remove threat as Power User", or was it correct to choose "Ignore"?

Here is the log:

===== Log start =====
Malwarebytes' Anti-Malware 1.33
Database version: 1687
Windows 5.1.2600 Service Pack 3

1/26/2009 10:11:44 AM
mbam-log-2009-01-26 (10-11-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 167717
Time elapsed: 47 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===== Log end =====

- Should I choose "Remove Selected" for the two registry keys shown above?
- How can I get this Trojan off this machine? I read that fixing the file userinit.exe is difficult and risky. Some say run sfc.exe /scannow with the original XP Pro CD in the machine... but this Toshiba laptop only comes with an "image", and Toshiba told me it will only restore the entire system... so I lose data and have to reinstall all apps.

Thanks for any help on this.
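The two "Registry Data Items" in the log above are the Winlogon\Userinit value, which names the program Winlogon launches at every logon. Malware commonly appends its own executable to that value, which is why scanners flag it, and why blindly deleting the value (or the genuine userinit.exe) leaves a machine that can no longer log on. The script below is an added example, not code from the original poster or from Malwarebytes. It reads the value, checks that it resolves to a single userinit.exe in the expected System32 location, and reports the file's Authenticode status and SHA-256 so the result can be compared against a known-good copy before any removal is decided. The expected default path and the trailing-comma format are the standard Windows defaults; everything else is computed from the live system.

```powershell
# Added example: audit the Winlogon\Userinit value flagged in the log.
# Not from the original post or from Malwarebytes; run from an elevated PowerShell prompt.
# A clean system has exactly one entry, the Microsoft-signed userinit.exe in System32,
# with nothing appended after it.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'   # default logon program

$value = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
Write-Host "Userinit value : '$value'"

# The default is "<SystemRoot>\system32\userinit.exe," (note the trailing comma).
# Split on commas; every remaining entry is a program Winlogon will start at logon.
$entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries.Count -ne 1) {
    Write-Warning "Expected one entry, found $($entries.Count). Extra entries run at every logon."
}

foreach ($entry in $entries) {
    # Expand environment variables and relative forms such as 'system32\userinit.exe'
    # (the second log line shows that relative form).
    $path = [Environment]::ExpandEnvironmentVariables($entry)
    if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }

    if ($path -ieq $expected) {
        Write-Host "Entry '$entry' resolves to the default userinit.exe path."
    } else {
        Write-Warning "Entry '$entry' resolves to '$path', which is NOT the default path."
    }

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "File '$path' does not exist; logon would fail if this were the only entry."
        continue
    }

    # A genuine userinit.exe is signed by Microsoft (embedded or via a catalog file).
    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no signer certificate' }
    Write-Host ("Signature      : {0} ({1})" -f $sig.Status, $subject)
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)'; compare the hash below against a known-good copy before acting."
    }

    # SHA-256 via .NET so the check also works on PowerShell versions without Get-FileHash.
    $sha = [Security.Cryptography.SHA256]::Create()
    $stream = [IO.File]::OpenRead($path)
    try { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
    Write-Host "SHA-256        : $hash"
}
```

On Windows XP most system binaries carry a catalog signature rather than an embedded one, and older PowerShell versions do not consult catalogs, so a "NotSigned" status there is not by itself evidence of tampering; the hash compared against the same file from a known-clean installation of the same service pack is the reliable check. A second entry after the comma, or a userinit.exe outside System32, is the finding that actually matters.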

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Please post in the HJT forum here: http://www.malwareby...php?showforum=7

MBAM should not remove it, but don't tell it to just in case. We'll use Combofix to try and repair it.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.
