Forum
Comments:
-
- on Wed 29 Apr 2009
- 03:26:09 AM UTC
location
locations in Windows are:
C:\WINDOWS\system32
C:\WINDOWS\ServicePackFiles\i386
My advice would be to:
verify the servicePack file location FIRST :-)
if exist, then:
turn off PC
restart in Command Prompt mode
delete the file in windows/system32
then copy from ServicePackFiles\i386 folder and paste into system32 folder.
shutdown, restart.
-------
Against Intuition - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
G7W {G.O.M}
http://g7w.net/ -
- on Wed 29 Apr 2009
- 05:09:47 AM UTC
SP2
You can Google for an SP3 version, but I did find an
SP2 version here
-------
Against Intuition - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
G7W {G.O.M}
http://g7w.net/ -
- on Wed 29 Apr 2009
- 04:05:31 AM UTC
That's a nasty infection
It usually needs a strong tool like ComboFix and the assistance of an expert that knows how to read the ComboFix log.
The experts at Malwarebytes are good at removing this infection:
http://www.malwarebytes.org/forums/index.php?showf...
Read and follow the directions: "I'm infected - What do I do now?" -
- on Wed 29 Apr 2009
- 04:32:07 AM UTC
Well...
For the moment, the immediate priority is restoring a clean version of userinit.exe. Afterwards, I'll have him/her run HijackThis to help detect any additional malware and GMER to detect any rootkits. ComboFix is not in the plans at this time but we'll see...
The user has already run quick and full scans with Malwarebytes' Anti-Malware and SUPERAntiSpyware. He/she installed Avira AntiVir Free today and said that he/she had begun a full scan so I'm awaiting those results.
I'm trying not to move too quickly as rushing could have consequences...
-
- on Wed 29 Apr 2009
- 04:58:09 PM UTC
Dr Web
Grab the free Dr Web CureIt. It will "cure" the infected userinit.exe without deleting it like some other antivirus will try to do.
In the Dr Web results look for win32.virut entries, which are associated with the userinit.exe infections that are around right now. If it's Virut then suggest a reformat and reinstall.
-
- on Wed 29 Apr 2009
- 10:16:01 PM UTC
Re: Dr. Web
The user is replacing the infected userinit.exe with a clean version from C:\WINDOWS\ServicePackFiles\i386. I do like Dr. Web though. :-)

Infected "userinit.exe"
I recently helped a Wikipedia user clean up some nasty rogueware infections. [Spyware Protect 2009] They were running AVG Free which they are replacing with Avira AntiVir Free today. ;)
However, AVG did pick an infected userinit.exe file. The detected threat was "Virus identified Win32/Cryptor". Userinit.exe is a critical Windows system file that is required for login. AVG had the file whitelisted so it did not attempt to delete it or quarantine it.
However the user lacks a Windows Install CD (They are running Windows XP Service Pack 3) so repairing system files via a reinstall of the Windows system files is not an option.
Does anyone know of a good clean downloadable version of userinit.exe? The user has a Sony VAIO laptop from 2007, model VGN-FE790.
Almost all the malware on his/her computer is now however. ;) Malwarebytes' Anti-Malware and SUPERAntiSpyware worked their magic.
I have already given recommendations of software and tips to the user to help prevent future infections.
I commend the user for remaining calm and performing the clean-up excellently. :D
I have considered the possibility of another AVG false positive (AVG Free detected a safe VAIO hotkey process as a potential backdoor Trojan on this user's computer) so I have asked the user to upload the userinit.exe to VirusTotal and to then post the URL of the scan results. I will post that here the moment the user posts it on Wikipedia.
To help maintain privacy, I have not provided the user's name nor my identity on Wikipedia. :P Thanks in advance!
--Edit--
The VirusTotal scan: http://www.virustotal.com/analisis/e02137ab0e99d09...
—Xp54321