Virus False Alarm? wuauclt userinit32.exe

TheRedSunRiseth

Hello,

I am running WinXP Pro with all the patches done except for SP2.

I turned off Windows autoupdate in services.msc and in the control panel but
wuauclt.exe kept on popping up.

I thought I had a virus and did a scan with TrendMicro, Panda, AVG etc. and
they all reported negative results.

My system seems fine... except for perhaps a little slow at bootup this
week.

I did a Google search and found that one site considered it a backdoor virus
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html
and
http://securityresponse.symantec.com/avcenter/venc/data/w32.petch.html
1. Changes the value to:

"Userinit"="C:\Windows\system32\userinit32.exe"
in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

I did a registry search and everything came up negative - no reference to
wuauclt.exe anywhere except for esent and search assistant.

However, I did find a reference to the userinit32.exe in the registry - see
above. So I guess I could have the w32 petch virus. But I couldn't find the
file on my computer.

Has my system been compromised?

(I am running an XP Pro computer with cable modem + ZoneAlarmPro5 firewall
+ TrojanHunter + AVG)
 
TheRedSunRiseth

I found the registry entry

C:\WINDOWS\system32\userinit.exe,

in the winnt logon section.

I can't find any traces of the userinit.exe file in the computer. Should I
delete the entry from the registry then?
 
null

Upload or email the wuauclt.exe file for scanning here:

http://www.virustotal.com/flash/index_en.html

Let us know what is found.


Art
http://www.epix.net/~artnpeg
 
Mike Dimmick

TheRedSunRiseth said:
I found the registry entry

C:\WINDOWS\system32\userinit.exe,

in the winnt logon section.

I can't find any traces of the userinit.exe file in the computer. Should I
delete the entry from the registry then?

No, definitely not. That process loads your registry data from your user
profile, then loads your shell (probably Explorer). If you delete this key,
you can get to the login prompt, but after that nothing will happen.
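
A read-only check of the Userinit value discussed in this thread, as an added PowerShell example that is not part of any post above. The function name Test-UserinitValue is hypothetical, and the expected default is assumed from the entry quoted in the thread (userinit.exe under the Windows system32 directory).

```powershell
# Added example: audit the Winlogon Userinit value without modifying it.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: the stock entry is userinit.exe in the system32 directory.
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

function Test-UserinitValue {   # hypothetical helper name
    param([string]$Value, [string]$Expected)
    # Userinit is a comma-separated list of programs Winlogon starts at logon.
    # The stock value ends with a trailing comma, so empty items are dropped.
    $entries = $Value.Split(',') |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }
    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        [pscustomobject]@{
            Entry      = $entry
            IsExpected = ($path -ieq $Expected)   # case-insensitive path match
            FileExists = Test-Path -LiteralPath $path -PathType Leaf
        }
    }
}

# 1) The value actually present on this machine.
$current = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$live = @(Test-UserinitValue -Value $current -Expected $expected)
$live | Format-Table -AutoSize

# Anything other than the single expected entry deserves a closer look.
if ($live.Count -ne 1 -or -not $live[0].IsExpected) {
    Write-Warning "Userinit is not the expected single entry: $current"
}

# 2) The modified value quoted in the first post, fed to the same check.
#    It is reported with IsExpected = False.
$quoted = 'C:\Windows\system32\userinit32.exe'
Test-UserinitValue -Value $quoted -Expected $expected | Format-Table -AutoSize
```

Because Test-Path asks the file system directly, the FileExists column does not depend on Explorer's search or hidden-file settings.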
 
