userint32.exe

Guest

I have several glitches in my system, one being that upon start up I get a
file saying do I wish to run userint32.exe. I click no and a second window
is there also. I also noticed on my anti-virus program kept saying yesterday
that userint32.exe was trying to access the internet, and that too I said
block too. Now I do not know much about computers but I do know that this is
not right.. could you please help?
 
Doug Knox MS-MVP

Userinit32.exe is not a valid Windows file. Reboot your computer in Safe Mode (press F8 between the BIOS Post screen and XP actually starting to load) and run your antivirus software from there. Additionally, ensure you update your antivirus definitions.
 
Guest

here's what it said.
___________
Logfile of HijackThis v1.99.1
Scan saved at 10:29:43 AM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec
Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft
Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) -
http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media
Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) -
http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) -
http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control)
- http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) -
http://www.drivershq.com/members/DD_v4_Member.CAB
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload
ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation -
C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec
Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

______________________
 
Guest

I also did a search telling the computer to find all hidden files and this is
what it came up with. I have to type all of this so please bear with any
typos

userint32.exe
userint32.exe-0A2F2573.pf
~~~~~
the rest are IE websites but I am including them just the same
~~~~~
SWI Forums - userint32.exe
results.aspx?srch=105&FORM=A55&q=what+is+userint
results.aspx?FORM+MSNH&srch_type=0&q=userint32
newsfram.aspx?query=userint32.exe&dg=microsoft.public.windowsxp
defalut.aspx?query=userint32
default.aspx?query=userint32.exe&dg=microsoft.public.windowsxp
newsframe.aspx?query=userint32
results.aspx?FORM=MSNH&srch_type=0&q=what+is+unserint32
results.aspx?q=userint32
MSN Search: what is userint32.exe
MSN Search: userint32.exe
MSN Search: userint32.exe
MSN Search: what is userint32.exe
MSN Search: what is userint32.exe
Search Results: userint32.exe
Search Results: userint32.exe
SWI Forums -> userint32.exe?
SWI Forums > Windows cannot find E:\windows\userint32.exe
~~~~~~~~~~~~~
All of this was found with the Windows desktop search engine. And I have
done what I can.. not to install the program but when I boot up the computer
instantly two open file windows pop up, both asking if I wish to run the
program userint32.exe and in both windows I get the option to run, save, or
cancel and in both windows, I used the cancel option. Should I save them to
a floppy and throw them away, hopefully ending the open window problem? I do
however know that it is not going to end the other problem of it actually
being on the computer but I do believe that is a starting point.. please let
me know if this is the right procedure at this point and also what to do about
the existing program.
thanks
 
Guest

I have the same problem, except when I deleted the file, it messed up my
computer, leaving me unable to log on because I would be automatically logged
off.
Then I had to call Gateway and do some kind of repair Windows installation.
So since just deleting it didn't work, how do I get rid of this?
It's putting tons of Alexa spyware on my computer.
 
Guest

Actually, I deleted it w/ HijackThis just now, and after I restarted my
computer, it was back.
 
Guest

I have also found that the one program that was actually installed in the
computer is set to block, which means it is keeping the computer from being
compromised further, but it is still in the computer, and HijackThis does not
see it, nor does Spyblaster, nor does SpyBot Search and Destroy, nor does
Norton Anti-virus other than stopping it from accessing the internet. But
when I reboot the computer there are still two open windows that pop up and
say that they want to be run, just like they were being downloaded from the
internet. Should I download them to a disk and just throw away the disk?
Thank you.
geanna
 
Doug Knox MS-MVP

Reina,

The solution to being able to remove this file requires booting from a bootable XP CD (your restore CD, if you have one, probably won't work). Once the boot process starts, you'll be given the option to Repair the XP installation. This actually takes you into Recovery Console. This is where you need to be.

You'll be given a list of possible installations to repair; in your case, there will probably only be one. Type in the number of the installation you want to fix. Then you'll be prompted for the Administrator password. This is the built-in Administrator account. If you don't know the password, just hit Enter. It's probably blank.

Once in Recovery Console, you'll be at the C:\Winnt or C:\Windows prompt. Type in DIR USERINIT32.EXE. If it finds the file then type in DEL USERINIT32.EXE. If it doesn't find the file, type in CD System32, and repeat the DIR and DEL commands.

Now, here's the important part. If you're not already in the System32 folder, go there using the CD System32 command. Next, enter COPY USERINIT.EXE USERINIT32.EXE.

Now, remove the CD and reboot your computer.

Once you're logged in, on an account with Administrator privileges, click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right pane, locate the Userinit value. It should read C:\Windows\System32\userinit.exe, or C:\Winnt\System32\userinit.exe, And yes, the commas are intentional. If not, double click the Userinit value and change it so that it's correct. Of course, if your XP installation happens to be on a drive other than C:, change the entry accordingly.
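
An added example, not part of the original posts: the Winlogon check described above, applied to HijackThis F2 lines such as the `Shell=` entry in the log posted earlier in this thread. The function names, the `system_root` parameter and the constructed `UserInit` sample line are assumptions of this example.

```python
import ntpath
import re

# HijackThis reports the Winlogon Shell and Userinit values as F2 lines.
F2_LINE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)

def winlogon_values_from_log(log_text):
    """Return {'shell': ..., 'userinit': ...} for the F2 lines present in a log."""
    found = {}
    for line in log_text.splitlines():
        m = F2_LINE.match(line.strip())
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found

def unexpected_shell(value):
    """The default Shell is the bare name Explorer.exe; return anything appended to it."""
    rest = value.strip()
    if rest.lower().startswith("explorer.exe"):
        rest = rest[len("explorer.exe"):]
    return rest.strip(" ,")

def unexpected_userinit(value, system_root=r"C:\Windows"):
    """Userinit is a comma-separated list; return entries that are not the
    userinit.exe in System32 under system_root (compared case-insensitively)."""
    good = ntpath.normcase(ntpath.join(system_root, "System32", "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.normcase(e) != good]

def report(log_text, system_root=r"C:\Windows"):
    """Summarise what each Winlogon value launches beyond the defaults."""
    vals = winlogon_values_from_log(log_text)
    return {
        "shell_extra": unexpected_shell(vals.get("shell", "explorer.exe")),
        "userinit_extra": unexpected_userinit(vals.get("userinit", ""), system_root),
    }

# The Shell line is copied from the log posted in this thread;
# the UserInit line is constructed for illustration.
SAMPLE = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\userint32.exe,"""

if __name__ == "__main__":
    print(report(SAMPLE))
```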
 
Guest

Doug,
I could not help but notice the file name that you are using is not the file
name that I am discussing.. the file name that you are using is
userinIT32.exe
this is not the file I am talking about.
geanna
 
Doug Knox MS-MVP

Sorry, I didn't notice the lack of the 3rd "I". Use the actual name of the file.
 
Guest

I found that the userint32.exe is actually part of the w32.ALLIM worm virus.
If you go to the Norton security site it will find it for you. Also if you
use HijackThis and do as it says, the Hkey's that you need to delete will
show up in it and you should be all done with it.
 
