Can't remove userinit trojan horse

Every time I boot, the file userinit.exe appears in the root directory and in the startup folder of the start menu, and is a running process. AdawareSE, Spybot 1.4, AVG Anti-spyware, AVG 7.5 and Easycleaner are my normal tools that are ineffective in this case. A useful remedy would be greatly appreciated!

After userinit was removed by threatfire, my system (running under XP Pro) simply re-boots as soon as the user or admin password has been entered. Even safe mode will not come up.

I have a second boot (an earlier version of Win XP Pro) which boots fine. Running AVG, PCTools AV and ThreatFire have not found a solution.

Any ideas please? Other than the obvious one of re-formatting and re-installing Windows.

Anonymous

Just wondering: how do you know it's a trojan horse? Have you tested CRC with the runscanner app? What's the result? It seems to me that if the only thing you want to do is to disable the automatic startup, you can use msconfig, Sysinternals Autoruns or any other startup manager for that purpose.

As far as I know the legitimate userinit.exe program is supposed to reside in the windows/system32 directory. The userinit.exe program on my son's system is in the startup folder in the start menu and in the root directory. I erase them and they re-appear after booting.

I'm not familiar with the runscanner app. I will give it a try.
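The point raised above, that the legitimate userinit.exe lives in windows\system32 and any copy in the drive root or the Start Menu startup folder is suspect, can be turned into a simple check: find every file named userinit.exe, hash it, and compare it with the system32 copy. The script below is an added example, not code from the thread or from any of the tools named in it; the directory tree it builds is constructed to mirror the poster's description, and the file contents are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_userinit_copies(root, legit_path):
    """Locate every userinit.exe under root and classify it against the copy at legit_path.

    Verdicts: 'expected' (the system32 copy itself), 'identical_copy_outside_system32'
    (same bytes as system32, but placed where it should not be) or 'different_binary'
    (a different file using the legitimate name, the case that needs investigation).
    """
    root = Path(root)
    legit = Path(legit_path).resolve()
    legit_hash = sha256_of(legit)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.name.lower() != "userinit.exe":
            continue
        rel = p.relative_to(root).as_posix()
        if p.resolve() == legit:
            findings.append((rel, "expected"))
        elif sha256_of(p) == legit_hash:
            findings.append((rel, "identical_copy_outside_system32"))
        else:
            findings.append((rel, "different_binary"))
    return findings

def build_sample_tree():
    """Constructed stand-in for the poster's drive (hypothetical contents): the system32
    copy plus the two stray copies the thread describes, in the drive root and in the
    All Users startup folder."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "WINDOWS" / "system32"
    startup = root / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
    sys32.mkdir(parents=True)
    startup.mkdir(parents=True)
    (sys32 / "userinit.exe").write_bytes(b"MZ-legit-userinit-placeholder")
    (root / "userinit.exe").write_bytes(b"MZ-unknown-binary-placeholder")
    (startup / "userinit.exe").write_bytes(b"MZ-legit-userinit-placeholder")
    return root, sys32 / "userinit.exe"

def demo():
    """Run the audit over the constructed tree; returns {relative path: verdict}."""
    root, legit = build_sample_tree()
    return dict(audit_userinit_copies(root, legit))

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:35} {path}")
```

On a real machine you would point audit_userinit_copies at the drive root and at C:\WINDOWS\system32\userinit.exe; a 'different_binary' verdict is the one worth submitting to your scanner vendors, and even an identical copy outside system32 explains nothing about who keeps putting it there, which is what a startup manager such as Autoruns is for.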

I don't use userinit, I was just asking. But usually apps DON'T reside in the /system32, but in the /program files folder. It seems to me you must improve your defense A LOT, I would see - at least - this site's firewall, antivirus and antispyware sections. With antivirus and antispyware it's important you keep them updated, and Windows should also be properly patched.

Hi

I think an outbound firewall is not necessary for most users, unless it also has a HIPS component. Too much trouble and too little gain in protection. A good preventive strategy like a sandbox (Sandboxie, GesWall, maybe HauteSecure) with a behavioural blocker (ThreatFire, DriveSentry, DSA, or HIPS with firewalls like Online Armor) with an anti-virus and a few on-demand scanners is a light and easy to use setup which is very secure. And yes, as you said, updating like with Secunia and Windows Update.

I downloaded SAS as suggested, ran it and deleted all of the numerous files it found. Now my system won't boot. When attempting reboot, I get the blue screen with the following message:
stop: C0000135 {Unable to locate Component}
This application has failed to start because baseiobs32 was not found. Re-installing the application may fix the problem.

Have any SAS users had it go too far? What did you do to recover your installation?

Hi

One option is just reinstall Windows again. With a computer full of malware and errors it could actually be easier than fixing it all up.

Try to boot in safe mode (F8 while booting) before reinstallation, and then use System Restore. Do you have a Windows CD? Try the startup repair - not sure if this is available in XP - and if that doesn't work, use System Restore from the CD.

But I also agree with Someone.

The system won't boot in safe mode so that's not an option. I have an early OEM XP disk. System recovery is supposed to be iffy with OEM OS disks. Re-install is painful. I'm thinking to try making a UBCD4win boot disk per an article on this site. I'll need to make the disk on another system. I'm not sure if the disk will be portable.

It may be that the system is infected, but it wasn't any infection that put me in this predicament. It was using SAS. SAS recommended that I eliminate a file or files that caused the system to be unable to boot even in safe mode. I'm going to think twice about using SAS in the future.

I haven't experienced any problem with SAS, but I NEVER get any nasties while scanning. That problem is not specific to SAS, ANY state-of-the-art anti-malware can do that; although they are extensively tested they are not 100% risk free. If I were you I would think about a good defense instead, because "prevention is better than the cure".

Hi

Well the user will need to fix the current problem before they focus on the prevention.

Of course!

I would start updating those tools and scanning again. If that doesn't work try SAS and/or MBAM.
