Windows 2000 USERINIT.EXE - A new startup

  • Thread starter Thread starter ms
  • Start date Start date
M

ms

I normally have a very stable W2K system.

This AM, I ran a utility that removes all instances of McAfee products, I
didn't ever install McAfee, but the program instantly executed and was
not able to be stopped. It apparently didn't find anything.

But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup.

Below is the report on the USERINIT.EXE now in my system. I don't know if
it replaced an earlier version, as I never before had occasion to look at
it. The MD5 does not agree with a web site value I found.
-----------
File: C:\WINNT\system32\USERINIT.EXE
Size: 17680 bytes
File Version: 5.00.2195.6612
Modified: Thursday, June 19, 2003, 11:05:04 AM
MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
CRC32: 53C3D624
-----------

I searched the net and find 2 opinions, it is normal and leave it alone,
(if so why a startup now)

or- it is a virus and remove it. (replace with what?)

Question
What is the correct specs for USERINIT.EXE? If it is wrong, where to
locate a good version?

Is it a normal startup? And if so, why now?

Advice?

ms
 
"ms" <ms@invalid.com> wrote in message
news:6ati4dF3854ofU1@mid.individual.net...
>I normally have a very stable W2K system.
>
> This AM, I ran a utility that removes all instances of McAfee products, I
> didn't ever install McAfee, but the program instantly executed and was
> not able to be stopped. It apparently didn't find anything.
>
> But since then, I have a alert utility, and get frequent notices that
> USERINIT.EXE wants to be added to windows startup. I finally allowed it,
> rebooted, everything *seems* normal, but I am concerned, as W2K has daily
> cold booted fine for over 2 years w/o this startup.
>
> Below is the report on the USERINIT.EXE now in my system. I don't know if
> it replaced an earlier version, as I never before had occasion to look at
> it. The MD5 does not agree with a web site value I found.
> -----------
> File: C:\WINNT\system32\USERINIT.EXE
> Size: 17680 bytes
> File Version: 5.00.2195.6612
> Modified: Thursday, June 19, 2003, 11:05:04 AM
> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
> CRC32: 53C3D624
> -----------
>
> I searched the net and find 2 opinions, it is normal and leave it alone,
> (if so why a startup now)
>
> or- it is a virus and remove it. (replace with what?)
>
> Question
> What is the correct specs for USERINIT.EXE? If it is wrong, where to
> locate a good version?
>
> Is it a normal startup? And if so, why now?
>
> Advice?
>
> ms

Here are the details of the original Win2000 userinit.exe:
--a-- W32i APP ENU 5.0.2159.1 shp 17,168 11-30-1999 userinit.exe

The file gets executed each time you log on, i.e. after you have
entered your user-ID and password.
 
From: "ms" <ms@invalid.com>

| I normally have a very stable W2K system.
|
| This AM, I ran a utility that removes all instances of McAfee products, I
| didn't ever install McAfee, but the program instantly executed and was
| not able to be stopped. It apparently didn't find anything.
|
| But since then, I have a alert utility, and get frequent notices that
| USERINIT.EXE wants to be added to windows startup. I finally allowed it,
| rebooted, everything *seems* normal, but I am concerned, as W2K has daily
| cold booted fine for over 2 years w/o this startup.
|
| Below is the report on the USERINIT.EXE now in my system. I don't know if
| it replaced an earlier version, as I never before had occasion to look at
| it. The MD5 does not agree with a web site value I found.
| -----------
| File: C:\WINNT\system32\USERINIT.EXE
| Size: 17680 bytes
| File Version: 5.00.2195.6612
| Modified: Thursday, June 19, 2003, 11:05:04 AM
| MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
| SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
| CRC32: 53C3D624
| -----------
|
| I searched the net and find 2 opinions, it is normal and leave it alone,
| (if so why a startup now)
|
| or- it is a virus and remove it. (replace with what?)
|
| Question
| What is the correct specs for USERINIT.EXE? If it is wrong, where to
| locate a good version?
|
| Is it a normal startup? And if so, why now?
|
| Advice?
|
| ms
|

Unless it has been Trojanized (patched) it is legitimate.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:

> I normally have a very stable W2K system.
>
> This AM, I ran a utility that removes all instances of McAfee
> products, I didn't ever install McAfee, but the program instantly
> executed and was not able to be stopped. It apparently didn't find
> anything.
>
> But since then, I have a alert utility, and get frequent notices that
> USERINIT.EXE wants to be added to windows startup. I finally allowed
> it, rebooted, everything *seems* normal, but I am concerned, as W2K
> has daily cold booted fine for over 2 years w/o this startup.
>
> Below is the report on the USERINIT.EXE now in my system. I don't know
> if it replaced an earlier version, as I never before had occasion to
> look at it. The MD5 does not agree with a web site value I found.
> -----------
> File: C:\WINNT\system32\USERINIT.EXE
> Size: 17680 bytes
> File Version: 5.00.2195.6612
> Modified: Thursday, June 19, 2003, 11:05:04 AM
> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
> CRC32: 53C3D624
> -----------
>
> I searched the net and find 2 opinions, it is normal and leave it
> alone, (if so why a startup now)
>
> or- it is a virus and remove it. (replace with what?)
>
> Question
> What is the correct specs for USERINIT.EXE? If it is wrong, where to
> locate a good version?
>
> Is it a normal startup? And if so, why now?
>
> Advice?
>
> ms
>
>
Thanks to all.

I had in Winnt\NT Service Pack Uninstall folder:
userinit.exe 2195.3649 17,680 7/22/02

In Winnt\Service Pack\386 folder:
userinit.exe 2195.6612 17,680 6/17/03

Neither is exactly the one mentioned in Pegasus's post.

Which one is better to use in C:\WINNT\system32\ ?

I did not understand this in that post: --a-- W32i APP ENU, is this a
location on the CD?

The other question remains: if this is updated every time I log in, why
was it suddenly a startup when never before? and is that OK?

Thanks

ms
 
See below.

"ms" <ms@invalid.com> wrote in message
news:6b04o8F39ebdjU1@mid.individual.net...
> ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:
>
>> I normally have a very stable W2K system.
>>
>> This AM, I ran a utility that removes all instances of McAfee
>> products, I didn't ever install McAfee, but the program instantly
>> executed and was not able to be stopped. It apparently didn't find
>> anything.
>>
>> But since then, I have a alert utility, and get frequent notices that
>> USERINIT.EXE wants to be added to windows startup. I finally allowed
>> it, rebooted, everything *seems* normal, but I am concerned, as W2K
>> has daily cold booted fine for over 2 years w/o this startup.
>>
>> Below is the report on the USERINIT.EXE now in my system. I don't know
>> if it replaced an earlier version, as I never before had occasion to
>> look at it. The MD5 does not agree with a web site value I found.
>> -----------
>> File: C:\WINNT\system32\USERINIT.EXE
>> Size: 17680 bytes
>> File Version: 5.00.2195.6612
>> Modified: Thursday, June 19, 2003, 11:05:04 AM
>> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
>> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
>> CRC32: 53C3D624
>> -----------
>>
>> I searched the net and find 2 opinions, it is normal and leave it
>> alone, (if so why a startup now)
>>
>> or- it is a virus and remove it. (replace with what?)
>>
>> Question
>> What is the correct specs for USERINIT.EXE? If it is wrong, where to
>> locate a good version?
>>
>> Is it a normal startup? And if so, why now?
>>
>> Advice?
>>
>> ms
>>
>>
> Thanks to all.
>
> I had in Winnt\NT Service Pack Uninstall folder:
> userinit.exe 2195.3649 17,680 7/22/02
>
> In Winnt\Service Pack\386 folder:
> userinit.exe 2195.6612 17,680 6/17/03
>
> Neither is exactly the one mentioned in Pegasus's post.

*** This is probably due to mine being the original CD version
*** whereas yours has been updated by service packs.

> Which one is better to use in C:\WINNT\system32\ ?

*** Use the one you have. It is most likely the current version.

> I did not understand this in that post: --a-- W32i APP ENU, is this a
> location on the CD?

*** It is what filever.exe reports. "W32i" probably means "Windows
*** 32 bits Intel", "App" I don't know and "ENU" is probably
*** "English Update".

> The other question remains: if this is updated every time I log in, why
> was it suddenly a startup when never before? and is that OK?

*** What makes you think it gets updated each time you log on?
*** What do you mean with "it was suddenly a startup"?

> Thanks

*** You're welcome.
 
"Pegasus \(MVP\)" <I.can@fly.com.oz> wrote in news:ur9XplNyIHA.552
@TK2MSFTNGP06.phx.gbl:

> See below.
>
> "ms" <ms@invalid.com> wrote in message
> news:6b04o8F39ebdjU1@mid.individual.net...
>> ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:
>>
>>> I normally have a very stable W2K system.
>>>
>>> This AM, I ran a utility that removes all instances of McAfee
>>> products, I didn't ever install McAfee, but the program instantly
>>> executed and was not able to be stopped. It apparently didn't find
>>> anything.
>>>
>>> But since then, I have a alert utility, and get frequent notices that
>>> USERINIT.EXE wants to be added to windows startup. I finally allowed
>>> it, rebooted, everything *seems* normal, but I am concerned, as W2K
>>> has daily cold booted fine for over 2 years w/o this startup.
>>>
>>> Below is the report on the USERINIT.EXE now in my system. I don't
know
>>> if it replaced an earlier version, as I never before had occasion to
>>> look at it. The MD5 does not agree with a web site value I found.
>>> -----------
>>> File: C:\WINNT\system32\USERINIT.EXE
>>> Size: 17680 bytes
>>> File Version: 5.00.2195.6612
>>> Modified: Thursday, June 19, 2003, 11:05:04 AM
>>> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48
>>> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C
>>> CRC32: 53C3D624
>>> -----------
>>>
>>> I searched the net and find 2 opinions, it is normal and leave it
>>> alone, (if so why a startup now)
>>>
>>> or- it is a virus and remove it. (replace with what?)
>>>
>>> Question
>>> What is the correct specs for USERINIT.EXE? If it is wrong, where to
>>> locate a good version?
>>>
>>> Is it a normal startup? And if so, why now?
>>>
>>> Advice?
>>>
>>> ms
>>>
>>>
>> Thanks to all.
>>
>> I had in Winnt\NT Service Pack Uninstall folder:
>> userinit.exe 2195.3649 17,680 7/22/02
>>
>> In Winnt\Service Pack\386 folder:
>> userinit.exe 2195.6612 17,680 6/17/03
>>
>> Neither is exactly the one mentioned in Pegasus's post.
>
> *** This is probably due to mine being the original CD version
> *** whereas yours has been updated by service packs.
>
>> Which one is better to use in C:\WINNT\system32\ ?
>
> *** Use the one you have. It is most likely the current version.
>
>> I did not understand this in that post: --a-- W32i APP ENU, is this a
>> location on the CD?
>
> *** It is what filever.exe reports. "W32i" probably means "Windows
> *** 32 bits Intel", "App" I don't know and "ENU" is probably
> *** "English Update".
>
>> The other question remains: if this is updated every time I log in,
why
>> was it suddenly a startup when never before? and is that OK?
>
> *** What makes you think it gets updated each time you log on?
> *** What do you mean with "it was suddenly a startup"?
>
>> Thanks
>
> *** You're welcome.
>
>
I mis-spoke. You said:
"The file gets executed each time you log on, i.e. after you have
entered your user-ID and password."

In my OP:
"But since then, I have a alert utility, and get frequent notices that
USERINIT.EXE wants to be added to windows startup. I finally allowed it,
rebooted, everything *seems* normal, but I am concerned, as W2K has daily
cold booted fine for over 2 years w/o this startup. "

If it was not a *startup* entry for about 3 years, and is a normal file,
why now?. I notice it is a running service. (Autoruns) I don't see it in
any of my startup process utilities.

ms
 

> I mis-spoke. You said:
> "The file gets executed each time you log on, i.e. after you have
> entered your user-ID and password."
>
> In my OP:
> "But since then, I have a alert utility, and get frequent notices that
> USERINIT.EXE wants to be added to windows startup. I finally allowed it,
> rebooted, everything *seems* normal, but I am concerned, as W2K has daily
> cold booted fine for over 2 years w/o this startup. "
>
> If it was not a *startup* entry for about 3 years, and is a normal file,
> why now?. I notice it is a running service. (Autoruns) I don't see it in
> any of my startup process utilities.
>
> ms

Sorry, I cannot comment on your observation. I am not familiar
with your "alert" facility but I suspect that it is alerting you about
a non-existent danger.
 
"Pegasus \(MVP\)" <I.can@fly.com.oz> wrote in
news:OUy1hYSyIHA.5472@TK2MSFTNGP06.phx.gbl:

>
>> I mis-spoke. You said:
>> "The file gets executed each time you log on, i.e. after you have
>> entered your user-ID and password."
>>
>> In my OP:
>> "But since then, I have a alert utility, and get frequent notices
>> that USERINIT.EXE wants to be added to windows startup. I finally
>> allowed it, rebooted, everything *seems* normal, but I am concerned,
>> as W2K has daily cold booted fine for over 2 years w/o this startup.
>> "
>>
>> If it was not a *startup* entry for about 3 years, and is a normal
>> file, why now?. I notice it is a running service. (Autoruns) I don't
>> see it in any of my startup process utilities.
>>
>> ms
>
> Sorry, I cannot comment on your observation. I am not familiar
> with your "alert" facility but I suspect that it is alerting you about
> a non-existent danger.
>
>
>
At this point, user logon is normal, else is normal. My startup utilities
don't recognize anything unusual, so I guess OK.

BTW, my "alert" utility is WinPatrol, a fine process control application.

Thank you for the help in this thread. My only remaining task in W2K/SP4
is to save my data and then finally install the old rollup patch. Due to
my browsing habits, missing security patches haven't caused problems.

ms
 
Pegasus wrote
> *** It is what filever.exe reports. "W32i" probably means "Windows
> *** 32 bits Intel", "App" I don't know and "ENU" is probably
> *** "English Update".

Actually, "ENU" stands for English (USA) - "ENG" would be English (GB),
and so on...

Cheers

--
Steph
 
Back
Top