Posted

I normally have a very stable W2K system.

 

This AM, I ran a utility that removes all instances of McAfee products, I

didn't ever install McAfee, but the program instantly executed and was

not able to be stopped. It apparently didn't find anything.

 

But since then, I have an alert utility, and get frequent notices that

USERINIT.EXE wants to be added to windows startup. I finally allowed it,

rebooted, everything *seems* normal, but I am concerned, as W2K has daily

cold booted fine for over 2 years w/o this startup.

 

Below is the report on the USERINIT.EXE now in my system. I don't know if

it replaced an earlier version, as I never before had occasion to look at

it. The MD5 does not agree with a web site value I found.

-----------

File: C:\WINNT\system32\USERINIT.EXE

Size: 17680 bytes

File Version: 5.00.2195.6612

Modified: Thursday, June 19, 2003, 11:05:04 AM

MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

CRC32: 53C3D624

-----------

 

I searched the net and find 2 opinions, it is normal and leave it alone,

(if so why a startup now)

 

or- it is a virus and remove it. (replace with what?)

 

Question

What are the correct specs for USERINIT.EXE? If it is wrong, where to

locate a good version?

 

Is it a normal startup? And if so, why now?

 

Advice?

 

ms

Guest Pegasus (MVP)
Posted

Re: USERINIT.EXE - A new startup

 

 

"ms" <ms@invalid.com> wrote in message

news:6ati4dF3854ofU1@mid.individual.net...

>I normally have a very stable W2K system.

>

> This AM, I ran a utility that removes all instances of McAfee products, I

> didn't ever install McAfee, but the program instantly executed and was

> not able to be stopped. It apparently didn't find anything.

>

> But since then, I have a alert utility, and get frequent notices that

> USERINIT.EXE wants to be added to windows startup. I finally allowed it,

> rebooted, everything *seems* normal, but I am concerned, as W2K has daily

> cold booted fine for over 2 years w/o this startup.

>

> Below is the report on the USERINIT.EXE now in my system. I don't know if

> it replaced an earlier version, as I never before had occasion to look at

> it. The MD5 does not agree with a web site value I found.

> -----------

> File: C:\WINNT\system32\USERINIT.EXE

> Size: 17680 bytes

> File Version: 5.00.2195.6612

> Modified: Thursday, June 19, 2003, 11:05:04 AM

> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

> CRC32: 53C3D624

> -----------

>

> I searched the net and find 2 opinions, it is normal and leave it alone,

> (if so why a startup now)

>

> or- it is a virus and remove it. (replace with what?)

>

> Question

> What is the correct specs for USERINIT.EXE? If it is wrong, where to

> locate a good version?

>

> Is it a normal startup? And if so, why now?

>

> Advice?

>

> ms

 

Here are the details of the original Win2000 userinit.exe:

--a-- W32i APP ENU 5.0.2159.1 shp 17,168 11-30-1999 userinit.exe

 

The file gets executed each time you log on, i.e. after you have

entered your user-ID and password.

Guest David H. Lipman
Posted

Re: USERINIT.EXE - A new startup

 

From: "ms" <ms@invalid.com>

 

| I normally have a very stable W2K system.

|

| This AM, I ran a utility that removes all instances of McAfee products, I

| didn't ever install McAfee, but the program instantly executed and was

| not able to be stopped. It apparently didn't find anything.

|

| But since then, I have a alert utility, and get frequent notices that

| USERINIT.EXE wants to be added to windows startup. I finally allowed it,

| rebooted, everything *seems* normal, but I am concerned, as W2K has daily

| cold booted fine for over 2 years w/o this startup.

|

| Below is the report on the USERINIT.EXE now in my system. I don't know if

| it replaced an earlier version, as I never before had occasion to look at

| it. The MD5 does not agree with a web site value I found.

| -----------

| File: C:\WINNT\system32\USERINIT.EXE

| Size: 17680 bytes

| File Version: 5.00.2195.6612

| Modified: Thursday, June 19, 2003, 11:05:04 AM

| MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

| SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

| CRC32: 53C3D624

| -----------

|

| I searched the net and find 2 opinions, it is normal and leave it alone,

| (if so why a startup now)

|

| or- it is a virus and remove it. (replace with what?)

|

| Question

| What is the correct specs for USERINIT.EXE? If it is wrong, where to

| locate a good version?

|

| Is it a normal startup? And if so, why now?

|

| Advice?

|

| ms

|

 

Unless it has been Trojanized (patched) it is legitimate.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

Re: USERINIT.EXE - A new startup

 

ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:

> I normally have a very stable W2K system.

>

> This AM, I ran a utility that removes all instances of McAfee

> products, I didn't ever install McAfee, but the program instantly

> executed and was not able to be stopped. It apparently didn't find

> anything.

>

> But since then, I have a alert utility, and get frequent notices that

> USERINIT.EXE wants to be added to windows startup. I finally allowed

> it, rebooted, everything *seems* normal, but I am concerned, as W2K

> has daily cold booted fine for over 2 years w/o this startup.

>

> Below is the report on the USERINIT.EXE now in my system. I don't know

> if it replaced an earlier version, as I never before had occasion to

> look at it. The MD5 does not agree with a web site value I found.

> -----------

> File: C:\WINNT\system32\USERINIT.EXE

> Size: 17680 bytes

> File Version: 5.00.2195.6612

> Modified: Thursday, June 19, 2003, 11:05:04 AM

> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

> CRC32: 53C3D624

> -----------

>

> I searched the net and find 2 opinions, it is normal and leave it

> alone, (if so why a startup now)

>

> or- it is a virus and remove it. (replace with what?)

>

> Question

> What is the correct specs for USERINIT.EXE? If it is wrong, where to

> locate a good version?

>

> Is it a normal startup? And if so, why now?

>

> Advice?

>

> ms

>

>

Thanks to all.

 

I had in Winnt\NT Service Pack Uninstall folder:

userinit.exe 2195.3649 17,680 7/22/02

 

In Winnt\Service Pack\386 folder:

userinit.exe 2195.6612 17,680 6/17/03

 

Neither is exactly the one mentioned in Pegasus's post.

 

Which one is better to use in C:\WINNT\system32\ ?

 

I did not understand this in that post: --a-- W32i APP ENU, is this a

location on the CD?

 

The other question remains: if this is updated every time I log in, why

was it suddenly a startup when never before? and is that OK?

 

Thanks

 

ms
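Two checks that bear on the questions in this thread, as an added example that is not part of the original posts: auditing the Winlogon `Userinit` registry value (under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, which lists what runs at logon) for entries other than userinit.exe, and comparing the installed file with a reference copy by hash rather than by size and version. The expected path, the sample registry strings and the stand-in file bytes are constructed assumptions.

```python
import hashlib
import ntpath
import os
import tempfile

# Assumption: stock Windows 2000 path, matching the C:\WINNT paths in the thread.
EXPECTED = r"C:\WINNT\system32\userinit.exe"

def audit_userinit_value(value, expected=EXPECTED):
    """Return entries in a Winlogon 'Userinit' value other than the expected binary.

    The value is a comma-separated list of programs started at logon; anything
    besides the expected full path (including a bare file name) is returned for review.
    """
    want = ntpath.normcase(ntpath.normpath(expected))
    extra = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.normcase(ntpath.normpath(entry)) != want:
            extra.append(entry)
    return extra

def sha256_of(path, chunk=65536):
    """Hash a file in chunks and return the upper-case hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()

def compare_copies(installed, reference):
    """Return (same_size, same_hash) for the installed file and a reference copy."""
    same_size = os.path.getsize(installed) == os.path.getsize(reference)
    return same_size, sha256_of(installed) == sha256_of(reference)

def demo():
    """Constructed stand-in files (not real userinit.exe bytes): equal size, one byte changed."""
    with tempfile.TemporaryDirectory() as tmp:
        installed = os.path.join(tmp, "installed.bin")
        reference = os.path.join(tmp, "reference.bin")
        with open(reference, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 62)
        with open(installed, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 61 + b"\x01")
        return compare_copies(installed, reference)

if __name__ == "__main__":
    print(audit_userinit_value(r"C:\WINNT\system32\userinit.exe,"))
    print(audit_userinit_value(r"c:\winnt\system32\userinit.exe,C:\WINNT\temp\sample.exe"))
    print(demo())
```

A reference copy kept on the same disk can have been altered along with the installed file, so a copy taken from the original service pack media is the stronger baseline.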

Guest Pegasus (MVP)
Posted

Re: USERINIT.EXE - A new startup

 

See below.

 

"ms" <ms@invalid.com> wrote in message

news:6b04o8F39ebdjU1@mid.individual.net...

> ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:

>

>> I normally have a very stable W2K system.

>>

>> This AM, I ran a utility that removes all instances of McAfee

>> products, I didn't ever install McAfee, but the program instantly

>> executed and was not able to be stopped. It apparently didn't find

>> anything.

>>

>> But since then, I have a alert utility, and get frequent notices that

>> USERINIT.EXE wants to be added to windows startup. I finally allowed

>> it, rebooted, everything *seems* normal, but I am concerned, as W2K

>> has daily cold booted fine for over 2 years w/o this startup.

>>

>> Below is the report on the USERINIT.EXE now in my system. I don't know

>> if it replaced an earlier version, as I never before had occasion to

>> look at it. The MD5 does not agree with a web site value I found.

>> -----------

>> File: C:\WINNT\system32\USERINIT.EXE

>> Size: 17680 bytes

>> File Version: 5.00.2195.6612

>> Modified: Thursday, June 19, 2003, 11:05:04 AM

>> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

>> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

>> CRC32: 53C3D624

>> -----------

>>

>> I searched the net and find 2 opinions, it is normal and leave it

>> alone, (if so why a startup now)

>>

>> or- it is a virus and remove it. (replace with what?)

>>

>> Question

>> What is the correct specs for USERINIT.EXE? If it is wrong, where to

>> locate a good version?

>>

>> Is it a normal startup? And if so, why now?

>>

>> Advice?

>>

>> ms

>>

>>

> Thanks to all.

>

> I had in Winnt\NT Service Pack Uninstall folder:

> userinit.exe 2195.3649 17,680 7/22/02

>

> In Winnt\Service Pack\386 folder:

> userinit.exe 2195.6612 17,680 6/17/03

>

> Neither is exactly the one mentioned in Pegasus's post.

 

*** This is probably due to mine being the original CD version

*** whereas yours has been updated by service packs.

> Which one is better to use in C:\WINNT\system32\ ?

 

*** Use the one you have. It is most likely the current version.

> I did not understand this in that post: --a-- W32i APP ENU, is this a

> location on the CD?

 

*** It is what filever.exe reports. "W32i" probably means "Windows

*** 32 bits Intel", "App" I don't know and "ENU" is probably

*** "English Update".

> The other question remains: if this is updated every time I log in, why

> was it suddenly a startup when never before? and is that OK?

 

*** What makes you think it gets updated each time you log on?

*** What do you mean with "it was suddenly a startup"?

> Thanks

 

*** You're welcome.

Posted

Re: USERINIT.EXE - A new startup

 

"Pegasus \(MVP\)" <I.can@fly.com.oz> wrote in news:ur9XplNyIHA.552@TK2MSFTNGP06.phx.gbl:

> See below.

>

> "ms" <ms@invalid.com> wrote in message

> news:6b04o8F39ebdjU1@mid.individual.net...

>> ms <ms@invalid.com> wrote in news:6ati4dF3854ofU1@mid.individual.net:

>>

>>> I normally have a very stable W2K system.

>>>

>>> This AM, I ran a utility that removes all instances of McAfee

>>> products, I didn't ever install McAfee, but the program instantly

>>> executed and was not able to be stopped. It apparently didn't find

>>> anything.

>>>

>>> But since then, I have a alert utility, and get frequent notices that

>>> USERINIT.EXE wants to be added to windows startup. I finally allowed

>>> it, rebooted, everything *seems* normal, but I am concerned, as W2K

>>> has daily cold booted fine for over 2 years w/o this startup.

>>>

>>> Below is the report on the USERINIT.EXE now in my system. I don't know

>>> if it replaced an earlier version, as I never before had occasion to

>>> look at it. The MD5 does not agree with a web site value I found.

>>> -----------

>>> File: C:\WINNT\system32\USERINIT.EXE

>>> Size: 17680 bytes

>>> File Version: 5.00.2195.6612

>>> Modified: Thursday, June 19, 2003, 11:05:04 AM

>>> MD5: BF179C5B8A722CC79AEF1CA90D6C7D48

>>> SHA1: C2FCBB92026AC10FE1EDFD52ECAE3521375C210C

>>> CRC32: 53C3D624

>>> -----------

>>>

>>> I searched the net and find 2 opinions, it is normal and leave it

>>> alone, (if so why a startup now)

>>>

>>> or- it is a virus and remove it. (replace with what?)

>>>

>>> Question

>>> What is the correct specs for USERINIT.EXE? If it is wrong, where to

>>> locate a good version?

>>>

>>> Is it a normal startup? And if so, why now?

>>>

>>> Advice?

>>>

>>> ms

>>>

>>>

>> Thanks to all.

>>

>> I had in Winnt\NT Service Pack Uninstall folder:

>> userinit.exe 2195.3649 17,680 7/22/02

>>

>> In Winnt\Service Pack\386 folder:

>> userinit.exe 2195.6612 17,680 6/17/03

>>

>> Neither is exactly the one mentioned in Pegasus's post.

>

> *** This is probably due to mine being the original CD version

> *** whereas yours has been updated by service packs.

>

>> Which one is better to use in C:\WINNT\system32\ ?

>

> *** Use the one you have. It is most likely the current version.

>

>> I did not understand this in that post: --a-- W32i APP ENU, is this a

>> location on the CD?

>

> *** It is what filever.exe reports. "W32i" probably means "Windows

> *** 32 bits Intel", "App" I don't know and "ENU" is probably

> *** "English Update".

>

>> The other question remains: if this is updated every time I log in, why

>> was it suddenly a startup when never before? and is that OK?

>

> *** What makes you think it gets updated each time you log on?

> *** What do you mean with "it was suddenly a startup"?

>

>> Thanks

>

> *** You're welcome.

>

>

I mis-spoke. You said:

"The file gets executed each time you log on, i.e. after you have

entered your user-ID and password."

 

In my OP:

"But since then, I have a alert utility, and get frequent notices that

USERINIT.EXE wants to be added to windows startup. I finally allowed it,

rebooted, everything *seems* normal, but I am concerned, as W2K has daily

cold booted fine for over 2 years w/o this startup. "

 

If it was not a *startup* entry for about 3 years, and is a normal file,

why now? I notice it is a running service. (Autoruns) I don't see it in

any of my startup process utilities.

 

ms

Guest Pegasus (MVP)
Posted

Re: USERINIT.EXE - A new startup

 

> I mis-spoke. You said:

> "The file gets executed each time you log on, i.e. after you have

> entered your user-ID and password."

>

> In my OP:

> "But since then, I have a alert utility, and get frequent notices that

> USERINIT.EXE wants to be added to windows startup. I finally allowed it,

> rebooted, everything *seems* normal, but I am concerned, as W2K has daily

> cold booted fine for over 2 years w/o this startup. "

>

> If it was not a *startup* entry for about 3 years, and is a normal file,

> why now?. I notice it is a running service. (Autoruns) I don't see it in

> any of my startup process utilities.

>

> ms

 

Sorry, I cannot comment on your observation. I am not familiar

with your "alert" facility but I suspect that it is alerting you about

a non-existent danger.

Posted

Re: USERINIT.EXE - A new startup

 

"Pegasus \(MVP\)" <I.can@fly.com.oz> wrote in

news:OUy1hYSyIHA.5472@TK2MSFTNGP06.phx.gbl:

>

>> I mis-spoke. You said:

>> "The file gets executed each time you log on, i.e. after you have

>> entered your user-ID and password."

>>

>> In my OP:

>> "But since then, I have a alert utility, and get frequent notices

>> that USERINIT.EXE wants to be added to windows startup. I finally

>> allowed it, rebooted, everything *seems* normal, but I am concerned,

>> as W2K has daily cold booted fine for over 2 years w/o this startup. "

>>

>> If it was not a *startup* entry for about 3 years, and is a normal

>> file, why now?. I notice it is a running service. (Autoruns) I don't

>> see it in any of my startup process utilities.

>>

>> ms

>

> Sorry, I cannot comment on your observation. I am not familiar

> with your "alert" facility but I suspect that it is alerting you about

> a non-existent danger.

>

>

>

At this point, user logon is normal, else is normal. My startup utilities

don't recognize anything unusual, so I guess OK.

 

BTW, my "alert" utility is WinPatrol, a fine process control application.

 

Thank you for the help in this thread. My only remaining task in W2K/SP4

is to save my data and then finally install the old rollup patch. Due to

my browsing habits, missing security patches haven't caused problems.

 

ms

  • 5 weeks later...
Guest Steph
Posted

Re: USERINIT.EXE - A new startup

 

Pegasus wrote

> *** It is what filever.exe reports. "W32i" probably means "Windows

> *** 32 bits Intel", "App" I don't know and "ENU" is probably

> *** "English Update".

 

Actually, "ENU" stands for English (USA) - "ENG" would be English (GB),

and so on...

 

Cheers

 

--

Steph
