Should I delete userinit.exe? [False Positive]

No worries Vader, even if USERINIT.EXE was deleted it would restore at boot as it is a system file.

Hi
I too received this pop-up (with the 13.33 update installed). I clicked OK to delete the userinit.exe because, as cat has said, it would be restored at boot-up. If you have a look at your Event Viewer under ‘System’ you would see an entry that confirms that this is a protected system file and would automatically be restored (only if you clicked yes to delete it).

any news on whether this is an FP?

The malware known about is DLDR-AGENT.AGF

This is very similar so hopefully just a fp but will everyone running boclean get this or is it linked to anything?

Regards Matty

Hi, cat!

Actually, it’s not userinit.exe that worries me, but if a dll was trying to load through userinit.exe, that it might have been deleted… am I worrying for nothing?

If your logs don’t show any deletions I’d say you have no worries. :wink:

Same FP here :wink: I am sure it will be fixed with the next update :slight_smile:

Temporary fix:

Good that you reminded us about CBOClean’s Program Excluder, m8 :slight_smile:

Greetz, Red.

I’ve re-built 2 XP Pro PCs in last week or so. First used only for Browsing and second only connects to email and a few more “trusted” sites.

One PC is showing the message regarding “userinit.exe” but the other is not.

Both have same level of XP patches (up to date minus one problem patch).
Both use same Comodo products Firewall, AntiVirus and BOCLean.
Both have recent updates (BOClean 2007-12-18 13:33:48).

However, the email PC is showing the message whilst other one isn’t (yet).

I’ve been in and out of Admin accounts on both PCs, run diagnostics, checked logs etc.
No idea yet why one is showing the message but other isn’t. That would tend to make me think it may not be a false positive. However, number of reports does tend to support FP.

If it is infected it has managed to slip past all patches, Comodo S/W, locked-down working accounts plus 2 h/w firewalls and some other bits & bobs. Good trick, and tricky to track down the source.

I’ll keep an eye on this thread and post an update if the other PC develops the same problem or I work out what’s happening.
Thanks

Hi MikeTon,
Welcome to the CBOC forums!
Have you rebooted the machine after pulling the latest update?

Hi People, definitely a false positive according to Jotti. I have added it to my excluder; hopefully this problem will be fixed in the next update!! Cheers Bazza


Thanks for that, I’ve re-booted (several times). I created a new account on the PC showing the problem and no message so far on that account. I’ll just use the new account meantime and try the old day-to-day account daily until the FP is fixed.

First of all, let me say I wanted to submit a ticket for this question but was blocked by the need to submit an “order number or domain name”. As a registered user of BO Clean for something like 5 years, I find this to be extremely annoying and unnecessary. I’d like to know if there is a way around this question or if there is some generic information I can fill in to get around this unnecessary requirement.

Now to my actual question: Beginning this evening, BO Clean has been reporting and attempting to delete a Windows file: Userinit.exe which it says is releasing a trojan. Here is the exact message:

12/18/2007 19:23:37: DLDR-AGENT.AQF MALWARE STOPPED by BOCLEAN!
Trojan horse was found in memory.
C:\WINDOWS\SYSTEM32\USERINIT.EXE contained the trojan.
Active trojan horse WAS shut down. System now safe.
Logged in user: User

This has occurred on three consecutive boot-ups and I can see no reason why it won’t continue to occur each time I boot up.

Something is obviously wrong but I have no idea what. Can you help?

Thank you.

MikeTon, that’s exactly what happened to me, but the machine that showed the problem belongs to a Windows domain, while the XP machine that didn’t show the problem didn’t belong to a domain. Is this your case?

Bill,

Apparently this is a false positive. If you check out this link you will see that you are not the only person with this issue.
https://forums.comodo.com/comodo_boclean_antimalware/should_i_delete_userinitexefalse_positive-t17328.0.html

Hope this helps.

Regards,
Michael

I too have this problem, got this warning 30 mins ago, first time ever that I have seen any type of malware warning pop up like this. I just ran Windows Defender on full scan and it shows “all clean”. Looking like an FP; either that, or WE ALL ARE INFECTED by a buggy set to run TODAY. Hope Comodo investigates promptly. (V)

With all due respect, what worries me is that after about 11 hours it hasn’t been fixed, nor has an official answer been posted from someone representing Comodo BOClean.

The first posting there at:
Today at 10:41:15 AM

Reply # 51 there at:
Today at 10:13:53 PM

Every scanner might give a FP at some moment.
We all know that.
But try to make a procedure to get it fixed as soon as possible.
And try to make a procedure where someone from Comodo BOClean does post about it.

Add me to the list.

VirusTotal says it’s clean, so I added it to the excluded list.

Gave me a bit of a start, since I’ve had no malware in years…
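The checks described in this thread (is the flagged file really the Microsoft binary, what does a multi-engine scanner say about its hash, and did Windows File Protection restore it) can be done locally before excluding a file. The script below is an added example, not code from the thread or from Comodo; it assumes Windows PowerShell with Get-AuthenticodeSignature and Get-EventLog, and assumes the System log source is named "Windows File Protection".

```powershell
# Added example: triage a system file flagged by an AV product before trusting the verdict.
# Assumptions: Windows PowerShell 1.0+ cmdlets; the event source name below is assumed.
$file = "$env:SystemRoot\System32\userinit.exe"

# 1. Is the binary still carrying a valid Microsoft Authenticode signature?
#    A valid signature means the file on disk has not been modified in place.
$sig = Get-AuthenticodeSignature -FilePath $file
"Signature status: {0}" -f $sig.Status
if ($sig.SignerCertificate) { "Signer: {0}" -f $sig.SignerCertificate.Subject }

# 2. Compute the SHA-256 of the file for cross-checking with a multi-engine scanner
#    (VirusTotal or Jotti, as posters above did) instead of uploading blindly.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($file)
try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString("x2") }) -join "" }
finally { $stream.Close() }
"SHA256: $hash"

# 3. Did Windows File Protection log a restore after the deletion attempt?
#    On XP these entries appear in the System log; the source name is an assumption.
Get-EventLog -LogName System -Source "Windows File Protection" -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

A valid signature plus a hash that the online scanners report clean is the evidence to record alongside an exclusion, so the exclusion can be reviewed once the vendor ships a corrected definition.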

Not sure if this will help clear this up, or make it as clear as mud, but here goes. I initially did not have the problem, even though I had the 2007-12-18-13:33:48 update. I thought this a bit odd as so many in this thread with this update did have the problem. I did a clean uninstall/install of BOC, using a new install file from the Comodo website. After rebooting I also had the Trojan reference. I did two rootkit scans, and scanned the supposed “infected” file with McAfee both before and after this clean re-install. Everything came up clean, except BOClean. I next rolled back my update, which in my case took it back to 2007-11-26-14:04:33. After rebooting the reference to the Trojan did not show. Once again I did all the scans: all clean. Either it is a false positive, or a real one (which BOClean shut down anyway). I am sure there is no need to panic. Just wait for the solution in an upcoming update.
I should add that my original install file from Comodo was from October. Maybe something changed in the install file between Oct. and now.
Or, maybe our friends at Microsoft changed this “infected” file just a bit in one of their recent security updates.

 (:WIN)

Hi,

It was a False positive and it has been fixed in the latest updates. Apologies for any inconvenience caused.

Regards,
Baskar.

Just got the latest update. Rebooted, and the false positive is gone. Thanks Baskar.

(:CLP)

I just got the same alert as you guys.

The last update is from 2007-12-19 06:19:18