NOTE: if you copy or print any of this, when there are links in the posts on this site, if they are longer they are automatically shortened to save space in the post and are a link to the actual link. If you merely copy the post with the shortened link in it, or print the post with the shortened link in it, the shortened link will not work. You have to click on the shortened link, and copy the address of where it goes to, and paste that into the copy, and you might as well delete the shortened link in the copy at the same time.
......
Found on the web.....
userinit.exe
userinit.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 24576 bytes (69% of all occurrence), 22016 bytes, 21504 bytes, 26112 bytes, 39115 bytes, 39109 bytes, 39150 bytes, 34304 bytes, 28160 bytes, 35840 bytes, 41472 bytes, 37376 bytes, 39146 bytes.
...
It is an essential part of Windows OS and is safe to leave it alone unless it is hooked in the registry to run extra files which are trojans. It can be hooked in the registry to run gpmiabp.exe, which executes a trojan horse, Win32.Qoologic. If you see in the Security Task Manager Userinit.exe,gpmiabp.exe or something added to the Userinit.exe, then it is hooked through the registry to run malicious files.
...
Once you log in, it might run for a few seconds. After that, it seems to terminate itself.
....
The DllCache folder (c:\windows\system32\dllcache\) maintains a copy of userinit.exe. Simply copy it to the system32 folder. If not, you may have to expand a copy from the source. (either from the Windows XP CD, or from the ServicePackFiles source path)
.....
More complicated fix
I created a program to run a *.reg file. There are a couple of steps to make this fix/hack work.
http://www.onegeek.com/answers/user...
...................................
dl.exe
The dl.exe file is installed and used by Licum
Licum is an Internet worm that distributes itself to PCs running Windows operating computer with unpatched security flaws. The spyware infects executable files. Its activity severely decreases overall computer performance and Internet connection speed. Licum has the ability to download and install additional malicious files. Consider updating your computer immediately in order to prevent the infection.
How can I get rid of Licum?
The most common spyware removal tactic is to uninstall Licum by using the "Add/Remove Programs" utility. However, as there may still be hidden Licum files, it's possible that Licum will reappear after reboot. Follow the Licum detection and removal methods below.
Licum Manual Removal Instructions
Step 1 : Use Windows File Search Tool to Find Licum Path
Go to Start > Search > All Files or Folders.
In the "All or part of the file name" section, type in "Licum" file name(s).
To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
When Windows finishes your search, hover over the "In Folder" of "Licum", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Licum in the following manual removal steps.
Step 2 : Use Windows Task Manager to Remove Licum Processes
To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
Click on the "Image Name" button to search for "Licum" process by name.
Select the "Licum" process and click on the "End Process" button to kill it.
Remove the "Licum" processes files:
gaelicum.exe
dl.exe
cback.exe
Step 3 : Detect and Delete Other Licum Files
To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content, even the hidden files.
To change directory, type in "cd name_of_the_folder".
Once you have the file you're looking for type in "del name_of_the_file".
To delete a file in folder, type in "del name_of_the_file".
To delete the entire folder, type in "rmdir /S name_of_the_folder".
http://www.spywareremove.com/remove...
..........................................
Try this .
Boot with the Windows CD, and go to the Recovery Console.
(let the initial Setup files load, press R when it asks if you want to Repair Windows)
When it lists the Windows installations found, if more than one is found, make sure you choose the Windows installation you were booting from, not another one / the other one.
(type the number of the Windows installation, press Enter)
(When you see Password:
- if there are no * characters beside it, there is no password, just press Enter
- if there ARE * characters beside it, the password is the same one you use as Administrator in Windows, then press Enter.)
Search for userinit.exe
dir /s userinit.exe (enter)
(might be different in the Recovery Console)
According to the above info there should be at least one in the dllcache folder.
There might be a newer one elsewhere - if there is, if it was installed, in theory it should be the same size as the one in the dllcache, if there is one in the dllcache.
If there is one elsewhere but not one in the dllcache, the newest one found is probably the right one??
Copy userinit.exe to (Drive letter Windows is on):\Windows\System32.
If there is no userinit.exe anywhere,
try expanding the one on the Windows CD.
expand (drive letter CD is in):\I386\userinit.ex_ (Drive letter Windows is on):\Windows\System32\userinit.exe
(all on one line; space after expand and after userinit.ex_)
(If you didn't notice or are not sure which drive letter the Windows CD is on, it's often one letter higher than it is in Windows. In any case you can type the drive letter you think it might be followed by a colon, press Enter, then type dir, press enter - if you see the \I386 folder and a few files that's the right one.
e.g.
Make a note of which drive letter the Windows folder is on - in your case it's probably not C.
Use the drive letter you think the CD is on - if that is F
type: F: (enter)
type: dir (enter)
If you see \I386 that's the right one
If you need to go back to the drive and folder Windows is on,
e.g. if it's on D
type D: (enter)
the Windows folder should be the same one as before you typed another drive letter.)
....
Removing the Licum stuff
Use the removal info above to find the folder and files you are supposed to get rid of and delete them.
Also search for: gpmiabp.exe
They might be in two or more places.
If searching using: dir /s (name) does not work, type: help dir (enter) for use info.
If searching using: dir /s licum finds nothing, try dir /s licum*
or dir /s licum*.*
type: exit (press Enter) to get out of the Recovery Console and reboot.
It should boot normally.
Licum may have installed other malware.
See the third paragraph at the beginning of this post - there might be more as well.
Do a full scan with your anti-malware software.
If it doesn't find anything, try other anti-malware software.
It may help to search the web for info about what else Licum might have loaded, then search to find what removes that.
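
Added example, not part of the original post: once Windows boots again, the registry hook described in the quoted userinit.exe text (something like gpmiabp.exe appended after userinit.exe) can be checked with a short PowerShell script. It assumes PowerShell 3 or later; the Winlogon key path and the function name Test-UserinitValue are not from the post, and the sample values are constructed.

```powershell
# Added example: audit the Winlogon "Userinit" value for extra programs.
# On a clean system the value is normally just the full path to userinit.exe
# followed by a trailing comma. Anything else is reported for review.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-UserinitValue {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string]$SystemRoot = $env:SystemRoot
    )
    $expected = "$SystemRoot\system32\userinit.exe"

    # The value is a comma-separated list; drop quotes, blanks and the
    # empty item produced by the trailing comma.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ })

    # Every entry that is not the expected userinit.exe path is "extra".
    $extra = @($entries | Where-Object {
        [Environment]::ExpandEnvironmentVariables($_) -ine $expected
    })
    $hasUserinit = $entries.Count -gt $extra.Count

    [pscustomobject]@{
        Value       = $Value
        HasUserinit = $hasUserinit
        Extra       = $extra
        Suspicious  = ($extra.Count -gt 0) -or (-not $hasUserinit)
    }
}

# Constructed sample values (not taken from a real machine):
$samples = @(
    'C:\Windows\system32\userinit.exe,',            # clean default
    'C:\Windows\system32\userinit.exe,gpmiabp.exe'  # hooked, as in the post
)
foreach ($s in $samples) {
    Test-UserinitValue -Value $s -SystemRoot 'C:\Windows' | Format-List
}

# Live check, only where the registry key exists (i.e. on Windows):
if (Test-Path $WinlogonKey) {
    $live = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    Test-UserinitValue -Value $live | Format-List
}
```

If Suspicious is True, the files named in Extra are the ones to look for and scan; the value should only be edited after confirming the userinit.exe in System32 is intact, since a wrong Userinit value prevents logon.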