
HellzLittleSpy - The name says it all


macdunn

Aauurrgghh!!!!

HellzLittleSpy - The name says it all

Let me back up and say that SpyBot 1.5.2.20 does not find it but 1.3 does, both with the 25 June 2008 Updates installed. Also, with the Updates installed, 1.5.2.20 only searches for 169160 'droppings' (as I refer to them) while SpyBot 1.3 searches for 169175. SpyBot classifies it as a Keylogger.

I have almost 30 years professional experience in the computer and software development field and this one has me stumped (heck, other things have stumped me as well and in several cases Scot's Newsletter readers have had the answer).

System -- Compaq N620c (Pentium M 1.5) laptop with Windows XP installed fresh from QuickRestore CDs and nothing else installed except SpyBot 1.5.2.20 and then 1.3. And, I mean nothing else but the Compaq QuickRestore and SpyBot! (after doing a QuickRestore and restoring all my data and programs twice. Thank goodness I have matched laptops and spare HDDs, so I have not had to wipe out the original HDDs yet)

When I run SpyBot 1.3 with the 25 June 2008 Updates, the following is found --

HellzLittleSpy: Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\userinit.exe,

When I tell SpyBot to fix it and then reboot my computer, it goes into a vicious cycle of restarting and then shutting down (warm reboot), restarting and then shutting down (warm reboot), etc., never starting Windows again. I finally have to unplug the power (and in impatience drop the battery). Then, reinstall from scratch.

I run SpyBot religiously every week and until this week when the 25 June 2008 Updates came out have had relatively no problems.

Because removing HellzLittleSpy puts Windows into this vicious cycle, and, I will admit, I do not work at the Registry level often enough to venture there without advice, I am not sure if I should edit something in the Registry or not.

Is this some hoax by SpyBot or ???

Though I got my SpyBot 1.3 directly from Safer-Networking.org when it was new, you can get older versions of SpyBot (and other programs) at --

http://www.oldversion.com/program.php?n=spybot

or just Google for SpyBot 1.3

Aauurrgghh!!!!

TIA!

Edited by macdunn

You've heard of "false positives" with AVs, right? Well... The current SB knows it's not a problem so why do you care if an outdated version thinks there's something wrong? Why do you think it's outdated? Because it wasn't doing/can't do the job correctly.


Sure, it could be a 'false positive'. But, then, why did SpyBot add it to their Update last week -- 25 June 2008? That is just as frustrating. And, the newest and 'bluest' is not always a reason to upgrade.

Thanks for the input.


When I run SpyBot 1.3 with the 25 June 2008 Updates, the following is found --

HellzLittleSpy: Settings (Registry change, nothing done) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\userinit.exe,

When I tell SpyBot to fix it and then reboot my computer, it goes into a vicious cycle of restarting and then shutting down (warm reboot), restarting and then shutting down (warm reboot), etc., never starting Windows again. I finally have to unplug the power (and in impatience drop the battery). Then, reinstall from scratch.

The normal registry entry for Windows XP is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\system32\userinit.exe,

Note: <$SYSDIR> indicates a system variable - C:\Windows - on most systems

The fact that the registry is pointing to a file of the same name in a different location doesn't conclusively prove it is malicious, but it is very suspicious.

If it were me, I'd

  1. Carefully read, understand and print out the following MS Knowledgebase article - http://support.microsoft.com/kb/307545
  2. Make a registry backup of the current registry
  3. Edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry entry so that it points to the normal location.
  4. Reboot and see what happens.

If all is well, you're done.

If the system reboots and runs well except that something useful/important is now broken, you have a new place to start. (Maybe edit the registry back to the way it was. Find out if the broken program normally inserts a new userinit.exe in the system.)

If the system won't reboot, you have your backup of the registry and have the printed article to tell you how to restore it.

Good luck.

Bob
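An added example, not part of the original posts and not SpyBot's own logic: a small offline check of the Userinit data against the normal location given in the reply above. It assumes Windows is installed in C:\Windows; the `reg query` lines are constructed samples and the function names are hypothetical.

```python
import ntpath

# Assumption: Windows lives in C:\Windows, as the reply says is true on most systems.
SYSTEM_ROOT = r"C:\Windows"
EXPECTED = ntpath.join(SYSTEM_ROOT, "system32", "userinit.exe")

# Constructed `reg query` output lines (not taken from the thread).
SAMPLE_NORMAL = r"    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,"
SAMPLE_MOVED = r"    Userinit    REG_SZ    C:\Windows\userinit.exe,"
SAMPLE_EXTRA = r"    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\Temp\helper.exe"


def parse_reg_line(line):
    """Return the data column of a `reg query` line (name, type, data)."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0].lower() != "userinit":
        raise ValueError("not a Userinit value line")
    return parts[2].strip()


def normalize(path):
    """Expand %SystemRoot%, collapse separators and fold case as Windows does."""
    path = path.strip().strip('"')
    if path.lower().startswith("%systemroot%"):
        path = SYSTEM_ROOT + path[len("%systemroot%"):]
    return ntpath.normcase(ntpath.normpath(path))


def audit_userinit(data):
    """Classify each comma-separated program named in the Userinit data."""
    expected = normalize(EXPECTED)
    findings = []
    # A trailing comma is part of the normal value, so empty entries are skipped.
    for entry in (e for e in data.split(",") if e.strip()):
        norm = normalize(entry)
        if norm == expected:
            findings.append((entry, "expected"))
        elif ntpath.basename(norm) == "userinit.exe":
            # The case discussed in the thread: same file name, other directory.
            findings.append((entry, "same name, different location"))
        else:
            findings.append((entry, "additional program"))
    if not any(status == "expected" for _, status in findings):
        findings.append((EXPECTED, "missing"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NORMAL, SAMPLE_MOVED, SAMPLE_EXTRA):
        print(audit_userinit(parse_reg_line(sample)))
```

A "same name, different location" or "additional program" result is a reason to inspect the named file before changing the value, in line with the backup-first steps above.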
