macdunn Posted June 28, 2008 (edited)

Aauurrgghh!!!!

HellzLittleSpy - The name says it all

Let me back up and say that SpyBot 1.5.2.20 does not find it but 1.3 does, both with the 25 June 2008 Updates installed. Also, with the Updates installed, 1.5.2.20 only searches for 169160 'droppings' (as I refer to them) while SpyBot 1.3 searches for 169175. SpyBot classifies it as a Keylogger.

I have almost 30 years professional experience in the computer and software development field and this one has me stumped (heck, other things have stumped me as well and in several cases Scot's Newsletter readers have had the answer).

System -- Compaq N620c (Pentium M 1.5) laptop with Windows XP installed fresh from QuickRestore CDs and nothing else installed except SpyBot 1.5.2.20 and then 1.3. And, I mean nothing else but the Compaq QuickRestore and SpyBot! (after doing a QuickRestore and restoring all my data and programs twice. Thank goodness I have matched laptops and spare HDDs, so I have not had to wipe out the original HDDs yet)

When I run SpyBot 1.3 with the 25 June 2008 Updates, the following is found --

HellzLittleSpy: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\userinit.exe,

When I tell SpyBot to fix it and then reboot my computer, it goes into a vicious cycle of restarting and then shutting down (warm reboot), restarting and then shutting down (warm reboot), etc., never starting Windows again. I finally have to unplug the power (and in impatience drop the battery). Then, reinstall from scratch.

I run SpyBot religiously every week and, until this week when the 25 June 2008 Updates came out, have had relatively no problems.

Because removing HellzLittleSpy puts Windows into this vicious cycle, and, I will admit, I do not work at the Registry level often enough to venture there without advice, I am not sure if I should edit something in the Registry or not.

Is this some hoax by SpyBot or ???

Though I got my SpyBot 1.3 directly from Safer-Networking.org when it was new, you can get older versions of SpyBot (and other programs) at --

http://www.oldversion.com/program.php?n=spybot

or just Google for SpyBot 1.3

Aauurrgghh!!!!

TIA!

Edited June 28, 2008 by macdunn

Ed_P Posted June 28, 2008

You've heard of "false positives" with AVs, right? Well...

The current SB knows it's not a problem so why do you care if an outdated version thinks there's something wrong? Why do you think it's outdated? Because it wasn't doing/can't do the job correctly.

macdunn (Author) Posted June 28, 2008

Sure, it could be a 'false positive'. But, then, why did SpyBot add it to their Update last week -- 25 June 2008? That is just as frustrating. And, the newest and 'bluest' is not always a reason to upgrade.

Thanks for the input.

zlim Posted June 28, 2008

I see you posted in the forum

http://forums.spybot.info/showthread.php?p=207252

That's what I do. If my program flags something, I head to the users forum to see if I'm infected or simply getting bitten with a false positive.

Since others appear to have the same problem - it probably is a false positive.

rbdietz Posted June 28, 2008

The normal registry entry for Windows XP is

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\system32\userinit.exe,

http://www.runscanner.net/files/exe/userin...erinit.exe.aspx

Note: <$SYSDIR> indicates a system variable - C:\Windows - on most systems

The fact that the registry is pointing to a file of the same name in a different location doesn't conclusively prove it is malicious, but it is very suspicious.

If it were me, I'd

- Carefully read, understand and print out the following MS Knowledgebase article - http://support.microsoft.com/kb/307545
- Make a registry backup of the current registry
- Edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry entry so that it points to the normal location.
- Reboot and see what happens.

If all is well, you're done.

If the system reboots and runs well except that something useful/important is now broken, you have a new place to start. (Maybe edit the registry back to the way it was. Find out if the broken program normally inserts a new userinit.exe in the system.)

If the system won't reboot, you have your backup of the registry and have the printed article to tell you how to restore it.

Good luck.

Bob
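
The comparison discussed in the thread, a Winlogon Userinit value checked against the normal location, as an added example that is not part of any post above and is not Spybot's own logic. It assumes Windows is installed in C:\Windows and takes the expected path to be system32\userinit.exe under that directory; `check_userinit`, `SYSTEM_ROOT` and the sample values are hypothetical names and constructed data.

```python
import ntpath

# Assumption: Windows lives in C:\Windows, as the reply notes for most systems.
SYSTEM_ROOT = r"C:\Windows"


def _normalize(entry, system_root):
    """Strip quotes, expand %SystemRoot%/%windir%, fold case and separators."""
    entry = entry.strip().strip('"')
    for var in ("%systemroot%", "%windir%"):
        if entry.lower().startswith(var):
            entry = system_root + entry[len(var):]
            break
    return ntpath.normcase(ntpath.normpath(entry))


def check_userinit(value, system_root=SYSTEM_ROOT):
    """Return findings for a Winlogon Userinit value; an empty list means normal."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    # The value is a comma-separated list; the stock value ends with a comma.
    entries = [_normalize(e, system_root) for e in value.split(",") if e.strip()]
    findings = []
    if expected not in entries:
        findings.append("expected userinit.exe path is missing")
    for entry in entries:
        if entry == expected:
            continue
        if ntpath.basename(entry) == "userinit.exe":
            findings.append("userinit.exe in unexpected location: " + entry)
        else:
            findings.append("extra program started at logon: " + entry)
    return findings


# Constructed sample values, not taken from the thread's machine.
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,",
    r"C:\WINDOWS\userinit.exe,",
    r"%SystemRoot%\system32\userinit.exe,C:\Temp\helper.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_userinit(sample) or "OK")
```

On a live Windows system the value can be read with Python's `winreg` module (`winreg.QueryValueEx` on the Winlogon key) and passed to `check_userinit`.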