Unsupported outdated version: New Defs and Old version causes logon issue

icemannd

The new definition files released the 25th in combination with v1.3 (I know not supported) detects the valid value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit as "HellzLittleSpy" and deletes the value leaving it blank.

This causes a logging on user to be immediately logged off until the value is properly restored to c:\windows\system32\userinit.exe,

Problem only seems to occur in v1.3.
 
Why upgrade from 1.3 to 1.5 (or 1.6)?

When I run 1.5.2.20 with the 25 June 2008 Updates, it only searches for 169160 items. When I run 1.3, it searches for 169175 items and it finds HellzLittleSpy which 1.5 does not find.

Why upgrade to 1.5 when it does not seem to be as good as 1.3?
 
Hello,
1.3 may have given a false positive on HellzLittleSpy. 1.5 has more effective detections and new functions. What is your operating system?

2008-06-25
Total: 663265 fingerprints in 171141 rules for 4049 products.
http://forums.spybot.info/showthread.php?t=30020

Regards.
 
Greetings, I am having this very issue and do not know how to correct it. I've tried safe mode and everything my limited knowledge knows to do. What are my options, if any? Thanks.

I contacted Dell support and their solution was to do a system restore that will delete all my data. Are there any other solutions for replacing this file? Any help here would be appreciated. Thanks, Bruce


 
Coho_Bruce:

There are other options in the thread referenced by Malloc in post #2 above:


For example:

I've had this happen on 6 computers so far, but I have them on the network so I can remove registry edit through them.

Here are some other tools that have offline registry edits:

http://home.eunet.no/~pnordahl/ntpasswd/
http://windowsxp.mvps.org/peboot.htm
http://ubcd4win.com/index.htm
 
I had the exact same problem this week. Very frustrating. I tried three different utility programs that I could boot from the CD drive. Norton System Works, System Mechanic, and Fix It Utilities 8. Fix It Utilities 8 was the only one that solved the problem. Use it to boot from the CD. Run the "Recovery Commander" then restore a "system restore checkpoint"
Everything is fine now. Works good.
 
For those who are still fixing this problem I created a BartPE plugin to fix it.

No additional files are needed everything is included already in the PE Build or is in the plugin.

To launch select Programs -> Repair Userinit -> Repair User init

for those who would like to do it on their own
Code:
@echo off
rem Run from a PE/boot environment: load the offline SOFTWARE hive of the installed Windows.
if exist c:\windows\system32\config\software (
	reg load HKLM\JUNK c:\windows\system32\config\software
	set UserInitPath="C:\windows\system32\userinit.exe,"
) ELSE if exist c:\winnt\system32\config\software (
	reg load HKLM\JUNK c:\winnt\system32\config\software
	set UserInitPath="C:\winnt\system32\userinit.exe,"
) else goto END
rem Read the userinit line; if its third token (the data) is empty, write the default back.
for /f "skip=4 delims=" %%i in ('reg query "HKLM\JUNK\Microsoft\Windows NT\currentversion\Winlogon" /v userinit') do (
	for /f "usebackq tokens=1,2,3" %%j in ('%%i') do (
		if "%%l"=="" (
			reg add "HKLM\JUNK\Microsoft\Windows NT\currentversion\Winlogon" /v userinit /t REG_SZ /d %UserInitPath% /f
		)
	)
)
rem Unload the hive so the change is written back to the offline SOFTWARE file.
reg unload HKLM\JUNK

:END
pause
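
The script above finds the Userinit line by skipping a fixed number of header lines. The following is an added example, not the poster's code or part of the plugin: it matches the value line by name in captured `reg query` output and classifies it, which is useful for checking machines before and after the repair. The function names and the sample captures are constructed for illustration.

```python
import re

# Expected data as given in the thread; the trailing comma is part of the value.
# Accepting it with or without the comma is an assumption of this example.
EXPECTED = re.compile(r"^[a-z]:\\(windows|winnt)\\system32\\userinit\.exe,?$", re.I)
VALUE_LINE = re.compile(r"^\s*userinit\s+(REG_\w+)(?:\s+(.*?))?\s*$", re.I)

def classify_userinit(reg_query_output):
    """Return 'ok', 'blank', 'unexpected' or 'missing' for captured reg query text."""
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # header, key name or blank line; layout varies by reg.exe version
        reg_type = m.group(1).upper()
        data = (m.group(2) or "").strip()
        if not data:
            return "blank"       # the state described in the thread: immediate logoff
        if reg_type == "REG_SZ" and EXPECTED.match(data):
            return "ok"
        return "unexpected"      # other path or additional entries: review by hand
    return "missing"             # no userinit line in the output at all

# Constructed captures (not from the thread): an XP-style layout with a version
# header and tab separators, and a later layout with four-space separators.
KEY = r"HKEY_LOCAL_MACHINE\JUNK\Microsoft\Windows NT\currentversion\Winlogon"
XP_HEADER = "\n! REG.EXE VERSION 3.0\n\n" + KEY + "\n"
SAMPLES = {
    "xp-ok": XP_HEADER + "    userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,\n",
    "xp-blank": XP_HEADER + "    userinit\tREG_SZ\t\n",
    "new-layout": "\n" + KEY + "\n    Userinit    REG_SZ    C:\\Windows\\system32\\userinit.exe,\n\n",
    "extra-entry": "\n" + KEY + "\n    Userinit    REG_SZ    "
                   "C:\\Windows\\system32\\userinit.exe,C:\\Temp\\placeholder.exe\n",
    "no-value": "",
}

def audit(samples):
    """Map each capture name to its classification."""
    return {name: classify_userinit(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

Only the `blank` and `missing` results correspond to the logon failure discussed here; `unexpected` means the value holds something other than the default and should be looked at before anything is overwritten.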
 
This doesn't work for me; it is saying the file is in use. I have also tried safe mode, same thing there as well.

this has been around for a little while now surely there is a way to remove it??

when spybot v1.4 is installed it doesn't even show up...hmmm ? i thought it would have come up at least then allow you to remove it without causing the log off issue?

can anyone offer some real answers here please :D
 
if you can boot into safe mode you don't have the problem described here. The problem described here will not let you remain logged on in safe mode or normal mode. And the plugin and script I posted are both for use from a PE environment.
 
Another false positive…?


Recent posts have indicated that the 06/25/08 update with SpyBot V1.3 seems to indicate CoolWWWSearch.hjg and HellzLittleSpy as false positives.

After going through the absolute “nightmare” of restoring my home network after letting SpyBot remove the “Userinit” value from the registry, I am wondering, with the new 07/01 and 07/02/08 updates is Win32.Agent.pz likewise a false positive? I am still using v 1.3

No other Spyware/Antivirus program seems to pick it up. I am really not looking forward to doing further restores!


By the way, if anyone is wondering how I managed to get my 3 home network PC set up back when the Userinit reg setting gets wiped out and you can’t even boot into SafeMode, can’t even run a DOS prompt to run any batch program to re-write the registry, etc., etc., well don’t run to reformat!

Go to the big audio/video chain stores and get a product called “Fix It Utilities Professional version 8”. It is made by Avanquest, it sells for about $40, and it’s a 3 user license. Pop the cd into your drive, change any bios/boot up settings to allow the pc to boot from the CD rather than the hard drive and let the CD boot. Once it boots, and the interface comes up, run the program called Recovery Commander. Choose the option to restore from a System Restore Checkpoint. Let it run and assuming you do have a series of system checkpoints to choose from, you should be OK, once you reboot. This is a lifesaver! By the way, I do not work for this company, I am not trying to submit an ad, I use this for other stuff, I repeat it is a Lifesaver!

Anyway, back to the original point of the post, more false positives?

Thanks in advance!
 
Any reason why you have not upgraded to v.1.5.2.20 yet? This problem seems to be that there is an incompatibility issue with newer updates intended for 1.5.2 on Spybot-SD 1.3.
--
http://forums.spybot.info/showpost.php?p=208640&postcount=2
--

Up till now, my feelings were .. if it ain't broke don't fix it!, as well as KISS, keep it Super Simple...

Additionally, as Yodama has requested in the post regarding "How to report a false positive", here goes...

Operating System - Windows XP Home Edition ,SP2
HP Pavilion a767c
Pentium 4 (540 processor) – 3.2 GHz 1mb L2 cache, 800mhz Front Side Bus
3.0 GB DDR SDRam
Browser and Version - Internet Explorer 6
Version of Spybot S&D and Date of the latest update – 1.3 Updates 7/1/08 & 7/2/08

Where did the false positive occur
Scan result


Log Follows

CoolWWWSearch.hjg: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3572884163-1035437201-1615707650-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PrivDiscUiShown!=W=0

CoolWWWSearch.hjg: Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3572884163-1035437201-1615707650-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt!=W=1

HellzLittleSpy: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit!=<$SYSDIR>\userinit.exe,

Win32.Agent.pz: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=W=1
Win32.Agent.pz: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall!=W=1

Win32.Agent.pz: Settings (Registry change, nothing done)
HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable!=W=1

- Spybot - Search && Destroy version: 1.3
- 2008-06-17 Includes\Adware.sbi
- 2008-06-18 Includes\AdwareC.sbi
- 2008-06-03 Includes\Cookies.sbi
- 2008-06-03 Includes\Dialer.sbi
- 2008-06-24 Includes\DialerC.sbi
- 2008-06-03 Includes\HeavyDuty.sbi
- 2008-06-16 Includes\Hijackers.sbi
- 2008-06-17 Includes\HijackersC.sbi
- 2008-06-25 Includes\Keyloggers.sbi
- 2008-07-02 Includes\KeyloggersC.sbi
- 2004-11-29 Includes\LSP.sbi
- 2008-07-02 Includes\Malware.sbi
- 2008-07-01 Includes\MalwareC.sbi
- 2008-06-17 Includes\PUPS.sbi
- 2008-07-01 Includes\PUPSC.sbi
- 2007-11-07 Includes\Revision.sbi
- 2008-06-10 Includes\Security.sbi
- 2008-07-01 Includes\SecurityC.sbi
- 2008-06-03 Includes\Spybots.sbi
- 2008-06-03 Includes\SpybotsC.sbi
- 2008-06-17 Includes\Spyware.sbi
- 2008-06-17 Includes\SpywareC.sbi
- 2008-06-03 Includes\Tracks.uti
- 2008-06-24 Includes\Trojans.sbi
- 2008-07-01 Includes\TrojansC.sbi
- 2007-06-06 Plugins\TCPIPAddress.dll


Once again, hope this helps, thanks in advance
 
hello,

due to requests for advice on this issue I entered descriptions for some methods to restore login. I hope this is of some help.
Click me.

You are either very evil or very stupid, or possibly both.

Firstly, this early version of the software is constantly given the opportunity to download the latest from your server....therefore, who would think that it was necessary to remove the early version and download the latest....for something this horrible not to happen?

Next, you have singlehandedly created the worst "virus" situation I have ever encountered.....that being not able to access the desktop at all. No virus in a 34 year history of using computers has ever caused this much trouble. I guess if you are a 16 year old retard, you are to be commended. No Trojan has ever been able to accomplish what you have.

As to your Norwegian fix number 2.....the link to download that particular boot cd doesn't work. Excellent.

You have created a nightmare for people who used your quirky software. Unfortunately, I trusted that hellzlittlespy was malware and removed it. You should not be in this business if you don't know what you are doing. Maybe selling ice cream would be a better profession for you, as this cannot be your real day job....!!
 
Mod, thanks for removing my "foul language" from the post below. Now why not figure out how to download the file necessary to complete option #2 of the brilliant fix? It seems that your server is not working (or maybe something else?). Is it still cold in Norway?....maybe an electrical connection is frozen......well you just froze my computer...so why not!!




 
This answer is a classic. Why would I upgrade to the current version when no mention of it occurs??...and the software continually accesses the current available downloads.



Hello,


Spybot-S&D v1.3 is very old, any reason you have not upgraded to v1.5?

Version 1.6 is due shortly.

Regards. :)
 
Reference AIK...it's supposed to be for the below....but option #3 in your fix doesn't say this. Is AIK plus your other 2 downloads good for Win. 2000 Pro?






System Requirements
Supported Operating Systems: Windows Server 2008; Windows Vista


Windows Vista

Windows Vista Service Pack 1

Windows Server 2008

Windows Server 2003 Service Pack 1 with KB926044

Windows Server 2003 Service Pack 2

Windows XP Service Pack 2 with KB926044
 
What do you mean no mention of the new version?
What do you think main update means?
It gets shown in every update.

It seems to have been an error to not force new versions like other software does.

If you want help, we are willing to help but if you just want to let off steam you are at the wrong place.

As to your Norwegian fix number 2.....the link to download that particular boot cd doesn't work. Excellent.
I do not see the link not working, it worked yesterday and it works now, approx 50 min. after your post. Of course there can never be a guarantee that links always work. As of now netcraft does not show any downtime on that server.
 