Need User Feedback: Userinit.exe issue



croatoan
2008-08-15, 15:10
Had a bit of a strange one.

Using Vista Home Premium SP1.
Spybot 1.6.0 claimed I had the Win32 GGDoor nicety.

Proceeded to modify my registry to compensate? On reboot the desktop would not start. Unable to run sys restore and had to run a new explorer task to be able to view desktop.

Took me about half hour to suss out what had happened and fix it.

Restored the so-called malware using Spybot's restore function, then checked the registry.


AVG found nothing, yet spybot did?


Not completely convinced I checked the registry which correctly reported userinit.exe in the correct key. Also checked the modification date of the userinit.exe which is Jan 08.

Given that neither of these appear to have been modified, I can only assume Spybot got it wrong???

Unless it fixed it and didn't restore it properly.

Most odd?

tashi
2008-08-15, 19:15
Hello,

Please follow the instructions here: How to report False Positives (http://forums.spybot.info/showthread.php?t=19117)

Best regards.

croatoan
2008-08-15, 20:50
Windows Vista SP1
Internet Explorer 7
Version of Spybot S&D 1.6.0
where did the false positive occur = Scan result

--- Report generated: 2008-08-14 15:12 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Win32.GGDoor: [SBI $AA2036A2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

DoubleClick: Tracking cookie (Internet Explorer: Graham) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-08-11 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-08-05 Includes\Adware.sbi (*)
2008-08-12 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-08-12 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-12 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-12 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-12 Includes\Spyware.sbi (*)
2008-08-12 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

As stated, after restoring from backup, userinit.exe in the registry was correct and the file version located in the system32 folder had not been modified since Jan.

Yodama
2008-08-18, 07:41
Hello,

This appears to be a false positive, though the reasons for this appear to be more complicated.
This


Win32.GGDoor: [SBI $AA2036A2] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

is not supposed to be found alone. In other words, there is a control mechanism that checks other parameters first and ensures that certain malicious files are present. Additionally, Spybot S&D should have restored the default data in the registry for the Userinit value.

Please navigate to this folder:

C:\ProgramData\Spybot - Search & Destroy\Logs
and attach the latest fixes log files to your next post; if they are too large, you can also send them via email to detections@spybot.info with a reference to this thread.

If you restart Spybot S&D and do a scan is the scan result with Win32.GGDoor still the same?
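An added example, not from this thread or from Spybot's own code, of the check croatoan did by hand and that Yodama's note about the default Userinit data refers to: read the Winlogon Userinit value, compare it with the stock Windows default (`C:\Windows\system32\userinit.exe,` with its trailing comma), and report the timestamp, version and signature of every binary the value points at. It assumes PowerShell 3.0 or later in an elevated session; on Windows versions before 8 the catalog signature of OS binaries is not honoured by Get-AuthenticodeSignature, so a NotSigned status there is not by itself evidence of tampering.

```powershell
# Added example: verify the Winlogon Userinit value and the binaries it launches.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\system32\userinit.exe,"   # stock value, trailing comma included

$actual = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
if (-not $actual) {
    Write-Warning "Userinit value is missing from $key (logon would fail to start the shell)"
    return
}

# A case-insensitive string compare; extra comma-separated entries mean something else
# is being started at logon in addition to (or instead of) userinit.exe.
if ($actual -eq $expected) {
    Write-Output "Userinit value matches the Windows default: $actual"
} else {
    Write-Warning "Userinit value differs from the default`n  expected: $expected`n  actual:   $actual"
}

# Inspect each path listed in the value: presence, last-write time, file version, signer.
foreach ($entry in ($actual -split ',' | Where-Object { $_.Trim() })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Listed in Userinit but not on disk: $path"
        continue
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path          = $path
        LastWriteTime = $file.LastWriteTime          # compare with the rest of system32, as croatoan did
        FileVersion   = $file.VersionInfo.FileVersion
        SigStatus     = $sig.Status                  # Valid / NotSigned / HashMismatch ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

A value that matches the default and a userinit.exe whose timestamp, version and signer agree with the rest of system32 is the state croatoan described; a fixed-by-scanner value that no longer matches the default is the failure mode Yodama asks about.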