Thread: Userinit.exe issue

  1. #1
    Junior Member
    Join Date
    Aug 2008
    Posts
    2

    Userinit.exe issue

    Had a bit of a strange one.

    Using vista home premium sp1.
    Spybot 1.6.0 claimed I had the Win32 GGDoor nicety.

    Proceeded to modify my registry to compensate? On reboot the desktop would not start. Unable to run sys restore and had to run a new explorer task to be able to view desktop.

    Took me about half hour to suss out what had happened and fix it.

    Restored the so called malware using spybot restore function then checked the registry.


    AVG found nothing, yet spybot did?


    Not completely convinced I checked the registry which correctly reported userinit.exe in the correct key. Also checked the modification date of the userinit.exe which is Jan 08.

    Given that neither of these appear to have been modified, I can only assume spybot got it wrong???

    Unless it fixed it and didn't restore it properly.

    Most odd?
    Last edited by croatoan; 2008-08-15 at 16:11.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,777

    Hello,

    Please follow the instructions here How to report False Positives

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Aug 2008
    Posts
    2

    Windows Vista SP1
    Internet Explorer 7
    Version of Spybot S&D 1.6.0
    where did the false positive occur = Scan result

    --- Report generated: 2008-08-14 15:12 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()


    Win32.GGDoor: [SBI $AA2036A2] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

    DoubleClick: Tracking cookie (Internet Explorer: Graham) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)
    2008-07-07 SDFiles.exe (1.6.0.4)
    2008-07-07 SDMain.exe (1.0.0.6)
    2008-07-07 SDShred.exe (1.0.2.3)
    2008-07-07 SDUpdate.exe (1.6.0.8)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-07-07 SpybotSD.exe (1.6.0.30)
    2008-07-07 TeaTimer.exe (1.6.0.20)
    2008-08-11 unins000.exe (51.49.0.0)
    2008-07-07 Update.exe (1.6.0.7)
    2008-07-07 advcheck.dll (1.6.1.12)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-07-07 SDHelper.dll (1.6.0.12)
    2008-06-19 sqlite3.dll
    2008-07-07 Tools.dll (2.1.5.7)
    2008-08-05 Includes\Adware.sbi (*)
    2008-08-12 Includes\AdwareC.sbi (*)
    2008-06-03 Includes\Cookies.sbi (*)
    2008-06-03 Includes\Dialer.sbi (*)
    2008-08-05 Includes\DialerC.sbi (*)
    2008-07-23 Includes\HeavyDuty.sbi (*)
    2008-07-30 Includes\Hijackers.sbi (*)
    2008-08-12 Includes\HijackersC.sbi (*)
    2008-08-05 Includes\Keyloggers.sbi (*)
    2008-08-12 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2008-08-05 Includes\Malware.sbi (*)
    2008-08-12 Includes\MalwareC.sbi (*)
    2008-08-05 Includes\PUPS.sbi (*)
    2008-08-12 Includes\PUPSC.sbi (*)
    2007-11-07 Includes\Revision.sbi (*)
    2008-06-18 Includes\Security.sbi (*)
    2008-08-12 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2008-08-12 Includes\Spyware.sbi (*)
    2008-08-12 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2008-08-05 Includes\Trojans.sbi (*)
    2008-08-12 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    As stated after restoring from back up. userinit.exe in registry was correct and file version located in system32 folder had not been modified since Jan.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hello,

    this appears to be a false positive, though the reasons for this appear to be more complicated.
    This
    Code:
    Win32.GGDoor: [SBI $AA2036A2] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    is not supposed to be found alone. In other words there is a control mechanism that checks other parameters first and ensures that certain malicious files need to be present. Additionally Spybot S&D should have restored the default data in the registry for the Userinit value.

    Please navigate to this folder:
    Code:
    C:\ProgramData\Spybot - Search & Destroy\Logs
    and attach the latest fixes log files to your next post, if they should be too large you can also send them via email to detections@spybot.info with a reference to this thread.

    If you restart Spybot S&D and do a scan is the scan result with Win32.GGDoor still the same?
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
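A defender-side way to perform the check the original poster describes (is the Winlogon Userinit value still the default, and has the listed userinit.exe been touched?), added here as an example and not part of any post in this thread or of Spybot itself. It assumes the standard default value `C:\Windows\system32\userinit.exe,` and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): audit the Winlogon Userinit value.
# Malware that hijacks this value usually appends its own path after the
# comma, so every comma-separated entry is inspected, not just the first.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is part of the default

$value = (Get-ItemProperty -Path $key -Name Userinit).Userinit
Write-Host "Userinit value : $value"

# String comparison in PowerShell is case-insensitive, which matches registry semantics.
if ($value -ne $expected) {
    Write-Warning "Userinit differs from the default '$expected'; review each entry below."
} else {
    Write-Host "Userinit value matches the default."
}

foreach ($entry in ($value -split ',' | Where-Object { $_.Trim() })) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim())

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Listed file does not exist: $path"
        continue
    }

    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path

    # SHA-256 of the file, for comparison with a known-good copy or a vendor hash.
    # Computed manually so it also works on PowerShell versions without Get-FileHash.
    $sha  = New-Object System.Security.Cryptography.SHA256Managed
    $hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($path))) -replace '-', ''

    Write-Host $path
    Write-Host ("  last write : {0}" -f $file.LastWriteTime)
    Write-Host ("  version    : {0}" -f $file.VersionInfo.FileVersion)
    # Note: Windows system binaries are catalog-signed; older PowerShell releases
    # report them as NotSigned, so treat the write time and hash as the primary evidence.
    Write-Host ("  signature  : {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Host ("  sha256     : {0}" -f $hash)
}
```

An unexpected extra entry, a file outside `system32`, or a recent last-write time on userinit.exe is what would distinguish a real hijack from the false positive discussed above.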
