Beware of the latest Webroot Spysweeper definitions

Generally, I'm a great believer in using many security applications, since there are many good ones out there, but no single app will provide your PC with full protection. You can only have one resident anti-virus program and having more than one firewall running can be too much of a headache to be worth it, but there are no limits to the number of on-demand anti-trojan scanners you can have on your system.

There are quite a number of excellent anti-trojan progs out there, and here are some that you should probably get if you don't have them already:

• Spysweeper S&D (free and thorough)
• MalwareBytes (very deep clean)
• Xoftspy SE (fast and deep cleansing - not free)
• Spysweeper (slow, but very comprehensive - not free)

There are some anti-trojan programs that do more harm than good. Webroot's Spysweeper would never have fallen into that category for me in the past, but yesterday afternoon... Well, unfortunately for me, it did. Most emphatically.

I'd been getting tired with the gradual slowdown on my old workhorse of a laptop, despite all the maintenance I'd been carrying out:
Diskeeper was set to defragment on the fly; disk space was freed up as often as possible; AV scans were run weekly in addition to the real-time protection; all startup entries were viewed with suspicion and regularly checked to remove unnecessary ones from the list; Spysweeper and Xoftspy SE were run at least once a week each to keep a look out for any new parasites that might be sapping system resources.

Not having run Spysweeper for quite some time (a few months, in fact), I thought it was time to fire it up, update it and see if the latest definitions would detect anything.
It wasn't too surprising to see the results of the scan showing up some trojans and malwares, since I had a few keygens on my system (don't ask me why ;-), so I selected these for quarantine, in addition to the usual tracker cookies. I was alarmed by one or two of the other entries:

• C:\WINDOWS\System32\skypecomm.dll (part of adware-bho.gen.x)
  
• C:\WINDOWS\msnsrv.exe (worm.gen.x)

The first in the list stood out, considering that I don't have Skype installed - and this one turned out to be a known nasty, a backdoor trojan that opens a port on your system. I wasn't too worried, because I never startup IE, and since this was a BHO (browser helper object), it would need IE to be running for it to be active.
The second one is a bit of a mystery. Nobody seems to know what it actually does, but it's still considered to be about a 70% threat on most security sites. I was happy to quarantine it, anyway.

So, after creating a System Restore point, I confirmed that Spysweeper could proceed with quarantining the files and corresponding run registry entries and rebooted the laptop.

I logged in. Windows was particularly slow loading the desktop, and when it did, that's all it did and for quite a while, too. I hovered over where the taskbar would usually be, but nothing. And then, suddenly, Windows started to log off, displaying the "logging off" message followed by "saving your settings". I found myself back a the Welcome screen, a little bit puzzled.
I tried again. Same thing happened. I tried for another user, thinking that maybe my user settings had become corrupted, but no luck, same result. It was the same for Administrator too.
"Time for safe mode", I thought. So, I rebooted and tapped the F8 key to bring up the boot menu. Last known good configuration didn't help, and unfortunately, neither did safe mode. Under no circumstances could I log in completely, even though Windows seemed to get past the "loading your personal settings" stage.

I had made a system restore point, but I had no way of getting to it. Recovery Console with an XP disk didn't work, because it got me no further than the login screen before exiting.

So, I went upstairs to my PC to download and burn the latest versions of UBCD4Win and Hiren's BootCD, thinking that I could at least get my latest data (that I didn't have a backup of, which amounted to about 4 weeks worth) off the laptop and onto a USB stick or my external HDD.

However, while grabbing the latest ones by torrent or direct download I had a few minutes to kill, so I went searching for my issue on Google and found quite a few hits, and this one at http://forums.techarena.in/windows-xp-support/1140791.htm was the most useful.
It seems that there is a trojan that can set wsaupdater.exe as the program pointed to in the Userinit registry subkey entry for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Normally this Winlogon key will have the subkey:
Userinit
With the value:
C:\Windows\System32\Userinit.exe,
(yes, the comma is intentional ;-)

Apparently some anti-trojan apps will delete the wsaupdate.exe file, but will not fix the registry key, leaving you with no means of logging in to your PC.

Sure enough, when I built my UBCD4Win boot disk and booted it up on my laptop I was able to browse the registry hives and see that there was indeed a problem with the Winlogon key and Userinit subkey. However, the problem was that this subkey wasn't there!
Obviously, Spysweeper had identified it as a threat, I hadn't spotted this and had quarantined it.

After manually adding the subkey Userinit with the value:
C:\Windows\System32\Userinit.exe,
I was able to reboot and finally log in to my account.

After looking through the Spysweeper quarantine, I found that it had identified:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ || Userinit
and
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ || Shell
as threats. Since I was curious if they had been set to something dodgy, I decided to recover them from the quarantine and much to my surprise, they turned out to be perfectly valid values:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ || Userinit was:
C:\Windows\System32\Userinit.exe,
While HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ || Shell was:
explorer.exe
Which are the correct values. So, why did Spysweeper identify them as a threat?

Either it is
a) a problem of false positives introduced in the latest definitions, or
b) a problem where both userinit.exe and explorer.exe are non-default or trojan/virus files that have replaced the normal system files. They work perfectly well, doing everything userinit and explorer do, but secretly perform some other malicious task, unbeknownst to the unsuspecting user (that would be me).

Having done a file comparison (md5 hash check included) using Beyond Compare 3 to the files in my recovery directory, C:\I386, I can see no difference. I also can't see any difference to the ones on my XP Pro SP2 machine (this laptop is SP3, but I don't think there were any changes here). So, I think that scenario a) is the more likely.

If you believe this is the case, then you might want to be extra careful to what you agree to quarantine in Spysweeper now and in the future. But I think that it would be better to be extra careful in all cases (as I normally am - just not yesterday :P ) when you run these tools and scrutinize every result, google it and judge if it's real or just a false positive. Most of the time, deleting or quarantining one of these false positives isn't going to cause you as much trouble as I ran into yesterday, but it's still worth remembering not to get too trusting just because an application has never been short of excellent in the past.