
Problem with Spybot
Started by CyberRaptor, Jul 25 2004 03:29 PM
11 replies to this topic
#1
Posted 25 July 2004 - 03:29 PM
What's up with Spybot? Supposedly this is a useful little tool for removing spyware. If this is true, why did it screw up Windows on two different computers? It said something about an extension hijack and if you try to fix it, it removes .exe as a known file type! WTF.
#2
Posted 26 July 2004 - 08:41 AM
I've just got done using it on my 4 PCs without any problems and installed it on a PC it was never on before and ran it perfectly (found 834 suspects).
I could see if your PC was already infected with some trash that was written to be nasty to anti-spyware how this could happen.
I did have one PC that would not run Spybot at all until I used ad-aware and removed hundreds of bad files. And to be fair, I've had the exact reverse happen. Guess that's why we need to keep both weapons in our toolboxes.
Try installing ad-aware6 and see what it does. If that fails, move this subject over to the help area for infections and post a 'hijack this' log.
WT
#3
Posted 26 July 2004 - 12:45 PM
Adaware came up with the same entry. I've tried removing it before with Adaware but it always comes back. It's been on my computer for a while. I don't think it's anything special. I've seen this same thing on my computer at home, and on two computers at work. If I try to use Spybot to fix it, it messes up the computer. I can't explain why it does that. At any rate, here is my hijackthis log. Looks clean to me.
---------------------------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 1:43:12 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Venom\Desktop\My Junk\Programs\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8058.6222685185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
----------------------------------------------------------------------------------------------
#4
Posted 26 July 2004 - 02:28 PM


#5
Posted 26 July 2004 - 04:53 PM
Well that's GREAT for you. I'm SOOOO happy for you. Thanks a lot.
#6
Posted 26 July 2004 - 05:17 PM
Raptor calm down.
What is the name of the "entry" from Ad-aware and Spybot?
#7
Posted 26 July 2004 - 09:22 PM
It says:
Vendor: Windows
Type: RegData
Category: Vulnerability
Object: HKEY_CLASSES_ROOT:exefile\shell\open\command"" ()
Comments: Possible virus infection, executable file extension compromised
#8
#9
Posted 27 July 2004 - 01:57 AM



#10
Posted 27 July 2004 - 11:13 AM
Well, maybe I was a bit harsh with you, but it sounded to me like you were saying: "Oh well that's too bad. It works fine on my computer. Sucks for you."
Edited by CyberRaptor, 27 July 2004 - 11:14 AM.
#11
Posted 27 July 2004 - 09:21 PM
Thank you for telling me about that .exe file fix. But can someone PLEASE tell me why Spybot is doing this? My problem is not exactly solved.
#12
Posted 27 July 2004 - 10:26 PM
You'll probably get more and better answers at the Spybot SD forum. Link is in my signature, below.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE