11 replies to this topic

[CyberRaptor]

What's up with Spybot? Supposedly this a useful little tool for removing spyware. If this is true, why did it screw up Windows on two different computers? It said something about an extension hijack and if you try to fix it, it removes .exe as a known file type! WTF.

[WaveThemes]

I've just got done using it on my 4 PCs without any problems and installed it on a PC it was never on before and ran it perfectly (found 834 suspects).

I could see if your PC was already infected with some trash that was written to be nastly to anti-spyware how this could happen.

I did have one PC that would not run Spybot at all until I used ad-aware and removed hundreds of bad files. And to be fair, I've the the exact reverse happen. Guess that's why we need to keep both weapons in our toolboxes.

Try installing ad-aware6 and see what it does. If that fails, move this subject over the the help area for infections and post a 'hijack this' log.

WT

[CyberRaptor]

Adaware came up with the same entry. I've tried removing it before with Adaware but it always comes back. It's been on my computer for a while. I don't think it's anything special. I've seen this same thing on my computer at home, and on two computers at work. If I try to use Spybot to fix it, it messes up the computer. I can't explain why it does that. At any rate, here is my hijackthis log. Looks clean to me
---------------------------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 1:43:12 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\resetservice.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Venom\Desktop\My Junk\Programs\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8058.6222685185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

----------------------------------------------------------------------------------------------

[sun]

I have the windows xp "os" as well and have been using Spy bot and Adaware for ...I don't really recall how long ....but find them both very effective.....haven't had any messages come up and they both seem to do the job!!! ciao ....in fact our other computer has both programs installed as well and it is xp as well and again we are in our comfort zone with both programs there as well!

[CyberRaptor]

Well that's GREAT for you. I'm SOOOO happy for you. Thanks a lot.

[KinG]

Raptor calm down.
What is the name of the "entry" from Ad-aware and Spybot?

[CyberRaptor]

It says:

Vendor: Windows
Type: RegData
Category: Vulnerability
Object: HKEY_CLASSES_ROOT:exefile\shell\open\command"" ()
Comments: Possible virus infection, executable file extension compromised

[JG427]

Download and run the EXE file association fix from dougknox.com.

[sun]

Raptor....I thought that these forums were to discuss openly experiences with programs and put forward comments.....I did not anticipate expressions from a member conceivably critical of my satisfaction with their performance......I do not think that this type of dialogue is appropriate when all that is wanted is to work towards the security of our computers as a common goal...is that not what these info exchanges are all about?? .....I hope that I will get bonafide comments on this question from moderators........I like to participate in forums working towards this common goal .... that all vested owners of computers have ...the priority of security.

[CyberRaptor]

Well, maybe I was a bit harsh with you, but it sounded to me like you were saying: "Oh well that's too bad. It works fine on my computer. Sucks for you."

Edited by CyberRaptor, 27 July 2004 - 12:14 PM.

[CyberRaptor]

Thank you for telling me about that .exe file fix. But can someone PLEASE tell me why Spybot is doing this? My problem is not exactly solved.

[cnm]

You'll probably get more and better answers at the Spybot SD forum. Link is in my signature, below.