Is Spybot adding, not removing spyware?

Guest

On a brand new Gateway desktop computer which came with Vista, per Consumer
Reports recommendation, I installed TrendMicro Internet Security (which
uninstalled the McAfee app which came with the computer) and I just now
downloaded (from one of the spybot.com "mirror" sites) and ran Spybot. I did
this because CR says to run a 2nd anti-spyware application since none of them
catch all spyware.

BEFORE running Spybot, TrendMicro found no spyware.

I ran Spybot "Check for problems", resulting in "Congratulations, No
immediate threats were found"

AFTER running Spybot, TrendMicro now finds 13 Trojans (eg. aaasexypics.com),
98 Adwares (eg. adult-friends-finder.net), all from -->127.0.0.1

Nothing but Spybot was run between the two TrendMicro runs. Can Spybot
really be responsible for adding all this spyware? It was recommended by
Consumer Reports which is my consumer's bible. Has anyone else run into this?
TrendMicro Internet Security is a paid-for product written by a for-profit
company, Spybot is "free-ware". Is this a case of "you get what you pay for"?

(FYI: Although I worked in the CAD/CAM software field years ago, I am a
total novice regarding PC's, the internet, downloading, Vista, security
software, etc. - and this is not a good initial experience, I must say!)
 
vanilla

I don't think you got the REAL Spybot Search & Destroy ... I just did a
search and, from all the choices listed, could not determine where the REAL
Spybot Search & Destroy home page is found ... none of the search results
was for a spybot dot com ... I have to get to work and I hope one of the
MVPs will see your post and help you tonight.

I hope you told TM to delete all of that stuff (hope even more it is set to
do so automatically) ... then you need to delete the version of Spybot
Search & Destroy that you downloaded ... I truly do not believe you got the
real thing. If you did go to the correct URL and spybot dot com is the
official website, then I hope we all get an answer as to how all of this
showed up on your computer. Perhaps the link to that 'mirror' site is bogus.
Don't know ... sorry I can't help you.

Keep running scans with TM to see if anything else shows up ... good luck
.... vanilla
 
Seth

vanilla said:
I don't think you got the REAL Spybot Search & Destroy ... I just did a
search and, from all the choices listed, could not determine where the REAL
Spybot Search & Destroy home page is found ... none of the search results
was for a spybot dot com ... I have to get to work and I hope one of the
MVPs will see your post and help you tonight.

Here's the real site for SpyBot S&D
http://www.safer-networking.org/
 
Mark Veldhuis

Vista Novice said:
AFTER running Spybot, TrendMicro now finds 13 Trojans (eg. aaasexypics.com),
98 Adwares (eg. adult-friends-finder.net), all from -->127.0.0.1

Looks like Spybot S&D added entries for these websites to your HOSTS
file, basically to prevent your computer from visiting these malicious
sites.
Now, if your browser, or any other program, tries to go to e.g. adult-
friends-finder.net, instead of going to the real site, it will try to
connect to 127.0.0.1, which is known as "local host", a.k.a. your own
computer. That particular site, as well as any other sites that are
redirected to 127.0.0.1 in your HOSTS file, won't be able to show bad
content or install malware on your computer.
Looks like the alarms of TrendMicro get triggered by the names of the
sites that are blocked in your HOSTS file.
 
Kayman

On a brand new Gateway desktop computer which came with Vista, per Consumer
Reports recommendation, I installed TrendMicro Internet Security (which
uninstalled the McAfee app which came with the computer) and I just now
downloaded (from one of the spybot.com "mirror" sites) and ran Spybot. I did
this because CR says to run a 2nd anti-spyware application since none of them
catch all spyware.

BEFORE running Spybot, TrendMicro found no spyware.

I ran Spybot "Check for problems", resulting in "Congratulations, No
immediate threats were found"

AFTER running Spybot, TrendMicro now finds 13 Trojans (eg. aaasexypics.com),
98 Adwares (eg. adult-friends-finder.net), all from -->127.0.0.1

Nothing but Spybot was run between the two TrendMicro runs. Can Spybot
really be responsible for adding all this spyware? It was recommended by
Consumer Reports which is my consumer's bible. Has anyone else run into this?
TrendMicro Internet Security is a paid-for product written by a for-profit
company, Spybot is "free-ware". Is this a case of "you get what you pay for"?

(FYI: Although I worked in the CAD/CAM software field years ago, I am a
total novice regarding PC's, the internet, downloading, Vista, security
software, etc. - and this is not a good initial experience, I must say!)

Download David H. Lipman's MULTI_AV.EXE from the URL:
http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
Further information can be found here:
http://www.elephantboycomputers.com/page2.html#Multi-AV
Additional Instructions:
http://pcdid.com/Multi_AV.htm
 
Guest

Vista Novice said:
Can Spybot really be responsible for adding all this spyware?

Thanks for the very prompt responses to my question (and all of them
relevant, ie. no gratuitous replies or graffiti). This is my first
experience with the "Windows Vista Community" and it was a good one - I'll be
back!

A "thank you" particularly goes to Mark Veldhuis who provided the answer,
but others provided useful information as well, so thanks to all!

There was nothing on "HOSTS files" in the local Vista "help" (which I have
found to be pretty spotty), but through the "Knowledge Base" I found that the
host file is located at c:\Windows\System32\drivers\etc. I took the "risk" of
running Spybot again (trusting Mark) and sure enough a "hosts" file was
produced with the following entries:

127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 010402.com
....
(over 7,200 entries!)
....

I will send an email to TrendMicro suggesting that they should "skip" such
entries since they are not spyware, nor actual links to malicious websites.
And they should expect that other customers - at least fellow readers of
Consumer Reports ;-) would be running Spybot in addition to TrendMicro.

Also, my faith in Spybot (and Consumer Reports) is restored. It is truly
impressive that Spybot has amassed a list of over 7,200 such websites and also
a bit strange that TrendMicro flags such a small number as spyware.

Thanks again for the help.

- Vista Novice
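
An added example, not part of the original thread and not Spybot's or Trend Micro's code: a small Python audit of a hosts file that separates the loopback "sinkhole" entries Mark describes (including the block Spybot inserts) from entries that point a name at a non-local address, which are the ones worth a closer look. The End marker, the `audit_hosts` name and every sample line other than the entries quoted in the post are assumptions constructed for illustration.

```python
import ipaddress

# Start marker as quoted in the thread; the End marker is assumed to mirror it.
START = "# Start of entries inserted by Spybot - Search & Destroy"
END = "# End of entries inserted by Spybot - Search & Destroy"
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: first six lines follow the post, the rest are made up.
SAMPLE = """\
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 010402.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.7 login.bank.example   # constructed: name sent to a non-local address
not-an-ip something
"""


def audit_hosts(text):
    """Classify each hosts mapping as a sinkhole (blocked name) or a redirect."""
    report = {"spybot_sinkholes": [], "other_sinkholes": [],
              "redirects": [], "malformed": []}
    in_block = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line in (START, END):            # markers are comments, check them first
            in_block = line == START
            continue
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(lineno)
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in LOCAL_NAMES:
                continue                     # the stock localhost lines
            if ip.is_loopback or ip.is_unspecified:
                key = "spybot_sinkholes" if in_block else "other_sinkholes"
                report[key].append(name)     # name is blocked, not reachable
            else:
                report["redirects"].append((lineno, name, str(ip)))
    return report


if __name__ == "__main__":
    print(audit_hosts(SAMPLE))
```
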
 
vanilla

Thanks, Seth, for the correct link ... will save for future reference ...
vanilla
 
vanilla

duh ... I forgot all about the hosts file ... mine is locked and I never
even think about it anymore ... when I didn't see spybot dot com in the
search results, I thought he didn't get the real thing.

Is 127.0.0.1 only the hosts file? I ask because I was going to make a note
"127.0.0.1 = hosts file" but this might be a simplistic assumption. Thanks
for any reply ... vanilla
 
Mark Veldhuis

Is 127.0.0.1 only the hosts file? I ask because I was going to make a note
"127.0.0.1 = hosts file" but this might be a simplistic assumption. Thanks
for any reply ... vanilla

No. It's kinda like an IP address, 127.0.0.1 is what your computer knows
as itself, so it's also called "localhost".
When you browse to a website, you connect to the IP address of a
webserver. Domain names like www.google.com exist because it's easier to
remember names than numbers. A DNS server, in most cases that of the
Internet Provider you use, converts those names to the numbers (IP
addresses). In the case of www.google.com, it will connect you to
64.233.183.104 .
Now, if you'd put the following line in the HOSTS file

127.0.0.1 www.google.com

your computer would try to connect to 127.0.0.1 every time you'd try to
surf to www.google.com. It would try to connect to your own PC. You
likely aren't running a webserver at that address, and it isn't Google
anyway. So, you won't be able to connect to www.google.com if that line
is present in the HOSTS file.

With the info above, and the line below, think of what the HOSTS file
can do to protect your computer:

127.0.0.1 malicious.site.com

:)
 
vanilla

Thanks very much ... vanilla

Mark Veldhuis said:
No. It's kinda like an IP address, 127.0.0.1 is what your computer knows
as itself, so it's also called "localhost".
When you browse to a website, you connect to the IP address of a
webserver. Domain names like www.google.com exist because it's easier to
remember names than numbers. A DNS server, in most cases that of the
Internet Provider you use, converts those names to the numbers (IP
addresses). In the case of www.google.com, it will connect you to
64.233.183.104 .
Now, if you'd put the following line in the HOSTS file

127.0.0.1 www.google.com

your computer would try to connect to 127.0.0.1 every time you'd try to
surf to www.google.com. It would try to connect to your own PC. You
likely aren't running a webserver at that address, and it isn't Google
anyway. So, you won't be able to connect to www.google.com if that line
is present in the HOSTS file.

With the info above, and the line below, think of what the HOSTS file
can do to protect your computer:

127.0.0.1 malicious.site.com

:)
--


Kind regards,
Mark Veldhuis.
 
netlink_blue

Mark said:
No. It's kinda like an IP address, 127.0.0.1 is what your computer knows
as itself, so it's also called "localhost".


Good luck trying to manually add/edit an entry in Vista HOSTS file.
Vista has it locked.

Since I'm new to Vista's "take possession" game, it took many
nano-seconds for me to explore the various buttons and dialog boxes
before I could save my edited HOSTS file.

I thought about resetting permissions back ...(raucous laughter)

/netlink
 
Mark Veldhuis

Good luck trying to manually add/edit an entry in Vista HOSTS file.
Vista has it locked.

I use Hostsman from http://www.abelhadigital.com/ to manage my HOSTS
file.
To edit and update the file, the program needs to be run as
Administrator. The interface of the program provides an option for that.
Never a problem...
 
netlink_blue

Mark said:
I use Hostsman from http://www.abelhadigital.com/ to manage my HOSTS
file.
To edit and update the file, the program needs to be run as
Administrator. The interface of the program provides an option for that.
Never a problem...

Thanks for the link and info. This morning I did a quick search, and
found this "sweet fix" posted by someone.

Right-click on your desktop, and create a Shortcut. Copy/paste this
link into said shortcut ...

C:\Windows\System32\notepad.exe C:\Windows\System32\drivers\etc\hosts

Once shortcut is created (which causes Notepad to open HOSTS file)
right-click shortcut icon and open "Properties". Click Advanced button
and check-box "Run as Administrator".

Worked a treat for me.

over the river, and through the woods
to granny's we go ... beautiful vistas there,

/netlink
 
Vista Novice

Please see my new post (12/6/2007 2:25 AM PST) "Did I put a hole in my Trend
Micro security wall?"

Thanks!

Charlie (Vista Novice)
 
