Spybot 1.4 scan result


Using the above to scan, it gives the following:
1/ Microsoft Windows.Active Desktop
2/ Microsoft Windows IE FirewallByPass
3/ SURFSPY (DELETED)

Do I let Spybot "fix the problem" for items 1 & 2? Please advise.

As from yesterday, it seems to take a long time for this newsgroup dialog to
appear. I just wonder if it is due to Surfspy, as this is the first time S&D
has detected it.... thanks
 
Hi again Alex & Chris,
I think your machine is badly infected. Try to run the cleaning steps below
and send your HijackThis log to any one of the forums listed below.
Microsoft Windows.Active Desktop
http://www.f-prot.com/virusinfo/descriptions/redlof.htm
http://www.symantec.com/security_response/writeup.jsp?docid=2002-041614-1254-99&tabid=2
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=99476
Microsoft Windows IE FirewallByPass
http://forums.spybot.info/showthread.php?t=15458
SURFSPY
http://www.symantec.com/security_response/writeup.jsp?docid=2004-071412-1348-99&tabid=2
Go through these cleaning steps to see, or get a clear opinion on, how
clean your machine is:
= Click Start >> Control Panel >> Network and Internet Connections >>
Double-click Internet Options.
On the IE Properties window you will see these tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced.
Under the General tab, clear your History, Internet Files and Cookies.
Then click on the Advanced tab and scroll down to the Browsing option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) <= uncheck this box
[ ] Disable script debugging (Internet Explorer) <= check this box
[ ] Disable script debugging (Other) <= check this box

Then click on the Programs tab, click Manage Add-Ons and disable all
non-verified add-ons. (You should re-enable them later one by one to find
the culprit, and update it or remove it.)

2.... And also, for malware, from here:
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm
http://www.lavasoft.com/products/ad-aware_se_personal.php
http://www.safer-networking.org (for Spybot S&D)

Run an on-line scan from here:
http://www.sophos.com
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
Download the Avast Virus Cleaner from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Lots of tools to download and disinfect your machine:
http://www.bitdefender.co.uk/site/Downloads/browseFreeRemovalTool/
http://free.grisoft.com/doc/5390/lng/us/tpl/v5
= How to perform a clean boot procedure to prevent background programs from
interfering with a game or a program that you currently use:
http://support.microsoft.com/kb/331796
Download HijackThis and send the report to one of the many forums for
analysis and troubleshooting. When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php) is
the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to:
http://www.spywareinfo.com/~merijn/downloads.html
http://www.bleepingcomputer.com/tutorials/tutorial42.html
http://www.bleepingcomputer.com/forums/
http://www.webuser.co.uk/forums/postlist.php/Cat/0/Board/hijackthis
http://forums.whatthetech.com/forums.html
http://www.security-forums.com/viewforum.php?f=48
http://www.virusvault.co.uk/fusionbb/showforum.php?fid/15/
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://forums.subratam.org/index.php?showforum=7
http://www.lavasoftsupport.com/index.php?showforum=36
http://forums.techguy.org/54-malware-removal-hijackthis-logs/
or other appropriate forums for expert analysis, not here.
HTH.
nass
 
AlexChris

Are you running Spybot in Standard or Advanced mode? Do you scan for tracks too?

Too many people will spit their dummies if you post the logs here, but if you
configure Outlook Express as your newsgroup reader
(http://support.microsoft.com/kb/171190/en-us) & 'attach' the logs, I will be
only too pleased to look through them for you.

------------------

Spybot have their own forums

There may be 2 or 3 Windows Firewall detections that may be red. My advice is to
right-click them & EXCLUDE FROM FUTURE DETECTIONS, because if you delete them the
next time your machine is started you will have that annoyance in the System
Tray regarding this issue, & when you fix the error Spybot will pick the same
entries up again. That's why the EXCLUDE option is a good idea.

Some malware installs wallpaper on the Active Desktop. This is probably why
Spybot S&D picked it up.

Nass recommended that you post the HijackThis log, but unless you know what you
are doing it won't do any good. He forgot to mention you should create a
directory, say C:\HiJackThis (for example), to run the application in, as you
should never run it from the Desktop. The developers say this is very important.

Also, about HijackThis: it's a great program, but it fails to delete files that
are in use, for obvious reasons. So, even though you do a system scan & "delete
checked", when you scan again it's still there. Furthermore, it fails to detect
rootkits.
 
Sorry to come back so late, as we were busy with our work. Many thanks to all
those who responded; we are working through it. On the Spybot we scan
under the Standard mode. Have a look at the Advanced mode: what shall we do
there, and what do you mean by "tracks"? Thanks
 
AlexChris,

In advanced mode:

Basically, you have some tabs on the left. One of them says SETTINGS & on there
is FILE SETS. Scroll to the bottom of the file sets & tick TRACKS.uti under
USAGE TRACKS.

In the Spybot scan results you will see many that are green. You can safely tick
any of them, but the LOGS cannot be deleted if the Scheduled Tasks service is
running, so you can disregard it. Technically, there are only 2 logs that cannot
be deleted when the Scheduled Tasks service is running.
With the Explorer entry you may want to expand it & right-click the autocomplete
& exclude, etc.

Click the TOOLS tab this is what I recommend you have selected:

ACTIVEX
BHO
BROWSER PAGES
IE TWEAKS
HOSTS FILE
SYSTEM STARTUP

ActiveX - what's listed in [Drive letter]\Windows\Downloaded Program Files

Clicking each one will show you if it's legit or malware... Experience tells me,
though.

BHO - I will only ever keep one in here & that is the Spybot one, & always delete
the others. Crap like the Adobe BHO should be deleted.

Browser Pages - this is a list of search pages, homepage... If you install
Windows Live, Google or Yahoo Messenger, they like to change these settings.

My searches are set to:
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch & the homepage to
what you want.

IE Tweaks - Tick the top one (Lock Hosts File Read-Only as Protection Against
Hijackers).
If you want to type anything in the Current User/All Users IE Custom Title, then
do so. It just replaces that "Microsoft Internet Explorer" in the IE title bar.

Hosts File - normally contains just one entry:

localhost 127.0.0.1

System Startup - This is your machine's basic program startup (it doesn't include
some locations).
Things like Adobe Speed Launcher, Real Update and Quicktime Task are safe to
remove, but this is where you'll find virus software or the odd nasty file too.

It will say 'System.ini', but they are actually WinLogon\Notify.

System Startup Registry Keys used by Spybot System Startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Spybot System.ini Location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

When cleaning with Spybot & it says some entries cannot be removed & asks if you
want to do it on next startup, say no, or it will take around 30 mins to do it.
Besides, these entries are Direct 3D log files, Scheduled Tasks log files... not
worth deleting.

If you use Outlook Express as your newsreader (I posted how to set it up in my
previous post), then you can add the reports (like attachments) to your reply & I
can look through the logs & advise you what to delete, if you like.

How to export a log:

Click ActiveX under the TOOLS tab. In the right pane, right-click | Export. Do
the same for the others: BHO, STARTUP...

Note: There is a bug in Spybot & I have told them about this since starting from
beta testing versions 1.2, 1.3 & 1.4 & the release versions, but they won't fix
it for some reason, although it happens to everyone I know using it.

When you export a log it will be something like 'Spybot.bho report' & the filter
will be '.textfiles', but it doesn't save as a txt file. So, in the filename, add
'.txt' to the end before clicking the save button.

Spybot updates are out at the moment every Wednesday afternoon. After each
update make sure you IMMUNIZE within Spybot.
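The hosts-file check behind the Hosts File tab and the "Lock Hosts File Read-Only" tweak above, as an added example of my own (not code from the post or from Spybot). A real hosts line is address first, then one or more names, with "#" starting a comment, so the stock entry reads "127.0.0.1 localhost"; Spybot's Immunize adds many "127.0.0.1 <bad-domain>" lines, which is expected, so the audit only flags what a hijacker plants: localhost re-pointed, vendor/update sites blackholed so patches and online scans fail, or vendor and search names redirected elsewhere. The list of protected domains and the sample hosts file are constructed for illustration; pass a path on the command line to audit a real file.

```python
"""Audit a Windows hosts file for hijack patterns (added example)."""
import ipaddress
import os
import stat
import sys

# Names worth protecting from redirection (assumption: an illustrative list,
# extend it with whatever your environment depends on).
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "safer-networking.org",
    "symantec.com", "mcafee.com", "sophos.com", "google.com",
)
# Addresses used to blackhole a name instead of reaching it.
BLACKHOLE_ADDRS = ("127.0.0.1", "::1", "0.0.0.0")


def parse_hosts(text):
    """Return [(lineno, address or None, [names])]; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(first))
        except ValueError:  # first token is not an address at all
            addr, names = None, [first] + names
        entries.append((lineno, addr, names))
    return entries


def is_protected(name):
    """True for a protected domain or any host beneath it."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(lineno, message)] for every entry a hijacker would plant."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((lineno, "malformed line: " + " ".join(names)))
            continue
        ip = ipaddress.ip_address(addr)
        for name in names:
            n = name.lower()
            if n == "localhost":
                if not ip.is_loopback:
                    findings.append((lineno, f"localhost re-pointed to {addr}"))
            elif is_protected(n):
                if addr in BLACKHOLE_ADDRS:
                    findings.append((lineno, f"{name} blackholed to {addr} (updates/online scans will fail)"))
                else:
                    findings.append((lineno, f"{name} redirected to {addr}"))
            elif ip.is_global:  # a public address for any other name is worth a look
                findings.append((lineno, f"{name} mapped to public address {addr}"))
    return findings


def hosts_is_read_only(path):
    """True if the file carries the read-only bit the IE Tweaks option sets."""
    st = os.stat(path)
    if sys.platform == "win32":
        return bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_READONLY)
    return not (st.st_mode & stat.S_IWUSR)  # nearest equivalent elsewhere


# Constructed sample, not taken from any real machine.
SAMPLE_HOSTS = "\n".join([
    "# constructed hosts file",
    "127.0.0.1       localhost",
    "127.0.0.1       ads.tracker.example          # Immunize-style entry: fine",
    "127.0.0.1       windowsupdate.microsoft.com  # blocks patching",
    "192.0.2.10      www.google.com               # search redirect",
    "10.0.0.5        intranet                     # private address: left alone",
    "198.51.100.7    localhost",
    "this is not a hosts line",
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print("read-only bit set:", hosts_is_read_only(sys.argv[1]))
    else:
        text = SAMPLE_HOSTS
    for lineno, msg in audit_hosts(text) or [(0, "nothing suspicious")]:
        print(f"line {lineno}: {msg}")
```

On the sample it reports lines 4, 5, 7 and 8; the Immunize-style line 3 and the private intranet entry pass. The read-only bit is only a speed bump (anything running as an administrator can clear it), which is why the audit looks at the contents rather than trusting the attribute.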
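The autostart and BHO locations listed above, walked by a script of my own (an added example, not the post's or Spybot's code). It reads the two Run keys and Winlogon\Notify that the post names, plus the BHO registration key (assumed here: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, each CLSID's DLL being found at HKCR\CLSID\{clsid}\InProcServer32), and flags targets using heuristics of my own rather than Spybot's rules. On Windows it reads the live registry through the stdlib winreg module; elsewhere it runs over a constructed snapshot with invented CLSIDs and paths.

```python
"""Enumerate Spybot's System Startup keys and the BHO key (added example)."""
import re
import sys

RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"
# My heuristics, not Spybot's rules: nothing legitimate autostarts from a temp or
# recycle directory, and a target outside the program/system trees deserves a look.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\$recycle.bin\\")
EXPECTED_ROOTS = ("c:\\program files", "c:\\windows\\", "%systemroot%\\", "%programfiles%")


def image_path(command):
    """Reduce a Run value's command line to the executable it launches."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(path):
    """Return a reason to investigate, or '' if nothing stands out."""
    low = path.lower()
    if not low:
        return "empty target"
    if any(d in low for d in SUSPECT_DIRS):
        return "loads from a temp/recycle directory"
    if "\\" in low and not low.startswith(EXPECTED_ROOTS):
        return "lives outside Program Files / Windows"
    return ""  # bare names (crypt32.dll under Notify) resolve from System32


def autostart_entries(snapshot):
    """[(key, value name, target)] for Run values and Winlogon\\Notify DLLs."""
    out = [(key, name, image_path(str(data)))
           for key in RUN_KEYS for name, data in snapshot.get(key, {}).items()]
    out += [(key, "DLLName", str(vals.get("DLLName", "")))
            for key, vals in snapshot.items() if key.startswith(NOTIFY_KEY + "\\")]
    return out


def bho_entries(snapshot):
    """[(clsid, dll)]: each BHO resolved through HKCR\\CLSID\\{clsid}\\InProcServer32."""
    clsids = [k.rsplit("\\", 1)[1] for k in snapshot if k.startswith(BHO_KEY + "\\")]
    return [(c, str(snapshot.get(f"{CLSID_KEY}\\{c}\\InProcServer32", {}).get("", "")))
            for c in clsids]  # "" is the key's default value


def report(snapshot):
    """[(where, name, target, reason)] for everything triage() flags."""
    rows = [(k, n, t, triage(t)) for k, n, t in autostart_entries(snapshot)]
    rows += [(BHO_KEY, c, d, triage(d)) for c, d in bho_entries(snapshot)]
    return [r for r in rows if r[3]]


def live_snapshot():
    """Read the same keys from the live registry (Windows only)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    snap = {}

    def read(path, recurse=False):
        root, _, sub = path.partition("\\")
        try:
            key = winreg.OpenKey(roots[root], sub)
        except OSError:
            return
        with key:
            n_sub, n_val, _ = winreg.QueryInfoKey(key)
            snap[path] = dict(winreg.EnumValue(key, i)[:2] for i in range(n_val))
            for i in range(n_sub if recurse else 0):
                read(path + "\\" + winreg.EnumKey(key, i))

    for k in RUN_KEYS:
        read(k)
    read(NOTIFY_KEY, True)
    read(BHO_KEY, True)
    for clsid, _ in bho_entries(snap):
        read(f"{CLSID_KEY}\\{clsid}\\InProcServer32")
    return snap


# Constructed snapshot: made-up CLSIDs and paths, not from any real machine.
SAMPLE_SNAPSHOT = {
    RUN_KEYS[1]: {
        "SpybotSD TeaTimer": r'"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"',
        "msupdate": r"C:\Documents and Settings\user\Local Settings\Temp\msupdate.exe -s",
    },
    NOTIFY_KEY + r"\crypt32chain": {"DLLName": "crypt32.dll"},
    BHO_KEY + r"\{11111111-1111-1111-1111-111111111111}": {},
    CLSID_KEY + r"\{11111111-1111-1111-1111-111111111111}\InProcServer32":
        {"": r"C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"},
    BHO_KEY + r"\{22222222-2222-2222-2222-222222222222}": {},
    CLSID_KEY + r"\{22222222-2222-2222-2222-222222222222}\InProcServer32":
        {"": r"C:\WINDOWS\Temp\srch.dll"},
}

if __name__ == "__main__":
    snap = live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for key, name, target in autostart_entries(snap):
        print(f"[startup] {name}: {target}")
    for clsid, dll in bho_entries(snap):
        print(f"[bho] {clsid} -> {dll}")
    for _, name, target, reason in report(snap):
        print(f"LOOK AT {name}: {target} ({reason})")
```

The snapshot layout is a plain dict of key path to value dict, so the same triage runs over an exported registry dump or a disk image as easily as over the live hive. Resolving the CLSID is the step that matters for BHOs: the registration key only names the CLSID, and the DLL path under InProcServer32 is what tells you whether it is the Spybot helper or something dropped in a Temp directory.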
 
When we update Spybot 1.4, do we have to include the TCP/IP Settings Plugin?
What/how does it do/help? Thanks

 
Repost:

Post your Spybot queries to the above forum, please.
--
~PA Bear
Welcome to Safer Networking Forums:
http://forums.spybot.info/
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin; DTS-L.org

 
