Thread: Dangerous bug or hacked install or ??

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Dangerous bug or hacked install or ??


    Hi !
    Just downloaded and installed Spybot S&D from safer networking server. Version 1.5. After immunizing, my PC started contacting all sites in the hosts file !!!
    This was in turn blocked by my Spysweeper, so no harm done,- but why in H... does it behave like this ? It seems to me that this was exactly the opposite of what it should do... It should block these sites,- not contact them !
    I thought this could be a virus in my PC exploiting the hosts file. I then ran complete scan with AVG, Swat it, Adaware and Spysweeper + an online scan with Symantec.
    Nothing found..
    I have now uninstalled Spybot S&D and cleaned the hosts file. I wait with new installation until somebody can tell me what happened !
    Until then Spybot S&D is on my malware list !
    Any help out there ??

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Your PC is not contacting any sites during immunization and SpySweeper is not protecting you from anything.

    The fact is that SpySweeper is misidentifying the entries that Spybot is trying to add to your system to protect you from malware.

    One solution is to shut down SpySweeper before immunizing with Spybot as barebear recommended in this thread:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Well...
    That could be.. but my Zonealarm showed a lot of network traffic going on..
    This could of course be internal traffic over localhost,- detected by ZA as network..(?)
    I will do as you say and try to immunize with spysweeper shut down. I will monitor network traffic on my router then, and see what happens..I will also monitor netstat.
    Why do you say "spysweeper is not protecting against anything " ? Is that referring to Spysweeper in general or just what actually happened here ?

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Quote: Originally posted by methusalem
        Why do you say "spysweeper is not protecting against anything " ? Is that referring to Spysweeper in general or just what actually happened here ?
    What happened here. You originally indicated:

    Quote: Originally posted by methusalem
        … This was in turn blocked by my Spysweeper, so no harm done, …
    I was trying to indicate that rather than protecting you, Spysweeper was having the opposite effect by blocking entries that are designed to protect you.


  5. #5
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Still loads of traffic when immunizing

    Shut down Spysweeper. Opened network monitor. Started immunizing. Loads of external network traffic !
    Looked at LAN monitor on router. Looked at WAN monitor on router ( using CDMA accesspoint/router) Loads of external traffic between LAN and WAN. My PC is only one on local net ( protected by WPA2) , so only source of traffic is between my PC and internet.
    No other programs running -no updating going on, no other traffic source . For some reason netstat showed nothing...
    As I said,- there could be something else exploiting my hosts file.. I am not specifically pointing to S&D.
    As I have classified software on my PC, I now have to block that from net access ( remove external drive....) and contact our security officer..
    I guess he will come up with some answers and take appropriate action.
    Until then-no Spybot S&D here...
    Could you please give me some hints as to what kind of infection this could be ? One that will not be found by AVG, Ad Aware, Swat it , Spysweeper or Symantec ??
    Please again note that I am not pointing fingers at S&D.
    I just have to keep my hosts file clean until this is solved...

  6. #6
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    In Spybot 1.5 it appears that SpybotSD.exe, where immunization, scans, etc. are done, no longer connects to TCP/IP. Only the update program SDUpdate.exe appears to.


  7. #7
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Hmmm.....
    Something fishy is going on.
    Uninstall Spybot again- clean hosts file - no traffic.
    Install Spybot - Immunize - loads of external traffic-
    And, of course, everything slows down . I have seen the remarks about slow-down with firefox after immu . Wonder if they have monitored traffic ?..
    I am by the way using IE7.
    Uninstalled AVG,- installed NOD32 - full scan - still nothing found. Manual entries to hosts done . Should activate a possible exploit. But nothing happens !
    Install Spybot again,- loads of external traffic. Should indicate that the problem is in Spybot. Had it been another infection it should exploit the manually generated hosts file also. It did not ! So this time logic will point to Spybot S&D . When a manually generated hosts file is in place and nothing bad happens before s&D is installed I can find no other answers. By the way: Spysweeper was uninstalled during last test.
    Your answer was, by the way, not very helpful to me...
    Pure logic tells me : This time I am VERY worried about Spybot v1.5 !

  8. #8
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859

    Quote: Originally posted by methusalem
        Install Spybot again,- loads of external traffic. Should indicate that the problem is in Spybot.
    But you haven't indicated from who or what the internet traffic is from and evidently don't believe me when I tell you it is not from SpybotSD.exe 1.5.x.xx.

    Quote: Originally posted by methusalem
        Your answer was, by the way, not very helpful to me...
    Sorry, maybe someone else can help.


  9. #9
    Junior Member
    Join Date
    Oct 2007
    Posts
    5

    Well,- I have no idea really...
    another strange thing :
    I tried to install again, and tracked traffic when the update manager was up. And here are the sites that Spybot S&D updated from :
    balconblick.com
    old.ccrdude.com
    TD3.net
    servercompetenz.net
    If you check these on whois you will find that 2 of them are not registered. At least according to internic . One of them is registered on Bahamas and one in US !!!!
    It is now obvious to me that my Spybot install files have been infected or changed. If this happened on the safer-networking server, or in the transfer process or here, I can not tell you.
    This case is now transferred to our security team.
    They also got a copy of my install files. I think this is very sad, I liked Spybot very much. I am sorry.
    Last edited by methusalem; 2007-10-08 at 00:47.
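
The question left open in post #8, which process the traffic comes from, can be answered from `netstat -ano` output rather than from router counters. The script below is an added example, not part of the thread and not Spybot's code; the netstat sample, the PID-to-name map and the function names are constructed for illustration, and IPv4 addresses are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from the poster's PC).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1043      203.0.113.7:80         ESTABLISHED     1234
  TCP    192.168.1.10:1050      203.0.113.9:80         TIME_WAIT       0
  TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     2200
  TCP    192.168.1.10:1046      192.168.1.1:80         ESTABLISHED     2200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:500            *:*                                    700
"""
# Hypothetical PID-to-image-name map, e.g. copied from Task Manager's PID column.
PROCESS_NAMES = {1234: "SDUpdate.exe", 2200: "iexplore.exe", 900: "svchost.exe"}
# Private and link-local ranges treated as "lan"; listed explicitly because
# ipaddress.is_private also covers documentation ranges such as 203.0.113.0/24.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def classify(addr):
    """Return 'loopback', 'lan' or 'external' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "lan" if any(ip in net for net in LAN_NETS) else "external"

def parse_netstat(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skips banner, column header and stateless UDP rows
        remote_ip, _, remote_port = parts[2].rpartition(":")
        yield remote_ip, int(remote_port), parts[3], int(parts[4])

def external_by_process(text, names):
    """Map process name -> sorted external peers; listeners are not traffic."""
    peers = defaultdict(set)
    for ip, port, state, pid in parse_netstat(text):
        if state != "LISTENING" and classify(ip) == "external":
            # PID 0 rows (TIME_WAIT) have already lost their owning process.
            peers[names.get(pid, f"pid {pid}")].add(f"{ip}:{port}")
    return {name: sorted(p) for name, p in peers.items()}

if __name__ == "__main__":
    for name, p in external_by_process(NETSTAT_SAMPLE, PROCESS_NAMES).items():
        print(name, p)
```

A connection to a name that a hosts entry maps to 127.0.0.1 falls in the loopback class here, so it never appears as an external peer.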
