2006-02-06, 02:42   #1
Despise_Spyware
Junior Member
Join Date: Jan 2006
Posts: 15
weird popup

Every time I start up Spybot S&D, an Internet Explorer page pops up that leads to this strange website in German. The website is labeled "Patrick Kolla's Website"

I was wondering if this was normal or if there is something wrong...

2006-02-06, 14:10   #2
MacSurf
Member
Join Date: Oct 2005
Posts: 71
Rated LASSHes: 125,710

Hello,

from which site did you get your version of Spybot-S&D?
Also please tell us the exact url of this site.
2006-02-07, 00:12   #3
Despise_Spyware
Junior Member
Join Date: Jan 2006
Posts: 15

I got my version of spybot from download.com..which I think was a legit site

also..spybot worked fine for a while..now it doesn't

it's version 1.4

unfortunately..I don't know the exact name of the website..I didn't really check..and the website doesn't appear on my history list..I dunno why

I can describe the website though..it's a green website..with the spybot logo on it and on the side is a picture of a man's face

the entire webpage is in German. on the top it says "patrick kolla's website"

this used to only happen on one of my computers, but now it's happening on both
2006-02-07, 03:21   #4
Despise_Spyware
Junior Member
Join Date: Jan 2006
Posts: 15

okay..I finally got the url of the website

http://patrick.kolla.de/spybotsd.html
2006-02-07, 11:36   #5
PepiMK
Member of Team Spybot
Join Date: Oct 2005
Location: Planet Earth
Posts: 3,156
Blog Entries: 15
Rated LASSHes: 9,186

That's really weird :(

* patrick.kolla.de is my private website.
* that logo is my private logo, not the spybot one
* this thing is probably at least a few weeks old - I do not have any Spybot-S&D related page on my website any more. The page you saw was a standard "404" (page not found) error page. I've now replaced it with a page telling people that there's something wrong.
* why would I put a popup to my private site into Spybot? That would be useless - it's even in German so most people wouldn't be able to read anything!

My suspicion:
Some malware is showing those popups when Spybot-S&D is running. This should make people believe that the popup was coming from Spybot-S&D, thus causing them to uninstall Spybot-S&D (to get rid of the popup), so that this malware can run free without being removed by us.

My suggestion:
Find that piece of malware. Either here (e.g. by posting a RunAlyzer or HJT log), or if you don't trust us, at some other respectable place. But in any way, please keep us up to date!
__________________
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
2006-02-08, 02:00   #6
Despise_Spyware
Junior Member
Join Date: Jan 2006
Posts: 15

well I ran spybot and it found a bunch of tracking cookies and things like that...

after deleting those tracking cookies, the website hasn't popped up...yet

however, it was happening on both of my computers, and it hasn't stopped on the other computer

I'll scan the other comp with HJT as soon as possible...
2006-02-08, 02:15   #7
Zoraster
Junior Member
Join Date: Feb 2006
Posts: 3
Same thing here on Windows NT

I have the same thing. Using Windows NT 4 SP6. Firefox 1.5. The Spybot application was installed when the latest version was released. Only saw it start firefox once. I attached a hijackthis log if that will help.
Attached Files
File Type: zip hijackthislog.zip (3.0 KB, 11 views)
2006-02-08, 06:30   #8
bigmoe
Junior Member
Join Date: Feb 2006
Posts: 1

I just got this error too..
fresh winxp install on a machine, avg, then windows rego, then mobo drivers, then ad-aware and spybot, all off the same disc I've been using for the last 2 months or so... first time I've seen it..
2006-02-08, 10:52   #9
PepiMK
Member of Team Spybot
Join Date: Oct 2005
Location: Planet Earth
Posts: 3,156
Blog Entries: 15
Rated LASSHes: 9,186

Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!

Do you know this file, is this something you intentionally installed?

If you don't know it, it would be nice to mail it to . Choose "patrick.kolla.de/spybotsd.html" or something like that as the subject so we'll be able to pick it out asap. There's also a CodeRed removal tool by Symantec (we don't like those guys, but it was the first removal tool I found :D ).

By the way, did you say it started Firefox for that popup even? Hmmm. I've checked my code. http://patrick.kolla.de/spybotsd.html hasn't been used as a link for Spybot-S&D since eons. If you intentionally click on my logo, it'll show the main page - but you may have noticed my logo is quite hidden, so you'll never click it by accident.

@Despise_Spyware & bigmoe: please check if you've got the probable CodeRed trojan as well! Just look on the Processes tab of the Windows Taskmanager for a CodeRed.exe.
__________________
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
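
The triage step from the post above (spotting an unfamiliar entry such as C:\CodeRed\CodeRed.exe among a log's running processes), as an added example that is not part of the original thread or of HijackThis. The sample log is constructed, and the "Running processes:" section layout and the list of expected directories are assumptions.

```python
from pathlib import PureWindowsPath

# Constructed sample log (not the attachment from this thread); layout is assumed.
SAMPLE_LOG = r"""Logfile of HijackThis

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\CodeRed\CodeRed.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

# Directories where software normally lives; an assumption to tune per machine.
EXPECTED_ROOTS = (r"C:\WINNT", r"C:\WINDOWS", r"C:\Program Files")


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def is_under(path, root):
    """Case-insensitive, component-wise check that path lies below root."""
    p, r = PureWindowsPath(path), PureWindowsPath(root)
    return r == p or r in p.parents


def unexpected_processes(log_text, roots=EXPECTED_ROOTS):
    """Processes running from outside the expected roots: candidates for review, not a verdict."""
    return [p for p in running_processes(log_text)
            if not any(is_under(p, r) for r in roots)]


if __name__ == "__main__":
    for path in unexpected_processes(SAMPLE_LOG):
        print("review:", path)
```

A path flagged here only tells you which file to look at next; as the post notes, a checksum of the file is what identifies it.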
2006-02-08, 14:18   #10
Pepster
Junior Member
Join Date: Feb 2006
Posts: 2

After getting this mysterious popup and not finding CodeRed.exe in my running processes, I noted this popup also occurs when the blue banner/link shown on the initial screen of Spybot version 1.4 is clicked. Is this intentional? Or a simple cause for this mysterious popup?

All times are GMT +2.


Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.