Updating Pop-up

[humberlad]

I have today done a clean install of version 1.5, all went fine until I started a manual download of updates when I got a pop-up saying malware had been added to the application and that I should run an antivirus programme. After running my AV and doing various other scans nothing has been detected and as far as I can see my system is clean. What caused this warning to appear? after running Spybot S&D the only entry was for the Windows Firewall bypass which I have excluded from further checks as I use a 3rd party (Comodo) firewall.

[spybotsandra]

Hello,

Probably you got this message: "the application has been changed since it was created since spybot does not change itself we recommend you check your sytem for malware and viruses instantly."

This is a little bug.

That message has been caused in the past by failing memory (RAM) and I suggest that you consider running a memory diagnostic program. If your system didn't come with diagnostic routines including a memory test there is one here:
http://www.memtest.org/

This links in our forum might also help:
http://forums.spybot.info/showthread.php?t=258
http://forums.spybot.info/showthread.php?t=10606

Best regards
Sandra
Team Spybot

[PepiMK]

Could you please let me know the exact message you received?

There are actually two different ones, one about the (SpybotSD.exe) file itself which already was a protection that 1.4 used, and the other one is a new protection mechanism to detect other applications trying to inject code into Spybot-S&D while it is running.

Message 1:

his application has been changed since it was created.
Since Spybot-S&D does not change itself, we recommend you check your system for malware and viruses instantly!

Message 2:

An outsider did inject malicious code into this application! It is strongly recommended that you do a full check-up of your system, including anti-malware and anti-virus scans.

[humberlad]

Many thanks for your speedy replies. It was message 2 that came up when I was downloading updates. I have done a full malware check and all scans have shown nothing untoward.

[humberlad]

Just to add i have now downloaded todays Spybot updates and run a scan and have not encountered any problems or malware detected. Could the message that popped up yesterday just have been a bug that has now ironed itself out

[humberlad]

re the following message:


Quote:
An outsider did inject malicious code into this application! It is strongly recommended that you do a full check-up of your system, including anti-malware and anti-virus scans.


Would it be possible to clarify why this message appears. Many thanks.

[MichaelGilbert]

Im getting the second message too.

here is a screenshot



scanned with nod32 clean

scanned with spybot received a firewall warning with is my fault as i use another option.

scanned with spyware doctor gives redhost infection..

spybot doesnt see redhost trojan... any reason why?


Michael..

[spybotsandra]

Hello,

This is a microsoft message.
We have implemented this tool as it should be needed for the vista certification.
But it shows to be buggy and does not make any sense, so we have already deleted it.

Here is the download file for the fix - the new Spybot beta:
http://www.safer-networking.org/file...15he-beta1.exe

Best regards
Sandra
Team Spybot

[PepiMK]

That message was added as part of our attempts to get Certified for Vista, and the reason why we didn't want that certification in the end.

Microsoft requires software to crash at this point - which we did not want, displaying just a warning.

The point here is that some kind of other application has tried to execute code as part of Spybot-S&D. This kind of code injection is usually done by bad software (e.g. to crash something), but sometimes also used by good software.
Spybot-S&D itself for example does something similar when you try to unload modules or handles on the process list - which usually is a bad thing if done automatically by software.
I've seen traffic analyzers (the analysis, non-spyware variant) that do inject themselves into running applications to monitor traffic.

So in the end, while this behaviour has been morally "banned" by Microsoft (and we do it only on request), it's not beyond reality that some other good software (antivirus, firewall, etc.) might use code injection for good purposes as well.

We've removed this error handling (since we decided to use a different error reporting system than Windows Error Reporting anyway) in beta 1.5.1.16 I think