ABetterInternet false positive?



MattJ
2007-01-14, 16:27
Hi,

I am using S&D ver 1.3 and I update my defs files and scan often. Yesterday, after updating all my defs to the latest, the scan found something called "ABetterInternet", which had 4 registry entries (sorry, I didn't save the exact details of those 4 entries).

I proceeded to fix that issue, then I rebooted and rescanned. I was surprised to see "ABetterInternet" was back. The registry value in question this time was:

========================
ABetterInternet: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
========================

I did more research into ABetterInternet, and found some sites that list what files/reg entries to remove in order to manually remove this spyware. I had none of the listed culprits.

Although this does appear to be a valid autorun entry, I won't have peace of mind until I know if this is indeed a false positive.

Thanks!
Matt

Buster
2007-01-15, 08:23
Hello Matt,

please take a look at Spybot's logs folder to find out which entries have been deleted by Spybot. Usually the logs folder can be found at "C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs" or "C:\Documents and Settings\your user name\Application Data\Spybot - Search & Destroy\Logs".
Which operating system do you run?

MattJ
2007-01-15, 15:09
Hi,

Here is the pertinent info from the log. Please let me know if you need more. I am running WinXP Pro SP2. Thanks! :)

ABetterInternet: Autorun settings (NvMediaCenter) (Registry value, fixed)
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter

ABetterInternet: Autorun settings (NvCplDaemon) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

ABetterInternet: Autorun settings (NvMediaCenter) (Registry value, fixing failed)
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter

ABetterInternet: Autorun settings (NvMediaCenter) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter

JPRainman
2007-01-16, 00:51
Hi Forum!

Ever since a recent download of definitions, etc..., when Spybot is run, it finds "ABetterInternet", cleans it, then after reboot finds it again. First time I ran Spybot after the download, there were two Reg entries:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
&
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

Now only the ...\Run\NvCplDaemon continues to reappear after reboot.

Really tired of trying to fix this (Google search: ABetterInternet) brings up a lot of sites, many of which say they analyze and fix the problem, then after scan, they want money to buy their 'fixit' part. (Censored Scream!)

How about the SpyBot gurus? Can you identify files or Reg values that initiate the replacement of the NvCplDaemon and associated files, in a soon to be released update, or at least help us identify files or Reg values to manually delete? Tried several 'solutions' found on the search engine, but so far, nothing has worked. Even did a system restore from early December (hoping whatever got in here was before that), but after updates, the damn thing reappeared. I've spent over 20 hours going nowhere. Please advise?

Win XP Pro SP2

JP

ray87801
2007-01-16, 06:11
Hi,
I also had Spybot version 1.3 start detecting the following very recently:

ABetterInternet: Autorun settings (NvCplDaemon) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon

Registry value is RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

I don't have the Nvidia media center installed, so no complaints about that registry setting.

Nothing was detected by another scanner. I uninstalled Spybot version 1.3 and installed version 1.4 and updated it. I no longer get this detection.

P.S. I should also note that I upgraded my Nvidia drivers to 93.71 recently.

ray87801
2007-01-16, 06:34
Hi again,
Oops, I forgot to mention that I believe NvCpl.dll is the NVIDIA Display Properties Extension (for the control panel).
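
A way to check entries like the one quoted above before treating a detection as a false positive, as an added example (not part of the thread and not Spybot's own logic): it lists the values in the three Run keys named in the posts, resolves the file each one loads, including the `RUNDLL32.EXE <dll>,<export>` form, and reports that file's Authenticode status, signer and SHA-256. It assumes PowerShell 4 or later in an elevated session; the helper name `Get-AutorunTarget` is hypothetical.

```powershell
# Added example. The three Run keys are the ones quoted in the thread's logs.
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: return the file an autorun command line actually loads.
function Get-AutorunTarget {
    param([string]$Command)
    # "RUNDLL32.EXE C:\dir\file.dll,Export": the DLL is the code that runs.
    if ($Command -match '^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,') {
        return $Matches[1].Trim()
    }
    # Quoted executable path followed by arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted: first token only (an unquoted path containing spaces is cut short).
    return ($Command.Trim() -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }          # key missing or not readable
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-AutorunTarget $command
        # Guard against an empty target before asking the file system about it.
        $exists  = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $target }
        [pscustomobject]@{
            Key     = $key -replace '^Registry::', ''
            Value   = $name
            Command = $command
            Target  = $target
            Status  = if ($exists) { $sig.Status } else { 'FileNotFound' }
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
            SHA256  = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash }
        }
    }
}
$report | Format-List
```

The signer and hash can then be compared against the vendor's published driver package, which says more about the file than the value name alone.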

JPRainman
2007-01-16, 16:33
Thanks for the solution! Upgraded to 1.4 (was somewhat reluctant to do so as it seems there are fewer settings options than in 1.3) but SpyBot no longer detects "ABetterInternet". Checked Regedit and the NvCplDaemon still exists, with values RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup, but I do have NVIDIA GEForce4MX 440 with AGP8X graphics card, so I guess it's all good now. What an excellent product + an excellent forum for solving problems. Thanks to the SpyBot staff and forum contributors!

Peace...

JP

tashi
2007-01-17, 01:14
Thank you for letting us know. :bigthumb:

physicsgrl
2007-01-17, 06:25
Is that official verification that this is a false positive? I'd prefer not to go on someone's guess if someone on the spybot team could possibly verify.

Buster
2007-01-17, 11:47
@mattj: Do you use Spybot 1.4 or an older version? If you don't use Spybot 1.4, please update.

MattJ
2007-01-18, 01:56
I use 1.3, but I'll upgrade to 1.4 ASAP. Thanks for the info, all. :)

-Matt