SpyHunter/SpyNoMore detect Spybot immunise database as malware



redice
2007-01-22, 23:11
I recently noticed that my desktop icons had their names changed to 666. This prompted me to download various anti spyware scanners, looking for the malware that caused the change. Nothing more sinister than cookies were found by most of them, except SpyHunter and SpyNoMore who "found" various Zlob codecs and some dialler programs in my registry, under: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\

To cut a long story short, I finally discovered that they were detecting Spybot's immunisation database in the registry and reporting it as malware (asking for $$$ to remove it!).

Here is the thread for further info:

http://forums.spybot.info/showthread.php?t=10339

p.s. and if anyone can figure out the mystery desktop icon renaming thing, I will be mighty impressed and very grateful.
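
What the flagged `ZoneMap\Domains` entries encode, as an added example that is not part of the original post or of Spybot's own code: it parses a registry export of that key and separates hosts mapped to the Restricted sites zone (value 4, block entries) from hosts mapped to any other zone. It assumes Spybot's immunisation writes its hosts as zone 4 entries; the sample export, the host names and the function names are constructed for illustration.

```python
import re

# IE security zone numbers used as values under ZoneMap\Domains.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
PREFIX = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
          r"\Internet Settings\ZoneMap\Domains" + "\\")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample in .reg export format; hosts are placeholders.
_ROWS = [("blocked-example.invalid", "*", 4),
         ("dialler-example.invalid", "*", 4),
         ("example.invalid\\www", "http", 4),      # subdomain key
         ("trusted-example.invalid", "https", 2)]
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f'[{PREFIX}{key}]\n"{name}"=dword:{zone:08x}\n\n' for key, name, zone in _ROWS)


def parse_zonemap(reg_text):
    """Return {host: {protocol: zone_number}} for keys under ZoneMap\\Domains."""
    entries, host = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, host = line[1:-1], None
            if key.lower().startswith(PREFIX.lower()):
                # Domains\example.invalid\www means host www.example.invalid
                parts = key[len(PREFIX):].split("\\")
                host = ".".join(reversed(parts))
        elif host and (m := VALUE_RE.match(line)):
            entries.setdefault(host, {})[m.group(1)] = int(m.group(2), 16)
    return entries


def split_by_zone(entries):
    """Separate pure Restricted-sites blocks from entries worth a manual look."""
    blocked, review = [], {}
    for host, protos in entries.items():
        if all(zone == 4 for zone in protos.values()):
            blocked.append(host)
        else:
            review[host] = {p: ZONES.get(z, f"zone {z}") for p, z in protos.items()}
    return sorted(blocked), review


if __name__ == "__main__":
    blocked, review = split_by_zone(parse_zonemap(SAMPLE_REG))
    print(f"{len(blocked)} Restricted-sites block entries:", blocked)
    print("Entries mapped to other zones:", review)
```

A real export made with `reg export` is UTF-16 encoded, so read the file with `encoding="utf-16"` before passing its text to `parse_zonemap`.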

spybotsandra
2007-01-23, 12:45
Hello,

First of all, it is not advisable to use SpyHunter or SpyNoMore.

Spybot - Search & Destroy detects this software as malware:
There are anti-spyware tools like 1stAntivirus, AdArmor, Ad-Protect, AdsAlert, ADS-Remover, AdwareAlert, AdwareBazooka, Adware-Patrol, AdWare Pro, AdwarePunisher, Adware Remover, AdwareSheriff, AdwareSpy, AdwareX Eliminator, AgentSpyware, Alfacleaner, Antispywaresoldier, AntiVerMinsPro, Antivirus Gold, AntiVirusPro, BPS Spyware Remover, BreakSpyware, Contra-Spy, CyberDefender, DiaRemover, Doctor-Adware-Pro, DriveCleaner2006, Easy-Spyware-Killer, ErrorGuard, EDT-Security-Scanner, ErrorSafe, EyeSpyNow, Goodbye-Spy, KillSpy, MalwareAlarm, MrAntispy, MySpyProtector, NoAdware, PC-Health-Plan, Pestbot, PSGuard, PurityScan, Registry Cleaner, Repair Registry Pro, ScanSpyware, Spionfrei, SpyAxe, SpyBlocs, SpyCleaner, Spycontra, Spydeface, SpyDefence, SpyDestroy-Pro, SpyFalcon, SpyGuard, SpyHeal, Spyhunter, SpyMarshall, SpyNoMore, SpyOnThis, SpySherrif, SpySpotter, SpywareBomber, SpywareBot, SpywareCleaner, SpywareNO!, SpywareSheriff.FakeAlert, SpywareSoftStop, SpywareStormer, SpywareStrike, SpywareQuake, SpyQuake, SystemDoctor2006, Trek Blue Error Nuker, Trojan-Guarder, TrueSword, Virusblast, VirusBurst, VirusRescue, WareOut, WinAntivirusPro2006, WinFixer, WinHound, WinSoftware.Winsoftware.WinAntiSpyware2006, WorldAntispy, X-Con-Spyware-Destroyer, X-Spyware, XSRemover, YourSoft-AntiVS or YourSoft-AntiVT which have a very dubious or bad character. They claim to be anti-spyware tools but employ questionable advertising methods: in the form of a pop-up they offer a scan of your system. They report an infection of viruses and spyware on your system, which is actually not true, because the listed items are not really on your PC. After downloading the software you can only scan for the threats. If the threats (pseudo-infections) are detected, you have to register first and pay (up to $30) in order to remove them. Some of these dubious anti-spyware tools also create a toolbar in IE and create recurring pop-ups.

Screenshots are available at: http://board.protecus.de/showtopic.php?threadid=15694

You will find more dubious anti-spyware tools here:
http://spywarewarrior.com/rogue_anti-spyware.htm

So...do you still have the icon renaming?

Best regards
Sandra
Team Spybot

redice
2007-01-23, 14:12
Thanks for replying.

I am aware of SpyHunter's and SpyNoMore's dubious past (and by the look of things, present as well). The main reason for posting this was to inform Spybot users who may be using those two programs that their positive findings are questionable to say the least. I did notice at least one person on the "remove malware" forum have the same problem.

With regards to the 666 desktop icon renaming, they are still there. If you look at my first post in this thread
http://forums.spybot.info/showthread.php?t=10339
you'll see a more detailed description of what happened with the icon renaming. I don't seem to have any specific problems other than the rather unusually renamed icons; my main concern was that this was a symptom of something more worrying like e.g. a keylogger. However, a malicious program would hardly "advertise" its presence though?

redice
2007-01-23, 16:21
I might add that both SpyHunter and SpyNoMore are currently not on Spyware Warrior's rogue anti-spyware list, with both having been removed from the suspect list.

With regards to the icon renaming, it seems to have happened as a "one-off". I am in control of the icons and can move them, rename them and delete them. It was just that they were renamed in that rather sinister way, which would seem to indicate some kind of malicious software was involved. However, all reputable scans came back negative for significant malware, as documented in the linked thread above from the malware removal forum.

tashi
2007-01-23, 17:37
I might add that both SpyHunter and SpyNoMore are currently not on Spyware Warrior's rogue anti-spyware list, with both having been removed from the suspect list.

http://www.spywarewarrior.com/rogue_anti-spyware.htm#notes

Most recent additions: Ad Armor (1-9-07), Fixer AntiSpy (1-9-07), Spy Analyst (1-9-07), Spy Officer (1-9-07), Spyware Knight (12-28-06), SpySoldier (12-28-06), ContraVirus (12-26-06), BreakSpyware (12-26-06), CurePCSolution (12-26-06), SpyMarshal (12-26-06), SpyBuster (12-26-06), Mr.AntiSpy (12-26-06), MalwareWiped (12-26-06), MalwareAlarm (12-26-06), AntiSpy Advanced (12-26-06), AntiVermins (11-12-06), MySPyProtector (11-12-06), VirusBursters (11-12-06), PestCapture (10-5-06), DIARemover (10-5-06), VirusBurst (10-5-06), Spy Defence (10-5-06), SpyNoMore (10-5-06), CleanX (10-5-06), Spyware Remover (alwaysfreealways.com) (10-5-06) Bolding mine.

As to Spyhunter, it may have been removed from the Rogue list but it is not on the recommended list nor trusted by many in the security community.

redice
2007-01-24, 01:25
From the same website, next paragraph down.

Most recent de-listings: TrueSword (12-26-06), 1-2-3 Spyware Free (12-26-06), Maxion Spy Killer & MaxNetShield (12-26-06), SpyNoMore (11-10-06), Easy SpyRemover (11-10-06), PCSafe Adware Filter (11-10-06), SpywareBeGone & SpywareVanisher (10-5-05)

I don't know why I am posting this to be honest, you are making me look like I am defending those programs. I originally started this thread to warn about Spyhunter and SpyNoMore detecting false positives from Spybot's immunisation database.

tashi
2007-01-24, 05:27
Oh dear I missed that, sorry. :oops: But we do realise you are giving us a heads up and it is much appreciated. :bigthumb:

redice
2007-01-24, 17:47
No problem. :) Happy if I can help.

By the way, has anyone had a look at the linked thread and does anyone have an idea as to what may have changed my icons to 666? As I said before, I am not too bothered about the actual icons, as I can rename them. I am more concerned that something sinister might be lurking in the background.