Dangerous bug or hacked install or ??

methusalem
2007-10-07, 17:37
:banghead:
Hi !
Just downloaded and installed Spybot S&D from safer networking server. Version 1.5. After immunizing, my PC started contacting all sites in the hosts file !!!
This was in turn blocked by my Spysweeper, so no harm done,- but why in H... does it behave like this ? It seems to me that this was exactly the opposite of what it should do... It should block these sites,- not contact them !
I thought this could be a virus in my PC exploiting the hosts file. I then ran complete scan with AVG, Swat it, Adaware and Spysweeper + an online scan with Symantec.
Nothing found..
I have now uninstalled Spybot S&D and cleaned the hosts file. I will wait with a new installation until somebody can tell me what happened !
Until then Spybot S&D is on my malware list !
Any help out there ??

md usa spybot fan
2007-10-07, 18:09
Your PC is not contacting any sites during immunization and SpySweeper is not protecting you from anything.

The fact is that SpySweeper is misidentifying the entries that Spybot is trying to add to your system to protect you from malware.

One solution is to shutdown SpySweeper before immunizing with Spybot as barebear ( http://forums.spybot.info/member.php?u=7628) recommended in this thread:
Can't immunize some items?
http://forums.spybot.info/showthread.php?t=18122

methusalem
2007-10-07, 18:24
Well...
That could be.. but my Zonealarm showed a lot of network traffic going on..
This could of course be internal traffic over localhost,- detected by ZA as network..(?)
I will do as you say and try to immunize with spysweeper shut down. I will monitor network traffic on my router then, and see what happens..I will also monitor netstat.
Why do you say "spysweeper is not protecting against anything " ? Is that referring to Spysweeper in general or just what actually happened here ?

md usa spybot fan
2007-10-07, 18:46
Why do you say "spysweeper is not protecting against anything " ? Is that referring to Spysweeper in general or just what actually happened here ?

What happened here. You originally indicated:

… This was in turn blocked by my Spysweeper, so no harm done, …

I was trying to indicate that rather than protecting you, Spysweeper was having the opposite effect by blocking entries that are designed to protect you.

methusalem
2007-10-07, 19:04
Shut down Spysweeper. Opened network monitor. Started immunizing. Loads of external network traffic !
Looked at LAN monitor on router. Looked at WAN monitor on router ( using CDMA accesspoint/router) Loads of external traffic between LAN and WAN. My PC is only one on local net ( protected by WPA2) , so only source of traffic is between my PC and internet.
No other programs running -no updating going on, no other traffic source . For some reason netstat showed nothing...
As I said,- there could be something else exploiting my hosts file.. I am not specifically pointing to S&D.
As I have classified software on my PC, I now have to block that from net access ( remove external drive....) and contact our security officer..
I guess he will come up with some answers and take appropriate action.
Until then-no Spybot S&D here...
Could you please give me some hints as to what kind of infection this could be ? One that will not be found by AVG, Ad Aware, Swat it , Spysweeper or Symantec ??
Please again note that I am not pointing fingers at S&D.
I just have to keep my hosts file clean until this is solved...

md usa spybot fan
2007-10-07, 19:48
In Spybot 1.5 it appears that SpybotSD.exe, where immunization, scans, etc. are done, no longer connects to TCP/IP. Only the update program SDUpdate.exe appears to.

methusalem
2007-10-07, 20:28
Hmmm.....
Something fishy is going on.
Uninstall Spybot again- clean hosts file - no traffic.
Install Spybot - Immunize - loads of external traffic-
And, of course, everything slows down . I have seen the remarks about slow-down with firefox after immu . Wonder if they have monitored traffic ?..
I am by the way using IE7.
Uninstalled AVG,- installed NOD32 - full scan - still nothing found. Manual entries to hosts done . Should activate a possible exploit. But nothing happens !
Install Spybot again,- loads of external traffic. Should indicate that the problem is in Spybot. Had it been another infection it should exploit the manually generated hosts file also. It did not ! So this time logic will point to Spybot S&D . When a manually generated hosts file is in place and nothing bad happens before S&D is installed I can find no other answers. By the way: Spysweeper was uninstalled during last test.
Your answer was, by the way, not very helpful to me...
Pure logic tells me : This time I am VERY worried about Spybot v1.5 !

md usa spybot fan
2007-10-07, 22:00
Install Spybot again,- loads of external traffic. Should indicate that the problem is in Spybot.

But you haven't indicated from who or what the internet traffic is from and evidently don't believe me when I tell you it is not from SpybotSD.exe 1.5.x.xx.

Your answer was, by the way, not very helpful to me...

Sorry, maybe someone else can help.
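The open question in the two posts above is which process the traffic actually belongs to, and whether it leaves the machine at all: a hosts-file blocklist entry maps a name to 127.0.0.1 (or 0.0.0.0), so "traffic to" those names never reaches the internet. The following is an added illustration, not code from the thread or from Spybot: it parses the text format of Windows `netstat -ano`, attributes each connection to a process by PID, and separates loopback connections from external peers. The netstat output and the PID-to-image-name map are constructed samples (a real run would take the map from `tasklist`).

```python
"""Attribute netstat connections to processes; separate loopback from external.

Added example. Input is the text format of `netstat -ano` on Windows;
the sample below and the PID -> image name map are constructed, not captured.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (PIDs and addresses are made up).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1041         127.0.0.1:80           SYN_SENT        1200
  TCP    127.0.0.1:1042         127.0.0.1:80           SYN_SENT        1200
  TCP    192.168.1.10:1055      203.0.113.7:80         ESTABLISHED     1200
  TCP    192.168.1.10:1060      198.51.100.22:443      ESTABLISHED     1388
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PIDS = {1200: "SDUpdate.exe", 1388: "iexplore.exe", 4: "System"}


def parse_netstat(text):
    """Yield (proto, foreign_host, foreign_port, pid) for each socket with a peer."""
    for line in text.splitlines():
        parts = line.split()
        # Skip banner, header and blank lines; only TCP/UDP rows carry sockets.
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        foreign = parts[2]
        if foreign == "*:*":
            continue  # unbound UDP socket: no peer to attribute
        host, _, port = foreign.rpartition(":")
        yield parts[0], host, int(port), int(parts[-1])


def peers_by_process(text, pids):
    """Map image name -> {'loopback': count, 'external': sorted peer list}.

    Connections to 127.0.0.0/8 (what hosts-file blocklist entries resolve to)
    stay on the machine, so they are counted rather than listed as peers.
    """
    summary = defaultdict(lambda: {"loopback": 0, "external": set()})
    for _proto, host, port, pid in parse_netstat(text):
        name = pids.get(pid, f"pid {pid}")
        if ipaddress.ip_address(host).is_loopback:
            summary[name]["loopback"] += 1
        else:
            summary[name]["external"].add(f"{host}:{port}")
    return {n: {"loopback": v["loopback"], "external": sorted(v["external"])}
            for n, v in summary.items()}
```

Run on a live capture, the external list per image name is the evidence a firewall log alone does not give: a process with many loopback attempts and no external peers is hitting hosts-file entries, not the internet.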

methusalem
2007-10-07, 23:38
Well,- I have no idea really...
another strange thing :
I tried to install again, and tracked traffic when the update manager was up. And here are the sites that Spybot S&D
updated from :
balconblick.com
old.ccrdude.com
TD3.net
servercompetenz.net
If you check these on whois you will find that 2 of them are not registered. At least according to internic . One of them is registered on Bahamas and one in US
!!!!
It is now obvious to me that my Spybot install files have been infected or changed. If this happened on the safer-networking server, or in the transfer process or here, I can not tell you.
This case is now transferred to our security team.
They also got a copy of my install files. I think this is very sad,
I liked Spybot very much. I am sorry.:sad: