weird popup



Despise_Spyware
2006-02-06, 02:42
Every time I start up Spybot SD, an Internet Explorer page pops up that leads to this strange website in German. The website is labeled "Patrick Kolla's Website".

I was wondering if this was normal or if there is something wrong...

:confused: :confused: :confused:

MacSurf
2006-02-06, 14:10
Hello,

from which site did you get your version of Spybot-S&D?
Also please tell us the exact url of this site.

Despise_Spyware
2006-02-07, 00:12
I got my version of spybot from download.com..which I think was a legit site

also..spybot worked fine for a while..now it doesn't

it's version 1.4

unfortunately..I don't know the exactly name of the website..I didn't really check..and the website doesn't appear on my history list..I dunno why

I can describe the website though..it's a green website..with the spybot logo on it and on the side is a picture of a man's face

the entire webpage is in german. on the top it says "patrick kolla's website"

this used to only happen on one of my computers, but now it's happening on both

Despise_Spyware
2006-02-07, 03:21
okay..I finally got the url of the website

http://patrick.kolla.de/spybotsd.html

PepiMK
2006-02-07, 11:36
That's really weird :(

* patrick.kolla.de is my private website.
* that logo is my private logo, not the spybot one ;)
* this thing is probably at least a few weeks old - I do not have any Spybot-S&D related page on my website any more. The page you saw was a standard "404" (page not found) error page. I've now replaced it with a page telling people that there's something wrong.
* why would I put a popup to my private site into Spybot? That would be useless - it's even in German so most people wouldn't be able to read anything!

My suspicion:
Some malware is showing those popups when Spybot-S&D is running. This should make people believe that the popup was coming from Spybot-S&D, thus causing them to uninstall Spybot-S&D (to get rid of the popup), so that this malware can run free without being removed by us.

My suggestion:
Find that piece of malware. Either here (e.g. by posting a RunAlyzer or HJT log), or if you don't trust us, at some other respectable place. But in any way, please keep us up to date!

Despise_Spyware
2006-02-08, 02:00
well I ran spybot and it found a bunch of tracking cookies and things like that...

after deleting those tracking cookies, the website hasn't popped up...yet

however, it was happening on both of my computers, and it hasn't stopped on the other computer

I'll scan the other comp with HJT soon as possible...

Zoraster
2006-02-08, 02:15
I have the same thing. Using Windows NT 4 SP6. Firefox 1.5. The Spybot application was installed when the latest version was released. Only saw it start firefox once. I attached a hijackthis log if that will help.

bigmoe
2006-02-08, 06:30
i just got this error too..
fresh winxp install on a machine, avg, then windows rego, then mobo drivers, then ad-aware and spybot, all off the same disc ive been using for the last 2 months or so... first time ive seen it.. :confused:

PepiMK
2006-02-08, 10:52
Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!

Do you know this file, is this something you intentionally installed?

If you don't know it, it would be nice to mail it to detections@spybot.info . Choose "patrick.kolla.de/spybotsd.html" or something like that as the subject so we'll be able to pick it out asap. There's also a CodeRed removal tool by Symantec (http://www.symantec.com/avcenter/venc/data/codered.removal.tool.html) (we don't like those guys, but it was the first removal tool I found :D ).

By the way, did you say it started Firefox for that popup even? Hmmm. I've checked my code. http://patrick.kolla.de/spybotsd.html hasn't been used as a link for Spybot-S&D since eons ;) If you intentionally click on my logo, it'll show the main page - but you may have noticed my logo is quite hidden, so you'll never click it by accident.

@Despise_Spyware & bigmoe: please check if you've got the probable CodeRed trojan as well! Just look on the Processes tab of the Windows Taskmanager for a CodeRed.exe.

Pepster
2006-02-08, 14:18
After getting this mysterious popup and not finding CodeRed.exe in my running processes.

I noted this popup also occurs when the blue banner/link shown on the initial screen of spybot version 1.4 is clicked, is this intentional? or a simple cause for this mysterious popup?

PepiMK
2006-02-08, 14:34
The blue banner will indeed open a browser that leads to http://www.safer-networking.org/ , or, if you use a skin, a URL that is defined inside the skin. The cursor should change to a hand to show you there's a link behind it.
Old skins may point to http://security.kolla.de/ , but from there you'll get forwarded to http://www.safer-networking.org/ as well. There are only three skins that point to this old address (Reloaded, Cactus, Matrix). I'll have to ask the Team member who should have created a skin page on our own website months ago why it isn't there yet (probably because there have been more important things).

The difference:
* The method - clicking the logo is different from an automated popup.
* The cloaking - according to Despise_Spyware, the page didn't appear in the history - what a click on the logo would do would be a simple open of the page without any hiding. Or maybe he didn't find it ;)
* The URL - unless you use one of these old skins (which are not even available currently), a click on the logo wouldn't get you to that page.


Suggestions:
* Check if you use one of those three skins (Reloaded, Cactus, Matrix)
* If this regularly happens, try to avoid clicking the logo at all cost ;) and see if it still happens :cool:

Zoraster
2006-02-08, 18:01
Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!

The codered you see in my log is legit. This machine is in a firehouse and we use Code Red alert system

http://coderedsoftware.com/

I always start Spybot from the desktop shortcut icon. This machine also has Internet Explorer removed :) due to a lack of security updates from our IT department, so Firefox is the default browser. I have not had the problem repeat on this machine since the first time I saw it happen yesterday. I have Spybot on another machine in the station. I installed Spybot on the same day and update it always the same date and it has not opened the browser on that machine yet. I have scanned using Spybot multiple times and nothing is found on either. No viruses or trojans reported by Norton antivir or AVG.

The Digital Pioneer
2006-02-08, 18:57
Hello.

I also get this popup. It links to a page which links me here. I have only gotten it once, but if I click the opening banner, it takes me there again. I use Fx 1.5.0.1, with Spybot: S&D 1.4. I scanned for Codered, but did not find it. This was probably a waste of time, though, because the original Codered alert was a firehouse program... LOL

This does not seem to be an ongoing problem, but if that page is never supposed to be opened, how did it get integrated into S&D's programming? The default skin isn't in the skins directory. Might this just be a bug in the program?

PepiMK
2006-02-08, 21:59
An Alert System? I think too much in malware terms obviously :D
Thanks for the info :)

A long time ago, in a land far far away... hmm... sorry, wrong script :D

Around 2000, Spybot-S&D was just one of a couple of small projects on my private website ( http://patrick.kolla.de/spybotsd.html ). When I started to need help, it grew to a project the office helped with ( http://security.kolla.de/ ), and grew larger and larger ( http://www.spybot.info/ ). Then we founded the Safer Networking ( http://www.safer-networking.org/ ).

When I introduced skins (I guess around 1.0), the link may still have been up to date. Back then, it made sense to link to that page for more info. I put the functionality to update the link on that logo into skins (for example I made skins for a spanish security event, which then linked to the website of that event) - but that means that very old skins may still have the old URL. I need to update the skins I guess ;)

The default skin isn't a file, but hard-coded into the application. That one uses ... hey, you're good! Guess that was the proper question. Since the default skin is included in binary format, I couldn't find the URL with a plain text search there. I'll try to look up if that's the case.

Anyway - doesn't explain popups ;) The "splash image" click doesn't get executed anywhere automatically. Only when you click the logo on the first page or on the info page.

I only find it interesting that right now, there are quite a few people having the same, but no one ever told about this in in the past years since that old URL was outdated. Either people didn't care (until now that the old file does no longer exist since I replaced my private site with a completely new one), or it didn't happen before.

Skyrider
2006-02-08, 22:33
I had this popup also, at least I don't remember clicking anything.

I have Spybot, and next to it also ad-aware.
I scanned with ad-aware after this popup and found a registry key 'SpywareNo'

This is the info about it:

Name: SpywareNo
Category: Misc
Object Type: Regkey
Size: 0 Bytes
Location: ...\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}\
Last Activity: 8-02-2006
Relevance: Low
TAC index: 7
Comment:
Description: Program masks as doing one thing, but does another by using false positives detections to trick the user into buying the commercial version. Privacy policy not disclosed to the user prior to installation, stealth install and bundled with 3rd party software and installation is not disclosed to the user.

Don't know if this has to do something with this problem, but I found it very odd to still detect something malicious, since a normally don't detect anything.

I hope this might help you out.

rosie
2006-02-08, 23:41
I only have the pop-up when I press for updates, not when I start Spybot. When I press update for a second time I get the normal reaction (i.e. the update). This has happened for the last week - rather strange :shrug:

Zoraster
2006-02-09, 00:11
I only had it happen once. Others have it happen multiple times. Some get it when Update is selected. I had it happen by simply starting the application (Firefox actually launched before Spybot finished its loading window). All reports of this are from this week and if it is malware causing this we can expect to see more. If Malware is on this system and I cannot detect it and If said malware can cause one program to launch another undetected how vulnerable are we? I do not think I will be buying anything on ebay on a Windows box soon.
Has Spybot ever had a feature to launch the default browser for any reason such as alerts, news or product updates?

The only other odd behavior present on both systems here is that when I run Immunization it always reports a certain number of immunizations are not active and to immunize now. I then run immunize and all seems fine but recheck shows the same number disabled. This is on both machines but both show a different number of immunizations that will not take hold (same database and versions on both). This is not new and seems to happen on all the Windows NT boxes we have. I do not think this behaviour is related.

Despise_Spyware
2006-02-09, 04:38
for me it doesn't happen every time...just occasionally

cyborg4fun
2006-02-09, 06:05
I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue? Solution? Help! Thanks. :scratch:

md usa spybot fan
2006-02-09, 06:10
cyborg4fun:


I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue?
Most people have at one time or another.


Solution?
"Bad Checksum" problems are usually caused by overloaded download servers.

To change download servers and for a workaround for "Bad Checksum" errors please see:
http://forums.spybot.info/showpost.php?p=345&postcount=2

Note: The download server can be changed after the "Search for Updates" and before clicking "Download Updates". So if you find a server that works well, you can start by using that server in the future. Also note that if you want (not necessarily recommended) you can select a server and then right click on the button and "Set this server as the preferred download location". If you do that Spybot will select that server rather than a random server for future updates.

Additional information:
When updating, why do I get an error message that the "update is forbidden" / "bad checksum!!!"?
http://www.safer-networking.org/en/faq/20.html
How to update the program to the newest version
http://www.safer-networking.org/en/howto/update.html

Pepster
2006-02-09, 14:22
The blue banner will indeed open a browser that leads to http://www.safer-networking.org/ , or, if you use a skin, a URL that is defined inside the skin. The cursor should change to a hand to show you there's a link behind it.
Old skins may point to http://security.kolla.de/ , but from there you'll get forwarded to http://www.safer-networking.org/ as well. There are only three skins that point to this old address (Reloaded, Cactus, Matrix). I'll have to ask the Team member who should have created a skin page on our own website months ago why it isn't there yet (probably because there have been more important things).

The difference:
* The method - clicking the logo is different from an automated popup.
* The cloaking - according to Despise_Spyware, the page didn't appear in the history - what a click on the logo would do would be a simple open of the page without any hiding. Or maybe he didn't find it ;)
* The URL - unless you use one of these old skins (which are not even available currently), a click on the logo wouldn't get you to that page.


Suggestions:
* Check if you use one of those three skins (Reloaded, Cactus, Matrix)
* If this regularly happens, try to avoid clicking the logo at all cost ;) and see if it still happens :cool:

I use just the default skin; the popup occurred when I was updating. So I figure that it was probably a misclick on my part that caused it to happen. Still, it is odd.

Pietje
2006-02-09, 20:28
For me the same problem with the default skin. Clicked the logo accidentally.

This sudden strange behaviour also seems to do something else.......

It tries to add: "csx.adservs.com" into your trusted sites list....
Be aware.....

Has anybody already found out what's going on?

PepiMK
2006-02-10, 11:42
@Pietje: let me guess? Microsoft AntiSpyware is telling you that thing about the trusted sites? Then you're using a veeeery old version of that. That was indeed a false complaint by MS AntiSpyware - Microsoft didn't know the difference between "trusted" and "restricted" sites :D

To those who have the problem with the default skin even: are you long-time Spybot users, and always have installed over previous versions? I'm just trying to think if there was some very old version that had the default skin with a bad URL still shipped as a file instead of having it integrated. Or did you test some beta in the past maybe ('cause I've just checked 1.0, 1.1, 1.1.3, 1.1.4, 1.2, 1.3 and 1.4 and they didn't)?

Pietje
2006-02-10, 14:22
@ PepiMK: No, it's the latest version of Webroot Spy Sweeper that's warning me........ The warning pops up directly after launching Spybot.

I included a screencap:
http://i1.tinypic.com/ngr0io.jpg

Furthermore, I first installed Spybot approx 2 months ago and kept it up-to-date. No participation in any beta releases.

Capndon
2006-02-12, 07:34
I got the same thing here too. O yea this is my first time on this forum but i've been using S&D for years now. Really love the software.

I've seen that the link is taking me to that website too. No adware, malware, viruses..............nothing. Tried online scans, Ad-Aware, Bazooka, A2-Online & Personal, Microsoft AntiSpyware, Bit Defender, Housecall Antivirus scan, McAfee Online Scan, Jotti Online Scan & just about every other online scan I could find & my system is clean. So I guess it's the update to the skin at your end then :)


No website additions or no popups no nothing here. Clean & tidy desktop :)

-Regs
Capndon

james_152
2006-02-12, 21:42
on a clean-install - just booted up and only just plugged in to download updates for 2 minutes -
I have installed: Clamwin 0.88, MS AntiSpyware 1.0.701, and then I installed spybot 1.4, and poof - got that 'popup'...
It's funny, usually I install ClamWin, SpybotSD, then MS AntiSpyware, and I've never had a popup... but this time, I install MS BS first before SpybotSD and get the popup?...

just thought I would share :)

Pietje
2006-02-12, 22:38
Interesting james_152........

However, the installation order does not seem to matter in my case.
In my case MS BS has been installed after installation of SpybotSD.

Anyway, It's not old.... it's new, the "problem" or whatever we are talking about....

Despise_Spyware
2006-02-14, 05:11
only started happening to me since january

Pietje
2006-02-22, 22:05
And it still happens..... but every time with another domain (see screencap)

http://i1.tinypic.com/oaput0.jpg

Every time I start Spybot. :-(
No other program has this problem on my machine at this time.
Rootkitrevealer draws blanks, as does PC-cillin, Webroot spysweeper, Spybot, etc.

What's going on :scratch: ? Any ideas?

md usa spybot fan
2006-02-22, 22:58
Pietje:

The site uvu-channel.com is added to the restricted zone by Spybot during immunization by adding the following Registry entry.


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uvu-channel.com]
*=dword:00000004
I don't quite understand how Spy Sweeper can misinterpret this entry as a possible threat, and why this pop-up is received "Every time I start Spybot." since that registry entry is only added when you "Immunize" within Spybot (SpybotSD.exe).
I suggest that you contact Webroot and report it as a false positive.

Incidentally, Spybot also includes the following two HOSTS file entries (in the "Advanced mode" "Hosts file" feature of Spybot) to prevent access to uvu-channel.com related sites:
127.0.0.1 www.uvu-channel.com
127.0.0.1 uvu-channel.com
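The post above explains the two mechanisms behind the Spy Sweeper alert: a ZoneMap registry entry whose dword value 4 puts a domain in the Internet Explorer "Restricted sites" zone (a value of 2 would be "Trusted sites"), and HOSTS entries that point the domain at 127.0.0.1. The script below is an added example, not code from the thread or from Spybot-S&D. It parses a constructed .reg-style dump and a constructed HOSTS fragment (both assumed, built to look like the entries quoted above) and reports which zone each domain actually lands in, so a defender can tell a "restricted" immunization entry from a genuine "trusted sites" change before dismissing or acting on an alert.

```python
"""Classify IE ZoneMap entries and HOSTS sinkholes from text dumps.

Added example for the thread above; not Spybot-S&D code. Inputs are
constructed samples in the shape of the registry and HOSTS lines quoted
in the post.
"""
import re

# URL security zone ids used by the ZoneMap\Domains values.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed .reg-style text (assumed sample, same shape as the post).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uvu-channel.com]
*=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\csx.adservs.com]
*=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"http"=dword:00000002
"""

# Constructed HOSTS fragment (assumed sample, same shape as the post).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 www.uvu-channel.com
127.0.0.1 uvu-channel.com
"""

KEY_RE = re.compile(r"^\[.*\\ZoneMap\\Domains\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"?(\*|http|https|ftp)"?=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text):
    """Return [(domain, scheme, zone_id)] from a .reg-style dump.

    Scheme '*' applies to every protocol; a quoted name such as "http"
    applies to that scheme only.
    """
    entries = []
    current_domain = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_domain = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_domain is not None:
            scheme, hex_value = value_match.groups()
            entries.append((current_domain, scheme, int(hex_value, 16)))
    return entries


def domains_in_zone(reg_text, zone_id):
    """Sorted domains that have at least one value mapping them to zone_id."""
    return sorted({d for d, _, z in parse_zonemap(reg_text) if z == zone_id})


def describe(reg_text):
    """One readable line per entry, suitable for a triage note."""
    return [
        f"{domain} ({scheme}): zone {zone} = {ZONE_NAMES.get(zone, 'unknown')}"
        for domain, scheme, zone in parse_zonemap(reg_text)
    ]


def sinkholed_hosts(hosts_text):
    """Hostnames a HOSTS file points at 127.0.0.1, excluding localhost."""
    names = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "127.0.0.1":
            names.update(n for n in parts[1:] if n != "localhost")
    return sorted(names)


if __name__ == "__main__":
    for line in describe(SAMPLE_REG):
        print(line)
    print("restricted:", domains_in_zone(SAMPLE_REG, 4))
    print("trusted:", domains_in_zone(SAMPLE_REG, 2))
    print("sinkholed in HOSTS:", sinkholed_hosts(SAMPLE_HOSTS))
```

On a live machine the same logic applies to a `reg export` of the ZoneMap\Domains key and to %SystemRoot%\System32\drivers\etc\hosts; an entry that shows up only in zone 4 is a block, and an alert about it is the kind of false positive the post suggests reporting to the vendor.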

stevek
2006-02-22, 23:11
Pietje

I also have Spy Sweeper and received the notice regarding "csx.adservs.com". I allowed the change and checked "always take this action", as it was my understanding that Spybot was adding "csx.adservs.com" to my restricted sites.

After seeing your post, I checked my restricted sites through IE explorer/properties/security and confirmed that both "csx.adservs.com" and "uvu-channel.com" are there.

I do not remember seeing the "uvu-channel.com" alert, but it may have come up when I recently reinstalled Spy Sweeper because of other problems.

The notice from Spy Sweeper does not say that Spybot is trying to add these to trusted sites; it says that Spybot is trying to change the settings for these sites. Spybot is changing the settings to "restricted sites".

I first ran across this type of conflict when installing SpywareBlaster and it was adding "0190-dialers" to restricted sites; both Spybot and Spy Sweeper came up with warnings.

Hope this helps.

Pietje
2006-02-22, 23:31
Thanks for the answers......

But, indeed. Spysweeper reports the attempted change, as soon as I double-click the Spybot Icon. Just to launch Spybot. So, even before I start a sweep, or even more, before I see the Spybot initial screen.

Is this normal behaviour?

stevek
2006-02-23, 00:19
Pietje

I do not know if Spybot and SpywareBlaster work the same, but I used to get a popup from Spy Sweeper about the 0190-dialer every time I opened SpywareBlaster, until I allowed and checked "always take this action".

I thought they had resolved the adservs in an update-they seem to be a little behind everybody on adding restricted sites.

Pietje
2006-03-14, 23:15
Thanks for the answers guys.
I'm somewhat less concerned now.

Really appreciate it.

Pete (FI)
2006-08-06, 15:13
<snip>
By the way, did you say it started Firefox for that popup even? Hmmm. I've checked my code. http://patrick.kolla.de/spybotsd.html hasn't been used as a link for Spybot-S&D since eons ;) If you intentionally click on my logo, it'll show the main page - but you may have noticed my logo is quite hidden, so you'll never click it by accident.
<snip>



Have intermittently experienced the same as the other posters.

It would appear that the launch of the default Internet browser targeting for URL http://patrick.kolla.de/spybotsd.html is caused by clicking the GUI of Spybot S & D in a specific, particular position.

Motivation: Have experienced the phenomenon several times (intermittently). Every time I have experienced it, I have clicked Spybot's GUI, either accidentally, or deliberately in order to refresh Spybot's GUI on top of GUIs for other SW on the desktop. The other program's GUI in my case is usually that of SpywareBlaster.

The speculations about malware causing the phenomenon are possibly more exciting than this straightforward rational cause of the phenomenon.

However, am happy to make a bet on the correct explanation for the phenomenon at least on my system. ;)

Have a clean system, and the launch of the default Internet browser targeting for the URL http://patrick.kolla.de/spybotsd.html only occurs when clicking the GUI of Spybot S & D in a specific place.

Hence, the reason for the phenomenon should be simple and clear.

Please research once more the Spybot S & D's code for the explanation.


"Everything must be taken seriously, nothing dramatically."
Louis Adolphe Thiers (1797-1877); French statesman, historian

md usa spybot fan
2006-08-06, 16:30
Please research once more the Spybot S & D's code for the explanation.


"Everything must be taken seriously, nothing dramatically."
Louis Adolphe Thiers (1797-1877); French statesman, historian

The following text string is in the code for SpybotSD.exe (File version: 1.4.0.3) at 003160C4:


http://patrick.kolla.de/spybotsd.html
Much Ado About Nothing
Comedy by William Shakespeare.
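The finding above (a URL string present in the executable at a fixed offset) is the kind of evidence that settles whether a browser launch comes from the program itself or from something else on the machine. The script below is an added example, not code from the thread or from Spybot-S&D: it runs a strings-style scan over a constructed byte blob (assumed stand-in for an executable; the URLs placed in it are the two already named in this thread) and reports the offset and encoding of every URL it finds, in both narrow ASCII and the UTF-16LE form Windows resources commonly use.

```python
"""Locate embedded URL strings in a binary image and report their offsets.

Added example; not code from the thread or from Spybot-S&D. SAMPLE_BINARY
is a constructed blob that stands in for a program file.
"""
import re

MIN_LEN = 6  # shortest printable run worth reporting, as in `strings -n 6`

# Runs of printable ASCII, and runs of printable chars in UTF-16LE form.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# URL matcher applied to decoded text.
URL_TEXT_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")

# Constructed sample "binary": a fake header, a NUL-terminated ASCII URL,
# some filler, then a UTF-16LE URL, then padding.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"http://patrick.kolla.de/spybotsd.html\x00"
    + b"\xff" * 8
    + "http://www.safer-networking.org/".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
)


def ascii_strings(data):
    """Yield (offset, text) for printable ASCII runs, like `strings -t d`."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")


def wide_strings(data):
    """Yield (offset, text) for UTF-16LE runs of printable characters."""
    for m in WIDE_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_urls(data):
    """Return sorted [(byte_offset, url, encoding)] for every URL in data.

    For UTF-16LE text each character is two bytes, so the offset inside a
    decoded run is doubled to get back to a byte offset.
    """
    found = []
    for off, text in ascii_strings(data):
        for m in URL_TEXT_RE.finditer(text):
            found.append((off + m.start(), m.group(), "ascii"))
    for off, text in wide_strings(data):
        for m in URL_TEXT_RE.finditer(text):
            found.append((off + 2 * m.start(), m.group(), "utf-16le"))
    return sorted(found)


def report(data):
    """Format hits as 'offset  encoding  url' lines, offset in hex."""
    return [f"{off:08X}  {enc:<8}  {url}" for off, url, enc in find_urls(data)]


if __name__ == "__main__":
    for line in report(SAMPLE_BINARY):
        print(line)
```

To apply this to a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_urls`; a URL that appears in the output is compiled into the file, whereas a URL that only ever appears in a popup with no match in the binary points elsewhere on the system.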

Pete (FI)
2006-08-06, 18:09
The following text string is in the code for SpybotSD.exe (File version: 1.4.0.3) at 003160C4:


http://patrick.kolla.de/spybotsd.html
Much Ado About Nothing
Comedy by William Shakespeare.


Ditto! :laugh:


"Take nothing on its looks: take everything on evidence.
There's no better rule."
Charles Dickens (1812-1870); English novelist, dramatist.

edm_tech
2006-12-19, 06:37
What is this?

res://msscsi.dll/RC/104

That is where my browser is directing the popup to initially.

Pete (FI)
2007-03-21, 22:12
What is this?

res://msscsi.dll/RC/104

That is where my browser is directing the popup to initially.

Sorry for the late reply.

Do you use Mozilla Firefox as your browser?

If you do, could it be you are infected (with NSIS Media)?

Please look at, e.g., http://kichik.net/2006/12/09/more-evil-files/ (and http://forums.mozillazine.org/viewtopic.php?t=432846).

Best of luck!

-Pete

"They believe that nothing will happen
because they have closed their doors."
Maurice Maeterlinck (1862-1949); Belgian author.

r godfrey
2007-08-24, 19:52
Happened to me today; first time. Which led me to this interesting discussion. I am amused by the appropriate literary references.
My thought is more philosophical than technical analysis. I have wondered about the limits of the internet. If it is infinite then I suppose it's a non-issue. On the other hand, if it is finite, the statistical likelihood of collisions & other undesirable interactions will increase. I wonder if this "crowding" is worsened by redundancy; i.e. do "updates" replace or do they exist of themselves? If a program is written on a particular platform does it inadvertently include residual "marks", like the unique "tool marks" on a machined part? In some future Asimovian world will sophisticated "AI" have "dna"?