PDA

View Full Version : Problems in Spybot S&D Includes-trojanC



krishmura11
2008-04-23, 05:50
Hello,

I am using Spybot S&D for over 4 years now without any problems. I am using only Spybot S&D 1.4 Version as 1.5.2 at the time of Installation, starts Downloading further Files which is Dead slow and so far I am not successful.

From the last 5 days after I downloading latest updates of 17/19 April, 2008, I am getting a Dialogue Box(Warning) at the fag end of Scanning(When I svan my Computer with Spybot S&D, almost when the scanning is about to complete)which says that there are problems in Includes/TrojanC file or some thing like that. I Uninstalled Spybot and again Downloaded it afresh and installed it and updated and immunised it. Then I started Scanning and again at the fag end of Scanning, I am getting the same warning. I repeated Uninstalling and again Installing for 3 Times, but that waning keeps coming.

What should I do?

krishmura11
2008-04-23, 08:38
I tried the methods suggested in the thread:
http://forums.spybot.info/showthread.php?p=184966#post184966
but could not get my problem solved. My problam is still there.

Yodama
2008-04-23, 08:40
hello,

this is an issue related to new detection rules which are not compatible with Spybot S&D 1.4 , however this will not hamper the current working of Spybot S&D 1.4. The best way to deal with this is to update to Spybot S&D 1.5.2.

Edit:
please download all plugins for Spybot 1.5.20, the TCP/IP settings plugin is not enough.

Edit 2:
to be more precisely, install the root kit plugin, if you have Spybot S&D 1.5.2 , do not install it if your version is earlier

krishmura11
2008-04-23, 08:45
hello,

this is an issue related to new detection rules which are not compatible with Spybot S&D 1.4 , however this will not hamper the current working of Spybot S&D 1.4. The best way to deal with this is to update to Spybot S&D 1.5.2.

Edit:
please download all plugins for Spybot 1.5.20, the TCP/IP settings plugin is not enough.

Hi Yodama,

Thanks for the prompt reply. I very much want to upgrade to Spybot S&D 1.5.2.but not able to. But I am ver happy to know that "however this will not hamper the current working of Spybot S&D 1.4.". This means that inspit of getting that waning my Spybot is doing its duty and my Computer is safe.

Thanks

Lancer
2008-04-25, 04:54
I have to stay with 1.4 for now too, Krish. 1.5.2 slows me down too much.:sad:

laxkwalaams
2008-04-25, 10:35
I HAVE 1.4,AN THE LAST WEEK OR SO WHEN I WOULD PUT ON SCAN, SEE INCLUDE ERRORS LOG WOULD POP UP,CLICK ON LINKS AN FOLLOWED INSTRUCTIONS,AFTER DOWNLOADING TCP/IP SETTINGS PLUG IN,SCANNED IT AGAIN AN IT HAPPENED AGAIN SEE ERRORS LOG ,ETC,ETC.SO WHAT CAN I DO ????:scratch:

Terminator
2008-04-25, 11:56
See HERE (http://forums.spybot.info/showthread.php?t=27184).

GEEWIZ
2008-04-25, 20:44
Lancer I agree with you re: 1.5 too slow caused me problems.

One would think the brilliant team behind Spybot S&D could tinker with 1.4 so as to make 1.4 compatible with latest detection rules.

I thank krishmura11 for bringing this topic up as I have been very concerned.

For Yodama thanks for helping the people who ask questions.
I would like to know despite this warning window about Trojans on 1.4. Is my computer safe? Is the scanning looking for everything?
If 1.5.2 had been workable I would use it but 1.4 has been a joy and works well on my older computer.

Michael @ S+D
2008-04-26, 13:35
I'm in the same boat with v1.4, with one more problem - the first time I got this error (right after I updated), I also actually had a trojan. It said that I should remove it and disconnect from the internet while I reboot, since it attached something to XP's 'login' as well.

I followed Spybot's instructions, since it has never lead me astray before, and running it again says that there are now no problems found, but I wanted to confirm that everyone else is getting *two* errors about trojans when they run the updated v1.4 - one more than 3/4 of the way through and one right at the end. I hope that's what everyone's getting, because that's what I'm getting on my second computer that hopefully wasn't infected (but is on my network)...

spybotsandra
2008-04-26, 16:21
Hello,

And you do not upgrade to Spybot version 1.5.2 because of....?

Best regards
Sandra
Team Spybot

PepiMK
2008-04-26, 20:16
One would think the brilliant team behind Spybot S&D could tinker with 1.4 so as to make 1.4 compatible with latest detection rules.

Well, you can download the manual installer for the newest anti-rootkit plugins and install them on 1.4 as well. They do have a compatibility mode when loaded by 1.4, but not with official support ;)

Ken895
2008-04-27, 15:37
I'm in the same boat with v1.4, with one more problem - the first time I got this error (right after I updated), I also actually had a trojan. It said that I should remove it and disconnect from the internet while I reboot, since it attached something to XP's 'login' as well.

I followed Spybot's instructions, since it has never lead me astray before, and running it again says that there are now no problems found, but I wanted to confirm that everyone else is getting *two* errors about trojans when they run the updated v1.4 - one more than 3/4 of the way through and one right at the end. I hope that's what everyone's getting, because that's what I'm getting on my second computer that hopefully wasn't infected (but is on my network)...

To confirm I am also receiving two Warning messages ¾ way through scan at 125671/149078 (…\Includes\Trojan.sti) and at the end 138085/149078 (….\Includes\TrojanC.sti) with the wording ’Please wait scanning download directories’ Closing the warning window sets the scan off again with no problems found at end of scan. This occurred after download on 24/4/08. As with you two lap tops are in use on local network. One is running XP2 the other Vista Business. Both have Spybot Version 1.5.1.15 (oh! but so slow to load up against 1.4) and both have now the identical problem when scanning with Spybot. When time permits will download version 1.5.20. onto one to try it. Glad to know that this is new problem and scan still works but very annoying bug for novice users.

Lancer
2008-04-28, 04:13
Well, you can download the manual installer for the newest anti-rootkit plugins and install them on 1.4 as well. They do have a compatibility mode when loaded by 1.4, but not with official support ;)
Thanks PepiMK. Installing the anti-rootkit plugin worked for me (stopped the error message).:)

vegaspat
2008-04-28, 20:29
So, where do you get the anti-rootkit plugin?

And where is the "Includes errors.log?

Thanks.

md usa spybot fan
2008-04-28, 22:39
vegaspat:

On the following Web page:
Downloads - The home of Spybot-S&D!
http://www.spybot.info/en/download/index.html
This item:
Anti rootkit plugins 1.0 - product description
md5: EE7278BC89D4557CFD7127EACC37EE70

Supported only for version 1.5.2 or above!
This adds improved capabilities to find rootkits. Only needed if you do not want to use the update function integrated into Spybot-S&D.
Please note: Supported only for version 1.5.2 or above!

The direct download link is: http://www.spybotupdates.com/files/spybotsd_plugins.exe
________

You can view the "Include errors.log" using either of these two methods:
Method 1: Go into Spybot > Mode > Advanced mode > Tools > View Reports.
Click the View previous reports button on the top of the right hand pane.
Look for the "include errors" file
Highlight it and click open (or double click on it).
Method 2: Using Windows Explorer, navigate to the "Include errors.log" located in one of the following directories: Windows 95 or 98:
C:\Windows\Application Data\Spybot - Search & Destroy\Logs
Windows ME:
C:\Windows\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows NT, 2000 or XP:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
Windows Vista:
C:\ProgramData\Spybot - Search & Destroy\Logs
Double click on the file and it should open with Notepad.

vegaspat
2008-04-28, 22:58
Thanks so much for the prompt response and info.

terrypin
2008-05-01, 14:09
I have to stay with 1.4 for now too, Krish. 1.5.2 slows me down too much.:sad:

I've just upgraded to 1.5 and running first scan now. Can you or anyone else give more information about 1.5 slowness please? Any comparative data?

--
Terry, East Grinstead, UK

GEEWIZ
2008-05-06, 18:20
Well, you can download the manual installer for the newest anti-rootkit plugins and install them on 1.4 as well. They do have a compatibility mode when loaded by 1.4, but not with official support ;)

The root analyzer page has mentioned some problems is it a separate uninstall or would one have to uninstall the 1.4 to remove that add on?

Secondly the error that is subject of this thread, is it just a glitch that doesn't affect security or is it a security hazard, also does the root analyzer merely correct the error window or does it fix a real problem?

Bottom line for me is: Does 1.4, even with that error window popping up, do its security job. I.E. are our computers secure using the 1.4 with or without the rootkit analyzer add on?

Thanks to S&D team for all their good works and their help on this forum.

PepiMK
2008-05-06, 19:05
Not sure which RootAlyzer page mentions problems - I haven't seen any Spybot-S&D plugin related reports there, and while these two use the same technology, they do use a different approach in that RootAlyzer shows everything detected as hidden, while the plugins would only detect stuff known as bad.

Removal would work through removing the files in the Plugins\ that are named after kinds of tea, but as I wrote before: you cannot simply deduce errors/problems in one from those in the other.

And the subject of this thread: it's neither a "glitch" nor a "hazard": it's simply that the scan will not be as thorough in older versions. It "does its job", minus those new rootkit detections (which doesn't mean that no rootkits would be detected, just not the ones that would be detected using these plugins).

md usa spybot fan
2008-05-06, 19:58
GEEWIZ:

Some added thoughts/information to what PepiMK (http://forums.spybot.info/member.php?u=1) wrote:


The root analyzer page has mentioned some problems is it a separate uninstall or would one have to uninstall the 1.4 to remove that add on?
By the "root analyzer page" I assume are referring to the RootAlyzer (http://forums.spybot.info/forumdisplay.php?f=46) forum. The RootAlyzer.exe program is a standalone utility that scans your system looking for all hidden objects. The detection rules that use the Anti rootkit plugins during a Spybot "Check for problems" are looking for specific known rootkits.

The three (3) current Anti rootkit plugins (Chai.dll, Fennel.dll and Mate.dll) are stored in the following folder and deleting them would remove them without uninstalling:
C:\Program Files\Spybot - Search & Destroy\Plugins

Bottom line for me is: Does 1.4, even with that error window popping up, do its security job. I.E. are our computers secure using the 1.4 with or without the rootkit analyzer add on?
The bottom line is that using Spybot 1.4 without the Anti rootkit plugins you are not taking advantage of the rootkit scans (We've got great, new plugins for Spybot and a complete new tool - the RootAlyzer! (http://www.safer-networking.org/en/news/2008-03-19.html)) and not upgrading to Spybot 1.5.2 you are not taking advantage of many other improvements (Welcome to Spybot - Search & Destroy 1.5 (http://www.safer-networking.org/en/spybotsd15/index.html)).

md usa spybot fan
2008-05-06, 20:40
PepiMK


... that are named after kinds of tea, ...
I was curious about the names Chai.dll, Fennel.dll and Mate.dll but not curious enough to think about doing a search for Chai, Fennel and Mate. Sure enough, the tea theme continues.

raging
2008-05-07, 22:31
I am getting the same weird error message and then when I go to finish the scan, i.e. finish and fix selected problems, as soon as i do that, my computer goes blank, shuts itself down and restarts. Then I get a message from Microsoft telling me the comp. has suffered a major error. Microsoft directed me to the help centre and advised that it was some sort of driver error due to new hardware being installed and advised a system restore; I did that and it still has not fixed anyhting. S&D has never caused me a problem before; ever... The issue appears to be when it comes time to cleanout the "usage tracks" (GREEN), specifically in the Log section (in fact, after doing hundreds of scans, this is the first time I've ever seen those usage tracks).

Is it a bug? A virus on my PC? i tried updating $&D and rerunning. I also immunised (separate issue; i can't immunize everything and usually I can) Is there something fatally wrong with my S&D since my last update (yesterday) Should i simply uninstall???? Help, please..I hate computers

GEEWIZ
2008-05-08, 07:49
PepiMK and md usa spybot fan you have been most helpful.
I have been so impressed with the kindness and patience of the team here at Spybot. So many people who are inexperienced, unknowledgeable feel so lost and to have such helpful human beings on board is so refreshing and so relieving. I hope not to need your help in future but I feel calmer knowing you are all here. God bless.

hans_g
2008-05-19, 18:24
Excuse me for jumping in but I am having the same Trojan problem as well as the Update Problem.

I have version 1.5.1.15 running under Vista Home Premium and I can't update because after searching for updates I get a message that no updates are available.

spybotsandra
2008-05-19, 18:25
Hello,

You seem to be using a dated version of Spybot-S&D.
Please download our current version Spybot - Search & Destroy 1.5.2. That should fix it.
You will find links to several download locations for this new version on our web site:
http://www.safer-networking.org/en/mirrors/index.html
Please search for new updates after installing Spybot-S&D 1.5.2.

Best regards
Sandra
Team Spybot

hans_g
2008-05-19, 19:26
Hello,

You seem to be using a dated version of Spybot-S&D.
Please download our current version Spybot - Search & Destroy 1.5.2. That should fix it.
You will find links to several download locations for this new version on our web site:
http://www.safer-networking.org/en/mirrors/index.html
Please search for new updates after installing Spybot-S&D 1.5.2.

Best regards
Sandra
Team Spybot


I followed your suggestion and it worked. Thanks. I guess the moral is "don't believe everything you read" especially if it's from the Upgrade site.

GEEWIZ
2008-05-30, 00:40
I have 1.4 and would like to keep it, I installed the root kit plugin at the time of my last post and it had fixed the problem. Now after the May 28 update there is a new error message. What plugin can solve this latest bug?

The reason I use 1.4 is that when I used the update feature in January to advance to 1.5.2 I had a problem thereafter with having to start computer in SAFE MODE and also my antivirus program would no longer uninstall, so I went back to 1.4 which I really like. I hope there is a way to solve this latest issue with 1.4 the root kit was easy and worked.

md usa spybot fan
2008-05-30, 00:49
GEEWIZ:


... there is a new error message. What plugin can solve this latest bug?
There are no newer plugins that I am aware of. What is the error message?

Lancer
2008-05-30, 19:44
I have 1.4 and would like to keep it, I installed the root kit plugin at the time of my last post and it had fixed the problem. Now after the May 28 update there is a new error message. What plugin can solve this latest bug?

The reason I use 1.4 is that when I used the update feature in January to advance to 1.5.2 I had a problem thereafter with having to start computer in SAFE MODE and also my antivirus program would no longer uninstall, so I went back to 1.4 which I really like. I hope there is a way to solve this latest issue with 1.4 the root kit was easy and worked.
Same problem here. 1.4 was working fine after installing the plugins until the May 28 updates.

md usa spybot fan
2008-05-30, 22:38
Lancer:

It is difficult to help you. You indicated "Same problem here". Assuming that you are referring to GEEWIZ (http://forums.spybot.info/member.php?u=39820)'s post, neither you nor GEEWIZ (http://forums.spybot.info/member.php?u=39820) have indicated what the error message you are getting nor the content of the "Include errors.log" if that is applicable to the error message.

The only thing that I can offer is that using Spybot 1.5.2.20 there have been no new plugins offered for downloading and using the current 2008-05-29 detection rule updates the scan seems to run fine.

Lancer
2008-05-31, 02:31
Lancer:

It is difficult to help you. You indicated "Same problem here". Assuming that you are referring to GEEWIZ (http://forums.spybot.info/member.php?u=39820)'s post, neither you nor GEEWIZ (http://forums.spybot.info/member.php?u=39820) have indicated what the error message you are getting nor the content of the "Include errors.log" if that is applicable to the error message.

The only thing that I can offer is that using Spybot 1.5.2.20 there have been no new plugins offered for downloading and using the current 2008-05-29 detection rule updates the scan seems to run fine.
Error message = "There were problems in the include file C:\Program Files\Spybot - Search Destroy\Includes\TrojansC.sbi"

My Include errors.log:

C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys

Where can I get the May 29, 2008 update? The program says I am up to date with May 28, 2008, which is the same as what is listed at http://spybot.info/en/updatehistory/index.html

md usa spybot fan
2008-05-31, 07:01
Lancer:

My mistake. The latest updates were 2008-05-28.

__________

The rule set for the Delf.Spool.cn detection does not appear to use the Anti-rootkit plugins. You can try to eliminate the error by running the scan without scanning for "Delf.Spool.cn":
Go into Spybot > Mode > Advanced mode > Settings > Ignore products.
Locate the item that you what to exclude from the scan ("Delf.Spool.cn") and check it.

Lancer
2008-05-31, 14:53
Thank you md, I will try it.

Lancer
2008-06-01, 14:27
Excluding Delf.Spool.cn stops the error. I'll be watching the "Detection rules for Delf.Spool.cn and/or the file ntdoss04.sys" thread in False Positives for new information. Thank you md.

hokiewolf
2008-06-01, 18:13
I am getting the message about TrojansC.sbi or something similar and it tells me to check my Includes errors.log I am using Spybot 1.4 with the latest definitions and don't recall getting these messages when I ran a scan about a month ago(4/26/08 to be precise).

C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Zlob.DNSChanger | (85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Zlob.DNSChanger | (85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+(85\.255\.11[0-9]\.[1-2]?[0-9]{1,2}[,]?\s?)+
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_SYSTEM>
C:\Program Files\Spybot - Search & Destroy\Includes\Trojans.sbi | Win32.Agent.frl | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger | <$FILE_EXE>
C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Zlob.DNSChanger.rtk | <$FILE_EXE>

md usa spybot fan
2008-06-01, 19:28
hokiewolf:

Upgrading to Spybot 1.5.2 will solve the problem (Mirror selection - The home of Spybot-S&D! (http://www.spybot.info/en/mirrors/index.html)).

The current errors with the Trojans.sbi and TrojansC.sbi files that started with the 2008-04-09 updates are caused by new detection rules that are incompatible with versions of Spybot prior to 1.5.2. These new detection rules use the new Anti-Rootkit plugins #1, #2 and #3 that only have been offered as updates to Spybot 1.5.2. If you upgrade to Spybot 1.5.2 you will not only eliminate the error messages but in also will be performing rootkit searches while doing a Spybot "Check for problems".

If there is a reason that you cannot upgrade to Spybot 1.5.2, you can try the Anti-Rootkit plugins #1, #2 and #3 with Spybot 1.4, but they are not officially supported. From post #11 (http://forums.spybot.info/showpost.php?p=186129&postcount=11) in the following thread:
Problems in Spybot S&D Includes-trojanC
http://forums.spybot.info/showthread.php?t=27194

Well, you can download the manual installer for the newest anti-rootkit plugins and install them on 1.4 as well. They do have a compatibility mode when loaded by 1.4, but not with official support ;)
Note: "... but not with official support ;)".

The downloads for the Anti-Rootkit plugins are on the following Web page:
Downloads - The home of Spybot-S&D!
http://www.spybot.info/en/download/index.html
This item:
Anti rootkit plugins 1.0 - product description
md5: EE7278BC89D4557CFD7127EACC37EE70

Supported only for version 1.5.2 or above!
This adds improved capabilities to find rootkits. Only needed if you do not want to use the update function integrated into Spybot-S&D.
Please note: Supported only for version 1.5.2 or above!

The direct download link is: http://www.spybotupdates.com/files/spybotsd_plugins.exe
__________

Note: If you continue to run Spybot 1.4, the following error most likely will not be corrected with the plugins:


C:\Program Files\Spybot - Search & Destroy\Includes\TrojansC.sbi | Delf.Spool.cn | <$SYSDIR>\ntdoss04.sys
To prevent that error for the time being you can exclude it from the scan. See this post (http://forums.spybot.info/showpost.php?p=197415&postcount=32).