Hi everyone! I'm new to Spybot (just installed two days ago) and I'm not that familiar with IT, so an explanation with plain English would be lovely.

Anyway, I got some problems with spywares few days ago and found out about Spybot. After getting my laptop checked for problems and immunised, now there are some sites that seem to be inaccessible. These include: Yahoo, Facebook, Friendster. I can go to the main page of Google, but the search engine won't work. I can also go to the login page to Yahoo mail, but after logging in it would load and stop.

Yesterday I read the FAQs and found out about Hosts file that blocks some websites. I tried to modify it but I couldn't find the URL of either Yahoo or other sites mentioned being blocked, so I left it just the way it is.

Now, I start thinking maybe it's because of the immunisation.

Anyone can tell me the reason behind this and how to make those websites accessible again?

Thanks in advance, your help will be much appreciated!

AngelicDevil:

Are you using Internet Explorer?

AngelicDevil:

Are you using Internet Explorer?


Yes, I also downloaded Opera but the same problem occured so I removed it.

Did I do something wrong? *puzzled*

Sry for the double posting.

FYI, I use Internet Explorer 7.

I had Firefox (and downloaded Opera) but same problem occured so I removed both.

AngelicDevil:

Actually I'm a little stumped. I use Google all the time without any problems.

I initially suspected the "SDHelper" Browser Help Object which blocks advertizing URLs because people have reported problems using Yahoo under certain conditions. But since "SDHelper" only works with Internet Explorer and you indicated problems with other browsers as well, it has to be something else.

Try doing an immunization "Undo" and see if that help full allow access to the sites you are having problems with.

AngelicDevil:

Actually I'm a little stumped. I use Google all the time without any problems.

I initially suspected the "SDHelper" Browser Help Object which blocks advertizing URLs because people have reported problems using Yahoo under certain conditions. But since "SDHelper" only works with Internet Explorer and you indicated problems with other browsers as well, it has to be something else.

Try doing an immunization "Undo" and see if that help full allow access to the sites you are having problems with.

Addendum - further instructions (AngelicDevil did say "I'm new to Spybot (just installed two days ago) and I'm not that familiar with IT, so an explanation with plain English would be lovely")

STEP1:
You need to go into "immunize" click on the button on the left in the main page of SpyBot (SB).

You will find profiles in that screen with mulitple items probably saying are "protected".

IMPORTANT: You have said that you have installed and later uninstalled both Opera and Firefox. In that case you should ONLY see profiles for Internet Explorer (IE7). The IE7 profiles will all have the IE icon showing in front of the profiles listed. No other icons should be present on your profile list.

You can right click with your mouse on one of these profiles and a context menu will allow you to "select all" or "deselect all" (I can't use SB1.5.2 so I can't check the "exact wording" so this is maybe not exactly what you see but you will get the idea).

Or you can just click on each profile individually to "select" or "deselect". This places or removes a "check mark" in front of each depending upon what is whether the "check mark" is there at the time or not. Many will refers to these "check marks" as "ticks" btw.

If a "checkmark" is present then you are selecting this profile and only those profiles checked will be impacted by anything you do as far as changes.

STEP2:
With all profiles "checked" you then click the "undo" to "unprotect" all profiles as was suggested by this post.

Now that all profiles are "unprotected" see if you still have the problems you speak of.

If this solves your problem you can add web page addresses (URL's) to a "Whitelist" so that they will not be impacted by SB.

With URL's in the Whitelist you can then "immunize" the profiles again by clicking the "immunize" button and hopefully the Whitelist entries will help to avoid the problems with those web sites from here on out.

I just tried what you suggested. So, now my browser is not protected at all. And I also checked the hosts file has already reset to 1kb only. But the problem stays! :sad:

I still can't open Yahoo, Friendster, or Facebook :sad:

Well, probably I'll just uninstall Spybot and see how it goes. Then re-install Spybot.

Please somebody help me... :sad::sad:

My last message was for Spybot_Fan, I'm gonna try what you suggested caterwaul! Thx in advance! :laugh:

I was just reiterating what md usa spybot fan has posted as far as doing an "undo" for immunization.


Try doing an immunization "Undo" and see if that help full allow access to the sites you are having problems with.

If this is what you did then what I have posted is not any different... I was just elaborating with detailed instructoins on how to do this.

I would think by not having any immunization "on" (no "profiles" protected) then SpyBot would not be the problem.

If you do re-install you will need to do an uninstall first.

Link: http://www.safer-networking.org/en/howto/uninstall.html

I was just reiterating what md usa spybot fan has posted as far as doing an "undo" for immunization.



If this is what you did then what I have posted is not any different... I was just elaborating with detailed instructoins on how to do this.

I would think by not having any immunization "on" (no "profiles" protected) then SpyBot would not be the problem.

If you do re-install you will need to do an uninstall first.

Link: http://www.safer-networking.org/en/howto/uninstall.html

I've uninstalled Spybot (with the help from your link) and the problem stays. The weird thing is, after checking my problems with Spybot for the first time, I could open any websites. But after immunisation, some sites just don't work.

Another thing is, even though I removed opera and firefox, when I clicked Spybot there are still Opera and Firefox icons!

Is it because of Spybot? Or new virus?? Or my laptop? This annoys me because I don't know where the problem is. Would the older version of Spybot do any better? Thx in advance!


p.s. you mentioned about whitelists, how can I access whitelists?

I've uninstalled Spybot (with the help from your link) and the problem stays. The weird thing is, after checking my problems with Spybot for the first time, I could open any websites. But after immunisation, some sites just don't work.

Another thing is, even though I removed opera and firefox, when I clicked Spybot there are still Opera and Firefox icons!

Is it because of Spybot? Or new virus?? Or my laptop? This annoys me because I don't know where the problem is. Would the older version of Spybot do any better? Thx in advance!


p.s. you mentioned about whitelists, how can I access whitelists?

You should not have any "immunization profiles" at ALL for Firefox or Opera. :nono: ....when you looked at the immunization screen (that is after you had uninstalled both of these browsers).

What that says is that SpyBot still considers your computer to have both browsers installed... :hair:

But since you have now "uninstalled" SpyBot then this should not be a problem anyway.

Are you sure you have REALLY uninstalled both of the other browsers (FF and Opera)?

Have you installed any other security software along with SpyBot?

If you are sure then I would re-install SpyBot again. But I would do everything that the uninstall web link I posted tells you to do.

I presume you used the add/remove function for your Operating system to uninstall SpyBot.

I would recommend you delete the "hidden" files that would be on your computer left behind by SpyBot. (instructions on the uninstall link) - for XP the path is C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy. (be carefull and ONLY DELETE THIS FOLDER (Spybot - Search & Destroy). (Remember the folder is probably hidden - there are instructions for that as well.)... it is best to put the "hidden" option back on afterward.

If you are reticent to do this it will probably be okay to leave but by deleting the files it just gets rid of one more thing that could be a problem.

Once you do that I would install again Spybot1.5.2.2 (I am assuming this is the version you had installed before). Even so I would try this version this time.

Again once you have installed SpyBot1.5.2.2 you should not see any icons in the immunization screen other than IE7.

As far as Whitelists this can be accessed various ways, the "hellp" for this in SpyBot should be enough to get you by. I an unable to use any versions beyond SB1.3 so I cannot advise on Whitelists incase there have been changes on newer versions. But to clarify any items you place in Whitepages should be ignored by immunization which theoretically then would block any protection and problems that would be caused by immunization.

Here is a link on whitelists you asked about (in regards to teatimer):

http://www.spybot.info/en/faq/5.html

I've re-installed SpyBot (1.5.2 indeed) and still can't access those websites. About the whitelists, I managed to get into those four settings (allowed registry changes, etc.) but there was nothing in the list.

Basically, I'm now just desperate.

Anyway, I just found out about this. There is an icon for Spybot on the toolbar on the bottom-right side of my desktop. Whenever I move my pointer over the icon, I'll see this info:

Spybot-SD Resident
75078 processes blacklisted.

Now, this is maybe the reason. How can I remove the blacklist? I wish it was as easy as typing the URL of Yahoo into the white list. But as far as I know, there was nothing listed in allowed/blocked registry changes nor in allowed/blocked processes.

This is making me insaaaaaaaaaanee...

Thanks so much for all the suggestions though. Much appreciated.

Angel, rest assured that Yahoo! and Facebook is not in it. Why? Because they are not directly running processes on the computer. They interact within the browser.

Angel, rest assured that Yahoo! and Facebook is not in it. Why? Because they are not directly running processes on the computer. They interact within the browser.

Do you mean in the whitelist/black list? That is the problem, I opened the black list/white list just as the FAQ suggests, and the four settings (allowed registry changes, blocked registry changes, allowed processes, blocked processes) don't list anything.

Or did I misunderstand your advice? I don't know how the icon shows "75078 processes blacklisted" even though I have all my files unprotected.

Can anyone tell me where I can find these blacklisted processes and edit it? I thought it was through the Hosts file, but it's at 1kb now since I did not immunise my files this time around. (I've uninstalled and reinstalled my Spybot).

Thx in advance. Desperately need your help :sad:

What SpyBot (SB) does (as well as SpywareBlaster) is add what ever you do in SB into the specific browser. What "immunization" does is place "undesriable" or what SB considers "bad sites" into the "restricted sites" in your browser(s). Whatever you have in your SB "whitelist" will be placed in the "trusted sites" of your browser(s). I agree with you that if you are "unprotected", as far as I understand it, SB should be removing those sites from the "restricted sites" of your browser(s). What I have found with SB is that if you use the "immunization" in SB it "immunizes" even when you would expect it would not (at least this is the case for the FF browser).

You can apply changes directly to these settings in the browser by going to either the "trusted sites" or the "restricted sites" of your browser(s) security setting.

I don't use Internet Explorer 7 (IE7) but I do use IE6. For IE6 it is Tools>Internet Options>"Security" tab> at that point the user can select either "trusted" or "restricted" sites which are equivelent to "blacklist" or "whitelist" in SB, respectively. As I understand it SB is a "passive firewall" for "undesirable" or "risky" sites that are considered potential "spyware" which is basically supplying the user an interface to use the database that SB has created to access the "security" settings in their respective browser(s). Without SB the user would have no idea which web sites were "bad" and would thus be at risk of visiting any one of them before they could know they were "bad" in the first place.

Using IE6 when the user selects for example "restricted sites" there is then a button that is "enabled" which allows the user to access these sites. At that point the user can "add" or "remove" these sites. By selecting an site (clicking on it) the "remove" button is enabled and the user can remove the site by clicking on the remove button. (the sites are alphabtical thus easy to find).

Check and see if these web sites you are having trouble with are in this "blacklist".

The "blacklist" can also be accessed using SB which in turn does the same thing as either "adding" or "removing" web sites to the list "blacklist" in your browser(s) just as you can also do in the "whitelist" in SB as well as far as making changes to your browser "whitelists".

It entirely up to you if you want to use SB to access the "white lists" or "black lists" which is probably better to do since you are using SB. But in the case of a problem the user can get right to the source by accessing these lists directly in their browser(s). Remember that if you do anything with SB as far as "immunization" is concerned it may then change whatever you have done directly in your brower(s) settings directly in the "white" or "black" lists.

I HAVE DESCRIBED MY BROWSER WHICH IS IE6 TO GIVE YOU AN IDEA HOW what you are asking about works. In your case as far as IE7 the security settings will be different but the concept as far as of how it works about the same.

You can take a look at this link (it is probably the best bet for you at this point): http://pcsupport.about.com/od/fixtheproblem/ht/ie7securitydef.htm

Basically it describes a way to reset your IE7 SECURITY SETTINGS:


Resetting Internet Explorer 7 security settings to their default levels.
Here's How:
Open Internet Explorer 7.

From the Internet Explorer 7 command bar, choose Tools and then Internet Options.

In the Internet Options window, click on the Security tab.

Below the Security level for this zone area, and directly above the OK, Cancel, and Apply buttons, click the Reset all zones to default level button.

Click OK on the Internet Options window.

Close and then reopen Internet Explorer 7.

Try again to visit the web sites that were causing your problems to see if resetting the Internet Explorer 7 security settings on your computer helped.

You can also take a look at this link provided by MS: http://support.microsoft.com/kb/923737

There is much more detail available but again part of this links talks about "RESETING" the security setting on IE7. Note that this link speaks of how to "recover" IE7 back to "original" settings as also described in the link above as well.


Windows Internet Explorer 7 for Microsoft Windows XP and Windows Internet Explorer 7 in Microsoft Windows Vista have many security enhancements that make Internet Explorer 7 less susceptible to spyware and to malware. Typically, badly written add-ons can affect the browsing experience in Internet Explorer 7. RIES enables Internet Explorer 7 to recover from such situations.

To use RIES in Internet Explorer 7, follow these steps:1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.
Note If you cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.

RIES restores the default settings of the following features:
• Home pages
• Search scopes
• Browsing history
• Form data
• Passwords
• Appearance settings
• Toolbars
• ActiveX controls


You asked about "hosts" file.... let me touch on that as well....

Another approach you could take is to address your "hosts" file. But I would say that usually when the "hosts" file is "corrupted" the problem shows itself by not accessing the web site at all rather than just changing the web site. However if a web site has similar "linked" sites that have an address matching the "corrupted" web site I suppose maybe it could appear like the web site has changed simply because it is "addressing" another "related" URL address.

As far as the "hosts" file this file keeps track of the URL addresses of web sites that you have visited. In each operating system (OS) it is located in a different path. I use WIN98SE and it is located in the directory path of Windows> where you find the "hosts" file. In my OS there is no extention on the file, that is to say you will only see "hosts" as opposed to how other files will look i.e. word: myfile.doc. The "doc" is the extention to the file, the "hosts" file has no extention. If you find files with "extentions" that are named "hosts" these are NOT the hosts file that your system uses.

The location of "hosts" for Windows NT/2000/XP/2003/Vista: %SystemRoot%\system32\drivers\etc\ is the default location, which may be changed. The actual directory is determined by the Registry key \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath.


Another option you can take if all else fails is to "rename your hosts file", say to "savehosts" or "oldhosts" for example (it doesn't matter as long as you know the name and it is different than "hosts"). This will retain your host file in the system incase you want to "rename" it back to host so the system can use it again in the event this does not solve your problem. If the system has created another "hosts" file when you have renamed it you would do the same thing rename that file to another name FIRST and then rename the one you had change the name of back to "hosts" (at which point your back to where you were originally in the event it made no difference and you would like to revert back to the way things were). By renaming the hosts file the system will ultimately create a new hosts file to use thus no problem with doing this but what it does is create the file from scratch thus if your original "hosts" file is "corrupted" then it could help solve the problem possibly.

My laptop finally got back to NORMAL!!! :eek::eek::eek::laugh::laugh:

As I have mentioned before, I had tried to modify Hosts file before and it did not work. Yesterday I clicked some buttons on my IE7 here and there. And, as far as I remember, I also reset and restart the browser--but it did not solve the problem because somehow the settings did not change even though I reset & restart. (I also restarted my laptop few times).

After trying all the suggestions I had got, I finally gave up and turned off my computer. I turned it on again after getting back from work. During startup, Spybot asked me to allow/deny a change. It was the change of my browser's homepage from default to blank (which I did YESTERDAY). So I allowed it and opened IE7. While I was browsing the sites I could open, I hopelessly tried to open Yahoo once again. And it worked just like that!

Weird, but am thankful :red:

Thank you for all the suggestions you guys have posted! They helped me a lot! (especially in getting more familiar with TECHNOLOGY lol :laugh:)

Cheers~

(p.s. now I'm applying the trusted/restricted sites in IE7 as caterwaul has told me. your explanation is much appreciated :D)

what the...

I just got Windows Update and it suggested me to restart my laptop. So I did, and the problem came back...

what is happening to my computer system???? :mad::sad::sad::sad:

FYI,

my browser homepage got back again to DEFAULT (as follows):

http://runonce.msn.com/runonce2.aspx

instead of just BLANK.

And in the "Allowed registry changes" there is the change I allowed (from default to blank).

Any ideas??

what the...

I just got Windows Update and it suggested me to restart my laptop. So I did, and the problem came back...

what is happening to my computer system???? :mad::sad::sad::sad:

FYI,

my browser homepage got back again to DEFAULT (as follows):

http://runonce.msn.com/runonce2.aspx

instead of just BLANK.

Any ideas??

go to start-all programs-accessories-system tools-system restore. restore to the day everything was fixed.if there is no restore point for that day, try the steps again that you used to fix the problem. Also, are you sure you are clean??

Update all your security software first!! make sure everything is updated.

Then Try scanning with your antiviruis and other antispyware programs in safe mode.

to scan in safe mode:

How to boot into safe mode:

Reboot your computer into SafeMode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.
* Instead of Windows loading as normal, a menu should appear.
* Select the first option, to run Windows in Safe Mode.
* Once windows loads, launch spybot and do a complete scan. remove anything found. Launch other security software (such as antiviruis, etc.) and scan with them as well, remove anything found.
*restart your machine, you are now using windows in normal mode.*

Does that help? I hope so. Let me know if you need further assistance.

I'm pretty sure I'm clean. After that problem occured again, I click Spybot icon on the System Tray and I chose "show log". Soon after that, my Avira antivirus detected this: (my Avira had just downloaded an update)

Virus or unwanted program 'TR/Vundo.EUQ [trojan]'
detected in file 'C:\WINDOWS\system32\vewdruqv.dll.


However, since I have read somewhere that Spybot is sometimes detected as Trojan (or virus or whatever..), I thought it was Spybot being falsely detected. So, I pressed Ignore. Then I restarted my laptop. (I didn't go to safe mode).

During the first loading for desktop, Avira automatically started. Again, it detected the same Trojan virus. This time I chose "Delete" instead of "Ignore". A confirmation about an error occured: it was about something cannot find the vewdruqv file. Then, I opened my browser. Somehow it worked. And I'm still browsing now. This is *beep*ing strange!!!

AngelicDevil:


... After that problem ... I click ... I chose "show log". Soon after that, my Avira antivirus detected this: (my Avira had just downloaded an update)

Virus or unwanted program 'TR/Vundo.EUQ [trojan]'
detected in file 'C:\WINDOWS\system32\vewdruqv.dll.
...
How "Soon after that"?

What else were you doing?

I use Avira "antivir" and never had any indication that a problem was detected because of something related to the use of Spybot (particularly something as mundane a "show log").


I'm pretty sure I'm clean. ...
The file detected (vewdruqv.dll) looks suspiciously like a randomly generated .dll name and may be indicative of malware changing file names to avoid detection and/or removal.

For safety sake, I suggest that you seriously consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) ( http://forums.spybot.info/showthread.php?t=288).
After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum, making sure to post the logs produced from the above instructions.


I'm pretty sure I'm clean. ...

I defiantly agree with spybot fan, you need to really consider posting in the malware removal forum. Did you try the safe mode method like i suggested? If you follow that and remove anything found, and try your system again.......see if those problems remain. If they remain, post in the malware removal forums immediately!! Good luck and get back to us! :police:

Sorry for the late reply everyone. My laptop has been normal since last time I post.

I did try the safe-mode suggestion, and as far as I remember it did not solve the problem (I tried scanning in the safe-mode for several times).

Anyway, now whenever I turn on my laptop, during the desktop loading, there will be an error saying that it cannot find the file 'C:\WINDOWS\system32\vewdruqv.dll.' But that is all, the laptop works as well as before.

I don't think that's a problem, no? Or should I do something about it?

AngelicDevil:


... I don't think that's a problem, no? Or should I do something about it?


AngelicDevil:

...

The file detected (vewdruqv.dll) looks suspiciously like a randomly generated .dll name and may be indicative of malware changing file names to avoid detection and/or removal.

For safety sake, I suggest that you seriously consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system. ...

I defiantly agree with spybot fan, you need to really consider posting in the malware removal forum. ...