Having run a Spybot scan I leave all items found selected and click on 'Fix selected', it appears to fix the selected items. However when I run another scan I find those same items are found again. What am I doing wrong?

One of the items found is a SweetIM registry key but that key does not exist in Regedit.

Log of results listed below.

Thanks,
Nick


Spybot results:

SweetIM: [SBI $3C0145EF] Settings (Registry Value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\SweetIM\simapp_id

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-1151190910-786265436-3763032610-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

Cookie: [SBI $49804B54] Browser: Cookie (2) (Browser: Cookie, nothing done)

Cache: [SBI $49804B54] Browser: Cache (1) (Browser: Cache, nothing done)

History: [SBI $49804B54] Browser: History (6) (Browser: History, nothing done)

Hello,

Which Spybot version do you run?

Best regards
Sandra
Team Spybot

Hello,

Which Spybot version do you run?

Best regards
Sandra
Team Spybot

Hi Sandra,

Spybot SD2, updated to latest definitions.

Rgds,
Nick

Hello,

Did you open Spybot with a right click and choose "run as administrator" (http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista7/)?

Best regards
Sandra
Team Spybot

Hello,

Did you open Spybot with a right click and choose "run as administrator" (http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista7/)?

Best regards
Sandra
Team Spybot
Yep tried that but no difference. Even tried running Spybot in safe mode but still the errors persist.

Rgds,
Nick

Hello,

Please run a scan in safe mode (http://www.computerhope.com/issues/chsafe.htm).
That should fix it.

Best regards
Sandra
Team Spybot

Now booted to Linux and deleted all the temporary internet files that I can find manually but still Spybot is listing these errors. It almost seems as if these are nolonger present but spybot is still listing them from a previous scan.

Hello,

Please run a scan in safe mode (http://www.computerhope.com/issues/chsafe.htm).
That should fix it.

Best regards
Sandra
Team Spybot

Hi Sandra,

As per my post above, already tried safe mode and still doesn't delete these items.

Rgds,
Nick

Hello,

Please also install Spybot-S&D 1.6.2 (http://www.safer-networking.org/mirrors16/).
Open it with a rightclick and choose "run as administrator".
Then make a scan and fix the found problems.
Does it make any difference?

Best regards
Sandra
Team Spybot

Thanks Sandra, that worked perfectly.

So I guess the answer is to uninstall Spybot SD2 and just leave the earlier version only on this laptop.

Cheers,
Nick

running version 2.4, updated for 10. found this thread by doing a search of the mysterious registry key (i know EXACTLY where this came from--INTEL, who YESTERDAY issued a patch, but it does not remove anything that did infect...). i had this same problem with my LAST installations--both 8.1 AND 10. The bad part is that i didn't expect the same vulnerabilities in an intel utility--but i guess they snatched the code from elsewhere. i tried the 1.6.2.46 as admin and it found NOTHING. any new ideas, as i am really mad and need this gone.

In your first screenshot of the Spybot scan,Spybot is most likely indicating that some value,etc. is not what it expects at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath in the registry,and wants to change it,perhaps back to a default value.There was a little explanation of the "is not" at the end of your last posts on the forum:
https://forums.spybot.info/showthread.php?72875-question-about-usage-tracks&p=467107&viewfull=1#post467107
It is a usage track.There is more about those here:
https://www.safer-networking.org/faq/usage-tracks/
If these are returning after you scan with Spybot then for some reason Spybot is unable to change that value.However,since it is a usage track,it is not anything of too much concern,and it would probably be safer to just leave it instead of digging around in the registry manually to change it.It is just the drivers installation path. :)

Screenshot 2 is probably a separate issue than the one shown with the Spybot scan.In the malwarebytes scan,it appears that some entries may have been found in your hosts file,removed,and then placed into it's quarantine.This might be because your hosts file actually did have unwanted entries in it,or it also might actually be entries placed in your hosts file for protection by Spybot's immunization or another antispyware program that adds entries to the hosts file.There are instructions at malware bytes on how to view the scan log,if you want more information:
https://support.malwarebytes.org/customer/portal/articles/1835323-how-do-i-access-and-save-logs-from-malwarebytes-anti-malware-?b_id=6438
If you're unsure what they are,you can copy and paste those hosts file entries from the Malwarebytes scan here,and I can probably tell you if they are likely part of immunization or otherwise,depending on what it is. :)

hi, zenobia. well, no--these both appeared immediately after the intel driver utility debacle--which is HP's fault entirely, for not helping with any tech issues past warranty. anyway, i scan religiously with both spybot and malwarebytes every day--if not twice, at least once. after i downloaded the intel driver utility, i kind of knew i shoudn't have, because it was a similar thing that caused it that first time last year. there was a vulnerability in the code of the utility, apparently, which was patched a day or two ago--but too late for me. i do not accept that these "usage tracks" are harmless, and the other entries came from the same place.
i do not understand why there are no such registry keys--there is no HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\Installation Sources if they are being referred to as such. if that is not what they are, why are they detected as such, and/or if they DID exist and were modified, why are they identified as nonexistent keys and not what they were before?? sorry if i sound dense--it just makes no sense to me. if they are there, they are there. if they are somewhere else, why no mention of the current name?? i think you get what i'm saying. i can't seem to understand this...
thanks for your help and any more help you might be able to offer so i can understand this.

You mean this flaw? :)
http://www.pcworld.com/article/3024348/security/serious-flaw-patched-in-intel-driver-update-utility.html
I understand that would be a concern.

Part of Spybot's finding Usage Tracks is clearing mru lists.There's a definition of mru and mru lists here:
http://tinyurl.com/zmld4cr
(Tinyurl because the link is about 40 pages long.) :D
That is probably what Spybot is doing here.
I haven't found it with absolute certainty(I do not have a windows registry to look at,currently,to doublecheck.),but I found this post on Piriform forums:
http://forum.piriform.com/?showtopic=41393
So,I believe it is possible Spybot is just clearing this list:
http://forum.piriform.com/index.php?showtopic=41393&p=251588
If not,then it is probably just clearing out something similar.It is a usage track,and not likely to be caused because of the vulnerability in Intel's Driver Utility.

What is shown in the Malwarebytes quarantine in your second screenshot indicates that Malwarebytes found something in your hosts file,removed it and placed it in quarantine,and is not related to the usage tracks Spybot is finding.


i do not understand why there are no such registry keys--there is no HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\Installation Sources if they are being referred to as such.
Do you mean you looked in your registry,and HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\Installation Sources is not located there?

hi, zenobia. sorry i have taken so long to reply. i actually did a system restore to a time before the driver install, and it worked. i manually installed the driver and, voila--they were back. wonder if the windows update for the driver--which FINALLY came out--would have done the same thing. anyway, to answer your question, NO. there is no such entry in the registry. that is why i was so concerned about the (is not)--for just like in the old post, i cannot locate these in the registry. under HKLM\Software\Microsoft\Wndows\CurrentVersion\Setup, all there is are the following:
DPI
ImageServicingData
OOBE
PnpLockdownFiles
PnpResources
State
Sysprep
SysPrepExteral
WindowsFeatures
nothing else. no \Installation Souces
doesn't seem right, does it??

I'm not sure why Spybot is picking up on:
Windows: [SBI $1E4E2003] Drivers installation paths (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources
if Installation Sources is not in the registry. Perhaps it expects Installation Sources to have a certain value or location listed there, and since HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources is not located there, it is trying to change the value of something that does not exist. That's just a guess on my part, though.

I don't believe this is anything to worry about. It is just a usage track. Ignoring it, if it is found again after a Spybot scan(as far as I'm aware), will cause no harm. :)

thanks, zenobia. i believe you that it's not a problem--it just bugs me and i would love to see them gone. no matter how many times i "fix" this, they come right back in scan results. it's just annoying... you must know the satisfaction of a clear result--and as i said, these just reappear every time. also, it bugs me that they do not exist. that's what i thought the "is not" meant. now i know otherwise. it's just odd is all. that's why i thought there was a problem of some sort.

Yes, it is a bit odd that InstallationSources doesn't exist in the registry yet Spybot is still wanting to change a value(or remove it,whichever the case may be), and I know that Drivers installation paths showing up in the Spybot scan would bug me a bit, too. Nothing at all to worry about, imo, but if you would like to contact support and tell them about it, you could do that if you wish. It's possible this is something that comes up with tracks, and they don't know about it. Support is located here. :)
https://www.safer-networking.org/support/ticket/