
Thread: weird popup

  1. #11
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    The blue banner will indeed open a browser that leads to http://www.safer-networking.org/ , or, if you use a skin, a URL that is defined inside the skin. The cursor should change to a hand to show you there's a link behind it.
    Old skins may point to http://security.kolla.de/ , but from there you'll get forwarded to http://www.safer-networking.org/ as well. There are only three skins that point to this old address (Reloaded, Cactus, Matrix). I'll have to ask the Team member who should have created a skin page on our own website months ago why it isn't there yet (probably because there have been more important things).

    The difference:
    * The method - clicking the logo is different from an automated popup.
    * The cloaking - according to Despise_Spyware, the page didn't appear in the history - what a click on the logo would do would be a simple open of the page without any hiding. Or maybe he didn't find it.
    * The URL - unless you use one of these old skins (which are not even available currently), a click on the logo wouldn't get you to that page.


    Suggestions:
    * Check if you use one of those three skins (Reloaded, Cactus, Matrix)
    * If this regularly happens, try to avoid clicking the logo at all cost and see if it still happens
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  2. #12
    Junior Member
    Join Date
    Feb 2006
    Posts
    3

    Default My codered is not the same as the spyware.

    Quote Originally Posted by PepiMK
    Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!
    The codered you see in my log is legit. This machine is in a firehouse and we use the Code Red alert system.

    http://coderedsoftware.com/

    I always start Spybot from the desktop shortcut icon. This machine also has Internet Explorer removed due to a lack of security updates from our IT department so Firefox is the default browser. I have not had the problem repeat on this machine since the first time I saw it happen yesterday. I have Spybot on another machine in the station. I installed Spybot on the same day and update it always the same date and it has not opened the browser on that machine yet. I have scanned using Spybot multiple times and nothing is found on either. No viruses or trojans reported by Norton antivir or AVG.

  3. #13
    Junior Member
    Join Date
    Feb 2006
    Posts
    1

    Lightbulb Just a bug?

    Hello.

    I also get this popup. It links to a page which links me here. I have only gotten it once, but if I click the opening banner, it takes me there again. I use Fx 1.5.0.1, with Spybot: S&D 1.4. I scanned for Codered, but did not find it. This was probably a waste of time, though, because the original Codered alert was a firehouse program... LOL

    This does not seem to be an ongoing problem, but if that page is never supposed to be opened, how did it get integrated into S&D's programming? The default skin isn't in the skins directory. Might this just be a bug in the program?

  4. #14
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    An Alert System? I think too much in malware terms obviously :D
    Thanks for the info

    A long time ago, in a land far far away... hmm... sorry, wrong script :D

    Around 2000, Spybot-S&D was just one of a couple of small projects on my private website ( http://patrick.kolla.de/spybotsd.html ). When I started to need help, it grew to a project the office helped with ( http://security.kolla.de/ ), and grew larger and larger ( http://www.spybot.info/ ). Then we founded the Safer Networking ( http://www.safer-networking.org/ ).

    When I introduced skins (I guess around 1.0), the link may still have been up to date. Back then, it made sense to link to that page for more info. I put the functionality to update the link on that logo into skins (for example I made skins for a Spanish security event, which then linked to the website of that event) - but that means that very old skins may still have the old URL. I need to update the skins I guess.

    The default skin isn't a file, but hard-coded into the application. That one uses ... hey, you're good! Guess that was the proper question. Since the default skin is included in binary format, I couldn't find the URL with a plain text search there. I'll try to look up if that's the case.

    Anyway - doesn't explain popups. The "splash image" click doesn't get executed anywhere automatically. Only when you click the logo on the first page or on the info page.

    I only find it interesting that right now, there are quite a few people having the same, but no one ever told about this in the past years since that old URL was outdated. Either people didn't care (until now that the old file does no longer exist since I replaced my private site with a completely new one), or it didn't happen before.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #15
    Junior Member
    Join Date
    Feb 2006
    Posts
    1

    Default

    I had this popup also, at least I don't remember clicking anything.

    I have Spybot, and next to it also ad-aware.
    I scanned with ad-aware after this popup and found a registry key 'SpywareNo'

    This is the info about it:

    Name:SpywareNo
    Category:Misc
    Object Type:Regkey
    Size:0 Bytes
    Location:...\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}\
    Last Activity:8-02-2006
    Relevance:Low
    TAC index:7
    Comment:
    Description:Program masks as doing one thing, but does another by using false positives detections to trick the user into buying the commercial version. Privacy policy not disclosed to the user prior to installation, steatlh install and bundled with 3rd party software and installation is not disclosed to the user.

    Don't know if this has to do something with this problem, but I found it very odd to still detect something malicious, since I normally don't detect anything.

    I hope this might help you out.

  6. #16
    Junior Member
    Join Date
    Feb 2006
    Location
    Copenhagen
    Posts
    1

    Question

    I only have the pop-up when I press for updates, not when I start Spybot. When I press update for a second time I get the normal reaction (i.e. the update). This has happened for the last week - rather strange.

  7. #17
    Junior Member
    Join Date
    Feb 2006
    Posts
    3

    Default This is odd.

    I only had it happen once. Others have it happen multiple times. Some get it when Update is selected. I had it happen by simply starting the application (Firefox actually launched before Spybot finished its loading window). All reports of this are from this week and if it is malware causing this we can expect to see more. If malware is on this system and I cannot detect it and if said malware can cause one program to launch another undetected how vulnerable are we? I do not think I will be buying anything on ebay on a Windows box soon.
    Has Spybot ever had a feature to launch the default browser for any reason such as alerts, news or product updates?

    The only other odd behavior present on both systems here is that when I run Immunization it always reports a certain number of immunizations are not active and to immunize now. I then run immunize and all seems fine but recheck shows the same number disabled. This is on both machines but both show a different number of immunizations that will not take hold (same database and versions on both). This is not new and seems to happen on all the windows NT boxes we have. I do not think this behaviour is related.

  8. #18
    Junior Member
    Join Date
    Jan 2006
    Posts
    15

    Default

    for me it doesn't happen every time...just occasionally

  9. #19
    Junior Member
    Join Date
    Feb 2006
    Posts
    1

    Exclamation bad checksum

    I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue? Solution? Help! Thanks.

  10. #20
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    cyborg4fun:

    Quote Originally Posted by cyborg4fun
    I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue?
    Most people have at one time or another.

    Quote Originally Posted by cyborg4fun
    Solution?
    "Bad Checksum" problems are usually caused by overloaded download servers.

    To change download servers and for a workaround for "Bad Checksum" errors please see:
    http://forums.spybot.info/showpost.p...45&postcount=2

    Note: The download server can be changed after the "Search for Updates" and before clicking "Download Updates". So if you find a server that works well, you can start by using that server in the future. Also note that if you want (not necessarily recommended) you can select a server and then right click on the button and "Set this server as the preferred download location". If you do that Spybot will select that server rather than a random server for future updates.

    Additional information:

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
