
Thread: Possible Problem with Spybot S&D, and Questions

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    5

    Possible Problem with Spybot S&D, and Questions

    Hi, I recently downloaded Spybot Search and Destroy from the official Spybot website, and am a little worried about something.

    I usually have been running Defender Pro Antispy to detect spyware. I downloaded Spybot for added protection against spyware.

    Before I installed Spybot S&D, my system was completely clean, not a trace of spyware. After I installed Spybot S&D, and ran it, it detected a few things my Defender Pro Antispy didn't catch.

    I then run my Defender Pro Antispy, after installing and running Spybot, and it detects 250 registry entries presumably created by Spybot, under the registry of Internet Explorer such as, xxx toolbar, X dialer, WhenU, SaveNow, and a bunch of other things as well.

    I know this is probably not spyware, but rather my Defender Pro is detecting the definition files, and registry entries Spybot creates to immunize against spyware, and is detecting and labeling it as spyware.

    I would really appreciate it if someone could explain to me, about this because I am very cautious about what I put onto my system, and tend to become worried when I see this sort of thing.

    Btw, all the registry entries labeled as spyware by my Defender Pro Antispy go away after uninstalling Spybot S&D, so that's why I'm thinking it's not spyware. But I am just asking to be safe.

    I appreciate any feedback about this issue, Thank You

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    During immunization Spybot adds registry entries as described here:

    From your description apparently Defender Pro Antispy is falsely identifying some of the registry entries added by Spybot as malware. The actual detections from Defender Pro Antispy would help determine if this is actually the case.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    5


    I attached a text file containing the log from Defender Pro Antispy. One of the reasons I don't think it's actual spyware, and just the immunization entries for Spybot, is because I haven't noticed my system behaving funny at all, nor have I been getting popups.

    But I just want to check to be safe, cause I tend to become paranoid about these sort of things, so I thank you on any feedback or info you can give me

    Btw, if we are not allowed to post logs in this forum, would you kindly move this thread to the appropriate place, Thank You

    I only posted the log, as an attachment, because I believe that's what you wanted me to do.

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    There are 197 detections in the following format:

    Code:
    SpyName :7FaSSt   Identified
    Type :
    Object : HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{06dfedaa-6196-11d5-bfc8-00508b4a487d}
    Description
    7FaSSt is an IE toolbar providing a search field which queries the engine 7search.com.Deletion recommended.
    Properties:
    1)Runs undetected in the background.
    2)Hides itself from user.
    3)Makes changes to browser settings.

    Where {06DFEDAA-6196-11D5-BFC8-00508B4A487D} is a CLSID.

    The CLSID for 186 of those 197 detections match entries added by Spybot's immunization process to block the download/execution of ActiveX processes. Example:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{06DFEDAA-6196-11D5-BFC8-00508B4A487D}]
    Compatibility Flags=dword:00000400

    The listing that you attached does not show the Compatibility Flags dword of the registry entry that is being detected. From that one can assume that Defender Pro may not be looking at that Compatibility Flags dword and is picking up those 186 detections based solely on the CLSID, without inspecting the dword to determine that the entry is actually blocking that ActiveX process.

    I would say that it is more than likely at least 186 of the detections are false positives.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
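The check described in post #4, as an added example that is not part of the thread and is not code from Spybot or Defender Pro: it reads a `.reg` export of the `ActiveX Compatibility` key and reports, for each `Object :` line in the scanner log, whether the `Compatibility Flags` value has the `0x400` kill bit set. The function names and the sample data are assumptions made for illustration; only the first CLSID comes from the thread.

```python
import re

KILL_BIT = 0x00000400  # Compatibility Flags bit that tells IE not to load the control
KEY_RE = re.compile(
    r"\\Internet Explorer\\ActiveX Compatibility\\(\{[0-9a-f-]{36}\})", re.I)
FLAGS_RE = re.compile(r'"?Compatibility Flags"?\s*=\s*dword:([0-9a-f]{1,8})', re.I)

# Constructed sample data; only the first CLSID is taken from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{06DFEDAA-6196-11D5-BFC8-00508B4A487D}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""
SAMPLE_LOG = r"""Object : HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{06dfedaa-6196-11d5-bfc8-00508b4a487d}
Object : HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}
Object : HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99999999-2222-3333-4444-555555555555}
"""

def parse_reg_export(text):
    """Return {CLSID (upper case): Compatibility Flags or None} from a .reg export."""
    flags, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.search(line)
            current = m.group(1).upper() if m else None
            if current:
                flags.setdefault(current, None)  # key present, value not seen yet
        elif current and (m := FLAGS_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def triage(log_text, flags):
    """Classify each 'Object :' line of the scanner log by the state of the kill bit."""
    verdicts = {}
    for line in log_text.splitlines():
        m = KEY_RE.search(line) if line.lstrip().startswith("Object") else None
        if not m:
            continue
        clsid = m.group(1).upper()  # the log uses lower case, the registry upper case
        value = flags.get(clsid)
        if value is not None and value & KILL_BIT:
            verdicts[clsid] = "blocked"          # block entry: likely false positive
        elif clsid in flags:
            verdicts[clsid] = "not-blocked"      # key exists, kill bit clear: review
        else:
            verdicts[clsid] = "not-in-export"    # nothing to compare against
    return verdicts
```

Calling `triage(SAMPLE_LOG, parse_reg_export(SAMPLE_REG))` returns one verdict per detected CLSID; anything other than `blocked` is worth a closer look before it is dismissed as a false positive.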

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    5


    Now I can verify that those registry entries were not created by Spybot, in fact they were created by Javacool's Spyware Blaster.

    I checked the list in Spyware Blaster under Internet Explorer Protection, on the types of spyware it blocks, and it matches up exactly to what my Defender Pro log said.

    They are still false positives though, so I'm not worried.

    Anyway, sorry for the mixup, I should have looked into it a little further.

    Anyway there's another problem I'm having. Whenever I install software that modifies the registry or adds values to it, Spybot pops up with a notification, asking me if I want to allow the change.

    The problem is when the notification pops up, it doesn't have a button that I can push to allow or deny the change.

    When I right click to close the notification, or click the "x" in the corner, it still denies the change.

    How can I allow the registry values to be added for a perfectly safe program, when there's no button to allow or deny the registry change?

    Thank You if you can help me on this small problem

  6. #6
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859


    Quote Originally Posted by muffinhead
    The problem is when the notification pops up, it doesn't have a button that I can push to allow or deny the change.

    There is currently a bug in TeaTimer 1.4. Portions of TeaTimer's popup dialog overlay the "Allow change" and "Deny change" buttons. On my system the very top edges of the "Allow change" button (on the left) and "Deny change" button (on the right) are showing and I am still able to select the options. I also can check "Remember this decision" since it is visible. If no portion of the "Allow change" and "Deny change" buttons is showing, you can answer TeaTimer's popup dialog (English language version) by pressing "A" on your keyboard for "Allow change" or "D" for "Deny change". Note: If you close the dialog without answering "Allow change" or "Deny change" the registry change is denied.

    If you can't deal with the problem that way until it is fixed, you can:
    1. Apply one of the workarounds found in the following pinned (Sticky) thread that fixes the pop-up dialog so the buttons are visible:


      There are three (3) fixes published in that thread. They are:


      1. The ResHacker fix published by ElPiedra here:
      2. The murdo patch published here:

        Also republished by RuggeR29 (which I have never tried) here:
      3. The patch originally by SyreneD that I published here:

        Also republished by SyreneD himself here:


    2. Disable TeaTimer as follows:
      • Go into Spybot > Mode > Advanced Mode > Tools > Resident.
      • Uncheck the following:
        • Resident "TeaTimer" (Protection of over-all system settings) Active.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
