weird popup

Despise_Spyware

Every time I start up Spybot SD, an Internet Explorer page pops up that leads to this strange website in German. The website is labeled "Patrick Kolla's Website"

I was wondering if this was normal or if there is something wrong...

:confused: :confused: :confused:
 
Hello,

from which site did you get your version of Spybot-S&D?
Also please tell us the exact url of this site.
 
I got my version of spybot from download.com..which I think was a legit site

also..spybot worked fine for a while..now it doesn't

it's version 1.4

unfortunately..I don't know the exact name of the website..I didn't really check..and the website doesn't appear on my history list..I dunno why

I can describe the website though..it's a green website..with the spybot logo on it and on the side is a picture of a man's face

the entire webpage is in German. on the top it says "patrick kolla's website"

this used to only happen on one of my computers, but now it's happening on both
 
That's really weird :(

* patrick.kolla.de is my private website.
* that logo is my private logo, not the spybot one ;)
* this thing is probably at least a few weeks old - I do not have any Spybot-S&D related page on my website any more. The page you saw was a standard "404" (page not found) error page. I've now replaced it with a page telling people that there's something wrong.
* why would I put a popup to my private site into Spybot? That would be useless - it's even in German so most people wouldn't be able to read anything!

My suspicion:
Some malware is showing those popups when Spybot-S&D is running. This should make people believe that the popup was coming from Spybot-S&D, thus causing them to uninstall Spybot-S&D (to get rid of the popup), so that this malware can run free without being removed by us.

My suggestion:
Find that piece of malware. Either here (e.g. by posting a RunAlyzer or HJT log), or if you don't trust us, at some other respectable place. But in any way, please keep us up to date!
 
well I ran spybot and it found a bunch of tracking cookies and things like that...

after deleting those tracking cookies, the website hasn't popped up...yet

however, it was happening on both of my computers, and it hasn't stopped on the other computer

I'll scan the other comp with HJT soon as possible...
 
Same thing here on Windows NT

I have the same thing. Using Windows NT 4 SP6. Firefox 1.5. The Spybot application was installed when the latest version was released. Only saw it start firefox once. I attached a hijackthis log if that will help.
 
I just got this error too..
fresh winxp install on a machine, avg, then windows rego, then mobo drivers, then ad-aware and spybot, all off the same disc I've been using for the last 2 months or so... first time I've seen it.. :confused:
 
Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!

Do you know this file, is this something you intentionally installed?

If you don't know it, it would be nice to mail it to detections@spybot.info . Choose "patrick.kolla.de/spybotsd.html" or something like that as the subject so we'll be able to pick it out asap. There's also a CodeRed removal tool by Symantec (we don't like those guys, but it was the first removal tool I found :D ).

By the way, did you say it started Firefox for that popup even? Hmmm. I've checked my code. http://patrick.kolla.de/spybotsd.html hasn't been used as a link for Spybot-S&D since eons ;) If you intentionally click on my logo, it'll show the main page - but you may have noticed my logo is quite hidden, so you'll never click it by accident.

@Despise_Spyware & bigmoe: please check if you've got the probable CodeRed trojan as well! Just look on the Processes tab of the Windows Taskmanager for a CodeRed.exe.
 
After getting this mysterious popup and not finding CodeRed.exe in my running processes.

I noted this popup also occurs when the blue banner/link shown on the initial screen of spybot version 1.4 is clicked, is this intentional? or a simple cause for this mysterious popup?
 
The blue banner will indeed open a browser that leads to http://www.safer-networking.org/ , or, if you use a skin, a URL that is defined inside the skin. The cursor should change to a hand to show you there's a link behind it.
Old skins may point to http://security.kolla.de/ , but from there you'll get forwarded to http://www.safer-networking.org/ as well. There are only three skins that point to this old address (Reloaded, Cactus, Matrix). I'll have to ask the Team member who should have created a skin page on our own website months ago why it isn't there yet (probably because there have been more important things).

The difference:
* The method - clicking the logo is different from an automated popup.
* The cloaking - according to Despise_Spyware, the page didn't appear in the history - what a click on the logo would do would be a simple open of the page without any hiding. Or maybe he didn't find it ;)
* The URL - unless you use one of these old skins (which are not even available currently), a click on the logo wouldn't get you to that page.


Suggestions:
* Check if you use one of those three skins (Reloaded, Cactus, Matrix)
* If this regularly happens, try to avoid clicking the logo at all cost ;) and see if it still happens :cool:
 
My codered is not the same as the spyware.

PepiMK said:
Thanks for the HJT log! It shows C:\CodeRed\CodeRed.exe as a running process. Now I'm not sure which CodeRed this is (that's probably why I prefer RunAlyzer logs - they may be longer if you do not hide the legit entries - but their checksums help *g*)... but the popular meaning of CodeRed is a trojan!

The codered you see in my log is legit. This machine is in a firehouse and we use Code Red alert system

http://coderedsoftware.com/

I always start Spybot from the desktop shortcut icon. This machine also has Internet Explorer removed :) due to a lack of security updates from our IT department so Firefox is the default browser. I have not had the problem repeat on this machine since the first time I saw it happen yesterday. I have Spybot on another machine in the station. I installed Spybot on the same day and update it always the same date and it has not opened the browser on that machine yet. I have scanned using spybot multiple times and nothing is found on either. No viruses or trojans reported by Norton antivir or AVG.
 
Just a bug?

Hello.

I also get this popup. It links to a page which links me here. I have only gotten it once, but if I click the opening banner, it takes me there again. I use Fx 1.5.0.1, with Spybot: S&D 1.4. I scanned for Codered, but did not find it. This was probably a waste of time, though, because the original Codered alert was a firehouse program... LOL

This does not seem to be an ongoing problem, but if that page is never supposed to be opened, how did it get integrated into S&D's programming? The default skin isn't in the skins directory. Might this just be a bug in the program?
 
An Alert System? I think too much in malware terms obviously :D
Thanks for the info :)

A long time ago, in a land far far away... hmm... sorry, wrong script :D

Around 2000, Spybot-S&D was just one of a couple of small projects on my private website ( http://patrick.kolla.de/spybotsd.html ). When I started to need help, it grew to a project the office helped with ( http://security.kolla.de/ ), and grew larger and larger ( http://www.spybot.info/ ). Then we founded the Safer Networking ( http://www.safer-networking.org/ ).

When I introduced skins (I guess around 1.0), the link may still have been up to date. Back then, it made sense to link to that page for more info. I put the functionality to update the link on that logo into skins (for example I made skins for a Spanish security event, which then linked to the website of that event) - but that means that very old skins may still have the old URL. I need to update the skins I guess ;)

The default skin isn't a file, but hard-coded into the application. That one uses ... hey, you're good! Guess that was the proper question. Since the default skin is included in binary format, I couldn't find the URL with a plain text search there. I'll try to look up if that's the case.

Anyway - doesn't explain popups ;) The "splash image" click doesn't get executed anywhere automatically. Only when you click the logo on the first page or on the info page.

I only find it interesting that right now, there are quite a few people having the same, but no one ever told about this in the past years since that old URL was outdated. Either people didn't care (until now that the old file does no longer exist since I replaced my private site with a completely new one), or it didn't happen before.
 
I had this popup also, at least I don't remember clicking anything.

I have Spybot, and next to it also ad-aware.
I scanned with ad-aware after this popup and found a registry key 'SpywareNo'

This is the info about it:

Name:SpywareNo
Category:Misc
Object Type:Regkey
Size:0 Bytes
Location:...\ext\stats\{72267f6a-a6f9-11d0-bc94-00c04fb67863}\
Last Activity:8-02-2006
Relevance:Low
TAC index:7
Comment:
Description:Program masks as doing one thing, but does another by using false positives detections to trick the user into buying the commercial version. Privacy policy not disclosed to the user prior to installation, steatlh install and bundled with 3rd party software and installation is not disclosed to the user.

Don't know if this has to do something with this problem, but I found it very odd to still detect something malicious, since I normally don't detect anything.

I hope this might help you out.
 
I only have the pop-up when I press for updates, not when I start Spybot. When I press update for a second time I get the normal reaction (i.e. the update). This has happened for the last week - rather strange :shrug:
 
This is odd.

I only had it happen once. Others have it happen multiple times. Some get it when Update is selected. I had it happen by simply starting the application (Firefox actually launched before Spybot finished its loading window). All reports of this are from this week and if it is malware causing this we can expect to see more. If Malware is on this system and I cannot detect it and If said malware can cause one program to launch another undetected how vulnerable are we? I do not think I will be buying anything on ebay on a Windows box soon.
Has Spybot ever had a feature to launch the default browser for any reason such as alerts, news or product updates?

The only other odd behavior present on both systems here is that when I run Immunization it always reports a certain number of immunizations are not active and to immunize now. I then run immunize and all seems fine but recheck shows the same number disabled. This is on both machines but both show a different number of immunizations that will not take hold (same database and versions on both). This is not new and seems to happen on all the windows NT boxes we have. I do not think this behaviour is related.
 
bad checksum

I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue? Solution? Help! Thanks. :scratch:
 
cyborg4fun:

cyborg4fun said:
I keep getting spyware update failures with the stated cause "bad checksum". Anyone else experiencing this issue?
Most people have at one time or another.

cyborg4fun said:
Solution?
"Bad Checksum" problems are usually caused by overloaded download servers.

To change download servers and for a workaround for "Bad Checksum" errors please see:
http://forums.spybot.info/showpost.php?p=345&postcount=2

Note: The download server can be changed after the "Search for Updates" and before clicking "Download Updates". So if you find a server that works well, you can start by using that server in the future. Also note that if you want (not necessarily recommended) you can select a server and then right click on the button and "Set this server as the preferred download location". If you do that Spybot will select that server rather than a random server for future updates.

Additional information:
 