weird popup

PepiMK said:
The blue banner will indeed open a browser that leads to http://www.safer-networking.org/ , or, if you use a skin, a URL that is defined inside the skin. The cursor should change to a hand to show you there's a link behind it.
Old skins may point to http://security.kolla.de/ , but from there you'll get forwarded to http://www.safer-networking.org/ as well. There are only three skins that point to this old address (Reloaded, Cactus, Matrix). I'll have to ask the Team member who should have created a skin page on our own website months ago why it isn't there yet (probably because there have been more important things).

The difference:
* The method - clicking the logo is different from an automated popup.
* The cloaking - according to Despise_Spyware, the page didn't appear in the history - what a click on the logo would do would be a simple open of the page without any hiding. Or maybe he didn't find it ;)
* The URL - unless you use one of these old skins (which are not even available currently), a click on the logo wouldn't get you to that page.


Suggestions:
* Check if you use one of those three skins (Reloaded, Cactus, Matrix)
* If this regularly happens, try to avoid clicking the logo at all cost ;) and see if it still happens :cool:

I use just the default skin, the popup occurred when I was updating. So I figure that it was probably a misclick on my part that caused it to happen. Still it is odd.
 
For me the same problem with the default skin. Clicked the logo accidentally.

This sudden strange behaviour also seems to do something else.......

It tries to add: "csx.adservs.com" into your trusted sites list....
Be aware.....

Has anybody already found out what's going on?
 
@Pietje: let me guess? Microsoft AntiSpyware is telling you that thing about the trusted sites? Then you're using a veeeery old version of that. That was indeed a false complaint by MS AntiSpyware - Microsoft didn't know the difference between "trusted" and "restricted" sites :D

To those who have the problem with the default skin even: are you long-time Spybot users, and always have installed over previous versions? I'm just trying to think if there was some very old version that had the default skin with a bad URL still shipped as a file instead of having it integrated. Or did you test some beta in the past maybe ('cause I've just checked 1.0, 1.1, 1.1.3, 1.1.4, 1.2, 1.3 and 1.4 and they didn't)?
 
@ pepiMK: No, it's the latest version of Webroot Spy Sweeper that's warning me........ The warning pops up directly after launching Spybot.

I included a screencap:
ngr0io.jpg


Furthermore, I first installed Spybot approx 2 months ago and kept it up-to-date. No participation in any beta releases.
 
Ditto with the default skin

I got the same thing here too. Oh yeah, this is my first time on this forum but I've been using S&D for years now. Really love the software.

I've seen that the link is taking me to that website too. No adware, malware, viruses..............nothing. Tried online scans, Ad-Aware, Bazooka, A2-Online & Personal, Microsoft Antispyware, Bit Defender, Housecall Antivirus scan, McAfee Online Scan, Jotti Online Scan & just about every other online scan I could find & my system is clean. So I guess it's the update to the skin at your end then :)


No website additions or no popups no nothing here. Clean & tidy desktop :)

-Regs
Capndon
 
Thought I should share...

On a clean install - just booted up and only just plugged in to download updates for 2 minutes -
I have installed: Clamwin 0.88, MS AntiSpyware 1.0.701, and then I installed Spybot 1.4, and poof - got that 'popup'...
It's funny, usually I install Clamwin, SpybotSD, then MS AntiSpyware, and I've never had a popup... but this time, I install MS BS first before SpyBotSD and get the popup?...

just thought I would share :)
 
Interesting james_152........

However, the installation order does not seem to matter in my case.
In my case MS BS has been installed after installation of SpybotSD.

Anyway, It's not old.... it's new, the "problem" or whatever we are talking about....
 
And it still happens..... but every time with another domain (see screencap)

oaput0.jpg


Every time I start Spybot. :-(
No other program has this problem on my machine at this time.
Rootkitrevealer draws blanks, as does PC-cillin, Webroot spysweeper, Spybot, etc.

What's going on :scratch: ? Any ideas?
 
Pietje:

The site uvu-channel.com is added to the restricted zone by Spybot during immunization by adding the following Registry entry.

Code:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uvu-channel.com]
*=dword:00000004

I don’t quite understand how Spy Sweeper:
  1. Can misinterpret this entry as a possible threat.
    --- and ---
  2. Why this pop-up is received "Every time I start Spybot." since that registry entry is only added when you "Immunize" within Spybot (SpybotSD.exe).

I suggest that you contact Webroot and report it as a false positive.

Incidentally Spybot also includes the following two HOSTS file entries (in the "Advanced mode" "Hosts file" feature of Spybot) to prevent access to uvu-channel.com related sites:
 
Pietje

I also have Spysweeper and received the notice regarding "csx.adservs.com"-I allowed the change and checked always take this action as it was my understanding that Spybot was adding "csx.adservs.com" to my restricted sites.

After seeing your post-I checked my restricted sites through IE explorer/properties/security and confirmed that both "csx.adservs.com" and "uvu-channel.com" are there.

I do not remember seeing the "uvu-channel.com" alert-but it may have come up when I recently reinstalled Spysweeper because of other problems.

The notice from Spysweeper does not say that Spybot is trying to add these to trusted sites-it says that Spybot is trying to change the settings for these sites. Spybot is changing the settings to "restricted sites".

I first ran across this type of conflict when installing Spywareblaster and it was adding "0190-dialers" to restricted site-both Spybot and Spysweeper came up with warnings.

Hope this helps.
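
An added example (not part of any post in this thread, and not Spybot or Spy Sweeper code): a small parser that reads ZoneMap\Domains entries from a .reg export and names the Internet Explorer zone each value assigns, so a "settings change" alert can be checked against whether the host landed in Restricted sites (4) or Trusted sites (2). The first sample entry is the one quoted earlier in the thread; the other two, the function names and the `intranet-portal.example` host are constructed for illustration.

```python
import re

# Internet Explorer security zone numbers as stored in ZoneMap values.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# [<hive>\...\ZoneMap\Domains\<domain>] or [...\Domains\<domain>\<subdomain>]
KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+)\\.*\\ZoneMap\\Domains\\([^\]\\]+)(?:\\([^\]\\]+))?\]$",
    re.IGNORECASE)
# The value name is the protocol ("*", "http", ...). Quotes are optional here
# because forum posts often drop them; real .reg exports keep them.
VAL_RE = re.compile(r'^"?([^"=]+)"?\s*=\s*dword:([0-9a-fA-F]{8})$')

# Constructed sample export (first entry is the one quoted in the thread).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\uvu-channel.com]
*=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adservs.com\csx]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet-portal.example]
"https"=dword:00000002
"""

def parse_zonemap(reg_text):
    """Return one dict per protocol value found under ZoneMap\\Domains."""
    entries, host = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            domain, sub = key.group(2), key.group(3)
            host = f"{sub}.{domain}" if sub else domain
        elif line.startswith("["):
            host = None  # a key outside ZoneMap\Domains; ignore its values
        elif host and (val := VAL_RE.match(line)):
            zone = int(val.group(2), 16)
            entries.append({"host": host, "protocol": val.group(1),
                            "zone": zone, "zone_name": ZONES.get(zone, "unknown")})
    return entries

def trusted_hosts(entries):
    """Hosts placed in Trusted sites, the case an alert should care about."""
    return [e["host"] for e in entries if e["zone"] == 2]

if __name__ == "__main__":
    for e in parse_zonemap(SAMPLE):
        print(f'{e["host"]:28} {e["protocol"]:6} -> {e["zone_name"]}')
```
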
 
Thanks for the answers......

But, indeed. Spysweeper reports the attempted change, as soon as I double-click the Spybot Icon. Just to launch Spybot. So, even before I start a sweep, or even more, before I see the Spybot initial screen.

Is this normal behaviour?
 
Pietje

I do not know if Spybot and SpywareBlaster work the same-but I used to get a popup from Spysweeper about the 0190-dialer every time I opened SpywareBlaster-until I allowed and checked always take this action.

I thought they had resolved the adservs in an update-they seem to be a little behind everybody on adding restricted sites.
 
<snip>
By the way, did you say it started Firefox for that popup even? Hmmm. I've checked my code. http://patrick.kolla.de/spybotsd.html hasn't been used as a link for Spybot-S&D since eons ;) If you intentionally click on my logo, it'll show the main page - but you may have noticed my logo is quite hidden, so you'll never click it by accident.
<snip>


Have intermittently experienced the same as the other posters.

It would appear that the launch of the default Internet browser targeting for URL http://patrick.kolla.de/spybotsd.html is caused by clicking the GUI of Spybot S & D in a specific, particular position.

Motivation: Have experienced the phenomenon several times (intermittently). Every time I have experienced it, I have clicked Spybot's GUI, either accidentally, or deliberately in order to refresh Spybot's GUI on top of GUIs for other SW on the desktop. The other program's GUI in my case is usually that of SpywareBlaster.

The speculations about malware causing the phenomenon are possibly more exciting than this straightforward rational cause of the phenomenon.

However, am happy to make a bet on the correct explanation for the phenomenon at least on my system. ;)

Have a clean system, and the launch of the default Internet browser targeting for the URL http://patrick.kolla.de/spybotsd.html only occurs when clicking the GUI of Spybot S & D in a specific place.

Hence, the reason for the phenomenon should be simple and clear.

Please research once more the Spybot S & D's code for the explanation.


"Everything must be taken seriously, nothing dramatically."
Louis Adolphe Thiers (1797-1877); French statesman, historian
 
Please research once more the Spybot S & D's code for the explanation.


"Everything must be taken seriously, nothing dramatically."
Louis Adolphe Thiers (1797-1877); French statesman, historian
The following text string is in the code for SpybotSD.exe (File version: 1.4.0.3) at 003160C4:

Code:
http://patrick.kolla.de/spybotsd.html
Much Ado About Nothing
Comedy by William Shakespeare.
 
Case closed. (Not to say there was any.)

The following text string is in the code for SpybotSD.exe (File version: 1.4.0.3) at 003160C4:

Code:
http://patrick.kolla.de/spybotsd.html
Much Ado About Nothing
Comedy by William Shakespeare.


Ditto! :laugh:


"Take nothing on its looks: take everything on evidence.
There's no better rule."
Charles Dickens (1812-1870); English novelist, dramatist.
 
What is this?

res://msscsi.dll/RC/104

That is where my browser is directing the popup to initially.

Sorry for the late reply.

Do you use Mozilla Firefox as your browser?

If you do, could it be you are infected (with NSIS Media)?

Please look at, e.g. http://kichik.net/2006/12/09/more-evil-files/ and

(and http://forums.mozillazine.org/viewtopic.php?t=432846).

Best of luck!

-Pete

"They believe that nothing will happen
because they have closed their doors."
Maurice Maeterlinck (1862-1949); Belgian author.
 
weird thoughts

Happened to me today; first time. Which led me to this interesting discussion. I am amused by the appropriate literary references.
My thought is more philosophical than technical analysis. I have wondered about the limits of the internet. If it is infinite then I suppose it's a non-issue. On the other hand if it is finite, the statistical likelihood of collisions & other undesirable interactions will increase. I wonder if this "crowding" is worsened by redundancy; i.e. do "updates" replace or do they exist of themselves? If a program is written on a particular platform does it inadvertently include residual "marks", like the unique "tool marks" on a machined part? In some future Asimovian world will sophisticated "AI" have "dna"?
 