Is Spybot adding, not removing spyware?

Discussion in 'Windows Vista Security' started by Vista Novice, Nov 7, 2007.

  1. Vista Novice

    Vista Novice Guest

    On a brand new Gateway desktop computer which came with Vista, per Consumer
    Reports recommendation, I installed TrendMicro Internet Security (which
    uninstalled the McAfee app which came with the computer) and I just now
    downloaded (from one of the spybot.com "mirror" sites) and ran Spybot. I did
    this because CR says to run a 2nd anti-spyware application since none of them
    catch all spyware.

    BEFORE running Spybot, TrendMicro found no spyware.

    I ran Spybot "Check for problems", resulting in "Congratulations, No
    immediate threats were found"

    AFTER running Spybot, TrendMicro now finds 13 Trojans (eg. aaasexypics.com),
    98 Adwares (eg. adult-friends-finder.net), all from -->127.0.0.1

    Nothing but Spybot was run between the two TrendMicro runs. Can Spybot
    really be responsible for adding all this spyware? It was recommended by
    Consumer Reports which is my consumer's bible. Has anyone else run into this?
    TrendMicro Internet Security is a paid-for product written by a for-profit
    company, Spybot is "free-ware". Is this a case of "you get what you pay for"?

    (FYI: Although I worked in the CAD/CAM software field years ago, I am a
    total novice regarding PC's, the internet, downloading, Vista, security
    software, etc. - and this is not a good initial experience, I must say!)
     
    Vista Novice, Nov 7, 2007
    #1

  2. Vista Novice

    vanilla Guest

    I don't think you got the REAL Spybot Search & Destroy ... I just did a
    search and, from all the choices listed, could not determine where the REAL
    Spybot Search & Destroy home page is found ... none of the search results
    was for a spybot dot com ... I have to get to work and I hope one of the
    MVPs will see your post and help you tonight.

    I hope you told TM to delete all of that stuff (hope even more it is set to
    do so automatically) ... then you need to delete the version of Spybot
    Search & Destroy that you downloaded ... I truly do not believe you got the
    real thing. If you did go to the correct URL and spybot dot com is the
    official website, then I hope we all get an answer as to how all of this
    showed up on your computer. Perhaps the link to that 'mirror' site is bogus.
    Don't know ... sorry I can't help you.

    Keep running scans with TM to see if anything else shows up ... good luck
    .... vanilla
     
    vanilla, Nov 7, 2007
    #2

  3. Vista Novice

    Seth Guest

    Here's the real site for SpyBot S&D
    http://www.safer-networking.org/
     
    Seth, Nov 7, 2007
    #3
  4. Looks like Spybot S&D added entries for these websites to your HOSTS
    file, basically to prevent your computer from visiting these malicious
    sites.
    Now, if your browser, or any other program, tries to go to e.g.
    adult-friends-finder.net, instead of going to the real site, it will try
    to connect to 127.0.0.1, which is known as "local host", a.k.a. your own
    computer. That particular site, as well as any other sites that are
    redirected to 127.0.0.1 in your HOSTS file, won't be able to show bad
    content or install malware on your computer.
    Looks like the alarms of TrendMicro get triggered by the names of the
    sites that are blocked in your HOSTS file.
     
    Mark Veldhuis, Nov 7, 2007
    #4
  5. Vista Novice

    Kayman Guest

    Download David H. Lipman's MULTI_AV.EXE from the URL:
    http://www.pctipp.ch/downloads/sicherheit/35905/multi_av_scanning_tool.html
    Further information can be found here:
    http://www.elephantboycomputers.com/page2.html#Multi-AV
    Additional Instructions:
    http://pcdid.com/Multi_AV.htm
     
    Kayman, Nov 8, 2007
    #5
  6. Vista Novice

    Vista Novice Guest

    Thanks for the very prompt responses to my question (and all of them
    relevant, ie. no gratuitous replies or graffiti). This is my first
    experience with the "Windows Vista Community" and it was a good one - I'll be
    back!

    A "thank you" particularly goes to Mark Veldhuis who provided the answer,
    but others provided useful information as well, so thanks to all!

    There was nothing on "HOSTS files" in the local Vista "help" (which I have
    found to be pretty spotty), but through the "Knowledge Base" I found that the
    host file is located at c:\Windows\System32\drivers\etc. I took the "risk" of
    running Spybot again (trusting Mark) and sure enough a "hosts" file was
    produced with the following entries:

    127.0.0.1 localhost
    ::1 localhost
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1 007guard.com
    127.0.0.1 www.007guard.com
    127.0.0.1 010402.com
    ....
    (over 7,200 entries!)
    ....

    I will send an email to TrendMicro suggesting that they should "skip" such
    entries since they are not spyware, nor actual links to malicious websites.
    And they should expect that other customers - at least fellow readers of
    Consumer Reports ;-) would be running Spybot in addition to TrendMicro.

    Also, my faith in Spybot (and Consumer Reports) is restored. It is truly
    impressive that Spybot has amassed a list of over 7,200 such websites and also
    a bit strange that TrendMicro flags such a small number as spyware.

    Thanks again for the help.

    - Vista Novice
     
    Vista Novice, Nov 8, 2007
    #6
  7. Vista Novice

    vanilla Guest

    Thanks, Seth, for the correct link ... will save for future reference ...
    vanilla
     
    vanilla, Nov 8, 2007
    #7
  8. Vista Novice

    vanilla Guest

    duh ... I forgot all about the hosts file ... mine is locked and I never
    even think about it anymore ... when I didn't see spybot dot com in the
    search results, I thought he didn't get the real thing.

    Is 127.0.0.1 only the hosts file? I ask because I was going to make a note
    "127.0.0.1 = hosts file" but this might be a simplistic assumption. Thanks
    for any reply ... vanilla
     
    vanilla, Nov 8, 2007
    #8
  9. No. It's kinda like an IP address, 127.0.0.1 is what your computer knows
    as itself, so it's also called "localhost".
    When you browse to a website, you connect to the IP address of a
    webserver. Domain names like www.google.com exist because it's easier to
    remember names than numbers. A DNS server, in most cases that of the
    Internet Provider you use, converts those names to the numbers (IP
    addresses). In the case of www.google.com, it will connect you to
    64.233.183.104 .
    Now, if you'd put the following line in the HOSTS file

    127.0.0.1 www.google.com

    your computer would try to connect to 127.0.0.1 every time you'd try to
    surf to www.google.com. It would try to connect to your own PC. You
    likely aren't running a webserver at that address, and it isn't Google
    anyway. So, you won't be able to connect to www.google.com if that line
    is present in the HOSTS file.

    With the info above, and the line below, think of what the HOSTS file
    can do to protect your computer:

    127.0.0.1 malicious.site.com

    :)
     
    Mark Veldhuis, Nov 8, 2007
    #9
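
Added example (not part of any post in this thread): a small Python check that reads a hosts file in the format quoted in post #6 and separates names pinned to the local machine, as Spybot's entries are, from names mapped to some other address, which is the case worth reviewing because the hosts file is consulted before DNS. It goes beyond the thread's 127.0.0.1 case; the function name, the `0.0.0.0` line and the `.example` entries are constructed for illustration.

```python
import ipaddress

# Constructed sample: the first six lines follow the file quoted in post #6,
# the last three are made-up entries covering cases the thread does not show.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 010402.com   # trailing comment
0.0.0.0 blocked.example
203.0.113.10 www.bank.example bank.example
not-an-ip broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def classify_hosts(text):
    """Sort hosts-file entries into local, sinkholed, remapped and malformed."""
    result = {"local": [], "sinkholed": [], "remapped": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # comments run to end of line
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            result["malformed"].append((lineno, line))
            continue
        for name in (f.lower() for f in fields[1:]):  # one line may list aliases
            if addr.is_loopback or addr.is_unspecified:
                # Name resolves to this machine: unreachable, i.e. blocked.
                key = "local" if name in LOCAL_NAMES else "sinkholed"
                result[key].append(name)
            else:
                # Name is silently pointed at another server: review these.
                result["remapped"].append((name, str(addr)))
    return result


if __name__ == "__main__":
    for kind, entries in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{kind:10} {len(entries):3}  {entries[:3]}")
```

On a real machine, pass the contents of the hosts file under `C:\Windows\System32\drivers\etc` instead of `SAMPLE_HOSTS`; a long `sinkholed` list is the expected result after Spybot's immunization, while anything in `remapped` deserves an explanation.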
  10. Vista Novice

    vanilla Guest

    Thanks very much ... vanilla

     
    vanilla, Nov 9, 2007
    #10
  11. Vista Novice

    netlink_blue Guest


    Good luck trying to manually add/edit an entry in Vista HOSTS file.
    Vista has it locked.

    Since I'm new to Vista's "take possession" game, it took many
    nano-seconds for me to explore the various buttons and dialog boxes
    before I could save my edited HOSTS file.

    I thought about resetting permissions back ...(raucous laughter)

    /netlink
     
    netlink_blue, Nov 15, 2007
    #11
  12. I use Hostsman from http://www.abelhadigital.com/ to manage my HOSTS
    file.
    To edit and update the file, the program needs to be run as
    Administrator. The interface of the program provides an option for that.
    Never a problem...
     
    Mark Veldhuis, Nov 15, 2007
    #12
  13. Vista Novice

    netlink_blue Guest

    Thanks for the link and info. This morning I did a quick search, and
    found this "sweet fix" posted by someone.

    Right-click on your desktop, and create a Shortcut. Copy/paste this
    link into said shortcut ...

    C:\Windows\System32\notepad.exe C:\Windows\System32\drivers\etc\hosts

    Once shortcut is created (which causes Notepad to open HOSTS file)
    right-click shortcut icon and open "Properties". Click Advanced button
    and check-box "Run as Administrator".

    Worked a treat for me.

    over the river, and through the woods
    to granny's we go ... beautiful vistas there,

    /netlink
     
    netlink_blue, Nov 16, 2007
    #13
  14. Vista Novice

    Vista Novice Guest

    Please see my new post (12/6/2007 2:25 AM PST) "Did I put a hole in my Trend
    Micro security wall?"

    Thanks!

    Charlie (Vista Novice)
     
    Vista Novice, Dec 6, 2007
    #14