
SpybotSD and NEW.NET


Ozidave


It will remove the spyware; New.net is the most common offender.
Somehow New.net and Mysearch are infiltrating and excluding themselves from Spybot's 'Ignore Products' list by checking the appropriate boxes. I recall 'dropping' the LSP entry in there some time ago and did not check any further until now that nlinecomputers has given me cause to. It's not back in the LSP exemptions, but there are some entries that I missed.

REMEDY: Start SpybotSD, click Mode / Advanced / Ignore Products, check every page for New.NET, Mysearch and any other box that is checked, and 'Un-Check' them... UNLESS you have 'PERSONALLY' told SpybotSD to ignore them.

I have not re-run Spybot yet to provide any more info, but I suspect Ad-Aware would not have ignored it if it was there. This could also be the result of those @&^%# programmes that want to scan your computer for so-called problems and run whether you click Y or N. So beware!

Ozi.

nlinecomputers
Somehow New.net and Mysearch are infiltrating and excluding themselves from Spybot's 'Ignore Products' list by checking the appropriate boxes.
Yikes. Thanks for that heads up. More things to check at client sites. D*** scumware hackers... shooting them is too good for them. Time to tie an ankle to the bumpers of opposite-moving cars and make a wish.

Ozidave

Somehow! New.net and Mysearch is infiltrating and excluding themselves from Spybot's 'Ignore Products' list by checking the approriate boxes.
I can confirm this. Even after a clean install of SD 1.3 w/ updated refs this is happening. There's even more: the DSO exploit (which is a bug in SD) still shows up. Kazaa.World bot shows up: never heard of Kazaa, never been there, never used any P2P and never downloaded any music or any other multimedia content. A thorough registry search shows absolutely nothing of Kazaa, no traces in the whole registry or OS. (How could there be any: Kazaa is blocked w/ all thinkable manners, IE is blocked, NO ActiveX, NO Java and NO JavaScript, and scripting is blocked. Don't even use IE.)

I did some further investigating on this "Kazaa" thing and I have been perusing some forums on the net where this entry is highly suspected as a FP (false positive). You can google yourself and have a look at it...

Installed SpywareGuard, SpywareBlaster and a²-free. Downloaded TDS 3 and holding this on standby... Did an a²-free scan and nothing was found.

BTW: AAW w/ all updates detects nothing of the above malware.

The DSO-exploit (which is a bug in SD) still shows up.Kazaa.World bot shows up : never heard of Kazaa,never been there, never used any P2P.
Hi Striker, you're right about DSO and I believe they're working on it. This is a long shot re: Kazaa.world. Delete all your internet Temp Files and cookies and see if Kazaa still turns up. We'll pick it up from there unless someone comes up with a REMEDY.

Btw, a²-Free, what is it and where can I get it to have a look at it?

Ozi.

Guest Paracelsus

Muchas gracias, likewise, for the heads up, Dave!!! I haven't bothered to look at the "Exceptions" for quite a while. And sure enough... the ones you mentioned were checked. Fortunately, when I scanned, nothing untoward was detected. I'll be reviewing Exceptions more closely in the future.


nlinecomputers

The only thing on my system that was set up as an exception was new.net. I recall this morning, but forgot before, that Spybot does that now by default because it has problems properly removing that Trojan without killing the winsock. I'd rather have a dead winsock than new.net on the system. Lesson learned is always scan with more than one scanner.


I recall this morning but forgot before that Spybot does that now by default because it has problems properly removing that Trojan without killing the winsock. 
Hi Nline, I was beginning to suspect that this was a furphy. I installed SpybotSD (off CD) on my other computer; New.net is there also, and that computer has never been online apart from upgrading to XP SP2 and re-registering my AV, as it's a spare should this one keel over. Was waiting for a reply from Kolla before I said anything further. The grey matter, it takes some jogging at times; I'm glad yours kicked into gear and put this one to bed.

Ozi.

Ozidave

Delete all your internet Temp Files and cookies and see if Kazaa still turns up.
Ozi, I clean them all after each and every internet session, and have for years. So there's nothing in there, except legitimate cookies I need to enter some sites, mainly banking and forums: total of 4 cookies. Other caches are (as said) emptied after each and every internet session.
Btw, a²-Free, what is it and where can I get it to have a look at it?
Take a look here: http://www.emsisoft.com/en/software/free/ I use the free version. After installing, an internet connection will be needed to register (free, just a password and username to get at your updates) and say NO to any newsletter subscription unless you want it. This application was recommended by another Highlander, so I downloaded it and installed it, after a thorough inspection... it runs fine here. I've got quite an "arsenal" by now; pity all of this is needed nowadays to show up on the net without getting screwed up within one lousy minute. Well, it's 2004 I guess. I do have a Linux install ready for take-off on hdd2, so maybe I'm going to switch over for a while.

nlinecomputers

The only thing on my system that was set up as an exception was new.net. I recall this morning, but forgot before, that Spybot does that now by default because it has problems properly removing that Trojan without killing the winsock. I'd rather have a dead winsock than new.net on the system.
Well, that winsock piece of the puzzle can be repaired. In previous posts you told about it already. And anyway, putting back a known working and good Ghost image just takes me 20 minutes. I have them UNchecked now in exceptions...

Wow!!! Interesting thread. With ref to Kazaa, wasn't there a lawsuit by Kazaa against some company for classifying them as spyware? Could it have been against Kolla? And could new.net have done the same thing? I guess the point I'm trying to get to is: are these exceptions being distributed by SpyBot because of legal requirements rather than being due to malware getting onto the PC?


Update: re. the DSO exploit: I was able to fix it in the registry. Scanned several times w/ SD and no DSO exploit was indicated anymore. I'm doing some more testing now. Re. the Kazaa puzzle: I've got some news but I'll be back later on. Please stay tuned if you're interested.


Update: no more problems w/ the DSO exploit. Problem solved.

Re. the Kazaa puzzle: the story goes on... You can find some more specific info here, please read first: http://forums.net-integration.net/index.ph...t13\.world

PART 1

In my case, the key SD is indicating (HKEY_USERS\S-1-5-21-1275210071-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun) contains absolutely no trace of Kazaa. There are "cscript" and "wscript" in there, which I put in there myself.

A little background info: these two entries are placed in the registry's DisallowRun key by a little regfile I own; this way no script can run on this machine. If any attempt is made to run a script, a warning dialog from the OS pops up telling me "scripting is currently disabled by the administrator on this machine". Now running SD, it always finds the Kazaa contamination, which in reality isn't there on my machine.

A second regfile I have enables scripting on the machine. After invoking this regfile (enabling scripting), I have to reboot and after that scripts can run on the machine, without any warning. For warning and testing purposes I use a little VBS file; all it does is tell me that if it was a real malicious file, it could have been doing all things to my machine.

Now running SD again (scripting enabled), it finds the Kazaa contamination and, letting SD fix this one, cleans it... Rescan and no Kazaa entry will be found. Now reboot the machine and after that rescan with SD: nothing will be found as the result. I rebooted several times and did a scan: same result: "no immediate threats were found". Remember: at this moment scripting is enabled on the machine!

PART 2

Now I'm going to invoke the disable regfile to stop scripting on the machine, after that I'm going to reboot and do a scan... OK, here we are again: SD found:

Kazaa.Irc.Spybot13.World: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1275210071-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Well, I know the inside and outside of my regfiles, I created them myself. I can assure you, there's no Kazaa in there. So this is definitely a FALSE POSITIVE. I did several HJT scans too but there was nothing unusual in there. There was no Kazaa on this machine, there is no Kazaa on here and it will never be, as long as I can prevent it. Period.

FWIW: here are the contents of the 2 regfiles I use.

Here's the "allow.reg" file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"NoNetworkConnections"=hex:01,00,00,00
"DisallowRun"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wscript.exe"
"2"="cscript.exe"

And here's the "disallow.reg" file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoRecentDocsMenu"=hex:01,00,00,00
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoRecentDocsHistory"=hex:01,00,00,00
"NoSMMyDocs"=hex:01,00,00,00
"NoSMMyPictures"=hex:01,00,00,00
"NoNetworkConnections"=hex:01,00,00,00
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wscript.exe"
"2"="cscript.exe"

And if you need it for your own testing purposes, here's the "test.vbs" file:

Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
msgbox "THIS IS A TEST - If you are viewing this box, without having received a prior warning, you may be at risk of opening a dangerous e-mail attachment, containing a virus. If this would have been a hostile script, you could have been infected with a virus or done other damage to your system.", 64

DISCLAIMER: you may use these files at your own risk. I'm not responsible if smoke is coming out of your PC and I'm not going to pay you, not even 1 lousy cent.

ADMIN: If it is not allowed to put these little files over here, please feel free to remove them. Anybody wanting them can PM me and I'll be happy to send them over. Thanks.

Edited by striker

nlinecomputers
Re. the DSO exploit: I was able to fix it in the registry. Scanned several times w/ SD and no DSO exploit was indicated anymore. I'm doing some more testing now.
Details man. Details. Don't you know that you are not supposed to post that you fixed something without saying HOW?

Hehehe, I must be a genius then. I allow anything to do anything, so long as it pops up a warning telling me it's doing something. I run Ad-Aware and S&D once a month, and all it ever finds is a few cookies. Never get virii or trojans; once in a while AVG will catch a trojan or virus in email and quarantine it, then I delete it. Oh yeah, and I have ad and popup blocking so they don't even get the chance to pop up and ask me anything. http://www.allstars.com/store/index.html AdShield


Don't cut my head off this fast! I'm working on this more than 8 hours now. Am I being allowed a little rest? I'm testing, just hold on.

CT:

I must be a genius then
You must be a happy human!

Nathan, you asked for it... the details.

These are the 5 keys SD is showing in its result on my machine:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3]
[HKEY_USERS\S-1-5-21-1275210071-1677128483-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3]

To get rid of the bug of "not fixing it" in S&D v.1.3:

1. Search for the keys SD shows in your result display one at a time in the registry (for example, look for this key: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0).
2. Once found, back up the key.
3. Now see that for each key in the right pane "1004" is a DWORD value... if it's empty or a REG_SZ value, right-click on "1004" and delete it. Then in the left pane right-click on the "0" subfolder and create a new DWORD value, call it 1004, click OK. Now in the right pane again double-click the new 1004 value, and replace the value 0 with a 3 (hex); click OK.
4. Do this with all the keys SD showed in YOUR result display. (Remember: the above keys are shown in MY results display!)
5. Reboot PC. (Logging off and back on didn't do the trick on my rig.)

After rebooting the PC do a scan with SD: no more DSO exploit will be found.

DISCLAIMER: Use at your own risk.

******* I'm off getting a sleep now. **********

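As an added example (not code from the thread, from Spybot or from any of the posters), here is the manual procedure in the post above, together with the DisallowRun check from the earlier "Kazaa puzzle" post, as one PowerShell script. It walks every user hive currently loaded under HKEY_USERS, lists what each hive's DisallowRun policy blocks (so a self-applied wscript.exe/cscript.exe entry can be told apart from something a scanner or a piece of malware wrote), and reports whether Zones\0\1004 is a REG_DWORD of 3; with -Fix it deletes and recreates that value exactly as steps 3 and 4 describe. Assumptions, none of which come from the thread: an elevated prompt, the HKU: drive can be mapped, and the hive of any user you want checked is loaded (log that user in, or load their ntuser.dat under HKEY_USERS first). The script name and the -Fix switch are this example's own choices.

```powershell
# Added example, not code from the thread or from Spybot: audit every loaded user hive for the
# two registry locations discussed in this thread, and optionally repair the second one.
#   Policies\Explorer\DisallowRun     - the key Spybot 1.3 reported as Kazaa.Irc.Spybot13.World
#   Internet Settings\Zones\0\1004    - the value Spybot 1.3 reported as the "DSO Exploit"
# Run from an elevated PowerShell prompt. Back up the keys first. Usage (script name is assumed):
#   .\Audit-SpybotKeys.ps1        # report only
#   .\Audit-SpybotKeys.ps1 -Fix   # also rewrite 1004 as REG_DWORD 3, then reboot (step 5)
param([switch]$Fix)

# URL action 0x1004 = "Download unsigned ActiveX controls"; 3 = Disable. Zone 0 is "My Computer".
$Zone0Sub     = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$PolicySub    = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Expected1004 = 3

function Get-DisallowRunEntries {
    # Returns one object per program listed under <hive>\...\Policies\Explorer\DisallowRun.
    param([string]$HivePath)
    $policy = Join-Path $HivePath $PolicySub
    $list   = Join-Path $policy 'DisallowRun'
    if (-not (Test-Path -LiteralPath $list)) { return }
    # The DWORD "DisallowRun" on the parent key switches the list on (1) or off (0).
    $enabled = (Get-ItemProperty -LiteralPath $policy -ErrorAction SilentlyContinue).DisallowRun
    $item = Get-Item -LiteralPath $list
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Hive    = $HivePath
            Enabled = ($enabled -eq 1)
            Index   = $name
            Program = $item.GetValue($name)
        }
    }
}

function Test-Zone1004 {
    # Reports whether <hive>\...\Zones\0\1004 is a REG_DWORD of 3; with -Fix, makes it so.
    param([string]$HivePath, [switch]$Fix)
    $zone0 = Join-Path $HivePath $Zone0Sub
    if (-not (Test-Path -LiteralPath $zone0)) { return }
    $key    = Get-Item -LiteralPath $zone0
    $status = 'missing'
    if ($key.GetValueNames() -contains '1004') {
        $kind = $key.GetValueKind('1004')
        $val  = $key.GetValue('1004')
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $val -eq $Expected1004) {
            $status = 'ok'
        } else {
            # The case the post describes: value empty, or REG_SZ instead of REG_DWORD.
            $status = "wrong ($kind = '$val')"
        }
    }
    if ($Fix -and $status -ne 'ok') {
        # Same as the manual steps: delete whatever is there, recreate as DWORD 3 (hex 3).
        Remove-ItemProperty -LiteralPath $zone0 -Name '1004' -ErrorAction SilentlyContinue
        New-ItemProperty -LiteralPath $zone0 -Name '1004' -PropertyType DWord -Value $Expected1004 | Out-Null
        $status = "fixed (was $status)"
    }
    [pscustomobject]@{ Hive = $HivePath; Value1004 = $status }
}

# HKU: is not mapped by default; map it so the per-SID hives can be walked like folders.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# Only hives currently loaded under HKEY_USERS are visible; *_Classes hives carry no settings.
$hives = Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -notlike '*_Classes' } |
         ForEach-Object { "HKU:\$($_.PSChildName)" }

'--- DisallowRun entries per hive (wscript.exe/cscript.exe here would be the self-applied policy) ---'
$hives | ForEach-Object { Get-DisallowRunEntries -HivePath $_ } | Format-Table -AutoSize
'--- Zones\0\1004 per hive (Spybot expects REG_DWORD 3) ---'
$hives | ForEach-Object { Test-Zone1004 -HivePath $_ -Fix:$Fix } | Format-Table -AutoSize
```

Run it once without -Fix and compare the DisallowRun table against what you put there yourself before touching anything: a program name you do not recognise in that list is worth investigating, while the two script hosts from the regfiles in the earlier post are expected. The 1004 repair only rewrites hives that report "missing" or "wrong", and, as the post says, the scanner result does not change until after a reboot.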

Hi Striker, excellent stuff. I've found a couple of links which go to describe the whys and the whats on how SD mishandles this, and also what changing the setting does to IE Security Settings.

This URL is the whole article (not as informative as yours, but helpful): http://forums.net-integration.net/index.ph...hl=dso+exploits

This one is just the screen shots: http://forums.net-integration.net/index.ph...e=post&id=73663

Ozi.


Thanks Ozi, it took me some time to get it right and some time testing it, but I'm happy I've got this one straightened out, at least for me. It works OK on my machine. I just hope it will solve that little problem for others too. BTW, did you have a chance to look at a²? And did you get a reply from Mr. Kolla?


Hi Striker, a²: yes, thank you for that, was more interested in looking/testing than using it, but am impressed. Kolla: no! He's probably too busy fending off accusations and explaining to others why he needs to include malware prevention in his programme and then allow it to pass? Maybe a² will rise to the challenge and surpass the master. I've been blindly following/supporting Kolla for a long time, but this sort of action does nothing to retain my confidence that SpybotSD will always be a 'leader' in fighting spyware.

Ozi.

