SpyBot Search and Destroy has a new release: v0.03

http://patrick.kolla.de/software/files/spybotsd.zip

(new separate thread to avoid a clutter).

regards.

paul

i hope this verstion dosent have comet cursoer

mrblaze - I haven't ever found any trace of CC in SpyBotS&D (and a re-scan with AA confirms that just now).

What are you talking about? Pete

*If you don't want SBS&D to find and remove CC, go to the 'Excludes' tab and put a checkmark in front of 'Comet Cursor' so that it won't be removed. Is that what you meant?

MrBlaze, could you please give me some more details?

I don't use AdWatch, but many of my users are cross-checking with other software, and I never heard that anyone has detected CometCursors.
I'm still revising CC, so detection is still not as good as by other software, but I've definitively not included any spy!

Maybe you could mail me the result lists of Spybot-S&D and AdWatch so I may see what you are talking about?

(btw: sorry, my english is that bad that I don't understand sentences with more than 7 typos and no commas in it *::) )


Here's a list of what's new in 0.93:
-{ Quote: "New features:
- select all, none or just one product (in new context-menus of results and recovery)
- save results as textfile or to clipboard (in new context-menu of results)
- the legal stuff message box has a "Don't show again" checkbox
- progressbar while program is checking on start
- progressbar while fixing problems
- correctly repaired problems are now greyed out after fixing
- language select window at program start (instead of regedit popup windows)
- an alert sound can be played if spies are found
- buttons to create/remove the start menu item and desktop icon
- detection of bad cookies as spies
Bugfixes:
- no longer invalid parameters in dos box
- netscape cache directory found if not default
- icons will be only created/asked for if not existent
- icons will be deleted upon uninstall
- uninstall function improved (but still not perfect)
- when installing new languages, program restart is no longer required to show them

New bot-detections:
- CommonName
- Direct TV Icon
- Web3000
- SexTracker
Improved bot-detections:
- Aureate
- BDE Projector
- ClickTillUWin
- Conducent TimeSink
- Gator
- GoHip
- eZula
- New.net
- SaveNow
New usage tracks:
- IE last opened directory
- Virtual Dub recent file list
" }-

ok full story
i have adaware plus and adwatch that came with it.
Idowenloaded spy bot seach and destroy *not this new verstion but the prviouse verstion.

I also dowenloaded to other *programs lol lets just say those programs arnt ummm *legit lol.

any how i install the two programs and no bigy so i thought.

i also install spy bot seach and destroy and said yes to everything it asked me
i ran it and it was every thing it said it was and more it even fixed the windows media player exploit which was hell of cool.

unfoutionitly lol i did it all on my desk top so the short cut wouldnt work when i moved spy bot search and destroy to my documents security folder.

so i went and browesed to link the short cut to spy bot and acdently reinstalled it by accident big mess and it didnt make a correct short cut on my desk top so i uninstalled it.

the main spy bot search and destroy *application was there still except it didnt have all the languages dutch french ect typ stuff so i reinstalled it and it didnt ask me all those languages qustions to say yes or no to.

its default was enghlish i guess which was cool.

and i ran it tomake sure it worked and it said something like congradgulations sytem clean or something to that effect.

and i finaly set it up the way i want it lol desk tip icon and main folder in my secuity folder.

later on that night i guess my dad got on the internet so imidiatly i went to my computer cause im parynoyed any one touching my computer and rightly so he attracts spyware and viruses like candy does kids lol.

i started adwatch v2.3 and found comet curseor makeing mass intrys every time it was deleted ut would remake itself lol it was funny at first watchig the mass entrys

then i ran adalware and it did this it relly did remove comet curseor *but now i had to find out where it came from was it my dad that hit a web site with it?

or was it the two programs that wernt cough legit frome some untrustworthy site lol

so i ran ad watch *v2.3 my system clean i ran the two not legit programs and nothing they came out clean which was surpriseing lol.

at this point i was perty sure it was my dad *i left adwatch v2,3 on

and i ran spybot seach and destroy it gave me the system clean thing and walah as soon as i closed spybot seach and destroy there it was CometCursor *lol i lmao although adalware didnt find the source where CometCursor *came from it is alparent that spybot seach and destroy was unloadig it to my system lol.

i ran this senario a few times and it did it every time after i cleaned the system lol.

if you dont belive me look at the buttom i think some one ether put it in the priogram or some one made a comet curseor infection towards spy bot and its creator much like ants had a targeted viruse problem by some hacker that targeted that paticuler software.

Started registry scan
======================
Aureate key:HKEY_LOCAL_MACHINE\software\radiate\
(Ignored)
CometCursor key:Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM\comet.dll


Started deep registry scan
===========================
CometCursor key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\moduleusage\C:/WINDOWS/SYSTEM/comet.dll


Registry scan result:
Suspicious keys found :3


Started folder scan
====================
Now processing drive (C), 0 remaining.
Aureate folder:C:\WINDOWS\Application Data\Software\Radiate
(Ignored)
Finished examining drive(C), 3151 Folders total so far

Folder scan result:
Folders processed:3151
Suspicious folders found:1


Started file scan
==================
CometCursor file:C:\WINDOWS\SYSTEM\comet.dll

File scan result:
Suspicious files found:1



Scan complete
==============
Suspicious modules found:0
Suspicious keys found :3
Suspicious folders found:1
Suspicious files found:1
=========================
Spyware components ignored:2
Spyware components found total:3


Removing selected components:
==============================
Deleting:CometCursor,3,file,2,,C:\WINDOWS\SYSTEM\comet.dll,
Deleting:CometCursor,1,HKEY_LOCAL_MACHINE,2,Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/SYSTEM/comet.dll,,
Initializing:CometCursor,2,HKEY_LOCAL_MACHINE,2,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,C:\WINDOWS\SYSTEM\comet.dll,

Task completed on10:56:27 AM
Done.

by the way i love your software it does stuff that adalware is missing lots of cool extras keep up the good work maybe your program was infected by my computer could be a new verstion of comet curseor where it attatchs itself to a program to hide itself makeing it imposiable to detect.

until you run the infected program and close it i dont know iseriousely doubt you put it there.

SpyBot S & D v0.93 released
=( ok i dowenloaded it.
first blaze did a viruse scan with updated defs.
then i did adalware for spy ware.
then trojan check with two anto trojan programs
then looked for worms.
used internet sweeper to clean out cokies.

evrything came out clean.

i turn on adwatch everything ok till..............................
installed SpyBot S & D v0.93 released on instilation this happend.

Lavasoft Ad-watch v2.3
logfile generated on Tuesday,March,12,2002 11:00AM
Referencefile loaded.
Referencefile version-stamp : 142-24.11.2001
Ignorelist (2 items) loaded ok.

11:01:16 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:18 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:20 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:22 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:23 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:25 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:27 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:30 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:31 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:33 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:34 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:36 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:37 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:39 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:40 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:42 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:43 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:45 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:46 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:48 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:49 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:51 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:52 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:54 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:56 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:57 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

11:01:59 AM Warning! COMETCURSOR Key detected: HKEY_CLASSES_ROOT\clsid\{1678f7e1-c422-11d0-ad7d-00400515caaa}

Scan initialized on 12/30/2001 10:52:28 AM.
(AAW release 5.6 Plus, referencefile 142-24.11.2001)
=====================================================
*Threads:1
* *ProcID:4291232307
* *ParentProcID:4290931815
* *BasePriority:Normal

Memory scan result:
Total modules found:31
Suspicious modules found:0


Started registry scan
======================
Aureate key:HKEY_LOCAL_MACHINE\software\radiate\
(Ignored)
CometCursor key:Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM\comet.dll


Started deep registry scan
===========================
CometCursor key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\moduleusage\C:/WINDOWS/SYSTEM/comet.dll


Registry scan result:
Suspicious keys found :3


Started folder scan
====================
Now processing drive (C), 0 remaining.
Aureate folder:C:\WINDOWS\Application Data\Software\Radiate
(Ignored)
Finished examining drive(C), 3151 Folders total so far

Folder scan result:
Folders processed:3151
Suspicious folders found:1


Started file scan
==================
CometCursor file:C:\WINDOWS\SYSTEM\comet.dll

File scan result:
Suspicious files found:1



Scan complete
==============
Suspicious modules found:0
Suspicious keys found :3
Suspicious folders found:1
Suspicious files found:1
=========================
Spyware components ignored:2
Spyware components found total:3


Removing selected components:
==============================
Deleting:CometCursor,3,file,2,,C:\WINDOWS\SYSTEM\comet.dll,
Deleting:CometCursor,1,HKEY_LOCAL_MACHINE,2,Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/SYSTEM/comet.dll,,
Initializing:CometCursor,2,HKEY_LOCAL_MACHINE,2,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,C:\WINDOWS\SYSTEM\comet.dll,

Task completed on10:56:27 AM
Done.

snif snif the program you made looks so cool i love it and it even found stuff that i never heard of and offerd to fix it but why comet curseor and what is comet curseor and what does it do ?

spy search in destroy infecteted with coet curseor pleas fix this software to kick ase to be infected=( i want to keep it so bad cause the new program you made looks so good but i dont want the spyware snif snif=(

a paul if you reading this i think i deserve a extra star to my title for finding it wink eye lol

Hmm. Eat my words time, I guess! :)

Got back over here on the W98SE computer (the only one that has the 'Preview' on it still), d/l'ed the latest version of AA (my bad) and this is what I got:

Gator file:C:\WINDOWS\Downloaded Program Files\IEGator.inf
* *FileSize : 0 kb
* *FileCreation time : 01/09/2002 4:47:52 PM
* *Last accessed : 03/12/2002
* *Build :
* *OS : No executable

Gator file:C:\Program Files\spybotsd.preview\Spybot - Search & Destroy 0.93 preview\Recovery\Gator1\IEGator.dll
* *FileSize : 220 kb
* *FileCreation time : 03/11/2002 2:03:29 PM
* *Last accessed : 03/12/2002
* *Build : 3.0.6.1
* *OS : No executable
* *Description:Gator installer plugin for Internet Explorer
* *Version: 3.0.6.1
* *ProductName:GAIN

Gator file:C:\Program Files\spybotsd.preview\Spybot - Search & Destroy 0.93 preview\Recovery\Gator2\GatorPlugin.log

So the question now is: what to do about it? False positive by AA? Applies only to the 'Preview' version? Let AA remove it? Un-install the 'Preview' version and forget it? I cna let AA try to remove it and see if it cripples the 'Preview' version, if you like. Pete
* *FileSize : 2 kb
* *FileCreation time : 03/11/2002 2:03:29 PM
* *Last accessed : 03/12/2002
* *Build :
* *OS : No executable

Okay, I let AA remove all the keys it found on the old computer, shut it down and re-started it, ran the 'Preview' version again (which still worked,BTW), then ran AA again and this time it came out clean.

Way over my head here with this. Pete

mrblaze - Are you saying you don't know what Comet Cursor is? If you have it and don't want it, it can be found in Add/Remove Programs (unless it's something new).

You DO have 'Enable Install on Demand' UN-checked in your browser settings, correct? It will be constantly re-installed by various websites automatically if you don't have your settings correctly set. Pete

i have no form of commet curseor i have adalware and adwatch v2.3 fully updated

i belive gator is *or might be unrelated you might have had that from a prviouse share ware application *or program that uses it.

what you need is adware fully updarted refrences *and youll see it lol.

also if you have adwatch v2.3 you can see the whole thing happend it funny when you first see it lol.

first uninstall spy bot search and destroy then clean out your system make sure its all good.

then get adalware and update its refrences run it and make sure your system clean .

no spy ware good.

now reinstall spy bot search and destroy *now run adalware algain walah comet curseor lol.

if you have adwatch fully updated v2.3 *have it on *and *go get a bag of popcorn and soda *sit dowen have adwatch display on your desk top now install spy bot search and destroy (''LETS GET READY TO RUMMMMMMMMMBBBBBBLLLLEEE")you can watch *an infinit number of comet curseors *picking a fight with adwatch going back and forth adwatch delets it and it reapers lol back and forth *back and forth dukeing it out *ITS PERTY COOL LOL.

Hey i cant help it im a security junky ask paul and fan j im always here trying to get all the new toys first lol.

blaze makes a wl with finghere wilders for life baby.

lol oh ps this form of comet curseor does not show up in add and remove nor reg cleaner its trying to be sneaky lol.

also it does it after you run spy bot search and destroy after the program is closed lol.

perty nifty i might say makesits source inposiable to find except if you have adwatch on you know then as you close it where it came from.

now its time for blazes conspiracy theory lol.

i belive *there are people makeing share ware applications that if you use to make something like a utlity it has spy ware in it.

for example i use a share ware aplication to make a trojan detector *the share ware program is a unpacker to install soft ware now the aplication i made with it has spyware in it.

companys are secretly puting spyware in *[rograms that make utlitys so when you distupet it every one gets spy ware.

those dirty mofos lol.

thats it for another parnoyed blaze theory lol.

I have run further AA (latest program version and reflist) scans on both the old (W98SE) and this (WinMe) computer, both with SBS&D not running and running - and I'm not getting any further hits from AA on anything, either the 'Preview' or the latest version of SBS&D (v0.93).

I don't have or use AdWatch, so my first thought would be a malfunction in that rather than SBS&D.

It could very well be false-alarming on what SBS&D uses to detect Comet Cursor. Pete

First the easy part, spy1:
Gator file:C:\Program Files\spybotsd.preview\Spybot - Search & Destroy 0.93 preview\Recovery\Gator1\IEGator.dll
See the part 'Recovery' in the path? When Spybot-S&D removes Gator, it makes a backup of the files it deletes. So AA was correct, this is a Gator file, but it's no longer of any harm. Anyway, once you see that your system runs safely without Gator, you can simple go the the 'Recovery' page inside Spybot-S&D and purge those recoveries. I'm thinking of making those backups optional, or at least a checkbox in the settings to choose wether to create backups or not.

@MrBlaze: thanks for all that details! My theory would be: there has been a minor change to CC since Lavasoft wrote their detection, so AA detects this CLSID key, but not the dll that creates it. Without removing the dll, the key will be recreated each time the dll tries to access it.
Spybot-S&D's detection of CC is still in revision, take a look at the beta forum to see when I've finished it.

Gotta go, will be bacl later, hopefully with some bugfixes ;)

why it only show up when i install spy bot search and destroy.

ok ill go look you know name of .dll so i can locate it and delet it but it only shows up when i install or use spy bot.

I searched my whole program for that key, it didn't even know it until a few minutes ago, when I revised the Comet Cursors detection of Spybot-S&D.

Come over to my forum at http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi?s=3c8f93e80059ffff;act=ST;f=24;t=17 and download the newest beta if you want.

lol im sorry i didnt mean to sound like i was complaining i *do love your program just was wondering why comet curseor shows up on install.

sorry dont take it personal i have a great deal of respect for you could never put together a program as yours.

but thx for listining it shows you care.

I love the new spy bot search and destroy the newest one you made and i love its simplicity.

but even your latest verstion seems to be makeing a false key of comet curseor that dosent exsist a false alarm for those with adalware.

i would put a small warning with spybot search and destroy that those with adalware will recive a false warning of comet curseor and to just ighnore it and go ahead and remove it with adalware.

other then that this software is comeing out real good heres what it done for me so far.


Alexa: Interface (Registry Key)
*HKEY_CLASSES_ROOT\Interface\{E6E17E8C-DF38-11CF-8E74-00A0C90F26F8}

Alexa: Interface (Registry Key)
*HKEY_CLASSES_ROOT\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}

Radiate: Global settings (Registry Key)
*HKEY_LOCAL_MACHINE\Software\Radiate

Common Dialogs: history (374 files) (Registry Key)
*HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Internet Explorer: browser cache (1 files) (Directory)
*C:\WINDOWS\Temporary Internet Files\Content.IE5

Internet Explorer: cookies (4 cookies) (Directory)
*C:\WINDOWS\Cookies

Internet Explorer: Last used directory (C:\WINDOWS\Desktop\) (Registry Value)
*HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Save Directory

Log: Activity (OEWABLog.txt) (Backup file)
*C:\WINDOWS\OEWABLog.txt

Log: Install (wmsetup.log) (Backup file)
*C:\WINDOWS\wmsetup.log

Log: Install (setupapi.log) (Backup file)
*C:\WINDOWS\setupapi.log

Log: Install (Directx.log) (Backup file)
*C:\WINDOWS\Directx.log

Log: Install (Active Setup Log.txt) (Backup file)
*C:\WINDOWS\Active Setup Log.txt

MS Media Player: Recent file list (9 files) (Registry Key)
*HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: Recent open directory (C:\WINDOWS\Desktop\Go!Zilla Downloads) (Registry Value)
*HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir

MS Office 9.0: Recently used files (45 files) (Directory)
*C:\WINDOWS\Application Data\Microsoft\Office\Recent

MS Paint: Recent file list (4 files) (Registry Key)
*HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List

MS Wordpad: Recent file list (4 files) (Registry Key)
*HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Windows Explorer: program run history (1 entries) (Registry Key)
*HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: recently opened files (644 links) (Directory)
*C:\WINDOWS\Recent

it finds alot of cool stuff and kills it

Hello to the forum!

My name is Tracy and I am John Little's wife. *All of this fascinates me very much. In fact, it was computer security that initially brought us together; that's a long story. In "real life" I am an English teacher.

I wanted to write today because I have read posts from Mr. Blaze and have seen a couple of responses that mention his spelling and other problems with the written word. Well, I just wanted to write and tell Mr. Blaze to KEEP ON WRITING! I happen to admire very much someone who has difficulty writing for one reason or the other (disability, poor education, etc.) and doesn't let their weakness stop them from writing. It takes a very strong and courageous person to not shrink away when the spelling and grammatical errors are pointed out. John and I have both noticed that Mr. Blaze just keeps on keepin' on!

That's all. I only wanted to thank Mr. Blaze for posting and tell him of my admiration for continuing to post - despite the notes that seem to make fun of his writing skills. Not knowing your situation, nobody should ever make fun of such a thing. Here, the content is what counts and you seem to have a good grasp on many of these topics.

best wishes,
Tracy Little

Welcome Tracy, that was a nice ray of sunshine in an otherwise cloudy time. I am one of MRBLAZE's biggest fans also. Read his post about the virus maker, *it will explain everything.

http://www.security-pro.co.uk/yabb/YaBB.pl?board=tenforward;action=display;num=1015638087

my favorite thread.