Spybot findings

Discussion in 'other security issues & news' started by eyespy, Sep 23, 2004.

Thread Status:
Not open for further replies.
  1. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi all,
    seeing these results in a friend's PC..........

    After running Spybot's search and destroy, it found two problems.

    Under the heading Unknown, there were two files. One was:

    Ras Profile
    HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DIDI

    The other was:

    Ras Profile
    HKEY_USERS\Default\RemoteAccess\Profile\DIDI.

    After attempting to fix the problem (s), Spybot gave me the following:

    "Some problems couldn't be fixed. Reasons could be associate files are still in use (in memory). This could be fixed after start-up"

    I've rebooted and run Spybot again only to get the same.

    I scanned with updated AV software and AT software and no malware found.
    Is this RAS key really malware??

    Thanks and regards,
    bill :)
     
  2. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    Remarkable:
    I was just about to post a similar experience I also had today after scanning and re-scanning with Spybot S&D; same entries, other names of file.

    Very curious about further (expert-) replies to this one; keep an eye on this thread.

    Regards,
    slam
     
  3. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hm... Searching around a bit out of curiosity I find "ras profile spybot" several times - always with different filenames.. but most people seem to determine that they've found some kind of dialer or another. No more info here - but thought it might be a little helpful for what direction to look.
     
  4. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    False positive maybe?
    Is RAS needed if using non-dialup networking, internet, etc.??

    Regards,
    bill :)
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Well, could be - but some of them were porn dialers, etc - but the final file in those ended with "xxx..." so I would certainly not assume yours is the same.

    Did you also scan with AdAware?
     
  6. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I ran into "DIDI" quite a while back in the form of a dialer (this was before I had resident protection from SG, and close-enough-to-resident from SB). It did manage to connect a couple of times before I cleaned it out -- interestingly, the connections were domestic 900-calls to what sounded like psychic-reading outfits, rather than the more usual overseas porn thing.

    Total charge for the two was something like $5 Cdn, and Bell (who locally, at least, are quite knowledgeable about dialers) was quite cooperative and wrote off the charges.
     
  7. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hello,

    Try scheduling SpyBot to run a scan on system start up once. See screenshot.
     


  8. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Yes,
    That's been done 3 times!!
    Thanks and regards,
    bill :)
     
  9. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Mike,
    so you were using "Dial-Up" at the time?

    Thanks,
    bill :)
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi eyespy,

    Just to clarify, did you do like above in your first post (reboot and then run SpyBot), or did you let SpyBot run on system restart which will run SpyBot before any programs load up? I just ask this because it sounds like SpyBot cannot do the deletion because the file is in use.
     
  11. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    After running Spybot, I get the "Some items could not be removed. Do you want Spybot to run on next re-boot?"
    It does run on next boot with the same results!
    If, in fact, these regkeys are Dialer related,

    Ras Profile
    HKEY_USERS\S-1-5-18\RemoteAccess\Profile\DIDI

    Ras Profile
    HKEY_USERS\Default\RemoteAccess\Profile\DIDI


    I could simply delete them using RegEdit.
    But I'm not sure if they are needed for any other RAS apps that the user may use, which he says is nil!

    Thanks,
    bill :)
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hello eyespy,

    I am sorry for the confusion as I just wanted to clarify what you said.

    I am on cable, Win XP Pro SP2, am set up for dial up but do not use it except for an occasional fax. I do not have either registry entry; in fact, I do not even have the RemoteAccess section. Perhaps someone on dial up could check and see if they have those keys.
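
Added example (not part of any post in this thread, and not Spybot's own logic): a read-only PowerShell inventory of the `RemoteAccess\Profile` subkeys discussed in the two posts above. It lists every loaded hive under HKEY_USERS that has such an entry and exports each one to a .reg file, so a later manual deletion with RegEdit can be undone. The backup folder name is an assumption, and the script assumes PowerShell 3.0 or later and a reg.exe that accepts `/y`.

```powershell
# Added example: inventory RAS profile subkeys in every loaded user hive and
# export each one to a .reg file. Nothing in this script deletes anything.
# $BackupDir is an assumed location; change it as needed.
$BackupDir = Join-Path $env:TEMP 'ras-profile-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$report = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    # Hive name as loaded under HKEY_USERS (a SID such as S-1-5-18, or .DEFAULT)
    $hiveName    = $hive.PSChildName
    $profileRoot = "Registry::HKEY_USERS\$hiveName\RemoteAccess\Profile"

    # Hives without a RemoteAccess\Profile key are skipped
    if (-not (Test-Path -LiteralPath $profileRoot)) { continue }

    foreach ($entry in Get-ChildItem -LiteralPath $profileRoot -ErrorAction SilentlyContinue) {
        $regPath  = "HKEY_USERS\$hiveName\RemoteAccess\Profile\$($entry.PSChildName)"
        # Turn the registry path into a file name that is valid on NTFS
        $safeName = ($regPath -replace '[\\/:*?"<>|]', '_') + '.reg'
        $outFile  = Join-Path $BackupDir $safeName

        # /y overwrites an export left by an earlier run
        & reg.exe export $regPath $outFile /y | Out-Null
        $exported = ($LASTEXITCODE -eq 0)

        [pscustomobject]@{
            Hive   = $hiveName
            Entry  = $entry.PSChildName
            Values = ($entry.GetValueNames() -join ', ')
            Backup = if ($exported) { $outFile } else { 'export failed' }
        }
    }
}

if ($report) {
    $report | Format-Table -AutoSize -Wrap
} else {
    'No RemoteAccess\Profile entries found in any loaded hive.'
}
```

Run it from an elevated prompt so the system account's hive is readable; an exported .reg file can be re-imported if a removed entry turns out to be needed.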
     
  13. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Thanks Puff!

    Regards,
    bill :)
     
  14. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Hi bill -- yes, I was then and still am. Actually, to clarify my original posting slightly, this wasn't junk that was lying around undetected; picking up the dialer and the two connections it made were during a single session online and I cleaned up immediately afterwards. And of course SB's been a great help since then -- and avast doesn't hurt either.
     
  15. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Thanks Mike!!

    Regards,
    bill :)
     