vs. SpyBot


AndyManchesta

Hi Robert

Can you open Spybot, then go to 'recovery', then list all
the 24 things that were removed by Spybot that MS Antispy
missed? Without that information it's impossible to comment.


Andy
 
Are you looking for a list of things it missed? Seems it
missed everything!

I have rerun Spybot and here is the list. This is the
list prior to deleting them


WebTrends live: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
BDHelper: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
BDHelper: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
BFast: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
CoreMetrics: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
CoreMetrics: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
FastClick: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
MediaPlex: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)
ShopNav: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}

ShopNav: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}

TheGuardian: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
TheGuardian: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
ValueClick: Tracking cookie (Internet Explorer: Robert) (Cookie, nothing done)

VX2/a: System file (File, nothing done)
C:\WINDOWS\Downloaded Program Files\CONFLICT.\IEHelper.dll
VX2/a: Shared DLL (1 apps) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDlls\C:\WINDOWS\Downloaded Program Files\CONFLICT.1\IEHelper.dll


--- Spybot - Search && Destroy version: 1.3 ---

2005-04-26 Includes\Cookies.sbi
2005-06-30 Includes\Dialer.sbi
2005-06-30 Includes\Hijackers.sbi
2005-06-23 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-06-30 Includes\Malware.sbi
2005-06-09 Includes\PUPS.sbi
2005-04-27 Includes\Revision.sbi
2005-06-09 Includes\Security.sbi
2005-06-30 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-06-30 Includes\Trojans.sbi
 
Hi again Rob,

Most are just cookies, which can be easily deleted without
using antispy products just by opening an Internet window,
then going to Tools on the top bar, then Internet Options,
and deleting cookies.

But there are some issues detected that are not cookies,
and that's why I wanted you to post them, so that people
can comment on the results and so that MS can include
anything that is missed by MS Antispy.

You just seem to have one problem, which is shopnav. You
can try using Spybot to remove them, but the .dll's are
registered, which may prevent Spybot removing them until
you unregister the files.

BDHelper is related to shopnav. If you have this
installed then it can create all these registry values
and maybe even more:

HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj
@ = "IEHlprObj Class"

HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj\CurVer
@ = "IEHlprObj.IEHlprObj.1"

HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1
@ = "IEHlprObj Class"

HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1\CLSID
@ = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"

HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
@ = "IEHlprObj Class"

HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
@ = ""<adware path and file name>""

HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
ThreadingModel = "Apartment"

HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
@ = "IEHlprObj.IEHlprObj.1"

HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
@ = "IEHlprObj.IEHlprObj"

HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
@ = "IIEHlprObj"

HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
@ = "{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
@ = "{00020424-0000-0000-C000-000000000046}"

HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
@ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"

HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
Version = "1.0"

HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0
@ = "IEHelper 1.0 Type Library"

HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
@ = "<adware path and file name>"

HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
@ = "0"

HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
@ = ""<adware path>""

HKEY_LOCAL_MACHINE\Software\Classes\IEHlprObj.IEHlprObj
@ = "IEHlprObj Class"

HKEY_LOCAL_MACHINE\Software\Classes\IEHlprObj.IEHlprObj\CurVer
@ = "IEHlprObj.IEHlprObj.1"

HKEY_LOCAL_MACHINE\Software\Classes\IEHlprObj.IEHlprObj.1
@ = "IEHlprObj Class"

HKEY_LOCAL_MACHINE\Software\Classes\IEHlprObj.IEHlprObj.1\CLSID
@ = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
@ = "IEHlprObj Class"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
@ = "<adware path and file name>\IEHelper.dll"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID
@ = "IEHlprObj.IEHlprObj.1"

HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID
@ = "IEHlprObj.IEHlprObj"

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
@ = "IIEHlprObj"

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid
@ = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32
@ = "{00020424-0000-0000-C000-000000000046}"

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
@ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"

HKEY_LOCAL_MACHINE\Software\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0
@ = "IEHelper 1.0 Type Library"

HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32
@ = "<adware path and file name>"

HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS
@ = "0"

HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR
@ = "<adware path and file name>"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp\Parameters
{C4882884-C3EC-4731-AAAC-CA4828E55074}

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
DhcpNodeType = "dword:00000008"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{C4882884-C3EC-4731-AAAC-CA4828E55074}
DhcpNameServerList = "hex(7):31,39,32,2e,31,36,38,2e,33,30,2e,37,00,31,39,32,2e,31,33,38,2e,33,30,2e,38,00,00,"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DhcpNameServer = "<DHCP servers>"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DhcpDomain = "<domain name>"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C4882884-C3EC-4731-AAAC-CA4828E55074}
DhcpNameServer = "<DHCP servers>"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C4882884-C3EC-4731-AAAC-CA4828E55074}
DhcpDomain = "<domain name>"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C4882884-C3EC-4731-AAAC-CA4828E55074}
DhcpSubnetMaskOpt = "hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00,"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{C4882884-C3EC-4731-AAAC-CA4828E55074}\Parameters\Tcpip
DhcpSubnetMaskOpt = "hex(7):32,35,35,2e,32,35,35,2e,32,35,35,2e,30,00,00,"



Removal

Open the registry (click 'Start', choose 'Run', and
type 'regedit'), and find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

In the list of values on the right, delete the 'srng'
entry.


Next, open a DOS command prompt window (from Start > Run,
type cmd) and enter the following commands:


cd "%WinDir%\System"

regsvr32 /u "\Program Files\Srng\SearchHook.dll"
regsvr32 /u "\Program Files\Srng\IEHelper.dll"


Restart the machine and you should be able to delete
the 'Srng' and 'kugoo' folder inside the Program Files
folder. You can also open the registry (Start->Run-regedit)
and delete key HKEY_LOCAL_MACHINE\SOFTWARE\Srng, and delete
the 'words.lst' file in the Windows folder.

Finally, restore the normal search settings (Internet
Options->Programs->Reset Web Settings).


TheGuardian: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1


As above, remove shopnav and it will fix this.



VX2/a: System file (File, nothing done)
C:\WINDOWS\Downloaded Program Files\CONFLICT.\IEHelper.dll


I'm not sure why this has been identified as VX2 because
it's connected to shopnav.



If you think Spybot is removing these then try removing
all the entries using that and see if they come back. If
they do, it's because the .dll's are registered, so try
running scans in safe mode or unregister the .dll files
that you know are connected to shopnav.


I appreciate why you are unhappy that MS isn't removing
these, but it doesn't scan for cookies, and if you can get
rid of shopnav it will remove the other problems you
posted. I'm not sure how well MS does with Shopnav, so you
are best using Spybot or manually removing the files if
MS Antispy is showing clear when you scan.



http://securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html

http://securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.dl.html

http://securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html





Good Luck

Andy
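
The reply above describes a Browser Helper Objects subkey whose CLSID points at a registered DLL through InprocServer32. The following PowerShell inventory of that chain is an added example, not part of the thread; the function names and the WOW6432Node view (64-bit Windows) are assumptions.

```powershell
# Added example (not from the thread): list each Browser Helper Object and the DLL it loads.
# Get-DefaultValue and Get-BhoInventory are hypothetical helper names.
# The WOW6432Node view is an assumption for 64-bit Windows and is skipped when absent.
$views = @(
    @{ Bho   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\Software\Classes\CLSID' },
    @{ Bho   = 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\Software\Classes\WOW6432Node\CLSID' }
)

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (Default) value, shown as "@" in the listing, or nothing if the key is missing.
    if (Test-Path -LiteralPath $KeyPath) { (Get-Item -LiteralPath $KeyPath).GetValue('') }
}

function Get-BhoInventory {
    foreach ($view in $views) {
        if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
            $clsid  = $key.PSChildName                      # e.g. {xxxxxxxx-xxxx-...}
            $clsKey = "$($view.Clsid)\$clsid"
            $dll    = Get-DefaultValue "$clsKey\InprocServer32"
            if ($dll) { $dll = $dll.Trim('"') }
            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll -PathType Leaf))
            $sig    = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }
            [pscustomobject]@{
                Clsid     = $clsid
                Name      = Get-DefaultValue $clsKey        # class name, e.g. "IEHlprObj Class"
                Dll       = $dll                            # the file regsvr32 /u would unregister
                OnDisk    = $onDisk
                Signature = $sig
            }
        }
    }
}

Get-BhoInventory | Sort-Object Signature, Dll | Format-Table -AutoSize -Wrap
```

An entry that stays in this list after a scanner reports it removed is still registered, which matches the advice to unregister the DLL or scan in safe mode.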
 
Thank you for your complete reply. SpyBot gets them all
and eliminates some upon reboot.

Opinion: Microsoft should provide a complete solution,
cookies and all. If I have to use Spybot to remove
cookies, I might as well use Spybot to remove everything
else while I am doing it and not bother installing,
updating and maintaining yet another product.

Thanks for your assistance.
 
Hi Rob

Nice to hear Spybot cleared it for you.

You make a very valid point and I agree it should be a
complete solution, but I believe when it's released it will
be.

With this being a beta test, people like yourself are
helping Microsoft to improve the product before release
time and I'm sure they will appreciate the feedback. It's
still very early in the beta test to make a final
judgement on MSAS and it will probably change a lot over
the next 6 months, and I'd imagine cookies will be detected
by MSAS at some stage, but nothing has been confirmed on
that.

I first tried MS Antispy in January and uninstalled it
after a few weeks because of a few bugs, but I downloaded
it again when the extended version was released and I'm
really pleased with it now. It changed a bit in that time
and the bugs I noticed have all been fixed, so it's safe to
say Microsoft is improving this program all the time.

I use Spybot/Adaware/Spysweeper but I'm happy to include
MS Antispy in my protection products and take part in
the beta testing as I think it has some great
features. The real-time protection in itself is enough of
a reason for me to use it, as it's an extra layer of
protection for my system and it works well.

Don't give up on MSAS yet; you never know when it might
stop something that your other removers miss. I ran a test
on Claria last week and MSAS found over 3100 traces and
Spybot found 20 traces, which really surprised me. Plus it
gave repeated warnings that I was downloading adware
before it would let it run, so it's made me believe it's a
great addition to my protection products, but I appreciate
others may not share this view.

It's good you got your system clean and hopefully you will
post again if you have any other problems, as it all helps
Microsoft build the complete solution you mention.


All the best


Andy


Not a MVP
Not a MS-MVP
Not nothing just a good ole boy ;)
 