Spybot-Search and Destroy Error during check!

I am using Spybot - Search and Destroy recently.  I used it yesterday and this did not turn up.  Today however I get this result on the first scan:

Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


When I attempt to scan again I get the following error:

Error during check!: InterFun (Datei C:\WINDOWS\system.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

Congratulations!: No immediate threats were found. ()

I know that Cabrotor is a backdoor Trojan, but I do not know how to remove it from the system.  I am also unaware of how to remove the DSO exploit; I have not found a fix or software solution for it.  I do not know how to interpret the final error from the rescan attempt, starting with Interfun.  Any advice, fixes and solutions you can provide regarding these problems would be greatly appreciated.
Asked by: Athanman
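
An added example, not part of the thread and not Spybot's own code: a Python parser for the report lines quoted in the question. It separates checks that could not run (the `Error during check!` lines) from registry findings and names the account behind each `HKEY_USERS` hive. The reading of `!=W=3` as "flagged when the value is not DWORD 3" and the names `triage` and `hive_owner` are assumptions.

```python
import re

# Constructed sample: lines taken from the scan report quoted in the question.
REPORT = r"""Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
"""

# Well-known SIDs of built-in accounts whose hives Windows XP loads under HKEY_USERS.
BUILTIN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
           "S-1-5-20": "NetworkService", ".DEFAULT": "LocalSystem (.DEFAULT alias)"}
# "Error during check!" line: the named check could not open the file it inspects.
ERROR = re.compile(r"^Error during check!: (?P<rule>\w+) \(Datei (?P<file>\S+) kann nicht")
# Registry finding. Assumption: "!=W=3" means "flagged when the value is not DWORD 3".
# Zone 0 is "My Computer"; URL action 1004 is "Download unsigned ActiveX controls",
# and 3 is the "Disable" policy.
FINDING = re.compile(r"^\s+HKEY_USERS\\(?P<hive>[^\\]+)\\.+\\Zones\\(?P<zone>\d+)"
                     r"\\(?P<action>\w+)!=W=(?P<want>\d+)$")

def hive_owner(hive):
    """Name the account that a HKEY_USERS subkey belongs to."""
    if hive in BUILTIN:
        return BUILTIN[hive]
    if hive.startswith("S-1-5-21-"):
        return "user account, RID " + hive.rsplit("-", 1)[1]
    return "unknown"

def triage(report):
    """Return (checks that could not run, registry findings) for a report."""
    incomplete, findings, rule = [], [], None
    for line in report.splitlines():
        if m := ERROR.match(line):
            incomplete.append((m["rule"], m["file"]))
        elif m := FINDING.match(line):
            findings.append((rule, hive_owner(m["hive"]), int(m["zone"]),
                             m["action"], int(m["want"])))
        elif ":" in line:
            rule = line.split(":", 1)[0]  # header line names the rule that follows
    return incomplete, findings

if __name__ == "__main__":
    incomplete, findings = triage(REPORT)
    print("checks that could not run:", incomplete)
    print("distinct settings flagged:", {f[2:] for f in findings})
    for f in findings:
        print(" ", f[0], "->", f[1])
```

On the sample it reports one check that could not run and a single setting (zone 0, action 1004) repeated once per loaded hive.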
 
CarlWarner Commented:
I got that same first error tonight and just dismissed it as a false positive.

I tried another PC and the file winnt.ini was shown instead of the win.ini file.

I'll rerun on those two PCs, one Win98 and the other WinXP and see what gives.

BTW, I ran AdAware on both and got no unusual discoveries.

AbacusOnsite Commented:
For the removal of the DSO exploit, look here:

http://www.experts-exchange.com/Security/Win_Security/Q_21054787.html

CarlWarner Commented:
It appears to be a known issue with this latest update to SpyBot.

See: http://forums.net-integration.net/index.php?showtopic=23997&st=0&#entry110939

Posted: Oct 26 2004, 08:43 PM  

It appears there are several folks getting error messages during Spybot-S&D scans after downloading and installing the latest updates. If you are getting error messages similar to those below there are a couple things you can do.

You can ignore it for now and wait for the update fix in a final version, or you can download and install a beta version of Spybot-S&D designed to address these errors. You can download the application from Net-Integration; Spybot-S&D 1.3.1 TX

or Safer-Networking;
Spybot-S&D 1.3.1 TX

Should you decide to download and install the TX version please be sure to run the integrated updater before scanning and then send a bug report to Safer-Networking after conducting a scan whether the error message stops or not. There is a feature in Spybot-S&D for sending bug reports directly to them.  

http://forums.net-integration.net/index.php?showtopic=23940&st=0&#
 
CarlWarner Commented:
BTW, my faster WinXP running SpyBot shows an issue with wininit.ini and labels the problem as one that is BackOrifice.B.

Again, AdAware SE 1.05 does NOT detect this.

Athanman (Author) Commented:
I am also trying to figure out where these nefarious files came from.  I also ran Ad-Aware, it does not return any errors.  I have had this error on one PC.  Earlier I found a keystroke logger on this particular machine using Spybot as well:

C:\WINDOWS\system32\H@KeysH@@k.DLL

I deleted this file.  Later research showed that it probably came from a game trainer that was downloaded to this machine and then clicking on the .nfo file downloaded with those files.  As far as I could see no downloads were done since that time and these errors were not present at that time.  So I am still trying to track where and how they got on the machine.

CarlWarner Commented:
Despite the WinXP having a problem with that one file, it did fix the DSO exploit issue anyway.

I am going to run it one more time and see whether or not it throws out yet another odd message.

CarlWarner Commented:
I reran a SpyBot session and it still shows the DSO exploit files (5) and shows that it fixes them.  But, they still show up again.  I'd say SpyBot needs to get a new release out on this.

My Win98 PC is still running.  It is slow.

I'm running SpyBot on two other WinXP PCs to see if anything different shows up.  I doubt it.  I think the SpyBot folks have a bad update that just doesn't cut it as far as fixing this one thing that AdAware SE 1.05 doesn't show.

CarlWarner Commented:
Win98 returns that Cabrotor label and only 1 registry change reference.

I have 3 WinXP PCs that return 5 registry change references, two with the BackOrifice.B and one with Cabrotor like on the Win98 PC.  I see no particular pattern and I'm not convinced I am infested with anything but just a few entries that are only possible exploits that they are trying to remove.

Maybe next SpyBot release.

AbacusOnsite Commented:
Carl,

Look at the second response from the top (the one directly under your own).  There is a known fix for the DSO exploit problem.  The DSO "exploit" is not spyware or adware.... it's only a security hole.

Read more about it, and fix it.  Follow the link.

CarlWarner Commented:
Again, I am not convinced by what this bad release from SpyBot is showing that I have a DSO exploit problem.  And on four different PCs to boot.

CarlWarner Commented:
The other link here at EE basically says the DSO exploit IS removed, but there are some registry entries that exist behind the scenes that SpyBot does not remove.  So, I am correct in my assumption I don't have the DSO exploit.  All I have is some dead registry entries that could be associated with the DSO exploit.  If I choose to hack the registry, I can remove them.  Right now, I'm not worried about them.  Maybe SpyBot will get their act together and actually have their next update remove those dead entries for me.

CarlWarner Commented:
Just for grins, I went into the registry and deleted those dead registry entries that were labelled DSO exploit.  In the registry you could tell even Windows considered them dead showing an icon with no real color like the others around it and the fact the registry entry had no value stored in it.

I re-ran SpyBot with them gone and SpyBot now reported nothing related to the DSO exploit.

But that whacky message referring to the wininit.ini that it could not open is still there, and just like before and totally unrelated to any DSO exploit, the reference to BackOrifice.B is there on one WinXP PC and the reference to Cabrotor is still there on the other WinXP PC.  I still think these are false positives and the SpyBot people have work to do on their software to straighten it out.  There is no DSO exploit problem in any of this.

But, I am not going to sweat those dead registry entries on the other PCs nor am I worried about BackOrifice.B or Cabrotor.

Athanman (Author) Commented:
Thanks for the advice, this worked out really well.  I am glad I put in the DSO exploit part of this.  My guess is that you are right CarlWarner.  Spybot is just popping up with a warning about the registry entries for the DSO exploit which does not exist on these systems.  However I have been seeing this issue for a long time now.  It is doubtful therefore that the programmer will address this issue in the near future.  In addition I downloaded the

Spybot-S&D 1.3.1 TX Beta version

From:

www.softpedia.com/public/cat/10/17/10-17-21.shtml

and this has solved the other issue so that I am now able to complete a full scan.  So it is safe to assume that the Cabrotor Trojan horse is not on these systems either. Killed two birds with one stone, got to love it.  

CarlWarner Commented:
That is not the correct answer for your SpyBot problem.  I'm glad I could help.

Athanman (Author) Commented:
Look at it again, it's all the same thing.

CarlWarner Commented:
It corrects the non-existent Cabrotor trojan?  Incredible.

CarlWarner Commented:
If you download the latest updates for your copy of SpyBot, you'll see that the Cabrotor trojan reference is no longer showing up.  Evidently, they got enough feedback (complaints) where they fixed it.

ivandp Commented:
spybot sucks

Athanman (Author) Commented:
Thought you really had something to offer ivandp.  People who really have something to offer can usually back up their offering, and offer alternatives.  That's my challenge to you.