Solved

Spybot-Search and Destroy Error during check!

Posted on 2004-10-26
6,588 Views
Last Modified: 2011-09-20
I am using Spybot - Search and Destroy recently.  I used it yesterday and this did not turn up.  Today however I get this result on the first scan:

Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


When I attempt to scan again I get the following error:

Error during check!: InterFun (Datei C:\WINDOWS\system.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

Congratulations!: No immediate threats were found. ()

I know that Cabrotor is a backdoor Trojan, but I do not know how to remove it from the system.  I am also unaware of how to remove the DSO exploit; I have not found a fix or software solution for it.  I do not know how to interpret the final error from the rescan attempt, starting with Interfun.  Any advice, fixes and solutions you can provide regarding these problems would be greatly appreciated.
0
Question by:Athanman
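Added example (not part of the original thread, and not Spybot's own code): a small parser for the report quoted in the question. It separates the "Error during check!" lines, where the scanner could not open a file, from the registry findings, and groups the findings by setting so the five DSO entries show up as one value repeated across five account hives. Reading `!=W=3` as "value is not the DWORD 3" is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: report lines copied from the question in this thread.
REPORT = r"""
Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Error during check!: InterFun (Datei C:\WINDOWS\system.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
"""

# Built-in Windows account hives; any other hive name is treated as a user account.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
              "S-1-5-20": "NetworkService", ".DEFAULT": "LocalSystem (alias)"}
ERROR_RE = re.compile(r"^Error during check!: (\w+) \(Datei (.+?) kann nicht")
# Assumption: "<value>!=W=<n>" means "registry value is not the DWORD <n>".
FINDING_RE = re.compile(r"^HKEY_USERS\\([^\\]+)\\(.+)\\([^\\!]+)!=W=(\d+)$")

def triage(report):
    """Return (scanner errors, registry findings grouped by key/value/expected)."""
    errors, findings = [], defaultdict(list)
    for line in report.splitlines():
        line = line.strip()
        if m := ERROR_RE.match(line):
            errors.append((m.group(1), m.group(2)))  # (signature, unreadable file)
        elif m := FINDING_RE.match(line):
            hive, key, value, expected = m.groups()
            findings[(key, value, int(expected))].append(
                (hive, WELL_KNOWN.get(hive, "user account")))
    return errors, dict(findings)

if __name__ == "__main__":
    errors, findings = triage(REPORT)
    for name, path in errors:
        print(f"scan error (not a detection): {name} check could not open {path}")
    for (key, value, expected), hives in findings.items():
        print(f"{key}\\{value} expected {expected}, flagged in {len(hives)} hives:")
        for hive, account in hives:
            print(f"  {hive} ({account})")
```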
    19 Comments
     
    LVL 33

    Expert Comment

    by:CarlWarner
    I got that same first error tonight and just dismissed it as a false positive.

    I tried another PC and the file winnt.ini was shown instead of the win.ini file.

    I'll rerun on those two PCs, one Win98 and the other WinXP and see what gives.

    BTW, I ran AdAware on both and got no unusual discoveries.
    0
     
    LVL 2

    Accepted Solution

    by:
    For the removal of the DSO exploit, look here:

    http://www.experts-exchange.com/Security/Win_Security/Q_21054787.html
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    It appears to be a known issue with this latest update to SpyBot.

    See: http://forums.net-integration.net/index.php?showtopic=23997&st=0&#entry110939

    Posted: Oct 26 2004, 08:43 PM  

    Group: Staff Administrators
    Posts: 3055
    Member No.: 1
    Joined: 19-February 02

    It appears there are several folks getting error messages during Spybot-S&D scans after downloading and installing the latest updates. If you are getting error messages similar to those below there are a couple things you can do.

    You can ignore it for now and wait for the update fix in a final version, or you can download and install a beta version of Spybot-S&D designed to address these errors. You can download the application from Net-Integration; Spybot-S&D 1.3.1 TX

    or Safer-Networking;
    Spybot-S&D 1.3.1 TX

    Should you decide to download and install the TX version please be sure to run the integrated updater before scanning and then send a bug report to Safer-Networking after conducting a scan whether the error message stops or not. There is a feature in Spybot-S&D for sending bug reports directly to them.  

    http://forums.net-integration.net/index.php?showtopic=23940&st=0&#
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    BTW, my faster WinXP running SpyBot shows an issue with wininit.ini and labels the problem as one that is BackOrifice.B.

    Again, AdAware SE 1.05 does NOT detect this.
    0
     
    LVL 1

    Author Comment

    by:Athanman
    I am also trying to figure out where these nefarious files came from.  I also ran Ad-Aware, it does not return any errors.  I have had this error on one PC.  Earlier I found a keystroke logger on this particular machine using Spybot as well:

    C:\WINDOWS\system32\H@KeysH@@k.DLL

    I deleted this file.  Later research showed that it probably came from a game trainer that was downloaded to this machine and then clicking on the .nfo file downloaded with those files.  As far as I could see no downloads were done since that time and these errors were not present at that time.  So I am still trying to track where and how they got on the machine.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    Despite the WinXP having a problem with that one file, it did fix the DSO exploit issue anyway.

    I am going to run it one more time and see whether or not it throws out yet another odd message.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    I reran a SpyBot session and it still shows the DSO exploit files (5) and shows that it fixes them.  But, they still show up again.  I'd say SpyBot needs to get a new release out on this.

    My Win98 PC is still running.  It is slow.

    I'm running SpyBot on two other WinXP PCs to see if anything different shows up.  I doubt it.  I think the SpyBot folks have a bad update that just doesn't cut it as far as fixing this one thing that AdAware SE 1.05 doesn't show.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    Win98 returns that Cabrotor label and only 1 registry change reference.

    I have 3 WinXP PCs that return 5 registry change references, two with the BackOrifice.B and one with Cabrotor like on the Win98 PC.  I see no particular pattern and I'm not convinced I am infested with anything but just a few entries that are only possible exploits that they are trying to remove.

    Maybe next SpyBot release.
    0
     
    LVL 2

    Expert Comment

    by:AbacusOnsite
    Carl,

    Look at the second response from the top (the one directly under your own).  There is a known fix for the DSO exploit problem.  The DSO "exploit" is not spyware or adware.... it's only a security hole.

    Read more about it, and fix it.  Follow the link.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    Again, I am not convinced by what this bad release from SpyBot is showing that I have a DSO exploit problem.  And on four different PCs to boot.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    The other link here at EE basically says the DSO exploit IS removed, but there are some registry entries that exist behind the scenes that SpyBot does not remove.  So, I am correct in my assumption I don't have the DSO exploit.  All I have is some dead registry entries that could be associated with the DSO exploit.  If I choose to hack the registry, I can remove them.  Right now, I'm not worried about them.  Maybe SpyBot will get their act together and actually have their next update remove those dead entries for me.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    Just for grins, I went into the registry and deleted those dead registry entries that were labelled DSO exploit.  In the registry you could tell even Windows considered them dead showing an icon with no real color like the others around it and the fact the registry entry had no value stored in it.

    I re-ran SpyBot with them gone and SpyBot now reported nothing related to the DSO exploit.

    But that whacky message referring to the wininit.ini that it could not open is still there, and just like before and totally unrelated to any DSO exploit, the reference to BackOrifice.B is there on one WinXP PC and the reference to Cabrotor is still there on the other WinXP PC.  I still think these are false positives and the SpyBot people have work to do on their software to straighten it out.  There is no DSO exploit problem in any of this.

    But, I am not going to sweat those dead registry entries on the other PCs nor am I worried about BackOrifice.B or Cabrotor.
    0
     
    LVL 1

    Author Comment

    by:Athanman
    Thanks for the advice, this worked out really well.  I am glad I put in the DSO exploit part of this.  My guess is that you are right, CarlWarner.  Spybot is just popping up with a warning about the registry entries for the DSO exploit which does not exist on these systems.  However I have been seeing this issue for a long time now.  It is doubtful therefore that the programmer will address this issue in the near future.  In addition I downloaded the

    Spybot-S&D 1.3.1 TX Beta version

    From:

    www.softpedia.com/public/cat/10/17/10-17-21.shtml

    and this has solved the other issue so that I am now able to complete a full scan.  So it is safe to assume that the Cabrotor Trojan horse is not on these systems either. Killed two birds with one stone, got to love it.  
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    That is not the correct answer for your SpyBot problem.  I'm glad I could help.
    0
     
    LVL 1

    Author Comment

    by:Athanman
    Look at it again, it's all the same thing.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    It corrects the non-existent Cabrotor trojan?  Incredible.
    0
     
    LVL 33

    Expert Comment

    by:CarlWarner
    If you download the latest updates for your copy of SpyBot, you'll see that the Cabrotor trojan reference is no longer showing up.  Evidently, they got enough feedback (complaints) where they fixed it.
    0
     
    LVL 1

    Expert Comment

    by:ivandp
    spybot sucks
    0
     
    LVL 1

    Author Comment

    by:Athanman
    Thought you really had something to offer ivandp.  People who really have something to offer can usually back up their offering, and offer alternatives.  That's my challenge to you.
    0
