Solved

Spybot-Search and Destroy Error during check!

Posted on 2004-10-26
19
Medium Priority
6,623 Views
Last Modified: 2011-09-20
I am using Spybot - Search and Destroy recently.  I used it yesterday and this did not turn up.  Today however I get this result on the first scan:

Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


When I attempt to scan again I get the following error:

Error during check!: InterFun (Datei C:\WINDOWS\system.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
 

Congratulations!: No immediate threats were found. ()

I know that Cabrotor is a backdoor Trojan, but I do not know how to remove it from the system.  I am also unaware of how to remove the DSO exploit; I have not found a fix or software solution for it.  I do not know how to interpret the final error from the rescan attempt, starting with Interfun.  Any advice, fixes and solutions you can provide regarding these problems would be greatly appreciated.
Question by:Athanman
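
A triage sketch for the scan report in the question, added here as an example and not part of the original thread or of Spybot: it separates the "Error during check!" line (a file the scanner could not open) from the registry findings and groups the five DSO hits by account. Reading `1004!=W=3` as "value 1004 is not set to 3" is an assumption about the report notation, and `triage`, `ERR`, `PATH` and `REG` are hypothetical names.

```python
import re
from collections import defaultdict

# Scan lines copied from the question above (one error plus the five registry hits).
REPORT = r"""
Error during check!: Cabrotor (Datei C:\WINDOWS\win.ini kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-790525478-1326574676-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
"""
# Built-in service accounts that show up as HKEY_USERS subkeys.
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
              "S-1-5-20": "NetworkService", ".DEFAULT": "LocalSystem profile"}
# Assumed notation: "<value>!=<type letter>=<expected>" after the registry key path.
ERR = re.compile(r"^Error during check!: (?P<sig>\S+) \((?P<msg>.*)\) \(\)\s*$")
PATH = re.compile(r"[A-Za-z]:\\[^\s)]+")
REG = re.compile(r"^\s+HKEY_USERS\\(?P<hive>[^\\]+)\\(?P<key>.+)\\(?P<value>[^\\!]+)!=\w=(?P<want>\d+)\s*$")

def triage(report):
    """Return (scan_errors, registry_findings) parsed from a pasted report."""
    errors, findings, current = [], defaultdict(list), None
    for line in report.splitlines():
        m = ERR.match(line)
        if m:  # a file could not be opened during that signature's check
            path = PATH.search(m["msg"])
            errors.append((m["sig"], path.group(0) if path else None))
            continue
        m = REG.match(line)
        if m and current:  # indented detail line under a finding header
            who = WELL_KNOWN.get(m["hive"], "user account")
            findings[(current, m["key"], m["value"], m["want"])].append((m["hive"], who))
        elif line.strip() and not line.startswith(" "):
            current = line.split(":", 1)[0]  # e.g. "DSO Exploit"
    return errors, dict(findings)

if __name__ == "__main__":
    errors, findings = triage(REPORT)
    for sig, path in errors:
        print(f"scan error (file not opened): check={sig} file={path}")
    for (name, key, value, want), hives in findings.items():
        print(f"{name}: {key}\\{value} expected {want} in {len(hives)} hives: {hives}")
```

On this report the output is one scan error and a single registry setting repeated across five hives, four of which belong to built-in system accounts.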
19 Comments
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418103
I got that same first error tonight and just dismissed it as a false positive.

I tried another PC and the file winnt.ini was shown instead of the win.ini file.

I'll rerun on those two PCs, one Win98 and the other WinXP and see what gives.

BTW, I ran AdAware on both and got no unusual discoveries.
0
 
LVL 2

Accepted Solution

by:
AbacusOnsite earned 500 total points
ID: 12418146
For the removal of the DSO exploit, look here:

http://www.experts-exchange.com/Security/Win_Security/Q_21054787.html
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418179
It appears to be a known issue with this latest update to SpyBot.

See: http://forums.net-integration.net/index.php?showtopic=23997&st=0&#entry110939

Posted: Oct 26 2004, 08:43 PM  


It appears there are several folks getting error messages during Spybot-S&D scans after downloading and installing the latest updates. If you are getting error messages similar to those below there are a couple things you can do.

You can ignore it for now and wait for the update fix in a final version, or you can download and install a beta version of Spybot-S&D designed to address these errors. You can download the application from Net-Integration; Spybot-S&D 1.3.1 TX

or Safer-Networking;
Spybot-S&D 1.3.1 TX

Should you decide to download and install the TX version please be sure to run the integrated updater before scanning and then send a bug report to Safer-Networking after conducting a scan whether the error message stops or not. There is a feature in Spybot-S&D for sending bug reports directly to them.  

http://forums.net-integration.net/index.php?showtopic=23940&st=0&#
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418193
BTW, my faster WinXP running SpyBot shows an issue with wininit.ini and labels the problem as one that is BackOrifice.B.

Again, AdAware SE 1.05 does NOT detect this.
0
 
LVL 1

Author Comment

by:Athanman
ID: 12418201
I am also trying to figure out where these nefarious files came from.  I also ran Ad-Aware, it does not return any errors.  I have had this error on one PC.  Earlier I found a keystroke logger on this particular machine using Spybot as well:

C:\WINDOWS\system32\H@KeysH@@k.DLL

I deleted this file.  Later research showed that it probably came from a game trainer that was downloaded to this machine and then clicking on the .nfo file downloaded with those files.  As far as I could see no downloads were done since that time and these errors were not present at that time.  So I am still trying to track where and how they got on the machine.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418235
Despite the WinXP having a problem with that one file, it did fix the DSO exploit issue anyway.

I am going to run it one more time and see whether or not it throws out yet another odd message.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418276
I reran a SpyBot session and it still shows the DSO exploit files (5) and shows that it fixes them.  But, they still show up again.  I'd say SpyBot needs to get a new release out on this.

My Win98 PC is still running.  It is slow.

I'm running SpyBot on two other WinXP PCs to see if anything different shows up.  I doubt it.  I think the SpyBot folks have a bad update that just doesn't cut it as far as fixing this one thing that AdAware SE 1.05 doesn't show.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418343
Win98 returns that Cabrotor label and only 1 registry change reference.

I have 3 WinXP PCs that return 5 registry change references, two with the BackOrifice.B and one with Cabrotor like on the Win98 PC.  I see no particular pattern and I'm not convinced I am infested with anything but just a few entries that are only possible exploits that they are trying to remove.

Maybe next SpyBot release.
0
 
LVL 2

Expert Comment

by:AbacusOnsite
ID: 12418372
Carl,

Look at the second response from the top (the one directly under your own).  There is a known fix for the DSO exploit problem.  The DSO "exploit" is not spyware or adware.... it's only a security hole.

Read more about it, and fix it.  Follow the link.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418397
Again, I am not convinced by what this bad release from SpyBot is showing that I have a DSO exploit problem.  And on four different PCs to boot.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418455
The other link here at EE basically says the DSO exploit IS removed, but there are some registry entries that exist behind the scenes that SpyBot does not remove.  So, I am correct in my assumption I don't have the DSO exploit.  All I have is some dead registry entries that could be associated with the DSO exploit.  If I choose to hack the registry, I can remove them.  Right now, I'm not worried about them.  Maybe SpyBot will get their act together and actually have their next update remove those dead entries for me.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12418660
Just for grins, I went into the registry and deleted those dead registry entries that were labelled DSO exploit.  In the registry you could tell even Windows considered them dead showing an icon with no real color like the others around it and the fact the registry entry had no value stored in it.

I re-ran SpyBot with them gone and SpyBot now reported nothing related to the DSO exploit.

But that whacky message referring to the wininit.ini that it could not open is still there, and just like before and totally unrelated to any DSO exploit, the reference to BackOrifice.B is there on one WinXP PC and the reference to Cabrotor is still there on the other WinXP PC.  I still think these are false positives and the SpyBot people have work to do on their software to straighten it out.  There is no DSO exploit problem in any of this.

But, I am not going to sweat those dead registry entries on the other PCs nor am I worried about BackOrifice.B or Cabrotor.
0
 
LVL 1

Author Comment

by:Athanman
ID: 12419024
Thanks for the advice, this worked out really well.  I am glad I put in the DSO exploit part of this.  My guess is that you are right CarlWarner.  Spybot is just popping up with a warning about the registry entries for the DSO exploit which does not exist on these systems.  However I have been seeing this issue for a long time now.  It is doubtful therefore that the programmer will address this issue in the near future.  In addition I downloaded the

Spybot-S&D 1.3.1 TX Beta version

From:

www.softpedia.com/public/cat/10/17/10-17-21.shtml

and this has solved the other issue so that I am now able to complete a full scan.  So it is safe to assume that the Cabrotor Trojan horse is not on these systems either. Killed two birds with one stone, got to love it.  
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12419049
That is not the correct answer for your SpyBot problem.  I'm glad I could help.
0
 
LVL 1

Author Comment

by:Athanman
ID: 12419896
Look at it again, it's all the same thing.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12419910
It corrects the non-existent Cabrotor trojan?  Incredible.
0
 
LVL 33

Expert Comment

by:CarlWarner
ID: 12420281
If you download the latest updates for your copy of SpyBot, you'll see that the Cabrotor trojan reference is no longer showing up.  Evidently, they got enough feedback (complaints) where they fixed it.
0
 
LVL 1

Expert Comment

by:ivandp
ID: 12637355
spybot sucks
0
 
LVL 1

Author Comment

by:Athanman
ID: 12644384
Thought you really had something to offer ivandp.  People who really have something to offer can usually back up their offering, and offer alternatives.  That's my challenge to you.
0
