Spybot and Domestic Germany

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jess, Aug 8, 2004.

  1. Jess

    Jess Private E-2

    When I do a Spybot search and destroy it identifies two spyware files called Domestic Germany. When I select the option to remove them, the program says they cannot be removed because they may be in use in memory (or something like that) and asks if Spybot can be started upon rebooting the machine. However, the spyware doesn't get removed even when Spybot starts when the machine reboots, and the entire repair circle starts over again. I have the latest version of Spybot, 1.3, as well as all the updates... Anyone have any ideas?
     
  2. Jess

    Jess Private E-2

    I tried running Spybot both in safe mode and with no programs running in the background but neither condition worked to remove the identified Domestic Germany files. Is it ever advisable to try to delete the files by hand using the registry pathway that Spybot provides?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Run through the tutorial link AbbySue has given you. In addition, read this information on setting up Ad-aware for a "fullscan" (it is a special config) and then run the Ad-aware fullscan after booting your PC in safe mode. http://www.lavahelp.net/howto/fullscan/index.html

    After running through the tutorial and doing the fullscan, tell us where you are at. If still getting the message from SpyBot, tell us the exact names of the files and where they are located and any other information given to you from SpyBot.

    By the way, where did you download your copy of SpyBot S&D from?
     
  4. Jess

    Jess Private E-2

    I ran through the full scan in Ad Aware but Spybot turned up the same two Domestic Germany files after the full Ad Aware scan. I tried to run Ad Aware in safe mode but the program didn't seem to be available in that mode. Spybot was available but not Ad Aware. Is there some setting I have to tweak in Ad Aware to make it available in safe mode?... Also, I downloaded Spybot from cnet download.com


     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat, "If still getting the message from SpyBot, tell us the exact names of the files and where they are located and any other information given to you from SpyBot."

    If you click on SpyBot's Help, About menu selections what is the Last detection update you have?

    I'm not sure why you cannot find Ad-aware in safe mode.
     
  6. Jess

    Jess Private E-2

    I went back to safe mode and this time for some reason Ad Aware was available, so I ran the full Ad Aware scan in safe mode, after which I ran SpyBot in safe mode. Spybot turned up the same two Domestic Germany files and, as usual, when I tried to remove them gave me this message: "Some problems couldn't be fixed; the reason could be that associated files are still in use (in memory)." One thing I haven't done is to disable System Restore, as that is not a feature I want to lose.

    Spybot gives the following information about the two files:

    RAS Profile HKey-users\S-1-5-18\RemoteAccess\Profile\XXXDial
    RAS Profile HKey-users\Default\RemoteAccess\Profile\XXXDial

    I am running Spybot 1.3. Last detection update is 7-28-04


     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Information from McAfee:

    This is a porn dialer application that copies itself to the WINDOWS directory and creates shortcuts on the DESKTOP and START MENU. A porn dialer is simply a program that is used to dial into a pornographic "service". Some porn dialers do not advertise that extremely high phone bills may result from using their service. PornDial-101 is not considered to be malicious as it does not conceal its presence in any way. However, /PROGRAM detection is being added for this "potentially unwanted application". The current command-line scanner makes use of such detections, as does VirusScan 7. When run, several registry keys are created by this application.
    • HKEY_CURRENT_USER\RemoteAccess\Addresses "XXXDIAL"
    • HKEY_CURRENT_USER\RemoteAccess\Profile\XXXDIAL "IP"
    • HKEY_CURRENT_USER\RemoteAccess\Profile\XXXDIAL "User"
    The program copies itself to the WINDOWS (%WinDir%) directory and creates shortcuts in the \START MENU and \DESKTOP directories.

    You can try deleting the XXXDial registry entries. You may want to look in c:\windows for
    hotxxx.exe

    if found, delete it.

    Also look for and kill (using Task Manager) the process sexpass.exe if found.

    Then delete these files:
    desktopdir+\sexpass.lnk
    profilepath+\start menu\sexpass.lnk
    systemroot+\sexpass.exe

    You have never even mentioned your OS yet. It may be better if you search your PC for any of the above files and delete them. You may need to boot in safe mode to delete them.
     
  8. Jess

    Jess Private E-2

    I am running Windows XP Pro. There is no obvious indication that this program created shortcuts on the Desktop and Start menu. I searched for hotxxx.exe and sexpass.exe using the search engine in XP Pro but didn't find anything. When I searched for XXXDial all I found were zipped files in the Spybot directory... I wonder, do you know if this search engine searches the registry on my hard drive or do I have to do something special to get it to search in the registry?... Thanks for all the information


     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They most likely would not be obvious. You have to go to those directories and look manually using Windows Explorer. You have to have the viewing of hidden files and folders enabled: http://forums.majorgeeks.com/showthread.php?t=37650

    The search you ran does not search the registry. You must use regedit or another registry editing/searching tool. Those lines SpyBot gave:
    RAS Profile HKey-users\S-1-5-18\RemoteAccess\Profile\XXXDial
    RAS Profile HKey-users\Default\RemoteAccess\Profile\XXXDial

    are in your registry. Search the registry for XXXDial.

    Also when you searched your hard disk for files did you use advanced search options to search hidden file and folders and system folders too? If not, you did not look where they may be hiding.
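Added example, not from the thread or from MajorGeeks: a PowerShell script that automates the manual hunt chaslang describes in posts 7 and 9. It checks every loaded hive under HKEY_USERS (which is where SpyBot reported the keys, under S-1-5-18 and .DEFAULT rather than just HKEY_CURRENT_USER) for the RemoteAccess\Profile\XXXDial key and for an XXXDIAL value under RemoteAccess\Addresses, looks for hotxxx.exe, sexpass.exe and sexpass.lnk in %WinDir% and in every profile's Desktop and Start Menu with hidden and system files included (the Explorer search in post 8 skips those unless told otherwise), and lists a running sexpass.exe or hotxxx.exe, since a process holding the files open is what produces SpyBot's "still in use (in memory)" message. It assumes a Windows host with PowerShell 5.1 or later and an elevated prompt so that HKU\S-1-5-18 is readable (the XP machine in the thread predates PowerShell). The -Remove switch, the -WhatIf support and the indicator lists are this example's own additions, not a feature of SpyBot, Ad-aware or any tool named in the thread.

```powershell
# Added example: hunt for the PornDial-101 / XXXDial indicators quoted in the thread.
# Read-only by default; -Remove deletes what is found, -WhatIf previews the deletions.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# HKEY_USERS has no drive by default; HKCU is just one of the hives loaded here.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

# --- Registry: the keys/values from the McAfee write-up and SpyBot's report ---
$regHits = @()
foreach ($hive in Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue) {
    $base = "HKU:\$($hive.PSChildName)\RemoteAccess"
    $profileKey = "$base\Profile\XXXDial"            # whole key is the indicator
    if (Test-Path $profileKey) {
        $regHits += [pscustomobject]@{ Path = $profileKey; Kind = 'key'; Value = $null }
    }
    $addrKey = "$base\Addresses"                     # legitimate key; only the XXXDIAL value is bad
    if ((Test-Path $addrKey) -and ((Get-Item $addrKey).GetValueNames() -contains 'XXXDIAL')) {
        $regHits += [pscustomobject]@{ Path = $addrKey; Kind = 'value'; Value = 'XXXDIAL' }
    }
}

# --- Files: %WinDir% plus every profile's Desktop and Start Menu (all-users too) ---
$names = 'hotxxx.exe', 'sexpass.exe', 'sexpass.lnk'
$roots = @($env:WINDIR,
           [Environment]::GetFolderPath('CommonDesktopDirectory'),
           [Environment]::GetFolderPath('CommonStartMenu'))
$profilesRoot = Split-Path -Parent $env:USERPROFILE   # C:\Users or C:\Documents and Settings
foreach ($p in Get-ChildItem $profilesRoot -Directory -ErrorAction SilentlyContinue) {
    $roots += "$($p.FullName)\Desktop"
    $roots += "$($p.FullName)\Start Menu"                                   # XP layout
    $roots += "$($p.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu" # Vista+ layout
}
$fileHits = @()
foreach ($root in ($roots | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique)) {
    # -Force includes hidden and system files, which a default Explorer search does not.
    $fileHits += Get-ChildItem -Path $root -Recurse -Force -Include $names -ErrorAction SilentlyContinue
}

# --- Processes: a live dialer keeps its files locked, hence SpyBot's "in use" error ---
$procs = @(Get-Process -Name sexpass, hotxxx -ErrorAction SilentlyContinue)

"Registry indicators:"; $regHits | Format-Table -AutoSize
"File indicators:";     $fileHits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
"Running processes:";   $procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

if ($Remove) {
    # Order matters: kill the process first, then files, then the registry entries.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    foreach ($f in $fileHits) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete file')) { Remove-Item -LiteralPath $f.FullName -Force }
    }
    foreach ($h in $regHits) {
        if ($h.Kind -eq 'value') {
            if ($PSCmdlet.ShouldProcess($h.Path, "Remove value $($h.Value)")) {
                Remove-ItemProperty -Path $h.Path -Name $h.Value
            }
        } elseif ($PSCmdlet.ShouldProcess($h.Path, 'Remove key')) {
            Remove-Item -Path $h.Path -Recurse
        }
    }
}
```

Run it once without -Remove from an elevated prompt to see what it finds, then `.\hunt-xxxdial.ps1 -Remove -WhatIf` to preview and `-Remove` to act; if you prefer the manual route from post 9, the paths it prints are the ones to search for in regedit and Explorer. After removal, rerun SpyBot to confirm the two RAS Profile entries are gone.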
     
  10. Jess

    Jess Private E-2

    Thanks- I used regedit to search the registry and deleted the xxxDial files. I then ran Spybot and the search and destroy came back clean.



     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good news! So I guess we are finished. Unless you have other issues?
     
  12. Jess

    Jess Private E-2

    No other issues- at least for now. Thanks again for your help on this!


     