gmwrick

I bought Spybot search & Destroy- I got a 16-digit reciept # and tried to use that to register the product, but it tells me it's an invalid code. Now I'm out $48, can't get a response to my emails & can't really use the program. Is there any other product out there that does the same thing that will give me what I pay for?

MJ

koala

Where did you purchase Spybot from? It's fully functional FREEWARE available to download from http://www.safer-networking.org/en/download/index.html. I've never seen it for sale anywhere and as far as I know has always been free, although they do accept donations.

gmwrick

http://www.search-and-destroy.com/spybot.html - I haven't opened a dispute with paypal- geez, I used it because it came up at thge top of the search. Hope this guy gets popped for doing this...

koala

I can't get your link to open in my browser, possibly because my security software or hosts file is blocking it. If anyone else can check it out, I'd be interested to see the contents.

McAfee Site Advisor doesn't have any details on search-and-destroy.com, which is unusual, just one user review: " This is a bogus malware remover taking advantage of Spybot Search and Destroy's good name. Its probably a phishing site as well." (03/02/2008)

You need to get your computer checked out as soon as possible. Don't use the computer to go online, especially not for anything like online banking or shopping if your personal details have already been stolen. As well as PayPal, you will need to inform your bank and credit card company.

Please follow the instructions here (5 pages) and then post all the requested logs in a new thread here for the security analysts to look at. If you have any trouble running any of the scans, leave them and move onto the next.

The security forum is always busy, so please be patient and you will receive a reply as soon as possible. If you go to Thread Tools > Subscribe at the top of your new thread you will receive an email as soon as a reply is posted.

Glaswegian

I was able to view the site - looks OK, yet familiar to some other well known scams of this nature. I checked on Spyware Warrior but I can't find it listed - at least not yet. I would say this is definitely a scam, using the Spybot name as bait.

Glaswegian

Hehe - noticed their use of English is slightly off..
Edit:- Image for those that can't get there...

koala

Thanks, Iain. Do you have any more advice for gmwrick about staying offline until his logs have been analysed, or who to contact to safeguard his personal details (and money) after a phishing scam?

Glaswegian

@gmwrick

If you can, get to a known clean PC and change all passwords, logins etc. It may also be wise to advise any Banks or other organisations you use for online transactions that your card details may have been compromised.

Although you don't need to stay off the web, I would visit only safe known sites until we get your system clean.

tetonbob

To anyone else who happens upon this thread....do NOT install this product, Search and Destroy, and do NOT confuse it with the well known and respected Spybot Search & Destroy.

This Search and Destroy is definitely a rogue/scamware application.

http://www.malwarebytes.org/forums/i...showtopic=3819

VirusTotal results for the installer:

http://www.virustotal.com/analisis/b...45b2f50a60f8cd

Edit to note:

Malwarebytes' AntiMalware has a free version,

http://www.malwarebytes.org/mbam.php

which among other things will remove this trash:

Malwarebytes' Anti-Malware 1.07
Database version: 470

Scan type: Quick Scan
Objects scanned: 25311
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\MPMFC1 (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\search and destroy5.2 (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchAndDestroyMFC (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Start Menu\Programs\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Bob\Desktop\SearchAndDestroy.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy\uninstall.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Search And Destroy.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall\uninstall.dat (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall\uninstall.xml (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall\IRIMG1.JPG (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall\IRIMG2.JPG (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\Search And Destroy\Uninstall\IRIMG3.JPG (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Start Menu\Programs\Search And Destroy\Search And Destroy.lnk (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Start Menu\Programs\Search And Destroy\Uninstall Search And Destroy.lnk (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy Setup Log.txt (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Desktop\Search And Destroy.lnk (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.

gmwrick

Here's what I got (saved it in notepad)- I sure can't find them with my AVG (always updated, and spybot s&d. I also went into docs & settings and can't find them- yes, I was tempted to try to delete if I could... My updates are current and other than these critters, I should be clean.

MJ


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
Spyware:Cookie/Tribalfusion

gmwrick

I got to paypal in time and got my $$- will change my card # tomorrow. except for 4 items the panda scan found, I'm clean, so at least I feel fortunate to have brought attention to this phony spybot- maybe it will save someone else from an even worse fate...
MJ

tetonbob

Thanks for the update MJ -

Good to know you got your funds returned. Give MBAM a run, it's free and fast.

gmwrick

Malwarebytes' Anti-Malware 1.07
Database version: 471

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 70800
Time elapsed: 37 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
This is what the malware bytes anti-malware found and removed. I think I'll run the panda one again to see if there's any difference.
MJ



HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SearchAndDestroyMFC (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{1A2A66B4-8B84-4912-A00B-83E58B33F6E4}\RP438\A0109869.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1A2A66B4-8B84-4912-A00B-83E58B33F

tetonbob

As it turns out, our colleague Grinler at Bleeping Computer has a removal guide for this rogue, which includes the use of MBAM.

http://www.bleepingcomputer.com/malw...archanddestroy

tetonbob

Panda is finding only cookies, and MBAM took out what was left. You should be fine. No need for threads in the HJT forum in this case.

gmwrick

Did another panda scan & it found nothing- I think I'm good now- we'll see...
MJ

tetonbob

Take a look here, and make sure your system is appropriately protected:

PC Safety and Security--What Do I Need?

wondermelmo

I'm very glad you got your money back - unfortunately I wasn't so lucky! I've fileed a claim with paypal but they've said there's nothing they can do...feh.

gmwrick

Well- I haven't gotten the $$ back yet... They say they will... live & learn!