Hi,
last night I tried to scan with spybot. The first time, i left the computer for a bit, and when I returned I found a "windows has closed this program to protect your computer" DEP dialogue box. I saw that it had detected, among other things, CWS, Sgrunt, Media motor, smitfraud c, and guardian monitor.

I put spybot in the DEP ignore list, and ran another scan. Again, I left the pc, and came back a bit later to find that spybot had disappeared. No process in task manager.
I scanned once more, and watched spybot scan (quite boring), saw the list of detections rise, and then spybot vanished again! No "spybot has encountered an error and needs to close" error box, nothing.

Getting a little worried, I then scanned with SAS, which didn't even find a cookie, then with AVG AS, which also found nothing.
By this time I had read on spybots forums that there was a false positive with guardian monitor, but found no mention of the others as being FP's.

I then ran ad-aware, which found 46 "possible browser hijack attempts".
the comment for each detection was "trusted zone presumably compromised".

I looked at the sites listed in IE's trusted zone, and found nothing there.

I ran HJT, which found 2 entries that I think may be suspect, they weren't there last time I ran it.

F3- REG:win.ini:LOAD=
F3- REG:win.ini:RUN=

The other day when I updated spyware blaster, I noticed that "protection for restricted sites" had somehow become disabled, when I checked it today it was alright though.

So, basically I've got spybot and ad-aware saying one thing, (and I know that one of spybots is an fp), and SAS and AVG AS saying another, with HJT adding more confusion to the mix.
Is it possible to hide part of an entry from HJT?
I mean, is it possible for HJT to detect the part that says "run", but not the part that says "this program.exe"?

There are no strange processes in process explorer, no strange alerts from comodo FW, and IE most definitely has not been hijacked.
The only "strange" behaviour at all is spybot disappearing before it can finish scanning.

If it weren't for the fact that spybot crashes before it can complete a scan (Which it has NEVER done before), and that ad-aware also finds 46(!) "possible browser hijack attempts. I'd just go with what SAS and AVG AS are saying.
But now I'm not at all sure.

So, who should I believe? What else can I try to determine whether I've got an infection or not?

Thanks, argus.

You may want to try an online scan-

kaspersky's

http://usa.kaspersky.com/services/free-virus-scanner.php

trend micro's housecall

http://housecall.trendmicro.com/

Have you reported the problems you are having with Spybot at their forum?There is a similar problem with Spybot "quitting" posted there.

After some suggestions from spybots forum, I removed spybots immunization, which then fixed what ad-aware was finding. I find it odd, because ad-aware has never detected spybots immunization before.

It also seems that the things spybot detected were also spybots immunization ??? so something got screwed up somewhere.

Now i just have to get spybot to complete a scan, and I'll be happy.

Thanks for your replies.

With me Spybot does not detect anything. After clean reinstall it detects only those items that I had previously excluded. (i.e. that Windows Disable notify stuff - I don't use Security Center - plus Teknum which is basically a fp.)
Anyway, scans after reinstall go right up to the end (more or less the last Zlob) and that's it. Spybot GUI and associated process terminate. Maybe Labour Day ;D maybe conflicts with some other security software. ..but this is a first for me (only after 25/4 update). Have contacted 'Spybot Team' support on this. Will give it a few more days before calling it quits with Spybot. :'(

With regard to the HJT F3 entry for win.ini; if there are no file paths given after the '=' (equals) sign, then there is nothing that will load or run at bootup. You would only need to worry if it said something like:-

[windows]
load=malware.exe
run=malware.exe

which would run the 'malware.exe' file everytime you boot.

To be sure, you can open the win.ini file in notepad to see what it says in the [windows] section of the file. Or, more simply, you can run the System Configuration Editor (Sysedit.exe) to inspect and edit win.ini (or system.ini); you just click Start button > Run > type sysedit and press Enter to bring up sysedit.exe. If you look at the [windows] section and see load or run without any file after them you may as well delete the entry (and if there is a file check it carefully, since the win.ini file isn't generally used anymore these things are now done via the registry; thus you may not even have a [windows] section in win.ini).

I've just run Spybot to see what would happen, but on my system all was O.K.

Hi, Ocky, mine also quits on zlob videoaccessActiveX object (63889), and I now think it's the same problem as the Tester posted about, it was all the detections which threw me. I read in spybots forum that if you exclude malware.sbi the scan will run successfully, but that's not very useful. Someone also thought it was related to the latest update of advcheck.dll. (I think it was)

@ TopperID, thanks for the info about the F3 hjt entries, that does put my mind at rest. Did you update spybot before scanning?

I did update Spybot before running the scan. The scan ran just fine and I closed Spybot down without event. Then, a few minutes later, when I clicked a link here at Wilders, my machine suddenly rebooted for no apparent reason! >:(

It is extremely unusual for my system to spontaneously reboot, so I'm wracking my brains trying to think whether running Spybot could somehow caused that to happen. I really don't see the connection - but who knows. ???

In a post about a similar problem on spybots forums, someone mentioned that spybot may be unhappy with hyperthreaded cpu's. I find it strange that that would be the problem after all this time though. Spybot has run fine up til now, I've had this pc since xmas.
Is your pc HT?

re what happened to you, I can't see any connection either... if spybotSD.exe had closed, I wouldn't have thought it could force a reboot. ???

Hello argus. Interesting have a look at mottoman's post in Spybot forums.
I did what he did i.e. removed the directory I had placed in setting>directories>download directory.....and now the damn thing works as before (completes the scan). I ran a chkdsk /r/f about 2 weeks ago and it was OK. Please try if you have time and see if it is the same with you.
Will try later with a different directory ..

Regards.

EDIT: Reply from Spybot Team and further observation.

{QUOTE-> Hello,

If you have Spybot S&D 1.4 this is a rare situation that hasn't been explained yet.
But you can do the following to get the scan to work, but you'll have to do it each time you use the program.

- Open Spybot-S&D, then leave it alone
- Open Task Manager, and go to the Processes tab
- Right-click on SpybotSD.exe, and choose "Set Priority..."
- On the box that comes up, check/uncheck boxes so that ONLY "CPU 0" is checked.
- Go back to the already-open Spybot-S&D, and run a scan. It should complete without hanging or losing responsiveness.

This can also be done like this:
Please run Spybot-S&D and switch to "Advanced mode" via the menu bar item "Mode".
Now select "Settings" -->"Settings" from the navigation bar on the left.
Under "Main Settings" you will find the point "Scan priority".
There you should choose "Lower" by ticking the checkbox.

--
Best Regards,
Mike
Team Spybot <-QUOTE}

My reply:

{QUOTE-> Thank you for your reply.

There is no difference by running at lower priority.
BTW, I have XP Home, 2Gig memory and Athlon 64X2 4600+

I have noticed the following:
When removing the folder C:\My Downloads in settings>directories>download directory, the scan completes
as in the past (before 25/4). Chkdsk /r is OK. Other directories in C:\ and directories on other partitions do not cause the problem - I have tried several.


Very strange - maybe some incompatibility with one of the executables in my C:\My Downloads folder
(eg. packed executables or whatever) - but this never happened before 25/4 sig. update.
Any more ideas ? Thanks <-QUOTE}

{QUOTE-> In a post about a similar problem on spybots forums, someone mentioned that spybot may be unhappy with hyperthreaded cpu's. I find it strange that that would be the problem after all this time though. Spybot has run fine up til now, I've had this pc since xmas.
Is your pc HT?

re what happened to you, I can't see any connection either... if spybotSD.exe had closed, I wouldn't have thought it could force a reboot. ??? <-QUOTE}
If Spybot worked properly in the past, than it has nothing to do with hyperthreaded cpu's.
Did you already try a complete uninstall of Spybot + cleaning registry, followed by reinstall and updating of signatures ?
I would solve such a problem with rollback, but that's too late for you.