Who do I believe? spybot+ad-aware vs SAS+AVG AS

Discussion in 'other anti-malware software' started by argus tuft, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Hi,
    Last night I tried to scan with spybot. The first time, I left the computer for a bit, and when I returned I found a "windows has closed this program to protect your computer" DEP dialogue box. I saw that it had detected, among other things, CWS, Sgrunt, Media motor, smitfraud c, and guardian monitor.

    I put spybot in the DEP ignore list, and ran another scan. Again, I left the pc, and came back a bit later to find that spybot had disappeared. No process in task manager.
    I scanned once more, and watched spybot scan (quite boring), saw the list of detections rise, and then spybot vanished again! No "spybot has encountered an error and needs to close" error box, nothing.

    Getting a little worried, I then scanned with SAS, which didn't even find a cookie, then with AVG AS, which also found nothing.
    By this time I had read on spybot's forums that there was a false positive with guardian monitor, but found no mention of the others as being FPs.

    I then ran ad-aware, which found 46 "possible browser hijack attempts".
    The comment for each detection was "trusted zone presumably compromised".

    I looked at the sites listed in IE's trusted zone, and found nothing there.

    I ran HJT, which found 2 entries that I think may be suspect; they weren't there last time I ran it.

    F3- REG:win.ini:LOAD=
    F3- REG:win.ini:RUN=

    The other day when I updated spyware blaster, I noticed that "protection for restricted sites" had somehow become disabled, when I checked it today it was alright though.

    So, basically I've got spybot and ad-aware saying one thing (and I know that one of spybot's is an fp), and SAS and AVG AS saying another, with HJT adding more confusion to the mix.
    Is it possible to hide part of an entry from HJT?
    I mean, is it possible for HJT to detect the part that says "run", but not the part that says "this program.exe"?

    There are no strange processes in process explorer, no strange alerts from comodo FW, and IE most definitely has not been hijacked.
    The only "strange" behaviour at all is spybot disappearing before it can finish scanning.

    If it weren't for the fact that spybot crashes before it can complete a scan (which it has NEVER done before), and that ad-aware also finds 46(!) "possible browser hijack attempts", I'd just go with what SAS and AVG AS are saying.
    But now I'm not at all sure.

    So, who should I believe? What else can I try to determine whether I've got an infection or not?

    Thanks, argus.
     
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
  3. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Have you reported the problems you are having with Spybot at their forum? There is a similar problem with Spybot "quitting" posted there.
     
  4. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    After some suggestions from spybot's forum, I removed spybot's immunization, which then fixed what ad-aware was finding. I find it odd, because ad-aware has never detected spybot's immunization before.

    It also seems that the things spybot detected were also spybot's immunization o_O so something got screwed up somewhere.

    Now I just have to get spybot to complete a scan, and I'll be happy.

    Thanks for your replies.
     
  5. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    With me Spybot does not detect anything. After clean reinstall it detects only those items that I had previously excluded. (i.e. that Windows Disable notify stuff - I don't use Security Center - plus Teknum which is basically a fp.)
    Anyway, scans after reinstall go right up to the end (more or less the last Zlob) and that's it. Spybot GUI and associated process terminate. Maybe Labour Day :D maybe conflicts with some other security software. ..but this is a first for me (only after 25/4 update). Have contacted 'Spybot Team' support on this. Will give it a few more days before calling it quits with Spybot. :'(
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    With regard to the HJT F3 entry for win.ini; if there are no file paths given after the '=' (equals) sign, then there is nothing that will load or run at bootup. You would only need to worry if it said something like:-

    [windows]
    load=malware.exe
    run=malware.exe

    which would run the 'malware.exe' file every time you boot.

    To be sure, you can open the win.ini file in notepad to see what it says in the [windows] section of the file. Or, more simply, you can run the System Configuration Editor (Sysedit.exe) to inspect and edit win.ini (or system.ini); you just click Start button > Run > type sysedit and press Enter to bring up sysedit.exe. If you look at the [windows] section and see load or run without any file after them, you may as well delete the entry (and if there is a file, check it carefully; since the win.ini file isn't generally used anymore, these things are now done via the registry, so you may not even have a [windows] section in win.ini).

    I've just run Spybot to see what would happen, but on my system all was O.K.
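
The check described in the post above, as an added example that is not part of any post in this thread: it reads win.ini text and reports only `load=`/`run=` entries in the `[windows]` section that actually name a file. The function name and both sample inputs are constructed for illustration.

```python
# Added example: flag non-empty load=/run= autostart values in win.ini text.
import re

AUTOSTART_KEYS = {"load", "run"}  # the two [windows] keys HJT reports as F3


def winini_autostarts(text):
    """Return [(key, value)] for load=/run= entries in [windows] that name a file."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or INI comment
            continue
        header = re.fullmatch(r"\[([^\]]*)\]", line)
        if header:                                  # section names are case-insensitive
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue                                # only [windows] key=value lines matter
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in AUTOSTART_KEYS and value:         # an empty value starts nothing
            findings.append((key, value))
    return findings


# Constructed samples, not taken from any real machine.
BENIGN = "[windows]\nload=\nrun=\n[fonts]\n"
SUSPECT = (
    "; constructed sample\n"
    "[Windows]\n"
    "LOAD=\n"
    "Run = malware.exe\n"
    "[Desktop]\n"
    "run=ignored.exe\n"   # same key name, but outside [windows]
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, winini_autostarts(sample))
```

The `REG:` prefix on the HJT lines means HijackThis read the registry-mapped copy of these values; the same empty-versus-named-file test applies to it.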
     
  7. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    Hi, Ocky, mine also quits on zlob videoaccessActiveX object (63889), and I now think it's the same problem as the Tester posted about; it was all the detections which threw me. I read in spybot's forum that if you exclude malware.sbi the scan will run successfully, but that's not very useful. Someone also thought it was related to the latest update of advcheck.dll. (I think it was)

    @ TopperID, thanks for the info about the F3 hjt entries, that does put my mind at rest. Did you update spybot before scanning?
     
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I did update Spybot before running the scan. The scan ran just fine and I closed Spybot down without event. Then, a few minutes later, when I clicked a link here at Wilders, my machine suddenly rebooted for no apparent reason! :mad:

    It is extremely unusual for my system to spontaneously reboot, so I'm wracking my brains trying to think whether running Spybot could somehow have caused that to happen. I really don't see the connection - but who knows. o_O
     
  9. argus tuft

    argus tuft Registered Member

    Joined:
    Sep 20, 2006
    Posts:
    280
    Location:
    Australia
    In a post about a similar problem on spybot's forums, someone mentioned that spybot may be unhappy with hyperthreaded CPUs. I find it strange that that would be the problem after all this time though. Spybot has run fine up till now, I've had this pc since xmas.
    Is your pc HT?

    Re what happened to you, I can't see any connection either... if spybotSD.exe had closed, I wouldn't have thought it could force a reboot. o_O
     
  10. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Hello argus. Interesting, have a look at mottoman's post in Spybot forums.
    I did what he did i.e. removed the directory I had placed in setting>directories>download directory.....and now the damn thing works as before (completes the scan). I ran a chkdsk /r/f about 2 weeks ago and it was OK. Please try if you have time and see if it is the same with you.
    Will try later with a different directory ..

    Regards.

    EDIT: Reply from Spybot Team and further observation.

    My reply:

     
    Last edited: May 2, 2007
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If Spybot worked properly in the past, then it has nothing to do with hyperthreaded CPUs.
    Did you already try a complete uninstall of Spybot + cleaning registry, followed by reinstall and updating of signatures?
    I would solve such a problem with rollback, but that's too late for you.
     