Nod32 and S&D won't run at startup


  • This topic is locked
12 replies to this topic

#1 Surpriser


Posted 04 May 2009 - 05:20 AM

Hello.

It seems I've got another problem. :thumbsup:

Nod32 won't start after rebooting, and neither will S&D. If I run them again - they work fine.
A few seconds after restart I got this: generic host process for win32 services has encountered a problem ... I believe there must be something with svchost.exe ...

Everything else works just fine.

I tried this:
- Malwarebytes' scan
- NOD32 scan
- F-Secure online scan
- S&D scan
- Emsi's Soft A-Squared antimalware 4.0

Malwarebytes found "sysguard.exe" and deleted it. Other programs found nothing. And I tried rerunning them several times!

I also did:
Upgrade to SP3
Upgrade to IE8
Recheck all updates
Cleaned up the registry with Registry Mechanic
Reinstalled NOD32 (upgraded from version 3 to version 4)

Is there anything I can do?

Thanks!

Edited by Surpriser, 04 May 2009 - 05:41 AM.




#2 quietman7

  • Global Moderator

Posted 04 May 2009 - 06:39 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Surpriser


Posted 04 May 2009 - 06:46 AM

Here is the MBAM log, I shall try the Dr.WebCureIT now.

Malwarebytes' Anti-Malware 1.36
Database version: 2072
Windows 5.1.2600 Service Pack 2

4.5.2009 8:42:51
mbam-log-2009-05-04 (08-42-51).txt

Scan type: Quick Scan
Objects scanned: 99807
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
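
A log like the one in this post can be checked mechanically before review. The following Python sketch is an added example, not part of the original thread and not Malwarebytes code: it parses the MBAM 1.36 text layout shown above, checks that the top portion the moderator asked for is present and that each summary count matches the items listed, and reports detected autostart (Run key) values. The function names, and treating any action text other than the one seen in this log as needing follow-up, are assumptions.

```python
import re
from collections import Counter

# Sample input: the MBAM 1.36 log from the post above (timestamp and timing lines omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2072
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 1"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")         # "target (threat) -> action"
REMOVED = "Quarantined and deleted successfully."  # the only action text seen in this log

def parse_mbam_log(text):
    """Return header fields, per-section summary counts and the detections listed."""
    parsed = {"db_version": None, "os": None, "summary": {}, "items": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Database version: "):
            parsed["db_version"] = line.split(": ", 1)[1]
        elif re.match(r"^Windows \d+\.\d+\.\d+", line):
            parsed["os"] = line[len("Windows "):]
        elif SUMMARY_RE.match(line):
            name, count = SUMMARY_RE.match(line).groups()
            parsed["summary"][name] = int(count)
        elif HEADER_RE.match(line):
            section = HEADER_RE.match(line).group(1)
        elif section and ITEM_RE.match(line):
            target, threat, action = ITEM_RE.match(line).groups()
            parsed["items"].append({"section": section, "target": target,
                                    "threat": threat, "action": action})
    return parsed

def completeness_problems(parsed):
    """List what is missing or inconsistent, e.g. a log pasted without its top part."""
    problems = []
    if parsed["db_version"] is None:
        problems.append("missing database version")
    if parsed["os"] is None:
        problems.append("missing operating system line")
    listed = Counter(item["section"] for item in parsed["items"])
    for name, count in parsed["summary"].items():
        if listed[name] != count:
            problems.append(f"{name}: summary says {count}, {listed[name]} listed")
    return problems

def needs_follow_up(parsed):
    """Detections whose action is anything other than the removal text above."""
    return [item for item in parsed["items"] if item["action"] != REMOVED]

def autostart_values(parsed):
    """Names of detected registry values that sit under a CurrentVersion\\Run key."""
    marker = "\\currentversion\\run\\"
    names = []
    for item in parsed["items"]:
        pos = item["target"].lower().find(marker)
        if item["section"] == "Registry Values Infected" and pos != -1:
            names.append(item["target"][pos + len(marker):])
    return names

if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("problems:", completeness_problems(report))
    print("follow up:", needs_follow_up(report))
    print("autostart values:", autostart_values(report))
```

For this log the checks come back clean, and the one autostart value reported is the `system tool` Run entry that was removed together with `sysguard.exe`.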

#4 Surpriser


Posted 04 May 2009 - 06:59 AM

Hmmm ...

Dr.WebCureIT did not find any problems.

Since I have used ATF cleaner - Firefox stopped working correctly. There are no stylesheets and 50% of the images are missing!
EDIT: it's working now - I deleted the cache once again in FF options.

Edited by Surpriser, 04 May 2009 - 07:10 AM.


#5 quietman7


Posted 04 May 2009 - 07:23 AM

Now rescan again with Malwarebytes Anti-Malware but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you cannot boot into safe mode, then perform your scans in normal mode.

#6 Surpriser


Posted 04 May 2009 - 01:22 PM

Here is the log from SAS in safe mode:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2009 at 03:03 PM

Application Version : 4.26.1002

Core Rules Database Version : 3875
Trace Rules Database Version: 1823

Scan type : Quick Scan
Total Scan Time : 00:20:24

Memory items scanned : 218
Memory threats detected : 0
Registry items scanned : 389
Registry threats detected : 4
File items scanned : 33754
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@media6degrees[1].txt
C:\Documents and Settings\user\Cookies\user@fastclick[2].txt
C:\Documents and Settings\user\Cookies\user@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@adrevolver[2].txt
C:\Documents and Settings\user\Cookies\user@advertising[2].txt
C:\Documents and Settings\user\Cookies\user@zedo[1].txt
C:\Documents and Settings\user\Cookies\user@burstnet[2].txt
C:\Documents and Settings\user\Cookies\user@revsci[1].txt
C:\Documents and Settings\user\Cookies\user@tacoda[1].txt
C:\Documents and Settings\user\Cookies\user@realmedia[2].txt
C:\Documents and Settings\user\Cookies\user@media.adrevolver[1].txt
C:\Documents and Settings\user\Cookies\user@interclick[1].txt
C:\Documents and Settings\user\Cookies\user@c7.zedo[1].txt
C:\Documents and Settings\user\Cookies\user@at.atwola[1].txt
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\user\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\user\Cookies\user@atwola[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.specificclick[2].txt

Trojan.Agent/Gen-AlerterALG
HKU\S-1-5-21-1708537768-1450960922-682003330-1003\Software\S45
HKLM\Software\S45
HKLM\Software\S45\Par
HKLM\Software\S45\Par#ID

MBAM is still searching ...

#7 Surpriser


Posted 05 May 2009 - 12:26 AM

MBAM also found nothing. :thumbsup:

When I run S&D the following log file is created:
Mind that rerunning the program works totally fine!



Edited by Surpriser, 05 May 2009 - 12:57 AM.


#8 quietman7


Posted 05 May 2009 - 06:49 AM

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free so I would remove Spybot.

Are you still having issues with NOD32?

#9 Surpriser


Posted 06 May 2009 - 02:44 AM

Hello!

NOD32 troubles seem to be gone - but the error remains when I try to start S&D. Everything else is working fine.

It's not the S&D that bugs me (I'm not even using it, nor the TeaTimer), it's just that when there are errors with NOD, S&D or similar AV/anti-malware programs - everything points to infection.

I really don't know what helped here ... scanning or system updates (SP3 + some other)

Thank you very much for your help!

Edited by Surpriser, 06 May 2009 - 02:44 AM.


#10 quietman7


Posted 06 May 2009 - 09:14 AM

Well your MBAM log showed your system was infected and the malicious file(s) was removed. Subsequent scans with Dr.Web found nothing and SAS only found cookies and a few registry remnants. If you want to investigate Spybot's behavior more, I suggest you check with Spybot S&D Support.

In the meantime, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

#11 Surpriser


Posted 07 May 2009 - 12:28 AM

Well, I guess this is still not over ... :flowers:
Today the same message (generic host process for win32 services has encountered a problem ...)
Details:

-----

Generic Host Process for Win32 Services

Error signature āā‚¬ā€¯
AppName: svchostexe AppVer:
ModVer: 0.0.0.0 Offset: 00406a49
51.2600.5512
ModNarne: unknown
Reporting Details āā‚¬ā€¯
This error report includes: information regarding the condition of Generic Host Process for Win32 Services when the problem occurred; the operating system version and computer hardware in use; your Digital Product ID, which could be used to identify your license; and the Internet Protocol (IP) address of your computer.
We do not intentionally collect your files, name, address, email address or any other form of personally identifiable information. However, the error report could contain customer-specific information such as data from open files. While this information could potentially be used to determine your identity, if present, it will not be used.
The data that we collect will only be used to fix the problem. If more information is available, we will tell you when you report the problem. This error report will be sent using a secure connection to a database with limited access and will not be used for marketing purposes.
To view technical information about the error report, click here.
To see our data collection policy on the web, click here.

-----

A few minutes after that, NOD32 found a threat in c:\windows\system32\drivers\etc\hosts - Win32/Qhost trojan.

Something must still be causing problems ... :thumbsup:

EDIT: MBAM found nothing, and neither does NOD32 (after quarantining the threat) ...

Edited by Surpriser, 07 May 2009 - 05:05 AM.


#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 May 2009 - 08:33 AM

This issue will require further investigation. Many of the tools we use in this forum are not capable of detecting all malware variants, so more advanced tools are needed to investigate. Before that can be done, you will need to create and post a DDS/HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,949 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 08 May 2009 - 09:07 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/225363/possible-infection-trojan/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response, but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



