PDA

View Full Version : Spybot will not complete scan



Trapper38
2007-08-31, 18:37
It keeps stopping at 6052 CoolWWWSearch and will not complete a scan

I have tried various solutions, all of the suggestions on this thread and it still won't compleate a scan.

http://forums.spybot.info/showthread.php?t=14322&highlight=freezes+coolwww

Also I have tried a clean reinstall, this made no differance either.

I'd be grateful if someone would help me fix this problem. thanks

chi-va
2007-08-31, 20:59
Please try my suggestion:;)
http://forums.spybot.info/showthread.php?t=17397

Trapper38
2007-08-31, 21:20
Please try my suggestion:;)
http://forums.spybot.info/showthread.php?t=17397

Thanks for your response. I've tried your first suggestion and File mon will not open , it keeps on saying that this file is already in place, do you want to replace it and then whichever choice I make nothing happens.

chi-va
2007-08-31, 23:26
Do you have extracted the download before? Please always post the exact error message because this makes it easier to find out from where it comes. A screen shot could help as well. My problem now is that I don't know exactly if this is something that is reported in the Filemon log or if this is an error message that you couldn't start Filemon.

If this is a Filemon starting error then please try the
tool Process Monitor.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

It is a package which contains Filemon as well. You haven't posted any information about your system yet so I hope that you use a system that is supported in Process Monitor. If this tool didn't work as well even if it is supported then we have a really serious problem. Without any logs it is almost impossible to tell you where the problem is.

If Filemon does actually work(see Filemon screen shot in the previous link) then please tell us where(which files) the problems are(probably access denied messages?). This could give us a hint which processes could block the access.

Apart from that, you should try the rootkit tool as well. Hiding files is only one of tricky rootkits features.

Last but not least please also poste a Hijackthis log in the malware removal forum:
http://forums.spybot.info/showthread.php?t=288

Please follow Tashis' instructions but skip the part about Spybot-S&D. Seeing some system information is always helpful.;)

Trapper38
2007-09-01, 00:45
Managed to download and Filemon working now, screen shot enclosed.

Also do still need me to post Hijackthis log in the malware removal forum?

Trapper38
2007-09-01, 17:53
I think I made an error with the previous screen shot and it's too small to read.

http://img209.imageshack.us/img209/4642/untitledzm5.jpg

md usa spybot fan
2007-09-01, 18:42
Trapper38:

It would probably be easier to interpret the output if you saved it to a file, zipped (archived) the file and attached that to a post.

chi-va
2007-09-01, 20:09
Hello Trapper38! Good work!:bigthumb: Now we can read it but I'm afraid it is still not what we want to see. Do you agree Md usa spybot fan? Thank you for joining us!;)

Or was this already the point where Spybot-S&D was freezing? As long as you can see that Spybot-S&D is opening something then it is still scanning. By regarding your screen shot the last entry is telling me that Spybot-S&D has sucessfully close the last opened file/directory. So it is unlikely that this is the point where Spybot-S&D was freezing. With other words I'm looking for the last entry of Spybot-S&D during a scan which does not change even after more than 5 minutes.

P.S.: I'm agree that a log file of Filemon does help but this is not necessary here. Apart from that Filemon creates awfully long log files. So I prefer posting the last Spybot-S&D entries or just make a screen shot of the last Spybot-S&D entries. By the way, if you have found it please enlarge the frame for "Path" in Filemon so that we can see the full entry of it.

P.P.S.: Posting in the malware removal forum is not necessary yet. Maybe later. Do you already have tried Blacklight?

Trapper38
2007-09-01, 21:05
Thanks for your reply. Sorry, I did post a log in the malware forum before getting this latest reply.

I have not tried backlight , also I'm not really sure exactly what you require concerning Spybot entries, if you could explain please.

md usa spybot fan
2007-09-01, 21:58
chi-va:

I agree that if Filemon is going to help reveal the cause of the problem, the file system activity by SpybotSD immediately prior to the hang is the most important. From the location of the vertical scroll bar and the count of the entries displayed, I don't believe that the screen shot was of the file system activity by SpybotSD immediately prior to the hang.

Trapper38:

Please try again. After the SpybotSD scan hangs and before you take any action to terminate the process, make sure that you are still at the bottom of the Filemon listing before taking the screen shot.

ps:

chi-va:

I also hope that a screen shot of the last activity displayed will actually be the last file system activity by SpybotSD. I have noted in the past that Filemon (and Regmon as well) has a tendency to skip the recording of portions of activity from fast running processes. Although the entry number of the output generally reflects this skip of it occurs in the middle of a process, you can not tell if it happens at the end of a process.

pps:

Trapper38:

Thanks for taking the time to try and help determine the cause of the problem. Many people look for a quick fix and aren't willing to expend an effort to find that fix.

Trapper38
2007-09-01, 22:55
Lets hope this is the part of the file that you require, spybot was operating and hanging at CoolWeb, though I'm not sure if the snap shot was taken at the correct point.

http://img504.imageshack.us/img504/668/3rdtimeluckybs8.jpg

chi-va
2007-09-01, 23:39
Not exactly but almost I think.;) I have add some comments in your screen shot. 15:43:14 is the last entry which I can see from Spybot-S&D(red marked process). Your system clock is showing the same time so it is difficult to tell if it is really freezing or not. Please wait at least minutes at the point where you think that Spybot-S&D is freezing. Then take a look again in Filemon. If there are no more Spybot-S&D activity listed then it is really freezing. If you can see more log entries with the Spybot-S&D process then it is not freezing but just scanning slowly.

If it is really freezing then scroll back to the last Spybot-S&D log file entry and please enlarge the frame for the "Path". At the moment I can only see "C:\Documents and Settings\Kenny\Lo...". For locating the file you have to enlarge the frame so that we can read the full path.

P.S.: Posting in the malware removal forum was good because I have found some minor problems in your reports. I hope our experts there will help you as soon as possible.

Trapper38
2007-09-02, 00:47
Hope this image is correct, I don't think spybot is freezing actually it just hangs at Coolweb and never completes the scan


http://img129.imageshack.us/img129/5190/73881591rs9.jpg

chi-va
2007-09-02, 02:43
Yeah, I'm agree. It seems it is still scanning and not really freezing at Coolweb. Please ensure that there are no files in the temp folder left. The files there are not really necessary so no need to wait for Spybot-S&D to scan them. Just delete them and you will spare a lot of time. Here you can find an instruction for cleaning the temp folder:
http://www.helpwithwindows.com/WindowsXP/howto-16.html

After that please take a look in the temp folder in order to ensure that it is really empty. Sometimes the cleaning does not work correctly which could cause problems. So controlling the folder size couldn't be wrong as well. I have seen systems where no visible files could be found in the temp folder but the folder size was over 1000 MB. Obviously caused by tools which didn't delete the files correctly.

Some system only need 10 minutes for a scan others need much longer. Not need to worry just let it doing its job as long as this is not taking forever. With Filemon you can normally ensure if is hanging freezing or whatever. I hope we was able to clarify that Spybot-S&D is still scanning. Be free to ask me if you need to know something else.

Trapper38
2007-09-02, 04:01
Not having much luck with these temporary files. I have been deleting them with Ccleaner, plus IE tools options and via Firefox. Also found a few more with your attachment advice however, the problem still remains:sad:

The only thing I can think of is the secure shreader on Spybot, there are never any temp files to bring down and if I then click chop away Spybot does freeze up and then I have to use task manager to end the process. The shredder does work ok for cookie and cache files though. Hope this info' helps a little more.

chi-va
2007-09-02, 14:02
Which version of CCleaner do you use? In version 1.41.544 you can analyse the temp files. What size does they have all together? Please only select the temporary system files for the analyse. There several bugs in CCleaners' versions history mentioned which apply to the temporary files. Just in case that there are damaged files left. Please run the tool CHKDSK:

http://support.microsoft.com/kb/315265/EN-US/

A secure tool for deleting files is the tool Eraser:
http://www.heidi.ie/eraser/download.php

Please use it if you have problems to delete the temporary files. It might help if you delete the temporay files in Windows safe mode:
http://www.computerhope.com/issues/chsafe.htm

How long do you have wait before you have cancelled the Spybot-S&D scan? Was it at least 60 minutes?

Trapper38
2007-09-02, 18:55
I'm running Ccleaner version 1.41.544 and have set it just to delete temp files, it deleted 476 temp files 2.12MB.

I have run the tool CHKDSK: again, which makes three times in total to no avail.

Spybot has been left running for well over an hour and will not complete.

I have downloaded the eraser tool, but not used it yet. It doesn't look that user friendly at first glance and I don't know how to remove temp files with it? if indeed this is the problem?

fixet
2007-09-02, 20:34
Background
Spybot 1.4 worked great for me for a long time untill suddenly I had the below mentioned problems and then Spybot was simply unusable. Nothing in all previous posts would fix this. Other registry scanning programs such as adaware and misc registry cleaners would have the same problems.

Problem
spybot will not complete a scan.
spybot becomes unresponsive and freezes at different points of scan.
system internals freezes during scan.

Solution
1. you will need to download two programs
AVG 7.5 Antispyware (used to be ewido) which is here->http://www.grisoft.com/doc/31/us/crp/0?prd=asw
and Blacklight Rootkit revealer which is here ->http://www.f-secure.com/blacklight/try_blacklight.html

2. a)install and start the avg7.5 antispyware
avg7.5 antispyware will not fix this problem but will simply detect the rootkit in memory before the fix and confirm that the problem is no longer there after the fix. you can keep or uninstall this program when finished.
b) hit the update button and then update by pressing start update..it is pretty much self explanatory
and simply to get most recent definitions of course.
c) then you can hit the scanner button and only need do the memory scan. when the memory scan is complete ( only takes a few minutes or so) there should be a few detections if this your problem.
d)exit avg7.5 antispyware

3. a) run the blacklight rootkit program and get to the scan screen and run a scan. This scan should not take very long as well, maybe 5-10 minutes max. this program will detect the files that are causing the memory problem. in my case it detected one file called csrvu.exe and was located in windows/system32 folder. anyways..click rename and finish and blacklight will rename the file with a different ending.. through explorer find this file and delete it
4. restart computer and run the avg7.5 antispyware memory scan again. there should be no detections and this will indicate fixed.

Spybot and the above mentioned programs now run as they should for the first time in months..I hope this fixes your problem too.

chi-va
2007-09-02, 20:43
Are there any reasons why you don't have tried Blacklight yet? It is a small download and the software is still free to try. As written in my first post rootkits could cause that Spybot-S&D don't work correctly as well. This includes freezing or hanging. Please use Blacklight because Filemon is not able to detect rootkits. Apart from a rootkit I don't know what else it could be.

If it is the "Temp" folder then just rename it to "oldTemp" and then create a new folder with the name "Temp" in the same location of the old folder. It is really suspicious that Spybot-S&D open this folder that often even if it is almost empty.

Eraser is simple to use. Start Eraser and then just drag & drop the files/folders which you want to delete.

Trapper38
2007-09-02, 23:57
Well, downloaded and ran blacklight, scan was clean. Renamed temp folder and still the same result, no result.

chi-va
2007-09-03, 01:25
I'm glad that you are still helping us to find the problem.:bigthumb: I'm just curious. Why are you so persistent to use Spybot-S&D even if it obviously doesn't work on your system? Your log files did not show any hints of infections as far as I can say.

It seems that we have already checked all possible troubles caused by troublesome files.

There are still many things left which we could try. First some additional questions. What is your CPU specification? Is it a multicore CPU or does it use Hyper-Threading technology? Missing additional support in Spybot-S&D 1.4 could cause troubles with these CPUs. There are some improvements in Spybot-S&D 1.5 RC 1 for these CPUs.
http://www.safer-networking.org/en/spybotsdbeta/index.html

Before you install it it is recommended to make a real clean installation:
http://www.safer-networking.org/en/howto/uninstall.html

Apart from using the registry patch you should also delete the whole Spybot-S&D program folder.

A second attempt is to locate the problematic file set of the Spybot-S&D detection database. Switch to advanced mode via the menu item "Mode" and then go to "Settings->File Sets".

Try this sequence:

Turn off:

Hijacker.sbi
HijackersC.sbi
Malware.sbi
MalwareC.sbi
Spybot.sbi
SpybotsC.sbi

and make a scan. This time it should pass the scan. If it works add the last two entries and scan again. Repeat this until you can say where the problems are.

chi-va
2007-09-03, 03:38
As you can guess we are now searching for hardware errors. Please use the tool Everest-Home-Edition for an other test:

http://www.softpedia.com/get/System/System-Info/Everest-Home-Edition.shtml

As written before physical damages could cause conflicts as well. E.g. a high temperatur could cause
malfunctions in the CPU and malfunctions in the memory modules. Just use the tool and tell us what is the highest temperature during the Spybot-S&D scan. It is not necessary to post a log this time. Temperatures over 100° Celsius(212° F) are already too high for a stable running of the system.

P.S.: I probably won't be able to answer in the next few days. So be free to make the scan when you have time and if you are in the mood to do this. If the temperature is over the mentioned limit then please don't make anymore scans before you have fixed the hardware problem. Removing the dust has help in similar situations. Again, thank you very much for going through all these troubles.:bow:

Trapper38
2007-09-03, 04:02
Oh dear!!! I tried your second option first, unticked said files and ran a scan. This then hung at 5569/36479Ardamax and would not complete the scan.

Thought I might as well try the 1.5 which was installed as per instructions and ahhhhhhhhhhhhhhh no, it's hanging at exactly the same place, CoolWeb, I don't believe this.

yeah, I do have a lot of patience which is wearing a bit thin now lol, plus I don't like niggles on my computer. I only run Spybot and Ad-aware for spyware, along with Norton Security 2005. I can live without Spybot on my computer, but would prefer to have it functioning. It had crossed my mind that considering all the time used on this irritant it probably would've been quicker for me to do a reformatt however, that seems like taking a sledge hammer to crack a nut.

My cpu is the one that you can set to infinity, already tried that with no success.

Trapper38
2007-09-03, 05:28
By the time I'd finished typing my last reply you'd sneaked in another ;) Anyway I've downloaded the tool Everest-Home-Edition to confirm the temperature (breathes a sigh of relief) it reached 50C.

So enjoy your break and look forward to continuing in a few days :bigthumb:

Trapper38
2007-09-03, 08:03
Wahey chi-va :D: :bigthumb: You were right all along it was temporary files causing a conflict.

Finally got 1.5 working. You won't believe this, I went back to Ccleaner to retick everything and decided to go through deleting everything one tick at a time. On cleaner settings Windows, at the bottom is Advanced with 8 items which are unticked by default and I've never used them. There wasn't much stuff in any of the others until I reached advanced and removed 325MB of whatever, did a reboot and low and behold it worked.:present:

Many thanks for all your time and patience for this frustrating problem.