Spybot freezes at "win32agent.pz"



e1fletch
2008-09-05, 03:50
I have been using Spybot for 4+ years and this has never happened. I am using version 1.6. It will not complete a full scan. Program stops dead after 3 or 4 minutes (about 15% through the scan) and the note at the bottom left says "Running bot-check (51291/295344: Win32Agent.pz)". I run Spybot manually every week and immunize, but I do not use teatimer.

I have McAfee Virus scan (& firewall, antimalware, root kits, system guard) - no hits/clean and WinDefender - no hits/clean. However, WinDefender showed a few "warnings" in the Event Viewer (event id 3004) in the last few days about suspicious changes -- c:\windows\system32\drivers\etc\Hosts, also one with a long reg key name ending in "...Internet Explorer\Main\\Startpage."

Can anyone tell me if this is a serious threat and how to get Spybot to work again?

Thanks in advance for any help.

e1fletch

wyrmrider
2008-09-05, 05:03
spybot Sandra worked on this problem in this thread
http://forums.spybot.info/showthread.php?t=19884
I DO NOT KNOW IF IT WAS RESOLVED

see post 8 first

quote from post 11

It should also help to deactivate the scanning for usage tracks.
Please run Spybot-S&D and switch to "Advanced mode" via the menu bar item "Mode". Now select "Settings" --> "File Sets" in the navigation bar on the left. The checkboxes in front of "Usage tracking" and "tracks.uti" have to be unticked if you do not want to find usage tracks anymore.

If this does not help please edit the shortcut icon on your desktop that is used to run Spybot-S&D.
Right-click the icon and choose properties.
Then include a /verbose (with a space tab in front) in its link location at "Target".
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /verbose
To see how to do that please have a look at this link in our forum:
http://forums.spybot.info/showthread.php?t=23560
Or have a look at this how to flash tutorial.
When you do a scan now, it will show an 8 digit number in the status bar at the bottom, like $1234ABCD.
Please post that information here.
They can use this information to look up where exactly it hangs. Thanks.

Best regards
Sandra
Team Spybot
end of copied post

Thread ends there
can you supply the end of the story
thanks

e1fletch
2008-09-06, 14:12
Thanks wyrmrider,
I checked the file sets setting and the Usage tracking boxes were already unchecked before this happened. I would have preferred these to be checked as I rely on Spybot to help remove tracking stuff that I don't want! So that hasn't been happening. I also did an online Kaspersky scan and found 2 Trojans in Outlook Express MessageStore inbox -- "paylap.ev" and "fraud.gen" that neither Spybot nor my McAfee virus scan detected. (It also found a lot of "win32" type files related to Logmein and UBCD4Win programs which are probably ok.)

I will run Spybot with the verbose setting to see if it still hangs.

Will let you know.

e1fletch
2008-09-06, 14:59
Hello again,
Attempted a Spybot scan again with the /verbose setting. Usage tracking files still unchecked. It still freezes at the same spot. The additional info is $70E19D46. So still can't get more than a 10% scan of my system.

Please advise.

e1fletch

drragostea
2008-09-06, 20:43
Good work wyrmrider.

e1fletch,
What version of Spybot-SD are you running (Help>about)?
http://www.safer-networking.org/en/faq/52.html

In addition to the link above, have you attempted to clear the cache, temp. files, and cookies from your browsers (along with the temp. files in the system)? If it is locked, attempt a reboot and clear them.

e1fletch
2008-09-06, 23:34
last detection update is 9/3/08.

Just ran another McAfee scan -- no real issues. Also SDFix, no problems.
Would still like to have Spybot working again.

Hope that helps.

honda12
2008-09-07, 00:01
Hi e1fletch,

How about trying to ignore 'Win32Agent.pz' from scans to see if that makes a difference:

Mode > Advanced Mode > Click 'Yes' > Ignore Products > Select 'Malware.sbi' tab > Scroll down to 'Win32Agent.pz' and check the box

Restart Spybot, then try scanning again


Note. When writing these instructions, I discovered that I had 2 entries listed as 'Win32Agent.pz' - I don't know if this might have anything to do with the problem, but it is strange nonetheless

e1fletch
2008-09-07, 00:44
Hello Honda12,
I had already cleared the cache (does so after closing browser) and I clear the temp folders/cookies regularly. So I tried as you recommended clicking to ignore win32agent.pz and Spybot now moves on. BUT, it now freezes at "65880/295344 Smitfraud-C.ul; $3F3E4ECE". Same symptom as before -- it will not complete the scan. Stops dead. If I click on the X it takes several seconds and I get the "Program not responding... do you want to end?" so I have to do that to close Spybot.

I do not want to continue to have it "ignore" malware to make it work -- that defeats the whole purpose of the program. Why is it not identifying and "detecting" these items and finishing the program?

Still wondering what the problem is.
e1fletch.

e1fletch
2008-09-07, 04:26
As noted -- still having the problem with Spybot freezing - now just at a different place. I am not the only one having this problem. I was scanning the other sections of the forum and noticed someone else has had this exact same problem. See copy of post below.
E1fletch

The post was in the General forum and I copied it (it is also from yesterday -- 09/05/2008):

Thread: Spybot Locking Up? View Single Post
Yesterday, 09:58 #13
cibrlx01
Junior Member

Join Date: Sep 2008
Posts: 2

--------------------------------------------------------------------------------

i went into settings and noticed that i could uncheck the file win32.agent.pz
after that it kept going until 65880/295344 smitfraud.c.ul


cibrlx01

AndTheWolf
2008-09-07, 06:26
E1fletch, I have the same problem you and cibrlx01 have. Each time Spybot stopped I recorded the result, checked the Malware.sbi item, and ran Spybot again, until I was able to complete a scan. The complete set is as follows:

51291/295344;Win32Agent.pz;$70E19D46
65880/295344;Smitfraud-C.ul;$3F3E4ECE
110768/295344;Haxdoor.hm;$31E81190
121359/295344;Win32Agent.frl;$27F1A0FA
264942/295344;ZlobDNSChanger.RTK;$CA1FF945
268743/295344;zlob.rtk;$AE9C4A8E

I have never really looked before, but I'm guessing that the 295344 number changes with each set of updates. If so, it appears that each of us is using the most recent update set. And each of us got stopped at the same first two points. I'll bet that if you kept checking the relevant Malware.sbi items you would have gotten the same results for the remaining four stop points.

I don't think this is happening to everyone or there would be more posts.
I'm using Spybot 1.6.0.30 with last detection update of 9/3/2008 so I think we are both at the same level.

I hope someone with knowledge of Spybot's workings can use this information.

AndTheWolf
2008-09-07, 07:04
I temporarily replaced the Spybot folder in Program Files with one from my last hard drive backup (with detection updates to 8/27 I think). I got stopped at Haxdoor.hm, and I know I ran a complete scan with the backed up version last week, so it is NOT just the detection updates.

honda12
2008-09-07, 11:14
@ e1fletch - Thanks, the aim of ignoring the product causing the problem was to highlight if it was a specific detection problem or a wider problem. I think the latter is the case :sad:

Unfortunately, I can't help any further, I don't have the knowledge of Spybot's 'inner' workings

It would be better for a member of Team Spybot to assist you further

Thanks

e1fletch
2008-09-07, 15:10
AndTheWolf,
Thanks for pointing this out. I thought I would try to ignore the same 5 items and see if I could get Spybot to finish, but I do not have the exact same items under "Malware.sbi". For instance, I have 2 Smitfraud -- Smitfraud-C.Antifirewall and Smitfraud-C.Deskbar -- but not a Smitfraud-C.ul to check to ignore under Malware.sbi. Also, I have a Haxdoor.Ki, but not a Haxdoor.hm in Spybot under Malware.sbi. And no Zlob* entries. Are these under a different tab?? I want to identify if I can "ignore" the exact same items and get it to finish. That might help the Team Spybot folks figure this out.

... awaiting any feedback.

e1fletch

AndTheWolf
2008-09-07, 21:43
My error, e1fletch. I had to kill Spybot and restart it many times during my test, and did not realize that I was using the "All products" tab after my first cycle. (I think because I found "Win32Agent.pz" on my first restart I assumed that "Ignore Products" was opening at the last used tab and did not even notice I was on "All products".) "All products" contains, I think, every entry on the other tabs in collated order, so though it is a much longer list, it is easier to use when looking for a specific entry than trying to work out which specific tab it belongs to. Try looking there. Let me know how it goes.

Unchecking the five items is a temporary workaround, not really satisfactory. I'm hoping someone from the Spybot team can use the information for diagnostics.

Since not everyone has the problem (three people who posted, and an unknown number who have not found the forum), I wonder what we have in common. How often do you run a Spybot scan? I usually run mine weekly. Do you know of any changes to your system between your last successful scan and the scan that froze on Win32Agent.pz?

e1fletch
2008-09-07, 22:41
Hi AndTheWolf, by the way, your list has SIX items (my mistake, not 5). Yes, I am trying to figure out what has caused this. I also run Spybot about 1 time per week. I was running it on 9/5 or 9/6 when this happened.

I was very concerned that I might have gotten a Trojan and I can't afford to lose my desktop system. As I just now look back over the past week, I notice in EventViewer that WinDefend showed a warning on 9/3 that it "took action to protect this machine from spyware or other potentially unwanted software". The EV note did not have much info, so I just went to Defender and looked what could have been quarantined. It is an entry called "RemoteAccess:Win32/RemotelyAnywhere". It says "if you do not trust the publisher consider blocking or removing the software" -- so I'm not sure what it did! I am not sure if this has ANYTHING to do with Spybot hanging, it is just something that has not showed up before.

I will keep looking, but it is a bit distressing that of the SIX items that SPYBOT hangs on on both of our systems, FIVE of them are trojans. Yet my McAfee says I have no threats, SDFix said I had no threats and MalWareBytes (yes I have even run that) says there are no hits. Only an online Kaspersky scan showed something, and it of course did not give me any info on how to remove. I would feel a lot better if SPYBOT would actually RUN, even if it detects nothing.

...still hoping TEAM SPYBOT will help us figure out how to get SPYBOT to work again

e1fletch

spybotsandra
2008-09-08, 13:24
Hello,

It hangs at a NTFile rule, so it seems that the advcheck.dll could not be found.
Probably you have installed the new version 1.6 in a different folder and the registry points to an old folder.

Editing the registry should help.
regedit:
HKEY_CURRENT_USER\Software\Safer Networking Limited\SpybotSnD\

Under path you have to enter the file path for the 1.6 version, which you will get from the desktop link.

Best regards
Sandra
Team Spybot
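
Added example, not part of the thread and not Team Spybot's code: a read-only PowerShell check for the condition described in the post above, comparing the folder stored under the `SpybotSnD` key with the folder the desktop shortcut starts from, and checking whether `advcheck.dll` is present in each. The value name `path` is taken from the post's wording and the shortcut file name is a constructed placeholder; both are assumptions to adjust.

```powershell
# Added example. Assumptions: the value is named "path" (the post's wording)
# and the caller supplies the .lnk file actually used to start Spybot-S&D.
function Test-SpybotInstallPath {
    param(
        [string]$RegKey    = 'HKCU:\Software\Safer Networking Limited\SpybotSnD',
        [string]$ValueName = 'path',
        [Parameter(Mandatory)][string]$ShortcutPath
    )

    # Folder the registry says Spybot-S&D is installed in.
    $regDir = [string](Get-ItemProperty -Path $RegKey -Name $ValueName -ErrorAction Stop).$ValueName

    # Folder the shortcut really launches SpybotSD.exe from.
    $shell  = New-Object -ComObject WScript.Shell
    $target = $shell.CreateShortcut($ShortcutPath).TargetPath
    $lnkDir = [string][System.IO.Path]::GetDirectoryName($target)

    # Ignore trailing backslashes when comparing the two folders.
    $a = $regDir.TrimEnd('\')
    $b = $lnkDir.TrimEnd('\')

    # Path.Combine is used instead of Join-Path because Join-Path throws when
    # the drive does not exist (e.g. a registry value left pointing at a
    # removable or CD-build drive); Test-Path then simply returns False.
    [pscustomobject]@{
        RegistryPath     = $regDir
        ShortcutFolder   = $lnkDir
        PathsMatch       = ($a -ieq $b)
        AdvcheckInRegDir = Test-Path -LiteralPath ([System.IO.Path]::Combine($a, 'advcheck.dll'))
        AdvcheckInLnkDir = Test-Path -LiteralPath ([System.IO.Path]::Combine($b, 'advcheck.dll'))
    }
}

# Constructed shortcut name; replace with the real desktop link.
Test-SpybotInstallPath -ShortcutPath "$env:USERPROFILE\Desktop\Spybot - Search & Destroy.lnk"
```

`PathsMatch` being False together with `AdvcheckInRegDir` being False is the state the post describes; the function changes nothing in the registry.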

AndTheWolf
2008-09-08, 21:07
THANK YOU Spybotsandra!! That was the problem. I'm guessing the registry got rewritten when I was trying to create a UBCD4WIN CD that included the Spybot plugin (When I tried to configure the plugin it tried to update the plugin to 1.6, and failed, but it did rewrite that registry key to "E:\UBCD4Win\plugin\AntiSpyware\Spybot\files\").

e1fletch, I notice you referred to UBCD4WIN earlier in this thread. Perhaps that is the source of your problem too.

e1fletch
2008-09-08, 21:21
... but it was not that I updated Spybot in a new folder -- 1.6 was in the same directory as the previous version: C:\Program Files\Spybot - Search & Destroy\. And advcheck.dll was there.

Last week I was using UBCD4Win (Ultimate Backup CD for Windows) to try and create a bootable cd with the operating system. It uses plugins for other software to run spyware/virus checks if your computer cannot boot from your hard drive. Apparently, in creating such a disk and running it from the cd drive, it went to update Spybot and changed the registry entry regarding the location path. That apparently was the cause. It looks like this was also the problem for some others on this thread.

Thanks again for the help!!!! Spybot is working fine now. It is a great program and you have terrific folks on this forum.

e1fletch

wyrmrider
2008-09-11, 05:05
I was going to suggest a SAFE MODE scan
but under this scenario it would not complete either
I think PepiMK gave the details about moving folders in a post somewhere

The way I remember it the format between 1.3 -1.4 and 1.5-1.6 changed
this is why I recommend a complete uninstall and use of the removal tool
(search for "small fix" or see the stickie on removing Spybot
when upgrading Spybot
upgrading by writing over 1.5 with 1.6 should work but many do not remember all the prior versions they have had

The last two updates have been huge
Spybot has been finding malware missed by other well known apps
good work - but also a good reason to keep updated

(did I get the above anywhere close to right?)

davepjcx
2008-09-17, 23:41
spybotsandra,

I too also experienced the same symptoms as the other poster in this thread. After reading your answer mentioning UBCD4WIN, I checked my registry setting and the path was pointing to C:\UBCD4Win directory. I changed it to match the path from the desktop link and the scan now continues. Thanks for a great solution.

davepjcx