Spybot Background Update Service SDFSSvc.exe causes Antivirus Action



simionov
2014-10-15, 22:09
Hello,
today out of the blue my Antivirus (Avast) had to block several attempts from the SDFSSvc.exe Spybot Background Update process to access (apparently) malicious webpages. I'm a bit confused about how this is possible? Could it be a virus/trojan on my computer that masks itself as a different process?
However, after I removed Spybot the attempts and warnings stopped?
Here are the related logs from avast:
15.10.2014 21:36:52 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:52 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:52 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:53 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:53 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:54 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:55 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:55 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:55 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:56 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:57 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:57 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:58 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:58 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:59 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:36:59 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:37:00 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:37:01 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:37:01 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:37:02 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:00 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:00 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:02 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:03 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:04 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:05 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:06 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:09 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:35 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:36 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:39 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:40 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]
15.10.2014 21:48:43 Network Shield: blocked access to malicious site http://joxidpzd.pornowater.com/snbwgzpw.php?002219D64A44 ([193.105.134.197]:80) [ C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe ( 9500 ) ]

I would be grateful if anyone could tell me what is going on there?
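
A triage sketch for a log like the one in the post above, as an added example that is not part of the original thread: it parses Avast Network Shield "blocked access" lines and collapses them by process image, PID, URL and IP, splitting each group into bursts. The sample lines are constructed in the post's format with a placeholder host and IP, and the 5-minute burst gap is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log format from the post; host and IP are placeholders.
IMG = r"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe"
SAMPLE = "\n".join(
    f"15.10.2014 {t} Network Shield: blocked access to malicious site "
    f"http://blocked.example/a.php?0001 ([192.0.2.10]:80) [ {IMG} ( 9500 ) ]"
    for t in ("21:36:52", "21:36:52", "21:36:53", "21:48:00", "21:48:02")
) + "\nsome unrelated line that the parser must skip"

LINE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
    r"blocked access to malicious site (?P<url>\S+) "
    r"\(\[(?P<ip>[^\]]+)\]:(?P<port>\d+)\) "
    r"\[ (?P<image>.+?) \( (?P<pid>\d+) \) \]$")

def parse(text):
    """Return one dict per matching log line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d.%m.%Y %H:%M:%S")
            events.append(e)
    return events

def summarize(events, gap=timedelta(minutes=5)):
    """Group by (image, pid, url, ip); a pause longer than `gap` starts a new burst."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["image"], int(e["pid"]), e["url"], e["ip"])].append(e["ts"])
    out = []
    for (image, pid, url, ip), stamps in groups.items():
        stamps.sort()
        bursts = [[stamps[0], stamps[0], 1]]          # [first, last, count]
        for t in stamps[1:]:
            if t - bursts[-1][1] > gap:
                bursts.append([t, t, 1])
            else:
                bursts[-1][1], bursts[-1][2] = t, bursts[-1][2] + 1
        out.append({"image": image, "pid": pid, "url": url, "ip": ip,
                    "count": len(stamps), "bursts": [tuple(b) for b in bursts]})
    return out

if __name__ == "__main__":
    for s in summarize(parse(SAMPLE)):
        print(s["pid"], s["image"], s["url"], s["count"], len(s["bursts"]), "bursts")
```

A single image path and PID across every event means one running process issued all the requests; the file at that path is then the thing to check against the vendor's signed binary.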

simionov
2014-10-15, 22:27
Small mistake: I actually mean the Spybot Scanner Service, which is SDFSSvc.exe, not the Update Service.

Zenobia
2014-10-17, 22:24
Hi, there. :)

There was a similar post about SDFSSvc.exe here:
http://forums.spybot.info/showthread.php?69728-SDFSSvc-exe-Gone-Rogue
And possibilities of what might be happening listed here:
http://forums.spybot.info/showthread.php?69728-SDFSSvc-exe-Gone-Rogue&p=447427&viewfull=1#post447427

I'm not sure of the solution, so I'll link you to the Spybot support forms:
http://www.safer-networking.org/support/