Spybot was changed on install



NaeMo
2006-11-15, 20:01
Okay, I'm calm. I'm out of my league here.

FIRST: WIN2K, Firefox browser

Second: My Avast was altered, so we ran a scan, machine went to BSOD, rebooted, changes took effect. :mad:

I came here, so far upgraded spybot from 1.3 to 1.4. Spybot alerted me that it was changed on the first run. It SAID we were clean, but I don't trust any of the software anymore.

Now USB keyboard is wonky.

Running Housecall right now - it will be a while.

Let me know what you want to see.

NaeMo
2006-11-15, 20:39
Logfile of HijackThis v1.99.1
Scan saved at 1:35:04 PM, on 11/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\administrator\Desktop\HijackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freerepublic.com/focus/f-news/browse
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11b Wireless CardBus & PCI Adapter HW.11 V1.10\WlanCU.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {F631F9FF-F0BC-465F-9D57-205BAA630739} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F631F9FF-F0BC-465F-9D57-205BAA630739} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://gameadvisor.futuremark.com/global/msc311.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

NaeMo
2006-11-15, 21:09
Okay, Trend Micro never finished, it hung up. It did show a greyware item (analogxproxy, IIRC). Tried another scan site, then got the blue screen again. *sigh*

The infected one is my husband's machine, and he's ready to fdisk it. Maybe we ought to.

Sorry if I posted this in the wrong place... :oops: Please forgive, I've been trying to figure this out since yesterday, and it just keeps getting worse.

What a week I'm having! :laugh:

md usa spybot fan
2006-11-15, 21:25
NaeMo:

I'm sorry, but HijackThis logs are not analyzed in the forum. See:
Please do NOT post hjt logs in the Spybot forum, see here for link to malware removal
http://forums.spybot.info/showthread.php?t=1266
But before you post there or this thread is moved to that forum, please bear with me for a minute.

I don't quite understand the gist of your original post. Are you getting a message similar to the following when you attempt to run Spybot?


This application has been changed since it was created.
Since Spybot-S&D does not change itself, we recommend you check your system for malware and viruses instantly!
If so, that message has been caused in the past by failing memory (RAM) and I suggest that you consider running a memory diagnostic program. If your system didn't come with diagnostic routines including a memory test there is one here:
http://www.memtest.org/
If not, could you restate the problem that you are having running Spybot-S&D, including the sequence of events and the exact content of any messages that you are receiving.

On the other hand, if you truly think that malware is the cause of the problem you are having, please read the following instructions for running preliminary scans, producing logs and posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D http://forums.spybot.info/showthread.php?t=288

NaeMo
2006-11-15, 21:33
This application has been changed since it was created.
Since Spybot-S&D does not change itself, we recommend you check your system for malware and viruses instantly!

That is exactly what it said. Thank you. It goes to blue screen often, dumping phys. memory. I'll check the memory.

NaeMo
2006-11-15, 23:24
Totally, utterly, and completely failed the memtest! Is it silly to feel happy about that? LOL

Thanks for pointing me in the right direction, md usa spybot fan.

md usa spybot fan
2006-11-15, 23:48
You're welcome, but now the real diagnosis problem begins. Although it is most likely just a failing memory chip/board, it could be a contact problem with the socket on the motherboard or even a PSU (Power Supply Unit) problem.

Good luck in isolating and fixing the problem.

Best wishes,
md usa spybot fan

upvar
2006-11-26, 12:58
I just want to say 'thanks' for this thread. :wub: I installed and updated SpyBot SD tonight and that message window popped up. Scared me a little thinking that some wretched beast of a virus had commandeered a rescue tool and again robbed me of my right to a clean computer. Once I'd read through the whole thread I was able to relax again. If all the problem is is a simple memory burnout, well, at least that much I can fix on my own. :beerbeerb:

Cheers