
Issue with SpyShelter Premium, Zemana AntiLogger, and other security software



Salut Meinard!

This morning I started deleting Malwarebytes' Anti-Malware 1.51.2.1300 with that mbam-clean.exe (66 KB). Unfortunately, that tool produced an error: "Malwarebytes' Anti-Malware - Das System kann den angegebenen Pfad nicht finden - The system cannot find the path specified". Strange, this. The tool asked me to shut down the computer, and I did so. But it did not shut down completely; in the end I had to push the CLOSE button on my machine.

As the behaviour of mbam-clean.exe (66 KB) did not reassure me that much, I cleaned up with:

- CCEnhancer 2.4 & CCleaner 3.12.1572 five times: Windows (3x), Applications (1x), Registry (1x)

- TuneUp Utilities 2007 one time: RegistryCleaner

- Auslogics BoostSpeed portable 5.1.1.0 twice: Disk cleaner, Registry cleaner

- Ashampoo WinOptimizer 8.13 three times: Drive cleaner, Registry optimizer, Internet cleaner

They still found traces of Malwarebytes' Anti-Malware 1.51.2.1300 and deleted them.

As you wanted a MEMORY.DMP of Malwarebytes' Anti-Malware 1.60.0.1800 with SpyShelter 5.40 premium and Zemana AntiLogger 1.9.2.819, I first installed Zemana AntiLogger 1.9.2.819, as it was not installed on the machine.

I looked under System > Advanced > Startup and Recovery > Settings and saw "Kleines Speicherabbild (64 KB) - Small memory dump (64 KB)". The installation of Zemana AntiLogger 1.9.2.819 must have changed this! So I changed it back to "Vollständiges Speicherabbild [ ] Vorhandene Dateien überschreiben - Complete memory dump [ ] Overwrite any existing file".

The question in the Control Panel option "System" - "If the pagefile on drive C: has an initial size of less than 2037 MB, the system may not be able to save debugging information if a STOP error occurs. Do you want to continue anyway?" - I answered with Yes.

I restarted Windows XP SP3 and got a blue screen (BSOD), and got Mini011712-01.dmp (88 KB).

I restarted Windows XP SP3 again, and there was nothing of this.

I restarted Windows XP SP3 and got a blue screen (BSOD), and got Mini011712-02.dmp (88 KB).

I restarted Windows XP SP3 and got a blue screen (BSOD).

I restarted Windows XP SP3 again, and there was nothing of this.

I restarted Windows XP SP3 and got a blue screen (BSOD), and got Mini011712-03.dmp (64 KB).

I restarted Windows XP SP3 and got a blue screen (BSOD).

And suddenly I saw on drive C: a MEMORY-01.DMP (2086128 KB) - but it is dated 2012-01-12 04:12! I'm pretty sure this MEMORY-01.DMP (2086128 KB) is from today and not from 2012-01-12 04:12, as I do not trust Windows that much, and I have a good reason for believing this:

In the past, when making backups with Acronis True Image Home 2009 12.0.9769.15, the file size of those backups grew with the number of Windows System Restore points saved on drive C:. When there was not enough space any more, all of the restore points were deleted automatically, except the last two. By this the size of C: went down by around 2 GB, and so did the size of an Acronis True Image Home 2009 12.0.9769.15 backup.

This means: if a new MEMORY.DMP had come in, the file size of a new Acronis True Image Home 2009 12.0.9769.15 backup would have grown.

But the size of the Acronis True Image Home 2009 12.0.9769.15 backups did not grow considerably since 2012-01-11. So the MEMORY.DMP must have been made today, 2012-01-17, right?

The last Acronis True Image Home 2009 12.0.9769.15 backup, 1600_XPA_C_2012-01-17_03.12_b.tib, made last night, has a file size of 9238319 KB.

I cut and pasted all dmp files from C: to D: to get an idea of the size of a new Acronis True Image Home 2009 12.0.9769.15 backup (without MEMORY.DMP).

This new Acronis True Image Home 2009 12.0.9769.15 backup, 1600_XPA_C_2012-01-17_12.02_b.tib, is currently running, including SpyShelter 5.40 premium and Zemana AntiLogger 1.9.2.819 - but no Malwarebytes' Anti-Malware at all.

I'm not sure which one of SpyShelter 5.40 premium and Zemana AntiLogger 1.9.2.819 is creating those blue screens (BSOD) and Mini...dmp files, and I would like to delete one of them, rather Zemana AntiLogger 1.9.2.819, because I did not get blue screens and Mini...dmp files with Malwarebytes' Anti-Malware 1.51.2.1300 and SpyShelter 5.40 premium.

Let's say: I will already upload the files to my server while waiting for the Acronis True Image Home 2009 12.0.9769.15 backup 1600_XPA_C_2012-01-17_12.02_b.tib to finish, and if there is no answer from you when that backup has finished, I will install Malwarebytes' Anti-Malware 1.60.0.1800.

The Acronis True Image Home 2009 12.0.9769.15 backup 1600_XPA_C_2012-01-17_12.02_b.tib has a size of 9 262 053 KB, so the MEMORY.DMP must have been made today, 2012-01-17, right?

Please drop me a line before installing.


Salut Meinard,

Today I stayed and worked in Windows XP with SpyShelter 5.40 premium and Zemana AntiLogger 1.9.2.819, without any Malwarebytes' Anti-Malware, for more than 12 hours without any blue screen (BSOD) or dmp file.

This evening I installed Malwarebytes' Anti-Malware 1.60.0.1800.

Once installed, the program froze; I couldn't use the tabs.

I wanted to shut Windows XP down, but this didn't work, so I had to hit the CLOSE button.

I restarted Windows XP three times, but it didn't load all programs and froze, so I had to hit the CLOSE button again, as Windows XP wouldn't shut down the normal way.

After rebooting, this time a blue screen (BSOD) came up. I had to hit the CLOSE button, went into Safe Mode, and cut/pasted the new MEMORY-02.DMP (= MEMORY-02.zip) and Mini011712-04.dmp from C: to D:.

You will find them on my server, as well as the BSOD screenshot 201201171141.jpg.

Using an Acronis True Image Home 2009 12.0.9769.15 backup, I went back to Malwarebytes' Anti-Malware 1.51.2.1300 with SpyShelter 5.40 premium - and all works fine again.

Best regards


Hello YvesStrassburg,

I appreciate the full memory dump.

Why are you using Acronis True Image Home 2009? Acronis True Image Home is at 2012. Any reason for not upgrading to their latest version?

Thank you.


Hello Meinard,

If you appreciate the full memory dump, you should download it tonight, and now - it's 00:21:56 AM here right now. Especially for this case I am letting my laptop run the whole night.

Indeed, there is a special reason why I'm using Acronis True Image Home 2009. I like Acronis True Image Home 2008 very much as well, as both versions can run in the background with low priority and highest compression, and you can work without being disturbed. When there is no activity on the computer, Acronis True Image Home 2009 and 2008 immediately take more CPU resources, and the backup file is finished more quickly. This is extremely comfortable. Normally I make my daily backup file at night when I'm in bed, but it happens that I have to make one during the day while I'm working.

I have Acronis True Image Home 2006, 2007, 2010, 2011 and 2012 as well. 2006 seems somewhat outdated, and the 2010, 2011 and 2012 versions no longer have the nice behaviour I was speaking of above.

If you are using Internet Explorer for the dmp download, you cannot click on the filename on my server website: you must copy and paste the URL into the browser's address field. Then it works in Internet Explorer as well.

Ah, I see now, it's loading at 50 KB/s, and you are downloading MEMORY-01.zip: this is the *.dmp file with SpyShelter and Zemana, but without Malwarebytes. It says ~ "2h30m" download time.

MEMORY-02.zip contains SpyShelter, Zemana and Malwarebytes, as I described above.

Best regards


> Hello Meinard,
>
> ....
>
> Ah, I see now, it's loading at 50 KB/s, and you are downloading MEMORY-01.zip: this is the *.dmp file with SpyShelter and Zemana, but without Malwarebytes. It says ~ "2h30m" download time.
>
> MEMORY-02.zip contains SpyShelter, Zemana and Malwarebytes, as I described above.
>
> Best regards

Why didn't you download MEMORY-02.zip as well?


The problem with Zemana AntiLogger is solved: in only two weeks Zemana created the new version 1.9.2.938, which now works fine with SpyShelter 5.40 premium and Malwarebytes' Anti-Malware 1.51.2.1300.

The new version is announced at http://zemana.com/whatsnew.aspx and can be downloaded from http://dyn.zemana.co...r_1.9.2.938.exe .

Zemana appreciates the patience and understanding in this matter; as a token of their appreciation for the patience, I got an activation key which can be used for 2 years, free of charge.

That's nice :).

For the moment, I use Malwarebytes' Anti-Malware 1.51.2.1300 with the following settings, as it still has problems with SpyShelter 5.40 premium:


2 weeks later...

11 months later...

Well, all the problems described above came back with the versions that followed the one I have installed here now, Malwarebytes' Anti-Malware Pro 1.62.0.1300, so I could not update it. I would not restart the old procedure once again.

But the reason I'm writing here is a very strange behaviour of Malwarebytes' Anti-Malware 1.62.0.1300.

As I was not interested in keeping the Microsoft Windows XP feature "Search", I introduced a new entry in the registry:

Removing the 'Search' entry

http://www.winfaq.de/faq_html/Content/tip1000/onlinefaq.php?h=tip1367.htm

With this value you can specify that the "Search" entry is removed from the Start menu and from the Start menu's context menu. It is also disabled for the keyboard shortcut "Windows key + F" and for F3.

Start the Registry Editor and change the registry entries as described.

Run REGEDIT.EXE (all operating systems) or REGEDT32.EXE (Windows NT/2000 only).

If the path to the key does not exist, you must add the necessary keys yourself. Right-click the last existing key (in the tree on the left), choose "New" -> "Key" from the context menu and create the missing keys with the given names.

Under:

[for the user]

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

> [for the system (all users)]

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Create a new value named "NoFind" of type REG_DWORD. Set the value to:

1 - entry is not shown

deleted - entry is shown (default)

> You need to restart Windows XP, and the 'Search' entry is gone.

Indeed, the 'Search' entry no longer shows after this procedure. All worked fine; I made several checks over several months.

Until now.

Today Malwarebytes' Anti-Malware 1.62.0.1300 tells me that there is a bad "PUM.Hijack.Find". Please look at mbam-log-2013-01-06 (22-59-18).txt:

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2013.01.06.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
yves :: BESITZER-30983A [Administrator]

Protection: Enabled

2013-01-06 19:09:08
mbam-log-2013-01-06 (22-59-18).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 355883
Time elapsed: 3 hour(s), 23 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFind (PUM.Hijack.Find) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

This means the entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFind is infected and bad? I don't believe this.

Where is the problem?


Staff

It means that you have changed it from the default XP setting. Malware often does this and we have no way to tell if malware did it or you did it on purpose. PUM means potentially unwanted modification. If it's a modification you want, then you can simply add it to the ignore list and it will no longer be detected.

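The staff reply above makes the practical point: the scanner can only see that a policy value deviates from the XP default, so the record of which deviations were made on purpose has to come from the operator. The script below is an added example (not Malwarebytes' code and not from the poster) that turns that record into a triage step: it parses the detection lines of a Malwarebytes' Anti-Malware 1.x log, keeps the PUM.* hits, and compares each registry key/value and its reported "Bad" data against an allowlist of documented, intentional changes. MBAM_LOG is a constructed sample rebuilt from the log in the post (labels in English), with one extra hypothetical detection, DisableRegistryTools under Policies\System, added so that the "nobody claimed this" outcome also appears; INTENDED is a hypothetical allowlist containing the NoFind change from the winfaq instructions. Nothing here touches the registry; it only reads the log text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the log quoted in the post, rendered in English, plus one
# made-up detection (DisableRegistryTools) that is NOT in the allowlist below.
MBAM_LOG = """\
Malwarebytes Anti-Malware (PRO) 1.62.0.1300
Database version: v2013.01.06.03
Windows XP Service Pack 3 x86 NTFS
Scan type: Full scan (C:\\|)
Registry Values Detected: 1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
Registry Data Items Detected: 1
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoFind (PUM.Hijack.Find) -> Bad: (1) Good: (0) -> No action taken.
Folders Detected: 0
(No malicious items detected)
(end)
"""

# Hypothetical allowlist kept by the administrator:
# (registry key, value name) -> the data that was deliberately set there.
INTENDED: Dict[Tuple[str, str], str] = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoFind"): "1",
}

_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
          "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

# One detection line: <key>|<value> (<signature>) [-> Bad: (..) Good: (..)] -> <action>
DETECTION = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^|]+)\|(?P<value>\S+) \((?P<sig>[^)]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$")


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    signature: str
    observed: Optional[str]   # the "Bad: (...)" data, when the log reports it
    verdict: str              # "intended", "tampered" or "review"


def normalize_key(key: str) -> str:
    """Expand the short hive name and case-fold, so that HKLM\\... and
    HKEY_LOCAL_MACHINE\\... compare equal (registry paths are case-insensitive)."""
    hive, _, rest = key.partition("\\")
    return (_HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()


def triage(log_text: str, intended: Dict[Tuple[str, str], str]) -> List[Finding]:
    """Classify every PUM.* detection in an MBAM 1.x log against the allowlist."""
    allow = {(normalize_key(k), v.lower()): data for (k, v), data in intended.items()}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m or not m["sig"].startswith("PUM."):
            continue  # only potentially unwanted modifications are triaged here
        ident = (normalize_key(m["key"]), m["value"].lower())
        observed = m["bad"]
        if ident not in allow:
            verdict = "review"     # nobody documented this change: investigate it
        elif observed is None or observed == allow[ident]:
            verdict = "intended"   # matches the documented change: safe to ignore-list
        else:
            verdict = "tampered"   # a value we do set, but not with the data we chose
        findings.append(Finding(m["key"], m["value"], m["sig"], observed, verdict))
    return findings


if __name__ == "__main__":
    for f in triage(MBAM_LOG, INTENDED):
        print(f"{f.verdict:9} {f.signature:22} {f.key}|{f.value} = {f.observed}")
```

The "tampered" verdict is the case worth keeping separate from "intended": a policy value you do own, but carrying different data than you wrote, is exactly what an ignore-list entry would otherwise hide, so only detections that match the documented data should be ignore-listed.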