Author Topic: "GFI Software Anti MalWare Service has stopped working"  (Read 4697 times)


Offline Sojourner

  • Full Member
  • ***
  • Posts: 30
    • View Profile
"GFI Software Anti MalWare Service has stopped working"
« on: June 15, 2012, 11:15:32 AM »
Only I don't have anything from GFI installed!

Running Vista with all current updates; AVG; AdAware; no firewall.  It's a desktop with 6GB RAM and a terabyte HD.

Recently I installed SeaMonkey (since removed), some games off GoG.com (a paid game provider sort of like Steam, only without the overlord approach), Thunderbird, and possibly one other app (legit) that I can't recall off the top of my head.  Also the update from AVG 2011 to 2012, and I accidentally got the 30-day "free trial" version instead of the "free" version (VERY annoying!).  Also updated AdAware.  I can't think of anything else new I've added to the computer.  I removed all old versions of JAVA and installed the new versions (both 32 and 64 bit as I have apps that need each).  To the best of my knowledge I deselected any leechware that was attached to anything I installed.  (I define leechware to include anything packaged with legit software that isn't actually part of that software - stuff like versions of virus scanners like McAfee, all those toolbar thingies, stuff that wants to change your default search engine - even if it comes from a legit source, if it's not part of what I'm installing it's leechware.)

There was some kind of registry checking software that ended up on my desktop, I only noticed it when I accidentally clicked on it and opened it and it started running.  That did say GFI on it but I cancelled it as soon as it started running and immediately went to the Add/Remove programs thing (whatever they call it under Vista) and uninstalled it.  However I continue to get these "GFI failed" messages.

There's nothing in the processes list of the task manager labeled GFI.  I was getting these failure messages before uninstalling the registry checker labeled GFI but only rarely and it was not affecting the actual operation of the PC.  Now the system boots noticeably more slowly, things hang, I can't keep an internet connection for more than a few minutes (when checked with the Windows repair utility it tells me there's nothing wrong yet I can't get out on it).  After about 5 or 10 minutes, I get the GFI FAILED notification, the internet is fried at that point, but as long as I stay off the internet things seem to be OK.  Dropbox still seems to work; but my MOG app (internet Radio) fails, Spotify (another internet radio) seems to work at least for awhile, and if it was started before the crash, uTorrent can download a file (I have not been downloading torrents nor have I opened a file downloaded in this way but I did run that just to check since Dropbox seems unaffected).  Both Chrome and Firefox seem to be blocked however.  (I have Ghostery, BetterPrivacy, and Adaware installed).

At first I assumed GFI had come as leechware with one of my recent legit software installations but looking around their website I didn't see any signs of a stand-alone registry checker, and their only "free trial" version is a business version - not the kind of thing I would expect to be leeched to any home software.  Plus if it were legit, uninstalling should have taken care of the problem.  Instead it seems to have made it much, much worse.

I did a full scan of all files with both AdAware and AVG - AdAware found a few tracking things, AVG found 8 more.  All have been removed.  I set AVG to do a rootkit scan but I don't remember how to trigger the scan on boot.  Both AdAware and AVG are showing the system clean at this point.

The last time I had malware that nobody else had heard of, folks here knew what it was and how to get rid of it.  I'm hoping somebody here will have some helpful ideas this time too.

Thanks.


EDIT:  I remember the other app I installed - DROPBOX!

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #1 on: June 15, 2012, 12:55:11 PM »
Further information: I have contacted GFI software and the person with whom I spoke states that this is not a GFI product, that none of their evaluation software is being leeched to their knowledge, and that none of their software performs any registry checking whatsoever.

So it's looking like it's malware masquerading as a GFI product.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 15979
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #2 on: June 15, 2012, 01:39:09 PM »
Hi, Sojourner.

Thank you for the excellent description of the problem.  In order to determine if we are able to assist, please provide the requested logs as indicated in the Log Posting Instructions topic.

Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #3 on: June 15, 2012, 05:19:36 PM »

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #4 on: June 15, 2012, 05:20:10 PM »

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #5 on: June 15, 2012, 05:20:48 PM »
And finally here is CHECKUP.TXT

 Results of screen317's Security Check version 0.99.41
 Windows Vista Service Pack 2 x64 (UAC is disabled!)
 Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!
 Lavasoft Ad-Aware
 AVG Anti-Virus Free Edition 2012
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Ad-Aware
 Java(TM) 7 Update 4
 Adobe Flash Player 10 Flash Player out of date!
 Adobe Reader X (10.1.3)
 Mozilla Firefox 11.0 Firefox out of Date!
 Mozilla Thunderbird (13.0.)
 Google Chrome 12.0.742.100
 Google Chrome 12.0.742.91
````````Process Check: objlist.exe by Laurent````````
 Ad-Aware AAWService.exe is disabled!
 Ad-Aware AAWTray.exe is disabled!
 AVG avgwdsvc.exe
 AVG avgtray.exe
 Utilities Ad-Aware Antivirus AdAwareService.exe
 Utilities Ad-Aware Antivirus SBAMSvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

Offline Corrine

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #6 on: June 15, 2012, 06:02:14 PM »
Hi, Sojourner.

There is a CounterSpy driver installed on your computer.  I am wondering if it came with the Java update as I understand that the Java installer now provides a check-box for "Optional 3rd-Party Installations" --- without specifying (on that screen) what they are.  Previously, the installer would specify what was being offered, e.g., Google Toolbar.  As atieclxx.exe has been associated with malicious software, it is also possible that a rogue is using a legitimate driver.

That aside, you need to uninstall Ad-Aware since it is also an anti-virus software now.   

I would be negligent if I didn't warn you about uTorrent.   P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.

Please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.



Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #7 on: June 15, 2012, 07:52:38 PM »
uTorrent is rarely used and then only to download compressed text files - which are nonetheless aggressively scanned before being unpacked.  Except for being fired up to see if it could still get out even when the browsers are blocked, it hadn't been run at all in months.  It shares NO files and never has.

I don't use it to pirate software (there's plenty of open source stuff) or to pirate movies or songs (that's what Netflix and MOG are for, not to pirate, but to let me access music and videos).  I strongly doubt I picked this virus up from the GK Chesterton collection I downloaded from a torrent 9 months ago (at which time it was triple-scanned before it was ever even unpacked, then scanned again after unpacking).

At any rate - given AdAware has changed and since it also apparently silently installed leechware, it's been uninstalled.  I guess I'll have to hunt up some other anti malware program that won't interfere with AVG.

Be back shortly with the latest results, thanks.

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #8 on: June 15, 2012, 09:39:24 PM »

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #9 on: June 15, 2012, 10:34:40 PM »
You said: "There is a CounterSpy driver installed on your computer. "

Well that explains where the GFI errors were coming from!  That's a defunct GFI product that was discontinued in May of 2011.

I still have no idea where it came from.

Offline Corrine

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #10 on: June 15, 2012, 11:10:45 PM »
Hi, Sojourner.

Regarding WinZip Registry Optimizer, Windows is a closed source system. Developers of registry cleaners do not have the core code of Windows and are not working on definitive information, but rather they are going on past knowledge and experience. Automatic cleaners will usually have to do some guesswork.

Modifying registry keys incorrectly can cause Windows instability, or make Windows unbootable. No registry cleaner is completely safe and the potential is ever present to cause more problems than they claim to fix.

Registry cleaners cannot distinguish between good and bad. If you run a registry cleaner, it will delete all those keys which are obsolete and sitting idle; but in reality, those keys may well be needed by some programs or Windows at a later time.

If you run a registry cleaner and do not know precisely what you are doing, you will have problems down the road. There are no gains to be had from using a registry cleaner and the risk is great.

From Microsoft at Increase PC speed: Optimize your computer, help your PC run faster:

Quote
Note: This article does not address or recommend tinkering with the registry files. Such activities can be detrimental to your computer and should only be attempted by properly trained professionals.

Also see Are registry cleaners necessary?

Should you at any time tinker with the registry, first create a backup.  See Back up the registry



Is "Singing Bowls" part of the GK Chesterton collection?  I note what appears to be registry issues there, which we'll take a look at with the next ComboFix run.  We'll also take care of the left-over GFI software.

There was a previous log with deletions.  Please post a copy of C:\ComboFix-quarantined-files.txt  2012-06-15 22:29 so I can see what ComboFix removed.



Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #11 on: June 16, 2012, 12:10:11 AM »

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #12 on: June 16, 2012, 12:16:15 AM »
BTW, the "GK Chesterton collection" is a bunch of mobi files originally sourced from Project Gutenberg - etext of 100 year old books, basically.

Offline Sojourner

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #13 on: June 16, 2012, 01:08:35 AM »
BTW it occurs to me to wonder - about that "Singing Bowls" file or directory or whatever - the MOG desktop application may be responsible for that.  It's flash, and it may be leveraging one of the browsers to run.  I'm trying to find out - have e-mailed MOG trying to find out just exactly what that thing is, since the only thing I can find is a 286 byte file called MOG with no extension.  At any rate, I have a playlist on MOG called "Singing Bowls" which I frequently access - perhaps whatever you are seeing is an artifact of MOG...

Offline Corrine

Re: "GFI Software Anti MalWare Service has stopped working"
« Reply #14 on: June 16, 2012, 10:52:39 PM »
Hi, Sojourner. 

Since you don't use registry cleaners, it appears that "WinZip Registry Optimizer" was another uninvited install with something you did on June 14:  2012-06-14 05:23 . 2012-06-14 13:27   --------   d-----w-   c:\program files (x86)\WinZip Registry Optimizer.  We'll take care of that and the GFI left-overs.

As long as "Singing Bowls" is working correctly, I'm going to leave that entry alone.  As you indicated it is related to MOG, the unicode in the log may be due to that.

Custom CFScript

Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


  • Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK).  Copy/Paste all of the text present inside the code box below:
File::
C:\Windows\system32\DRIVERS\SBFWIM.sys
C:\Windows\system32\drivers\sbhips.sys
C:\Windows\system32\DRIVERS\sbwtis.sys

Driver::
SBFWIM.sys
sbhips.sys
sbwtis.sys

Folder::
c:\program files (x86)\WinZip Registry Optimizer
c:\programdata\GFI Software
  • Save this as CFScript.txt and place it on your desktop.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.




  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



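A small parser and sanity checker for the CFScript format used in the post above, added here as an example; it is not code from the thread or from ComboFix's author. The grammar it assumes (a `Name::` header, one entry per line, a blank line closing the section) and the checks it applies (every Driver:: name should have its .sys listed under File::, every path should be absolute) are inferred from this thread's script, not from ComboFix documentation.

```python
# Added example: parse a ComboFix CFScript and check it before it is used.
import ntpath
import re
from collections import OrderedDict

# Constructed copy of the CFScript posted above (used as sample input).
CFSCRIPT = """File::
C:\\Windows\\system32\\DRIVERS\\SBFWIM.sys
C:\\Windows\\system32\\drivers\\sbhips.sys
C:\\Windows\\system32\\DRIVERS\\sbwtis.sys

Driver::
SBFWIM.sys
sbhips.sys
sbwtis.sys

Folder::
c:\\program files (x86)\\WinZip Registry Optimizer
c:\\programdata\\GFI Software
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")  # e.g. "File::"

def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entries."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line closes the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry outside any section: %r" % line)
        sections[current].append(line)
    return sections

def check_cfscript(sections):
    """Return a list of findings (an empty list means the script looks sane)."""
    findings = []
    files = {ntpath.basename(p).lower() for p in sections.get("File", [])}
    for drv in sections.get("Driver", []):
        # Driver:: unregisters the service; the .sys should also be under File::
        if drv.lower() not in files:
            findings.append("driver %s has no matching File:: entry" % drv)
    for p in sections.get("File", []) + sections.get("Folder", []):
        if not re.match(r"^[A-Za-z]:\\", p):
            findings.append("path is not absolute: %s" % p)
    return findings
```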