
Thread: AVG and Spybot hang while scanning

  1. #1
    Junior Member (Join Date: Aug 2006; Location: Auckland, NZ; Posts: 3)

    AVG and Spybot hang while scanning

    Hi guys,

    I'd appreciate your advice with this problem. I've started to notice erratic behaviour on my PC over the last week - Mozilla Thunderbird locks up when sending mail, other apps don't run at all. Both Spybot and AVG (Free version) get stuck at certain points while scanning my disks, and I can't access the System32 folder either. :(

    I have attached online virus scan and HJT logs below. Hope they are formatted OK...

    ============================================
    Here is the result from Panda:

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@112.2o7[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@247realmedia[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@2o7[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ad.yieldmanager[1].txt
    Spyware:Cookie/BannerBank Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ad10.bannerbank[1].txt
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ads.addynamix[1].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@adtech[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@apmebf[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as-eu.falkag[2].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as-us.falkag[2].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as1.falkag[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@atwola[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@belnk[1].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bluestreak[2].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bravenet[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bs.serving-sys[2].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@burstnet[2].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@c5.zedo[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@casalemedia[1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[1].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[6].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[7].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@com[2].txt
    Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cs.sexcounter[2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@dist.belnk[2].txt
    Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@fortunecity[1].txt
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@hotlog[1].txt
    Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@landing.domainsponsor[1].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@maxserving[1].txt
    Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@paycounter[1].txt
    Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@qksrv[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@questionmarket[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@realmedia[2].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@revenue[2].txt
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@server.iad.liveperson[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@serving-sys[1].txt
    Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@spylog[2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@statcounter[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@terra.com[1].txt
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@tradedoubler[2].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@trafficmp[1].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@tribalfusion[1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@xiti[1].txt
    Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@xxxcounter[1].txt
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@yadro[2].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@z1.adserver[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@zedo[2].txt
    Virus:Trj/Ruins.MB Disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc11\xxx[1].jpg
    Virus:Trj/Ruins.MB Disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc2.exe
    Adware:Adware/SBSoft Not disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc3.dll
    Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\csnqu.exe
    Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\dmuoh.exe
    Adware:Adware/QuickWeb Not disinfected C:\WINDOWS\system32\{EEF25E47-BC4A-4F84-B50B-970A3B4B853E}.exe

    ===================================================

    And here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:31:38 p.m., on 29/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Dynalink\Adsl\dslagent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4926A78F-93C7-4620-AB97-752428F8DE0A}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6128C2BC-BEB6-4994-AA19-2B48CBC32B0D}: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95AF4DC6-75F8-4A82-88C8-F309BFFD1C4B}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AD4C4FC8-534A-4320-BFEA-7D88366E5E9C}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    I hope that someone can make sense of all that - I don't really know where to start with it!

    Many thanks,
    Josh

  2. #2
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,538)

    G'day and welcome to the forum. If you still need help, let's start like this:

    1) Turn off TeaTimer, it will block changes we must make:
    http://russelltexas.com/malware/teatimer.htm

    Thanks to LonnyRJones, Swandog46, AutoDad and anyone else who helped with this fix.

    2) You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

    (please save those logs until we finish)

    Now let's check some settings on your system.
    (2000/XP only)
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says "Obtain DNS servers automatically".
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.
    Next, go to Start > Run, type cmd and hit OK.
    Type
    ipconfig /flushdns
    then hit Enter; type exit and hit Enter.
    (that space between g and / is needed)


    Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4926A78F-93C7-4620-AB97-752428F8DE0A}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6128C2BC-BEB6-4994-AA19-2B48CBC32B0D}: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{95AF4DC6-75F8-4A82-88C8-F309BFFD1C4B}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AD4C4FC8-534A-4320-BFEA-7D88366E5E9C}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CS1\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
    O17 - HKLM\System\CS2\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart the computer and post a new HJT log along with any comments you think will help.

    Cheers Mate

    Your Java program needs updating, see this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\jre1.5.0_06\ <<< out of date
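    As an added illustration (not code from this thread, from HijackThis or from Fixwareout), the following Python check applies the two things the instructions above single out: O17 NameServer entries pointing at resolvers the machine should not be using, and an extra executable in the system.ini Shell= line. The sample log lines are constructed from the entries quoted in this thread; the allow-listed LAN resolver 192.168.1.1 is an assumption, not something from the log.

```python
import ipaddress
import re

# Constructed sample (not a real log): HijackThis lines of the kinds seen in this
# thread, plus one O17 line pointing at an assumed LAN resolver (192.168.1.1)
# so the allow-list check has a benign case to pass.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Assumption: the resolvers this machine is *supposed* to use (ISP or LAN DNS).
EXPECTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")


def parse_o17(line):
    """Return (registry key, [nameserver IPs]) for an O17 line, else None.
    HJT prints the list comma- or space-separated, so split on either."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # ignore anything that is not an IP literal
    return m.group("key"), servers


def parse_f2_shell(line):
    """Return executables listed in the system.ini Shell= value beyond
    Explorer.exe; anything else there is loaded at every logon."""
    m = F2_SHELL_RE.match(line.strip())
    if not m:
        return None
    entries = [e.strip() for e in m.group("shell").split(",") if e.strip()]
    return [e for e in entries if e.lower() != "explorer.exe"]


def audit_hjt(text, expected_dns=EXPECTED_DNS):
    """Flag O17 resolvers outside the allow-list and extra Shell= entries."""
    findings = {"rogue_dns": [], "shell_extras": []}
    for line in text.splitlines():
        o17 = parse_o17(line)
        if o17:
            key, servers = o17
            for ip in servers:
                if ip not in expected_dns:
                    findings["rogue_dns"].append((key, ip))
            continue
        extras = parse_f2_shell(line)
        if extras:
            findings["shell_extras"].extend(extras)
    return findings


if __name__ == "__main__":
    result = audit_hjt(SAMPLE_HJT_LOG)
    for key, ip in result["rogue_dns"]:
        print(f"unexpected resolver {ip} in {key}")
    for exe in result["shell_extras"]:
        print(f"extra Shell= entry: {exe}")
```

    Every O17 line (the CCS, CS1 and CS2 control sets and each interface GUID) should point at the same expected resolvers; any line that does not is what the "Obtain DNS servers automatically" step and the HJT "Fix checked" step are there to clear.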

  3. #3
    Junior Member (Join Date: Aug 2006; Location: Auckland, NZ; Posts: 3)

    Hi pskelley, thanks heaps for taking the time to help me with those suggestions.

    I followed all your steps, and I've copied the two log files below. You didn't specifically mention it, but I also re-enabled the TeaTimer and SDHelper programs a couple of minutes ago (after running the final HJT scan) - and as soon as I did this, I got a few (three or four) pop-ups telling me about an attempt to change some values, it looked like something to do with my browser or home page? I denied everything, just in case.... Is this a problem?

    OK, here are the reports:
    ===================================================

    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    Searching by size/names...


    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32
    {EEF25E47-BC4A-4F84-B50B-970A3B4B853E}.exe

    Misc files.

    Checking for older varients covered by the Rem3 tool.


    ==================================================
    ... and from HJT:
    ==================================================
    Logfile of HijackThis v1.99.1
    Scan saved at 8:01:20 p.m., on 31/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTSvcCDA.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dynalink\Adsl\dslagent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\HijackThis\HijackThis.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    ===================================================

    For what it's worth, I haven't noticed any of the erratic behaviour that was plaguing me before .... is it too early to hope that I am clean?!

    Thanks,
    Josh

  4. #4
    pskelley, In Memoriam - Always in our heart (Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,538)

    Yep Josh... I usually say turn off TeaTimer until you are done. You did the right thing, and TT is doing the right thing when it blocks attempts to place stuff on your computer without your knowledge. You should check to make sure it is not a valid program asking to do something; if it is not, block it. I should point out that you can set the program to block stuff quietly without bothering you if you wish. The only bad thing is that if something valid tries to update, it could get blocked. I personally run Spybot but do not use TT, preferring SpywareGuard instead.

    Your HJT log is clean of malware. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    Let's run the computer for 24 hours, then post to let me know there are no problems, I'll ask tashi to close the topic at that point.

    Thanks...Phil

  5. #5
    Junior Member (Join Date: Aug 2006; Location: Auckland, NZ; Posts: 3)



    It looks like your remedies worked Phil! I've since updated myself with further layers of protection, as suggested by the helpful links you provided. I've also figured out that I was waaaay behind with using the "Immunise" function in Spybot - I don't think I had ever used it before and there were thousands of things I wasn't protected against... whoops... even the greatest software is of limited use in the hands of an idiot! :blush:

    Thanks again for your advice - it's fantastic to know that there are folks like you and all the others on this forum, who go out of their way to help the needy and don't even get paid for it! You are all stars!

    All the best,
    Josh

  6. #6
    tashi, Member of Team Spybot (Join Date: Oct 2005; Location: USA; Posts: 32,052)

    Cheers Josh.

    As the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
    Microsoft MVP. Consumer Security 2006-2014

