AVG and Spybot hang while scanning



More Biff
2006-08-29, 10:01
Hi guys,

I'd appreciate your advice with this problem. I've started to notice erratic behaviour on my PC over the last week - Mozilla Thunderbird locks up when sending mail, other apps don't run at all. Both Spybot and AVG (Free version) get stuck at certain points while scanning my disks, and I can't access the System32 folder either. :(

I have attached online virus scan and HJT logs below. Hope they are formatted OK...

============================================
Here is the result from Panda:

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@112.2o7[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ad.yieldmanager[1].txt
Spyware:Cookie/BannerBank Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ad10.bannerbank[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@ads.addynamix[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@adtech[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as-eu.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as-us.falkag[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@as1.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bluestreak[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@burstnet[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@c5.zedo[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@casalemedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[6].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cgi-bin[7].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@com[2].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@dist.belnk[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@fortunecity[1].txt
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@hotlog[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@landing.domainsponsor[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@maxserving[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@paycounter[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@realmedia[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@revenue[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@serving-sys[1].txt
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@spylog[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@statcounter[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@terra.com[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@tradedoubler[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@xiti[1].txt
Spyware:Cookie/XXXCounter Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@xxxcounter[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@yadro[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Taipan\Cookies\taipan@zedo[2].txt
Virus:Trj/Ruins.MB Disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc11\xxx[1].jpg
Virus:Trj/Ruins.MB Disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc2.exe
Adware:Adware/SBSoft Not disinfected C:\RECYCLER\S-1-5-21-1177238915-884357618-839522115-1004\Dc3.dll
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\csnqu.exe
Virus:Trj/Ruins.MB Disinfected C:\WINDOWS\system32\dmuoh.exe
Adware:Adware/QuickWeb Not disinfected C:\WINDOWS\system32\{EEF25E47-BC4A-4F84-B50B-970A3B4B853E}.exe

===================================================

And here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:31:38 p.m., on 29/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{4926A78F-93C7-4620-AB97-752428F8DE0A}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{6128C2BC-BEB6-4994-AA19-2B48CBC32B0D}: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AF4DC6-75F8-4A82-88C8-F309BFFD1C4B}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD4C4FC8-534A-4320-BFEA-7D88366E5E9C}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I hope that someone can make sense of all that - I don't really know where to start with it!

Many thanks,
Josh

pskelley
2006-08-30, 16:59
G'Day and welcome to the forum. If you still need help, let's start like this:

1) Turn off TeaTimer, it will block changes we must make:
http://russelltexas.com/malware/teatimer.htm

Thanks to LonnyRJones, Swandog46, AutoDad and anyone else who helped with this fix.

2) You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt

(please save those logs until we finish)

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(That space between g and / is needed.)


Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{4926A78F-93C7-4620-AB97-752428F8DE0A}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{6128C2BC-BEB6-4994-AA19-2B48CBC32B0D}: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{95AF4DC6-75F8-4A82-88C8-F309BFFD1C4B}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD4C4FC8-534A-4320-BFEA-7D88366E5E9C}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log along with any comments you think will help.

Cheers Mate

Your Java program needs updating, see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date
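As an added example (not part of this thread and not code from HijackThis, Fixwareout or Spybot), here is a small Python checker that does by script what the helper does by eye on lines like those in the HJT log: it flags O17 NameServer entries pointing at resolvers other than the ones you expect, and F2 Shell= entries that load anything besides Explorer.exe. The sample log lines, the zero GUID, and the expected-resolver set (a home router at 192.168.1.1) are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample in HijackThis log format, modelled on the lines in this
# thread; the all-zero GUID and the 192.168.1.1 entry on the last line are made up.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{132D1E56-D2C4-4965-B505-D7408DC6F26F}: NameServer = 85.255.113.130,85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.130 85.255.112.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

# Resolvers this machine is supposed to use (constructed: a home router).
EXPECTED_DNS = {"192.168.1.1"}


def parse_nameservers(value):
    """Split a NameServer value. HJT shows both comma- and space-separated
    lists (the thread has both), so split on either."""
    return [ip for ip in re.split(r"[,\s]+", value.strip()) if ip]


def describe_ip(ip):
    """Label an address public/private so a stray public resolver stands out."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"{ip} (not an IP address)"
    return f"{ip} ({'public' if addr.is_global else 'private'})"


def audit_hjt(log_text, expected_dns):
    """Return (section, detail) findings for suspicious O17 and F2 lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O17 - ") and "NameServer" in line:
            # "O17 - <registry key>: NameServer = <list>"
            key, _, value = line[len("O17 - "):].partition(": NameServer")
            value = value.lstrip(" =")
            unknown = [ip for ip in parse_nameservers(value) if ip not in expected_dns]
            if unknown:
                findings.append(("O17", f"{key} uses unexpected DNS: "
                                 + ", ".join(describe_ip(ip) for ip in unknown)))
        elif line.startswith("F2 - ") and "Shell=" in line:
            # A healthy system.ini Shell= line names Explorer.exe and nothing else.
            shell = line.split("Shell=", 1)[1]
            extras = [p.strip() for p in shell.split(",")
                      if p.strip() and p.strip().lower() != "explorer.exe"]
            if extras:
                findings.append(("F2", "Shell= also launches: " + ", ".join(extras)))
    return findings


if __name__ == "__main__":
    for section, detail in audit_hjt(SAMPLE_LOG, EXPECTED_DNS):
        print(f"[{section}] {detail}")
```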

More Biff
2006-08-31, 11:13
Hi pskelley, thanks heaps for taking the time to help me with those suggestions.

I followed all your steps, and I've copied the two log files below. You didn't specifically mention it, but I also re-enabled the TeaTimer and SDHelper programs a couple of minutes ago (after running the final HJT scan) - and as soon as I did this, I got a few (three or four) pop-ups telling me about an attempt to change some values, it looked like something to do with my browser or home page? I denied everything, just in case.... Is this a problem?

OK, here are the reports:
===================================================

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32
{EEF25E47-BC4A-4F84-B50B-970A3B4B853E}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


==================================================
... and from HJT:
==================================================
Logfile of HijackThis v1.99.1
Scan saved at 8:01:20 p.m., on 31/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] "C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

===================================================

For what it's worth, I haven't noticed any of the erratic behaviour that was plaguing me before .... is it too early to hope that I am clean?!

Thanks,
Josh

pskelley
2006-08-31, 12:45
Yep Josh...I usually say turn off TeaTimer until you are done. You did the right thing, and TT is doing the right thing when it blocks attempts to place stuff on your computer without your knowledge. You should check to make sure it is not a valid program asking to do something; if it is not, block it. I should point out that you can set the program to block stuff quietly without bothering you if you wish. The only bad thing is that if something valid tries to update, it could get blocked. I personally run Spybot but do not use TT, preferring SpywareGuard instead.

Your HJT log is clean of malware :bigthumb: Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Let's run the computer for 24 hours, then post to let me know there are no problems, I'll ask tashi:) to close the topic at that point.

Thanks...Phil

More Biff
2006-09-02, 04:09
:D:

It looks like your remedies worked Phil! I've since updated myself with further layers of protection, as suggested by the helpful links you provided. I've also figured out that I was waaaay behind with using the "Immunise" function in Spybot - I don't think I had ever used it before and there were thousands of things I wasn't protected against... whoops... even the greatest software is of limited use in the hands of an idiot! :blush:

Thanks again for your advice - it's fantastic to know that there are folks like you and all the others on this forum, who go out of their way to help the needy and don't even get paid for it! You are all stars!

All the best,
Josh

tashi
2006-09-05, 07:59
Cheers Josh. :)

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.