IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
1 - 20 of 49 Posts

Registered · 242 Posts · Discussion Starter · #1
HI THERE,

AVG ANTI-SPYWARE HAS DETECTED A COUNT OF ADWARE/SPYWARE, BUT CANNOT DELETE IT.

I HAVE TRIED DELETING, QUARANTINE, DELETING ON RE-BOOT, ALL TO NO AVAIL. I GET THE MESSAGE "ERRORS OCCURRED WHILE APPLYING THE ACTIONS...PLEASE SEE THE LIST ON THE LEFT".

I'VE ALSO RUN AVG ANTI-SPYWARE IN SAFE-MODE. STILL NOT ABLE TO DELETE.

LATELY, I'VE BEEN UNABLE TO LOG ONTO HOTMAIL ACCOUNT. DON'T KNOW IF THIS IS RELATED, OR PART OF A MORE WIDESPREAD PROBLEM WITH HOTMAIL.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:20:54 31/12/2006

+ Scan result:

HKLM\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control\\ActiveService -> Adware.GoodByeSpyware : Error during cleaning.

::Report end

HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:20, on 31/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\broadband guardian\PCTHelp.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [PCTAgent] D:\Program Files\broadband guardian\PCTHelp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: "*.live.com"
O15 - Trusted Zone: "*.msn.com"
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157284587733
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157284568530
O16 - DPF: {89521361-EA5B-11D7-97CA-00E08103E149} (Parental Controls Agent Class) - http://ebgcfg.eircom.net:8080/config/elements/artemislogin/PCTAgent.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

(I'VE DONE THESE SCANS IN THE ADMINISTRATOR PROFILE ON THE PC)

ANY HELP GREATLY APPRECIATED.
 

Registered · 13 Posts
Hi,
Look what virus it found and google it, then look for the best removal solution.
Check if the infected file is in an archive, i.e. .zip or .rar; if so it can't do any harm, but it won't be repaired or deleted by your AV and will always trigger an alert.
And/or download a few progs specifically designed for adware/spyware/malware removal, i.e. Spybot Search and Destroy, Spyware Doctor, Stopzilla, etc.
Or upload the file to http://www.virustotal.com/en/indexf.html. They use a number of AV engines with the latest updates, and one of these may have a specific cleaning utility for the virus.
cY83r
 

Registered · 242 Posts · Discussion Starter · #3
Tried to google it with very few results. I went to use the link you gave me but I don't know the location of the file to upload it, other than it shows up in a registry scan with AVG Anti-Spyware.

Have also scanned with SpyBot, Ad-Aware and AVG Free 7.5, to no avail.

Any other suggestions...
 

Administrator · 123,556 Posts
Hi jack123,

I believe this may be a false positive.

I would like to check what driver is associated with it.

Please export the following key.

Go to Start - Run - type in regedit and click OK.

Expand the following keys by clicking on the + to their left.

HKEY_LOCAL_MACHINE
SYSTEM
ControlSet001
Enum
USB
ROOT_HUB
5&2f85662e&0


Under 5&2f85662e&0, in the left-hand pane, right click on Control and then select "export". Save it to your desktop with the name Control.

Then right click on the Control file on your desktop and select "open with" and select "Notepad". Then copy and paste the contents here please.
 

Registered · 242 Posts · Discussion Starter · #10
Hi Cookiegal,

Thanks so much for the reply. Here is the Control contents:-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control]
"ActiveService"="usbhub"
 

Registered · 242 Posts · Discussion Starter · #12
Sorry for the delay - 2 very demanding kids!!
Here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0]
"Capabilities"=dword:00000080
"UINumber"=dword:00000000
"HardwareID"=hex(7):55,00,53,00,42,00,5c,00,52,00,4f,00,4f,00,54,00,5f,00,48,\
00,55,00,42,00,26,00,56,00,49,00,44,00,31,00,31,00,30,00,36,00,26,00,50,00,\
49,00,44,00,33,00,30,00,33,00,38,00,26,00,52,00,45,00,56,00,30,00,30,00,36,\
00,31,00,00,00,55,00,53,00,42,00,5c,00,52,00,4f,00,4f,00,54,00,5f,00,48,00,\
55,00,42,00,26,00,56,00,49,00,44,00,31,00,31,00,30,00,36,00,26,00,50,00,49,\
00,44,00,33,00,30,00,33,00,38,00,00,00,55,00,53,00,42,00,5c,00,52,00,4f,00,\
4f,00,54,00,5f,00,48,00,55,00,42,00,00,00,00,00
"Service"="usbhub"
"ConfigFlags"=dword:00000000
"ParentIdPrefix"="6&235a1f63&0"
"ClassGUID"="{36FC9E60-C465-11CF-8056-444553540000}"
"Class"="USB"
"Driver"="{36FC9E60-C465-11CF-8056-444553540000}\\0006"
"Mfg"="(Standard USB Host Controller)"
"DeviceDesc"="USB Root Hub"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Device Parameters]
"SymbolicName"="\\??\\USB#ROOT_HUB#5&2f85662e&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
"FailReasonID"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control]
"ActiveService"="usbhub"
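
As an added example (not part of the thread and not code from any participant): a small Python parser for the .reg export format posted above. It decodes the `hex(7)` HardwareID value and checks that the flagged `Control\ActiveService` value names the same driver service as the device entry one level up. The function names and the trimmed sample input are assumptions made for illustration.

```python
import re

# Constructed sample: the export posted in this thread, trimmed to the values
# used below (HardwareID shortened to its last string).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0]
"HardwareID"=hex(7):55,00,53,00,42,00,5c,00,52,00,4f,00,4f,00,54,00,5f,00,48,\
00,55,00,42,00,00,00,00,00
"Service"="usbhub"
"DeviceDesc"="USB Root Hub"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control]
"ActiveService"="usbhub"
'''
FLAGGED = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ROOT_HUB\5&2f85662e&0\Control"

def decode(raw):
    """Decode one value from .reg syntax (REG_SZ, REG_DWORD, REG_MULTI_SZ)."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # UTF-16LE strings, each NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1)] = decode(m.group(2))
    return keys

def driver_for(keys, control_key):
    """Pair a flagged Control key with the device entry one level up."""
    dev = keys.get(control_key.rsplit("\\", 1)[0], {})
    active = keys.get(control_key, {}).get("ActiveService")
    return {"active_service": active, "service": dev.get("Service"),
            "device": dev.get("DeviceDesc"),
            "hardware_ids": dev.get("HardwareID", []),
            "consistent": active is not None and active == dev.get("Service")}

if __name__ == "__main__":
    print(driver_for(parse_reg(SAMPLE_REG), FLAGGED))
```

Run against the full export, `hardware_ids` lists every string packed into the HardwareID value rather than the single one kept in the trimmed sample.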
 

Registered · 242 Posts · Discussion Starter · #15
Ok, Thanks for clearing that 1 up Cookiegal.

Can you shed any light on why I can't get an audio cd to play in a limited account?

I haven't changed any settings/permissions. Various audio CDs just won't go into autoplay. A window just opens and shows the WMP icons for all the tracks on the CD.

Is there a widespread problem with logging onto Hotmail? Looking around the forum would seem to suggest it. Where can I get more info on it?
 

Administrator · 123,556 Posts
These sound like separate issues. Did both of these problems start at the same time?

Autoplay may be disabled. Log on as administrator, right-click on the drive icon for your CD drive and select Properties.

Choose the AutoPlay tab, and choose the desired action for each type of CD. For example, choose Music CD, then click Select an action to perform, then select "play using Windows Media Player".

Let me know how that goes please.
 

Registered · 242 Posts · Discussion Starter · #17
Hi
Only noticed the audio issue a few days ago (after I posted this thread), that CDs weren't playing.

I followed your instructions, but it's made no difference.

(Don't know if this is relevant, but you can still hear windows sounds)
 

Administrator · 123,556 Posts
Download WinPFind.exe to your desktop and double click on it to open it and then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

Start in Safe Mode Using the F8 method:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.

  • Click “Configure scan options”
  • Under “Run AdOns” select the following:
    • Policies.def
    • Security.def
  • Click “apply”
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log.
 

Registered · 242 Posts · Discussion Starter · #19
Hi cookiegal,

I've downloaded WinPFind.exe, but I've got to go for the night now as it's 01.15 here + I'm up @ 06.00. Thanks for the reply. I'll follow through your instructions as soon as I can tomorrow. Thanks
 