
Solved: Help with AVG Virus Vault

Discussion in 'Virus & Other Malware Removal' started by HillBillyJim, Feb 4, 2005.

Thread Status:
Not open for further replies.
  1. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Hi all,

    Lately I cannot go online for more than 30 minutes without AVG detecting a trojan and having me put it in the Virus Vault or delete it.

    Also could someone please tell me why I cannot empty the Virus Vault in AVG Free Edition V. 7.0.300? It is currently showing 8 Trojans in it and when I try to empty the vault it will not get rid of them.
    Under the 'Virus Name' heading there are 5 of the same entries all identifying the same Trojan horse Downloader.Small.8.R and all have the same path C:\System Volume Information\_restore{}.exe. The other 2 are called Trojan horse Downloader.Small.11.BU and Trojan horse Dialer and the path leads to a Temp Folder in My Documents. The last one is a Trojan horse Downloader.Small.8.R and its path is in my Windows\System32\dload.exe

    When I highlight any one of these trojans it tells me in the information box below that it is a backup copy and that it is infected. Does this mean that there is an original file somewhere on my PC that too is infected?

    Should I be able to find these files following these paths or because they are in my Virus Vault does that mean they are off my computer?

    I ran the Panda Online Virus Scanner earlier and it found another Trojan and fixed it. I have also had my browser hijacked twice tonight but I have had that happen before and following the same advice given here I was able to fix that problem. It almost appears that I must still have some active Trojans on the system to be giving me these browser problems though.

    Here is a hijack this log in case you need to look at it...

    Logfile of HijackThis v1.98.2
    Scan saved at 10:05:58 PM, on 2/4/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Gary\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 38.115.131.131 sk2.slsk.org
    O1 - Hosts: 38.115.131.131 www.slsk.org
    O1 - Hosts: 38.115.131.131 mail.slsk.org
    O1 - Hosts: 38.115.131.131 server.slsk.org
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab


    As you can tell I have a lot of questions so any help/info would be really appreciated.

    Thanks,

    Jim
     
  2. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

    O1 - Hosts: 38.115.131.131 sk2.slsk.org

    O1 - Hosts: 38.115.131.131 www.slsk.org

    O1 - Hosts: 38.115.131.131 mail.slsk.org

    O1 - Hosts: 38.115.131.131 server.slsk.org

    O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe

    O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

    Reboot into SAFE MODE (F5 or F8 when restarting)
    Here is a link on how to boot into Safe Mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders, this must be done after restarting in Safe Mode!!
    Here is a link to help with that:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=62

    Please pay close attention to the Configuration of Hidden Files in Windows XP, as I know for sure in the Home Edition, the Config can be done in Normal Mode and when switched to Safe Mode the Config goes back to Default and Hides Files!

    Once In Safe Mode and Hidden Files are Showing, Locate and delete this File:

    C:\WINDOWS\System32\prvdi.exe <<< Just the EXE!

    When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
    Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

    Here is a link explaining:

    http://netsquirrel.com/msconfig/

    I will find the Info on the Virus Vault when you post back!
     
  3. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Thanks for the help Cretemonster

    I did what you said but when I rebooted into safe mode and switched to show all hidden files I could not find C:\WINDOWS\System32\prvdi.exe anywhere. I don't know if that is a good thing or not. Here is the new Hijackthis Log with everything configured to startup...



    Logfile of HijackThis v1.98.2
    Scan saved at 11:13:58 PM, on 2/4/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Gary\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F3 - REG:win.ini: run=E:\setup.ins
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Sonic RecordNow! Deluxe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab


    Thanks again for the help.
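
Added example, not part of the original posts: one way to compare two HijackThis logs and confirm that the entries ticked for "Fix Checked" are absent from the follow-up scan. The function names are hypothetical, and the sample text is an abridged excerpt of the two logs posted above.

```python
import re

# One HijackThis result line: section code (R0, F3, O1, O4, O16 ...), " - ", entry.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

# Abridged excerpts of the logs saved at 10:05:58 PM and 11:13:58 PM on 2/4/2005.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
F3 - REG:win.ini: run=E:\setup.ins
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# The lines that were ticked before pressing "Fix Checked" (those present in BEFORE).
FIXED = [
    r"O1 - Hosts: 38.115.131.131 sk2.slsk.org",
    r"O1 - Hosts: 38.115.131.131 www.slsk.org",
    r"O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe",
    r"O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe",
]


def parse_entries(log_text):
    """Map each section code to the set of entry strings found under it.

    Header lines and the "Running processes" list do not match ENTRY_RE
    and are skipped.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): per-section sorted lists of entries that
    disappeared from, or newly appeared in, the later log."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed, added = {}, {}
    for code in sorted(set(before) | set(after)):
        gone = before.get(code, set()) - after.get(code, set())
        new = after.get(code, set()) - before.get(code, set())
        if gone:
            removed[code] = sorted(gone)
        if new:
            added[code] = sorted(new)
    return removed, added


def unfixed(checked_lines, after_text):
    """Return the checked lines that are still present in the later log."""
    after = parse_entries(after_text)
    survivors = []
    for line in checked_lines:
        m = ENTRY_RE.match(line)
        if m and m.group(2) in after.get(m.group(1), set()):
            survivors.append(line)
    return survivors


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for label, result in (("removed", removed), ("added", added)):
        for code, items in result.items():
            for item in items:
                print(f"{label:8}{code} - {item}")
    print("still present after fix:", unfixed(FIXED, AFTER))
```

An entry missing from the later log means the hosts line or autostart reference is no longer there; it says nothing about whether the file it pointed to still exists on disk.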
     
  4. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Go to Add\Remove Programs and Remove NewDotNet!

    Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

    Reboot into SAFE MODE (F5 or F8 when restarting)

    Delete this Folder:

    C:\Program Files\NEWDOTNET <<< The Entire NewDotNet Folder!

    Reboot Normal and Download eScan:
    http://www.mwti.net/antivirus/free_utilities.asp

    Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, Copy and paste it in your next reply.
    All I need to see is what appears in the lower Window!
     
  5. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Here are the results from the eScan, Cretemonster,


    File C:\WINDOWS\System32\msvcrta.dll infected by "Trojan.Win32.Agent.q" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\msvcrta.dll infected by "Trojan.Win32.Agent.q" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM32\DRIVERS\SBCPHID.SYS tagged as not-a-virus:BuggyProg.Win32.Sbcphid. No Action Taken.
    File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:RiskWare.Tool.KillApp.b. No Action Taken.
    File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\n3tpa1i.dll infected by "Trojan-Dropper.Win32.Agent.eq" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\setup_incred_7.exe infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.

    Thanks again for looking
     
  6. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Almost there!

    I do like that scanner, it shows a lot that most don't!

    Go straight to Safe Mode, Locate and Delete these:

    C:\WINDOWS\System32\msvcrta.dll <<< Just the DLL

    C:\WINDOWS\System32\KVIF_7.dll <<< Just the DLL

    C:\WINDOWS\System32\n3tpa1i.dll <<< Just the DLL

    C:\WINDOWS\System32\SHAgentNew.dll <<< Just the DLL

    C:\WINDOWS\System32\setup_incred_7.exe <<< Just the EXE

    C:\WINDOWS\SYSTEM32\DRIVERS\SBCPHID.SYS <<< Just that SYS file

    Reboot Normal, Scan With HijackThis and let's have a look!
     
  7. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Well Cretemonster here is the latest HijackThis Scan what do ya think...

    Logfile of HijackThis v1.98.2
    Scan saved at 1:15:26 AM, on 2/5/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\gearsec.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\Program Files\Ahead\Nero\nero.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\Imapi.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Gary\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Sonic RecordNow! Deluxe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
    O4 - Global Startup: Image Transfer.lnk = ?
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab


    BTW I still can't empty the AVG virus vault any ideas why that might be?

    Thanks again,

    Jim
     
  8. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Let me look into the AVG Issue!

    How is the PC acting now?
     
  9. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Sorry it took so long for a reply Cretemonster. I had to get some ZZZZs.

    So far so good. I have been online for about 4 hours today and the AVG prompt hasn't popped up and my browser hasn't been hijacked!!

    I really appreciate your help last night.

    I tried again this morning to empty the Virus Vault but no luck. It is so weird, if I go in and try to delete each file in the vault individually they will go until the last one. When I try to delete it the other seven show back up in the Virus Vault. I am going to try to get in touch with AVG and inquire about this. Hopefully it is just a glitch and that these Trojans aren't still running wild on my PC.

    Thanks again,

    Jim
     
  10. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Gimme a bit, I have some friends in the UK that live by AVG and I will try to locate them and see what they have to say!
    At least they are in a Vault and unable to get out!

    I have a few in Quarantine myself, so don't be too worried about those!

    I do have some stuff I would like you to take a look at and keep around for Safer Surfing!

    Here is my one stop shop:

    http://majorgeeks.com/downloads31.html

    Here you can pick up some great FREE programs to help you keep the PC clean!

    Ad Aware SE 1.05

    Spybot Search and Destroy 1.3

    Spyware Blaster

    Spyware Guard

    Here is my choice of FREE Firewalls:

    Sygate Personal Firewall:
    http://majorgeeks.com/download3356.html

    I use all these and make sure they are Updated with My Antivirus once a week!!

    Here are some links to help you on your way!!!

    http://forums.thetechguys.com/showthread.php?t=4544

    http://www.pcstats.com/articleview.cfm?articleID=1579

    http://forums.thetechguys.com/showthread.php?t=8859

    I will be back in touch when I find out about the Vault!!!
     
  11. Diskman4

    Diskman4

    Joined:
    Feb 5, 2005
    Messages:
    6
    "Also could someone please tell me why I cannot empty the Virus Vault in AVG Free Edition V. 7.0.300 It is currently showing 8 Trojans in it and when I try to empty the vault it will not get rid of them. "

    The reason for this, Jim, is that the files you are trying to delete are in the system restore and are protected. The easiest way I found of getting rid of them is to run a disk cleanup, under "other options" click to clear system restore, this will delete all but the last system restore file and will also delete your trojans... Hope this helps
     
  12. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    Cretemonster,

    Thanks for all the help I really appreciate it. :D
    I use all of the programs that you suggested already except I have Zone Alarm for a free firewall. It seems to work ok.

    Diskman4,

    I tried to do like you suggested; I performed a disc cleanup and under the more options tab I selected to cleanup restore points but when I opened up the Virus Vault to delete them the same thing happened...I couldn't delete them from my Virus Vault.

    Thanks for the suggestion though ;)

    I emailed AVG but of course because it is the free version they don't offer any support other than the FAQ found on their website which mentions nothing of this problem.
     
  13. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    Give this a try:

    Go to the virus vault and click on ACTION at the top, then select EMPTY VAULT. then empty your recycle bin.

    Let me know if that works!
     
  14. HillBillyJim

    HillBillyJim Thread Starter

    Joined:
    Jan 17, 2004
    Messages:
    91
    I tried that Cretemonster but no luck. I guess I am going to have to just be happy the little suckers are stuck in jail with NO chance for parole ;)

    It has been 2 days now and no sign of any trojans or browser hijacks :)

    Thanks again for your help.
     
  15. Cretemonster

    Cretemonster

    Joined:
    Jan 29, 2005
    Messages:
    31
    I will still keep trying to peck away at the Virus Vault as best I can, the good thing is the fact the buggers are gone!
     

Short URL to this thread: https://techguy.org/326877
