17 replies to this topic

[Andavari]

Has anyone else had any shutdown and restart issues with Microsoft AntiSpyware Beta 1 installed and resident with its Real-time protection.

I've noticed that my system is taking longer to shutdown and restart if the Real-time protection system tray icon is loaded, manually closing it however resolves the issue with gcasServ.exe. It's also the first time I've seen WinXP display a message about a program not responding during shutdown and restart.

[DJpailo]

its beta, so its probably a bug..

[Andavari]

Lol that's a no b.s. kind of answer. Straight to the point.

[Tarun]

What else do you typically run?

[Andavari]

I suppose you'd need a HJT log for a proper analysis, am I right?

[Tarun]

That's up to you really.

I've recently noticed my machine takes a bit longer to shutdown/reboot too, though I don't run the MSAS Real-Time agent.

[Andavari]

Well I suppose it wouldn't hurt to verify my new install is clean.

Logfile of HijackThis v1.99.1
Scan saved at 1:21:20 AM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Push The Freakin Button\PTFB.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CookieCop\CookieCop.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = %userprofile%\My Documents\ie_homepage.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = CookieCop:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.dell.com; *.microsoft.com;<local>
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Microsoft AntiSpyware Real-Time Protection] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft IntelliType Pro (Wireless Keyboard)] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [Microsoft IntelliPoint (Wireless Mouse)] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Broadcom Modem Messaging Applet] BCMSMMSG.exe
O4 - Startup: Push The Freakin Button.lnk = C:\Program Files\Push The Freakin Button\PTFB.exe
O4 - Startup: WinRAR SFX History Cleaner.lnk = C:\WINDOWS\regedit.exe
O4 - Startup: WinRescue.lnk = C:\Program Files\WinRescueXP\RescueXP.exe
O4 - Global Startup: CookieCop.lnk = C:\Program Files\CookieCop\CookieCop.exe
O4 - Global Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\system32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\system32\link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126938267031
O17 - HKLM\System\CCS\Services\Tcpip\..\{C071DFBC-449B-44C0-B8F4-9210B12BC3B2}: NameServer = 67.134.110.5 67.134.110.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Tarun]

Clean, as expected.

[Ultimate Predator]

I have noticed nothing to be honest, though I have quite a few startup programs including this, so I probably wouldn't have noticed.

[rridgely]

I can varify that MSAS causes a machine to boot slower even the real time protection is shut down. I don't use it anymore because of this reason. I would still let novice pc users get it though. But for me I don't want anything that will slow down my boot up.

I haven't ever seen the error message that your getting though andavari.

[Andavari]

rridgely, on Oct 19 2005, 08:28 PM, said:

I haven't ever seen the error message that your getting though andavari.

<{POST_SNAPBACK}>

It's like an old relic from the Win9x days (or an OS flashback), that would commonly have various programs that wouldn't allow a system to shutdown without forcing the program to exit.

I've only seen it twice within the last month, and it's no problem to click the End Now button to force it to exit, but like I said it's only occurred twice.

[Ultimate Predator]

Actually, on occasions my PC does require me to hit end now. Could be it. When my PC gets fixed I'm doing a complete work-through on my PC for what should or shouldn't be there, I might get rid of it considering it is only a Beta program. What do you think?

[Andavari]

Ultimate Predator, on Oct 20 2005, 02:52 AM, said:

When my PC  gets fixed I'm doing a complete work-through on my PC for what should or shouldn't be there, I might get rid of it considering it is only a Beta program. What do you think?

<{POST_SNAPBACK}>

I will personally continue to use MSAS as long as it remains freeware.

The reason I'll continue using it is because on my previous XP install I ignored what I thought were two constant false positives: An MSIE restricted website registry key, and a VISE uninstaller .exe file. I'm now thinking MSAS was correct in finding two infections.

Now after the fresh XP install MSAS didn't detect anything even though I'm using the same software, drivers, etc., except for the OEM installed crapware like AOL, Music Match Jukebox, etc. Although it hasn't found anything as of yet on this fresh install, I won't so blindly ignore something it finds in the future just because other programs such as Ad-Aware, Ewido, and Spybot S&D don't.

[Ultimate Predator]

Just found out today some interesting facts; don't use real scanning for Microsoft antispyware, can cause installation problems with some programs, and apperantly don't use a Reg Cleaner of any sought, including that of CCleaner (came from a proffesional).

[Tarun]

Ultimate Predator, on Oct 20 2005, 04:37 PM, said:

Just found out today some interesting facts; don't use real scanning for Microsoft antispyware, can cause installation problems with some programs, and apperantly don't use a Reg Cleaner of any sought, including that of CCleaner (came from a proffesional).

<{POST_SNAPBACK}>

Install problems? False.

No harm in registry cleaning as long as you're careful and make backups.

[Andavari]

Ultimate Predator, on Oct 20 2005, 03:37 PM, said:

Just found out today some interesting facts; don't use real scanning for Microsoft antispyware, can cause installation problems with some programs, and apperantly don't use a Reg Cleaner of any sought, including that of CCleaner (came from a proffesional).

<{POST_SNAPBACK}>

Sound's like some "professional" has been telling you some b.s.

The only install "problem" would be the detection of adware/spyware infested programs that should have been scanned in the first place. Of course MSAS or any other good antispyware program with real-time protection is going to halt something when it's detected, it isn't called real-time protection for nothing.

Tarun, on Oct 20 2005, 03:40 PM, said:

Install problems?  False.

No harm in registry cleaning as long as you're careful and make backups.

<{POST_SNAPBACK}>

Agreed!

[Andavari]

Well I just discovered two reasons why MSAS may cause system shutdown/restart problems, since the real-time protection is sometimes very slow to notice a change in system security settings:
1. Inputting restricted sites into MSIE.
2. Inputting restricted sites into the HOSTS file.

It however seems like more of a problem when inputting sites into the HOSTS file to block. I've waited a number of minutes (up to thirty) before MSAS even notifies that an addition/change was made in the HOSTS file, and if attempting to system shutdown/restart before the notification is displayed it may or will cause an issue during shutdown/restart.

[Ultimate Predator]

No, on MS Antispyware it can stop files being installed on the PC. Look, all I know is the guy disabled MS Antispyware real time and tried installing EZ Antivirus, and thus it worked. I agree about the issues though, I've never had a problem with them.