Please HELP Protoride worm

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kdmbas

Thread Starter
Joined
Jan 21, 2004
Messages
48
Attached is my Hijack This log. Could someone look at it and see what I need to do. I had the Protoride Worm and did the correction as posted on Symtec web site. Computer still runs extremely slow. I am running AVG 6 and I have run Spybot and Adaware. Any help would be very much appreciated.



Logfile of HijackThis v1.99.0
Scan saved at 11:54:01 PM, on 1/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\wys.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\PROGRA~1\Bpt\bpt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dxdcurs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\System32\cidaemon.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRA~1\SURFSI~1\SskBho.dll
F3 - REG:win.ini: load=
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)
O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [yswyk] C:\WINDOWS\System32\jhvq\yswyk.exe
O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe "
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
O4 - HKLM\..\Run: [rivn] C:\WINDOWS\System32\dlxtjcm\rivn.exe
O4 - HKLM\..\Run: [rfstx] C:\WINDOWS\System32\jmnujwgp\rfstx.exe
O4 - HKLM\..\Run: [rfgd] C:\WINDOWS\System32\kjgg\rfgd.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [FeCPY] "C:\PROGRA~1\COMMON~1\Java\fecpy.exe "
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Breg] "C:\PROGRA~1\COMMON~1\Java\bptre.exe "
O4 - HKLM\..\Run: [BPT] "C:\PROGRA~1\Bpt\bpt.exe "
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ASSERR] C:\WINDOWS\System32\ASSERR.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IwpERQbEh] dxdcurs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
117,416
Go to Control Panel - Add/Remove programs and delete any of these that you find there:

NaviSearch
CashBack
BargainBuddy
BullseyeNetwork
SurfSideKick
Fen
CxtPls
Bpt


Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} –
C:\PROGRA~1\SURFSI~1\SskBho.dll

F3 - REG:win.ini: load=

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)

O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [yswyk] C:\WINDOWS\System32\jhvq\yswyk.exe

O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe

O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup

O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup

O4 - HKLM\..\Run: [rivn] C:\WINDOWS\System32\dlxtjcm\rivn.exe

O4 - HKLM\..\Run: [rfstx] C:\WINDOWS\System32\jmnujwgp\rfstx.exe

O4 - HKLM\..\Run: [rfgd] C:\WINDOWS\System32\kjgg\rfgd.exe

O4 - HKLM\..\Run: [FeCPY] "C:\PROGRA~1\COMMON~1\Java\fecpy.exe "

O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

O4 - HKLM\..\Run: [Breg] "C:\PROGRA~1\COMMON~1\Java\bptre.exe "

O4 - HKLM\..\Run: [BPT] "C:\PROGRA~1\Bpt\bpt.exe "

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [ASSERR] C:\WINDOWS\System32\ASSERR.exe

O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe

O4 - HKCU\..\Run: [IwpERQbEh] dxdcurs.exe

O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\Program Files\CxtPls - folder
c:\Program Files\Fen - folder
C:\WINDOWS\System32\nvms.dll - file
C:\WINDOWS\System32\mscb.dll - file
C:\WINDOWS\System32\msbe.dll - file
C:\WINDOWS\System32\jhvq\yswyk.exe - file
C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe - file
C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe - file
C:\WINDOWS\System32\wys.exe - file
C:\WINDOWS\System32\dlxtjcm - folder
C:\WINDOWS\System32\jmnujwgp - folder
C:\WINDOWS\System32\kjgg - folder
C:\PROGRA~1\COMMON~1\Java\fecpy.exe - file
C:\Program Files\CashBack - folder
C:\PROGRA~1\COMMON~1\Java\bptre.exe - file
O4 - HKLM\..\Run: [BPT] "C:\PROGRA~1\Bpt - folder
C:\Program Files\AutoUpdate - folder
C:\WINDOWS\System32\ASSERR.exe - file
dxdcurs.exe - file
C:\PROGRA~1\SURFSIDEKICK - folder
C:\WINDOWS\zeta.exe - file


How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Because XP will not always show you hidden files and folders by default, Go to Start - Search and under "More advanced search options". Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Do a couple of on-line virus scans at these links:

http://housecall.trendmicro.com/ - be sure to check “auto clean” before scanning

http://www.pandasoftware.com/activescan/

Reboot and post another log please.
 

kdmbas

Thread Starter
Joined
Jan 21, 2004
Messages
48
Here is the new Hijack Log. REALLY appreciate the help. Both online scans came up with 10 each. By the way. I am look at getting new antivirus software. What do you think about PC-Cillin by Trendmicro. Is it ok to run PC-Cillin(or whatever Antivirus Software) along with AVG6.

Again thanks for the help.

Logfile of HijackThis v1.99.0
Scan saved at 7:48:37 PM, on 1/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
 

kdmbas

Thread Starter
Joined
Jan 21, 2004
Messages
48
OOOOOOPPPPPSS!!!

I forgot to reboot before posting log. Here is the new log AFTER the reboot


THANKS>



Logfile of HijackThis v1.99.0
Scan saved at 7:59:20 PM, on 1/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
117,416
The log looks good now.

Both are good anti-virus programs but you cannot run both as they will conflict with each other and cause problems.

Now you should turn system restore off to flush out all previous restore points and then turn it back on and create a new restore point:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

http://www.javacoolsoftware.com/spywareblaster.html

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the recycle bin.
 

kdmbas

Thread Starter
Joined
Jan 21, 2004
Messages
48
THANKS ALOT. I have another computer with the same problem. But that is for another weekend. Think I will go with PC-Cillin since it will scan email and comes with a Firewall. Do you know of any quirks with unistalling AVG.

Again thanks.

I am going to make a donation. Hopefully you get to share in it since you were so helpfull.

Have a great Day. I will now!!!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
117,416
You're welcome and TSG thanks you for the donation. 100% goes to keep this great site up and running.

AVG, as most anti-virus programs, can be difficult to uninstall. As I'm not using it myself I researched and found some instructions to the effect that it comes with an un-installer. Go to Start, All Programs, hover your cursor over AVG and the un-installer will appear. Run this to un-install the software. Do not use the Add/Remove programs.

Good luck with that.

:)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top