
Please HELP Protoride worm

Discussion in 'Virus & Other Malware Removal' started by kdmbas, Jan 29, 2005.

Thread Status:
Not open for further replies.
  1. kdmbas

    kdmbas Thread Starter

    Joined:
    Jan 21, 2004
    Messages:
    48
    Attached is my Hijack This log. Could someone look at it and see what I need to do? I had the Protoride Worm and did the correction as posted on the Symantec web site. Computer still runs extremely slow. I am running AVG 6 and I have run Spybot and Adaware. Any help would be very much appreciated.



    Logfile of HijackThis v1.99.0
    Scan saved at 11:54:01 PM, on 1/28/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\wys.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\Program Files\CashBack\bin\cashback.exe
    C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
    C:\PROGRA~1\Bpt\bpt.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\dxdcurs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\NaviSearch\bin\nls.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRA~1\SURFSI~1\SskBho.dll
    F3 - REG:win.ini: load=
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)
    O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O4 - HKLM\..\Run: [yswyk] C:\WINDOWS\System32\jhvq\yswyk.exe
    O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe "
    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
    O4 - HKLM\..\Run: [rivn] C:\WINDOWS\System32\dlxtjcm\rivn.exe
    O4 - HKLM\..\Run: [rfstx] C:\WINDOWS\System32\jmnujwgp\rfstx.exe
    O4 - HKLM\..\Run: [rfgd] C:\WINDOWS\System32\kjgg\rfgd.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [FeCPY] "C:\PROGRA~1\COMMON~1\Java\fecpy.exe "
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
    O4 - HKLM\..\Run: [Breg] "C:\PROGRA~1\COMMON~1\Java\bptre.exe "
    O4 - HKLM\..\Run: [BPT] "C:\PROGRA~1\Bpt\bpt.exe "
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [ASSERR] C:\WINDOWS\System32\ASSERR.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IwpERQbEh] dxdcurs.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,317
    Go to Control Panel - Add/Remove programs and delete any of these that you find there:

    NaviSearch
    CashBack
    BargainBuddy
    BullseyeNetwork
    SurfSideKick
    Fen
    CxtPls
    Bpt


    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRA~1\SURFSI~1\SskBho.dll

    F3 - REG:win.ini: load=

    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll

    O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)

    O2 - BHO: Flash Extender - {95795B67-BBAB-47d0-8A9F-069E8242C0E5} - c:\Program Files\Fen\fen.dll

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [yswyk] C:\WINDOWS\System32\jhvq\yswyk.exe

    O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe "

    O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe" /startup

    O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup

    O4 - HKLM\..\Run: [rivn] C:\WINDOWS\System32\dlxtjcm\rivn.exe

    O4 - HKLM\..\Run: [rfstx] C:\WINDOWS\System32\jmnujwgp\rfstx.exe

    O4 - HKLM\..\Run: [rfgd] C:\WINDOWS\System32\kjgg\rfgd.exe

    O4 - HKLM\..\Run: [FeCPY] "C:\PROGRA~1\COMMON~1\Java\fecpy.exe "

    O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe

    O4 - HKLM\..\Run: [Breg] "C:\PROGRA~1\COMMON~1\Java\bptre.exe "

    O4 - HKLM\..\Run: [BPT] "C:\PROGRA~1\Bpt\bpt.exe "

    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    O4 - HKLM\..\Run: [ASSERR] C:\WINDOWS\System32\ASSERR.exe

    O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe

    O4 - HKCU\..\Run: [IwpERQbEh] dxdcurs.exe

    O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRA~1\SURFSI~1\Ssk.exe

    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\Program Files\CxtPls - folder
    c:\Program Files\Fen - folder
    C:\WINDOWS\System32\nvms.dll - file
    C:\WINDOWS\System32\mscb.dll - file
    C:\WINDOWS\System32\msbe.dll - file
    C:\WINDOWS\System32\jhvq\yswyk.exe - file
    C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe - file
    C:\DOCUME~1\KEVINS~1\LOCALS~1\Temp\ICD1.tmp\svcmm32.exe - file
    C:\WINDOWS\System32\wys.exe - file
    C:\WINDOWS\System32\dlxtjcm - folder
    C:\WINDOWS\System32\jmnujwgp - folder
    C:\WINDOWS\System32\kjgg - folder
    C:\PROGRA~1\COMMON~1\Java\fecpy.exe - file
    C:\Program Files\CashBack - folder
    C:\PROGRA~1\COMMON~1\Java\bptre.exe - file
    C:\PROGRA~1\Bpt - folder
    C:\Program Files\AutoUpdate - folder
    C:\WINDOWS\System32\ASSERR.exe - file
    dxdcurs.exe - file
    C:\PROGRA~1\SURFSIDEKICK - folder
    C:\WINDOWS\zeta.exe - file


    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/ - be sure to check “auto clean” before scanning

    http://www.pandasoftware.com/activescan/

    Reboot and post another log please.
     
  3. kdmbas

    kdmbas Thread Starter

    Joined:
    Jan 21, 2004
    Messages:
    48
    Here is the new Hijack Log. REALLY appreciate the help. Both online scans came up with 10 each. By the way, I am looking at getting new antivirus software. What do you think about PC-Cillin by Trendmicro? Is it ok to run PC-Cillin (or whatever Antivirus Software) along with AVG6?

    Again thanks for the help.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:48:37 PM, on 1/29/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
     
  4. kdmbas

    kdmbas Thread Starter

    Joined:
    Jan 21, 2004
    Messages:
    48
    OOOOOOPPPPPSS!!!

    I forgot to reboot before posting log. Here is the new log AFTER the reboot


    THANKS.



    Logfile of HijackThis v1.99.0
    Scan saved at 7:59:20 PM, on 1/29/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://wtxs.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer from TC Online Internet Services
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://wtxs.net
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://benefitstreet.webex.com/client/v_mywebex/webex/ieatgpc.cab
    O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
    O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
    O23 - Service: IMAPI CD-Burning COM Service - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
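
Added example, not part of any poster's message: one way to confirm mechanically that every entry on a "fix checked" list is gone from a follow-up HijackThis log, and to see what else changed between two scans. The function names are my own, the matching rules (ignore case, quotes and spacing; rejoin a line wrapped after a dash) are assumptions about how forum pasting alters log lines, and the inputs are short excerpts constructed from the logs in this thread.

```python
import re

# HijackThis entry lines start with a section code (R0, F3, O4, O23, ...).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

def normalize(body):
    """Fold cosmetic differences between a log line and a hand-pasted copy."""
    body = body.replace("\u2013", "-").replace('"', "")
    return re.sub(r"\s+", " ", body).strip().lower()

def parse_entries(text):
    """Return [(code, normalized_body)] for each entry line in a log or fix list."""
    entries, can_wrap = [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            # An entry ending in a dash was wrapped before its file path.
            can_wrap = m.group(2).endswith(("-", "\u2013"))
        else:
            if line and can_wrap:
                entries[-1][1] += " " + line
            can_wrap = False  # headers and process paths are not entries
    return [(code, normalize(body)) for code, body in entries]

def check_cleanup(before_log, fix_list, after_log):
    """Compare the fix list against the scans taken before and after cleanup."""
    before = set(parse_entries(before_log))
    after = set(parse_entries(after_log))
    fixes = parse_entries(fix_list)
    return {
        "still_present": [f for f in fixes if f in after],     # fix did not stick
        "not_in_before": [f for f in fixes if f not in before],  # mistyped fix line
        "removed_unlisted": sorted(before - after - set(fixes)),
        "new_in_after": sorted(after - before),
    }

# Constructed excerpts of the first log, the fix list and the follow-up log.
BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\wys.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRA~1\SURFSI~1\SskBho.dll
F3 - REG:win.ini: load=
O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)
O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe "
O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""
FIX_LIST = r"""R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} –
C:\PROGRA~1\SURFSI~1\SskBho.dll

F3 - REG:win.ini: load=
O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - (no file)
O4 - HKLM\..\Run: [Xcpy1] "C:\PROGRA~1\COMMON~1\Java\Xcpy1.exe
O4 - HKLM\..\Run: [Spool] "C:\WINDOWS\System32\wys.exe" /startup
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""
AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wtxs.net
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

if __name__ == "__main__":
    for name, items in check_cleanup(BEFORE, FIX_LIST, AFTER).items():
        print(name, len(items))
        for code, body in items:
            print("   ", code, "-", body)
```

On these excerpts nothing from the fix list survives, and the only new entry is the O16 ActiveScan control left by the online scan that was requested.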
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,317
    The log looks good now.

    Both are good anti-virus programs but you cannot run both as they will conflict with each other and cause problems.

    Now you should turn system restore off to flush out all previous restore points and then turn it back on and create a new restore point:

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

    I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD, for added protection.

    http://www.javacoolsoftware.com/spywareblaster.html

    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html

    Delete your temporary files:

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.
     
  6. kdmbas

    kdmbas Thread Starter

    Joined:
    Jan 21, 2004
    Messages:
    48
    THANKS A LOT. I have another computer with the same problem. But that is for another weekend. Think I will go with PC-Cillin since it will scan email and comes with a Firewall. Do you know of any quirks with uninstalling AVG?

    Again thanks.

    I am going to make a donation. Hopefully you get to share in it since you were so helpful.

    Have a great Day. I will now!!!!!
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,317
    You're welcome and TSG thanks you for the donation. 100% goes to keep this great site up and running.

    AVG, as most anti-virus programs, can be difficult to uninstall. As I'm not using it myself I researched and found some instructions to the effect that it comes with an un-installer. Go to Start, All Programs, hover your cursor over AVG and the un-installer will appear. Run this to un-install the software. Do not use the Add/Remove programs.

    Good luck with that.

    :)
     

Short URL to this thread: https://techguy.org/324533
