Solved

HijackThis log - Computer full of executables and s-l-o-w. Please Help me.....

Posted on 2004-08-23
2,797 Views
Last Modified: 2011-09-20
Computer has become very slow and hangs frequently. Have Ad-Aware and Norton AntiVirus. Have run both but the problem remains. Attached is the HijackThis log. Hopefully someone can tell me what to delete. thank you thank you thank you
Logfile of HijackThis v1.98.0
Scan saved at 9:08:04 PM, on 8/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\netig32.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\sp2ctr.exe
C:\windows\system32\glwjmgeb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\yawofm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\system32\javajb.exe
O4 - HKLM\..\RunOnce: [ntha32.exe] C:\WINDOWS\system32\ntha32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\ipuo.exe
O4 - HKLM\..\RunOnce: [crmv.exe] C:\WINDOWS\system32\crmv.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\system32\atlkt32.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\ierr.exe
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [crsz32.exe] C:\WINDOWS\crsz32.exe
O4 - HKLM\..\RunOnce: [crnw32.exe] C:\WINDOWS\crnw32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [crch32.exe] C:\WINDOWS\crch32.exe
O4 - HKLM\..\RunOnce: [javall.exe] C:\WINDOWS\system32\javall.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [mssu32.exe] C:\WINDOWS\mssu32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKLM\..\RunOnce: [apicg.exe] C:\WINDOWS\apicg.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\system32\atlfw32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\system32\apipr.exe
O4 - HKLM\..\RunOnce: [appan32.exe] C:\WINDOWS\appan32.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\crkv.exe
O4 - HKLM\..\RunOnce: [javalm.exe] C:\WINDOWS\system32\javalm.exe
O4 - HKLM\..\RunOnce: [winiv.exe] C:\WINDOWS\winiv.exe
O4 - HKLM\..\RunOnce: [addcs32.exe] C:\WINDOWS\system32\addcs32.exe
O4 - HKLM\..\RunOnce: [sdkew.exe] C:\WINDOWS\system32\sdkew.exe
O4 - HKLM\..\RunOnce: [ipry.exe] C:\WINDOWS\ipry.exe
O4 - HKLM\..\RunOnce: [addjd32.exe] C:\WINDOWS\system32\addjd32.exe
O4 - HKLM\..\RunOnce: [atlif.exe] C:\WINDOWS\atlif.exe
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\system32\msnn32.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [javaou32.exe] C:\WINDOWS\javaou32.exe
O4 - HKLM\..\RunOnce: [winwr32.exe] C:\WINDOWS\system32\winwr32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

Question by:jalvord1
13 Comments
 
LVL 6

Accepted Solution

by:
akboss earned 205 total points
ID: 11878429
Well, it looks like you have picked up quite a bit of spyware.

I suggest you download Spybot 1.3 and the NEW Ad-Aware SE.
Run these when you run your A/V.

Now in HJT, check these and then click Fix.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\yawofm.exe
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\system32\javajb.exe
O4 - HKLM\..\RunOnce: [ntha32.exe] C:\WINDOWS\system32\ntha32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\ipuo.exe
O4 - HKLM\..\RunOnce: [crmv.exe] C:\WINDOWS\system32\crmv.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\system32\atlkt32.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\ierr.exe
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [crsz32.exe] C:\WINDOWS\crsz32.exe
O4 - HKLM\..\RunOnce: [crnw32.exe] C:\WINDOWS\crnw32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [crch32.exe] C:\WINDOWS\crch32.exe
O4 - HKLM\..\RunOnce: [javall.exe] C:\WINDOWS\system32\javall.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [mssu32.exe] C:\WINDOWS\mssu32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKLM\..\RunOnce: [apicg.exe] C:\WINDOWS\apicg.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\system32\atlfw32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\system32\apipr.exe
O4 - HKLM\..\RunOnce: [appan32.exe] C:\WINDOWS\appan32.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\crkv.exe
O4 - HKLM\..\RunOnce: [javalm.exe] C:\WINDOWS\system32\javalm.exe
O4 - HKLM\..\RunOnce: [winiv.exe] C:\WINDOWS\winiv.exe
O4 - HKLM\..\RunOnce: [addcs32.exe] C:\WINDOWS\system32\addcs32.exe
O4 - HKLM\..\RunOnce: [sdkew.exe] C:\WINDOWS\system32\sdkew.exe
O4 - HKLM\..\RunOnce: [ipry.exe] C:\WINDOWS\ipry.exe
O4 - HKLM\..\RunOnce: [addjd32.exe] C:\WINDOWS\system32\addjd32.exe
O4 - HKLM\..\RunOnce: [atlif.exe] C:\WINDOWS\atlif.exe
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\system32\msnn32.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [javaou32.exe] C:\WINDOWS\javaou32.exe
O4 - HKLM\..\RunOnce: [winwr32.exe] C:\WINDOWS\system32\winwr32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Also make sure these folders are removed.

C:\windows\system32\sp2ctr.exe
C:\windows\system32\glwjmgeb.exe
C:\WINDOWS\system32\netig32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\windows\system32\sncntr.exe




0
 

Author Comment

by:jalvord1
ID: 11901668
Thanks, that made a huge difference! Still have a problem where my IE explorer gets hijacked. I've posted the HijackThis log below. Is there anything still hiding here that corrupts IE? Many thanks!

Logfile of HijackThis v1.98.0
Scan saved at 8:02:40 AM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

0
 

Author Comment

by:jalvord1
ID: 11902957
Forgot to add:
When booting up, Windows Installer now runs trying to install something from Microsoft Office. I have to hit 'cancel' many times to get it to stop.....
0
 
LVL 6

Expert Comment

by:akboss
ID: 11905111

>>>Thanks, that made a hugh difference! still have a problem where my IE explorer gets hijacked

Did you set the Resident and TeaTimer in Spybot?
On the task bar near the clock there should be an icon for Spybot. Right-click on it and select Resident IE. Make sure that there are check marks next to
(block all bad pages silently) and (use resident in IE sessions).
If you choose the advanced mode for Spybot, then click on the "Tools" bar on the left side. There you need to find "Resident" and click on it. You will see a box that says "resident protection status"; both check boxes should have checks in them.

By doing this Spybot will do a lot of the work for you. You may start getting Spybot popups that ask for permissions. Grant permission if it was something you downloaded or started up. If you did not do anything, then deny permission.

Now these need to get cleaned.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll

Do you know the programs associated with these? If you don't, then you might consider removing them.

C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab

If you're OK with looking in your registry, then I will take you through it as a final check.
0
 

Author Comment

by:jalvord1
ID: 11906975
Thanks for your help so far. I'm kind of a newbie and I'm not quite sure what you mean by "set the resident and tea timers in spybot". I have Spybot Search & Destroy 1.3. There is no icon in the tray on the right side. Should there be? Or are you referring to a different Spybot program?
Thanks in advance!

0
 

Author Comment

by:jalvord1
ID: 11907024
Forgot to post: here's the latest HijackThis log. Every time I delete:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
...it keeps coming back!


C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
...these are both files associated with Tiny Personal Firewall.

Here's the log:
Logfile of HijackThis v1.98.0
Scan saved at 4:17:18 PM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\netig32.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38

0
 
LVL 6

Expert Comment

by:akboss
ID: 11908075
You can set those in Spybot under the advanced mode.
"If you choose the advanced mode for Spybot, then click on the "Tools" bar on the left side. There you need to find "Resident" and click on it. You will see a box that says "resident protection status"; both check boxes should have checks in them."

C:\WINDOWS\system32\d3dl32.dll >>> this needs to be deleted: not the system32 file, but the d3dl32.dll.
You will need to "show all files" and "show hidden extensions" to see them all.

Fix these after you have removed the .dll above.
 
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38
0
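As an added example that is not part of this thread, here is a small Python script that does the triage akboss walks through by hand in his first and latest posts: it parses a HijackThis log and flags the entry types he singled out (the unnamed BHO, the missing URLSearchHook, the ProxyOverride, Run/RunOnce loaders sitting in the Windows directory root, the O17 NameServer line) and also the C:\WINDOWS\TWAIN.DLL:ymhor process image, whose ":ymhor" suffix marks an NTFS alternate data stream. The sample lines are copied from the logs posted above; the heuristics are mine, not HijackThis's own rules, and the function names (triage, classify, check_o4) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\windows\system32\glwjmgeb.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38
"""

@dataclass
class Finding:
    """One log line worth a closer look; section is the HJT code (PROC for a process)."""
    section: str
    line: str
    reason: str

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK[LC][MU]\\\.\.\\(Run|RunOnce|RunServices): \[([^\]]*)\] (.*)$")
# A final path component of the form name:stream is an NTFS alternate data stream.
ADS_RE = re.compile(r"^[A-Za-z]:\\(?:.*\\)?[^\\:]+:[^\\:]+$")

def in_windows_root(path: str) -> bool:
    """True if the file sits directly in the Windows or System32 directory."""
    p = path.strip('"').lower()
    return any(p.startswith(pre) and "\\" not in p[len(pre):]
               for pre in ("c:\\windows\\system32\\", "c:\\windows\\"))

def exe_path(command: str) -> str:
    """Executable of a Run-key command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(maxsplit=1)[0] if command else ""

def check_o4(body: str) -> Optional[str]:
    """Heuristics for O4 autostart entries; None means nothing stood out."""
    m = O4_RE.match(body)
    if not m:
        return None
    key, name, command = m.groups()
    exe = exe_path(command)
    if not in_windows_root(exe):
        return None
    if key == "RunOnce":
        return "RunOnce entry launching a file dropped in the Windows directory root"
    stem = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    if name.lower().removesuffix(".exe") == stem or len(name) <= 2:
        return "Run entry named after the executable itself, loading from the Windows directory root"
    return None

def classify(code: str, body: str) -> Optional[str]:
    """Map one non-process HJT entry to a review reason, or None if it looks routine."""
    if code == "R1" and "ProxyOverride" in body:
        return "proxy override set; confirm it matches the expected proxy configuration"
    if code == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed, a common IE search hijack indicator"
    if code == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object with no name loading a DLL into IE"
    if code == "O4":
        return check_o4(body)
    if code == "O17":
        return "per-adapter DNS server override; verify the addresses belong to your ISP"
    return None

def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and collect the entries worth a closer look."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the process list
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            if ADS_RE.match(line):
                findings.append(Finding("PROC", line, "process image is an NTFS alternate data stream"))
        elif (m := ENTRY_RE.match(line)) and (reason := classify(*m.groups())):
            findings.append(Finding(m.group(1), line, reason))
    return findings
```

Run triage() over a full log and review each Finding by hand; entries it does not flag (the Norton, Dell and Epson lines, for instance) are not thereby cleared, and a flagged O17 line only means the DNS servers should be checked against what your ISP hands out.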
 

Author Comment

by:jalvord1
ID: 11908166
I can't seem to check the "sd helper" box. The other one is now checked. Consequently, when I right click on the icon next to the clock, the "resident ie" is grayed out......
0
 
LVL 6

Expert Comment

by:akboss
ID: 11909080
Hmm... OK, if you go back into Spybot there is an "Immunize" button. Click on this one and let it immunize everything. On the right side there is a box that says "permanently running bad..."; make sure the "enable" box is checked and the menu below that says "block all pages silently".

Then go to the "Tools" bar and click on it. Make sure all the boxes are checked (i.e. view report, resident, shredder, etc.).


This should set that to the right setting.

Did you find the C:\WINDOWS\system32\d3dl32.dll and remove it?

0
 

Author Comment

by:jalvord1
ID: 11914407
Most curious... From the Immunize screen, I cannot check 'enable permanent blocking of bad addresses'. There is a yellow exclamation mark that indicates: "Browser helper to block bad addresses is NOT installed".....

I did delete the d3dl32.dll file but it keeps returning... I have System Restore off. Should I be doing all this as an Administrator in Safe Mode? Up to this point, I've signed onto XP with my individual screen (we have 4 users in the house).
0
 
LVL 6

Expert Comment

by:akboss
ID: 11918747
>>>>Should I be doing all this as an Administrator in Safe Mode?

answer>>>YES

I would uninstall and reinstall Spybot.

What has Ad-Aware SE done? I use it along with Spybot and my antivirus as a 1-2-3 punch on the baddies out there.

Also, you're an update behind in HijackThis. The newest is 1.98.2.
0
 
LVL 6

Expert Comment

by:akboss
ID: 11918756
If none of these have worked completely, then there are a couple more downloads that may help.


When you reinstall Spybot, make sure that the wizard lets you check the Resident and TeaTimer; that way it will be installed.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 11921408
Hi!

Just a note to add to what akboss has advised:
Have HJT fix this one -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab

Also, search your computer for all instances of any of the DLLs or EXEs
that have been pinpointed for removal, and delete all you find.
Particularly check your Prefetch, dllcache, and ALL temp folders.

Regards...
RF
0
