jalvord1

HijackThis log - Computer full of executables and s-l-o-w. Please Help me.....

Computer has become very slow and hangs frequently. Have Ad-Aware and Norton AntiVirus. Have run both but the problem remains. Attached is the HijackThis log. Hopefully someone can tell me what to delete. Thank you, thank you, thank you.

Logfile of HijackThis v1.98.0
Scan saved at 9:08:04 PM, on 8/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\netig32.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\sp2ctr.exe
C:\windows\system32\glwjmgeb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\yawofm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\system32\javajb.exe
O4 - HKLM\..\RunOnce: [ntha32.exe] C:\WINDOWS\system32\ntha32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\ipuo.exe
O4 - HKLM\..\RunOnce: [crmv.exe] C:\WINDOWS\system32\crmv.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\system32\atlkt32.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\ierr.exe
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [crsz32.exe] C:\WINDOWS\crsz32.exe
O4 - HKLM\..\RunOnce: [crnw32.exe] C:\WINDOWS\crnw32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [crch32.exe] C:\WINDOWS\crch32.exe
O4 - HKLM\..\RunOnce: [javall.exe] C:\WINDOWS\system32\javall.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [mssu32.exe] C:\WINDOWS\mssu32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKLM\..\RunOnce: [apicg.exe] C:\WINDOWS\apicg.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\system32\atlfw32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\system32\apipr.exe
O4 - HKLM\..\RunOnce: [appan32.exe] C:\WINDOWS\appan32.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\crkv.exe
O4 - HKLM\..\RunOnce: [javalm.exe] C:\WINDOWS\system32\javalm.exe
O4 - HKLM\..\RunOnce: [winiv.exe] C:\WINDOWS\winiv.exe
O4 - HKLM\..\RunOnce: [addcs32.exe] C:\WINDOWS\system32\addcs32.exe
O4 - HKLM\..\RunOnce: [sdkew.exe] C:\WINDOWS\system32\sdkew.exe
O4 - HKLM\..\RunOnce: [ipry.exe] C:\WINDOWS\ipry.exe
O4 - HKLM\..\RunOnce: [addjd32.exe] C:\WINDOWS\system32\addjd32.exe
O4 - HKLM\..\RunOnce: [atlif.exe] C:\WINDOWS\atlif.exe
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\system32\msnn32.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [javaou32.exe] C:\WINDOWS\javaou32.exe
O4 - HKLM\..\RunOnce: [winwr32.exe] C:\WINDOWS\system32\winwr32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

ASKER CERTIFIED SOLUTION
akboss
This solution is only available to members.
jalvord1

ASKER

Thanks, that made a huge difference! Still have a problem where my IE explorer gets hijacked. I've posted the HijackThis log below. Is there anything still hiding here that corrupts IE? Many thanks!

Logfile of HijackThis v1.98.0
Scan saved at 8:02:40 AM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

Forgot to add:
When booting up, Windows Installer now runs, trying to install something from Microsoft Office. I have to hit 'cancel' many times to get it to stop.....

>>>Thanks, that made a huge difference! Still have a problem where my IE explorer gets hijacked

Did you set the resident and tea timers in Spybot?
On the task bar near the clock there should be an icon for Spybot. Right-click on it and select resident IE. Make sure that there are check marks next to
(block all bad pages silently) and (use resident in IE sessions).
If you choose the advanced mode for Spybot, then click on the "tools" bar on the left side. There you need to find "resident" and click on it. You will see a box that says "resident protection status"; both check boxes should have checks in them.

By doing this, Spybot will do a lot of the work for you. You may start getting "spybot" popups that ask for permissions. Grant permission if there was something you downloaded or started up. If you did not do anything, then deny permissions.

Now these need to get cleaned.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll

Do you know the programs associated with these? If you don't, then you might consider removing them.

C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab

If you're OK with looking in your registry, then I will take you through it as a final check.

Thanks for your help so far. I'm kind of a newbie and I'm not quite sure what you mean by "set the resident and tea timers in spybot". I have Spybot Search & Destroy 1.3. There is no icon in the tray on the right side. Should there be? Or are you referring to a different Spybot program?
Thanks in advance!

Forgot to post: here's the latest HijackThis log. Every time I delete:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
....it keeps coming back!


C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
...these are both files associated with Tiny Personal Firewall

Here's the log:
Logfile of HijackThis v1.98.0
Scan saved at 4:17:18 PM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\netig32.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38

You can set those in Spybot under the advanced mode.
"If you choose the advanced mode for Spybot, then click on the "tools" bar on the left side. There you need to find "resident" and click on it. You will see a box that says "resident protection status"; both check boxes should have checks in them."

C:\WINDOWS\system32\d3dl32.dll >>> this needs to be deleted; not the system32 file, but the d3dl32.dll.
You will need to "show all files" and "show hidden extension" to see them all.

Fix these after you have removed the .dll above.
 
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38

I can't seem to check the "sd helper" box. The other one is now checked. Consequently, when I right-click on the icon next to the clock, the "resident ie" is grayed out......

Hmm... OK, if you go back into Spybot there is an "immunize" button. Click on this one and let it immunize everything. On the right side there is a box that says "permanently running bad..."; make sure the "enable" box is checked and the menu below that says "block all pages silently".

Then go to the "tools" bar and click on it. Make sure all the boxes are checked (i.e. view report, resident, shredder, etc.).

This should set that to the right setting.

Did you find the C:\WINDOWS\system32\d3dl32.dll and remove it?

Most curious.... From the Immunize screen, I cannot check the 'enable permanent blocking of bad addresses' box. There is a yellow exclamation mark that indicates: "Browser helper to block bad addresses is NOT installed....."

I did delete the d3dl32.dll file but it keeps returning... I have System Restore off. Should I be doing all this as an Administrator in Safe Mode? Up to this point, I've signed onto XP with my individual screen (we have 4 users in house).

>>>>Should I be doing all this as an Administrator in Safe Mode?

answer>>>YES

I would uninstall and reinstall Spybot.

What has Ad-Aware SE done? I use it along with Spybot and my antivirus as a 1-2-3 punch on baddies out there.

Also, you're an update behind in HijackThis. The newest is 1.98.2.
If none of these have worked completely, then there are a couple more downloads that may help.

When you reinstall Spybot, make sure that the wizard lets you check the resident and tea timer; that way it will be installed.

Hi!

Just a note to add to what akboss has advised:
Have HJT fix this one -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab

Also, search your computer for all instances of any of the DLLs or EXEs
that have been pinpointed for removal, and delete all you find.
Particularly check your prefetch, dllcache, and ALL temp folders.

Regards...
RF
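
Added example, not part of the original thread: a small Python triage script that compares successive HijackThis scans the way this thread does by eye, listing entries that survive a fix, entries that come back after a clean scan, and process paths of the `file:stream` form (an NTFS alternate data stream, which does not appear in a normal folder listing). The sample logs are constructed excerpts of lines copied from the three logs above, and the function names are illustrative.

```python
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then entry body
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")   # a second colon means file:stream

# Constructed excerpts: a few lines copied from each of the thread's three logs.
SCAN_0823 = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\system32\netig32.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
"""
SCAN_0826_AM = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TWAIN.DLL:ymhor

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
"""
SCAN_0826_PM = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\system32\netig32.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
"""
# The two entries the asker reports deleting repeatedly.
FIXED = [
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll",
]

def norm(line):
    # Case- and whitespace-insensitive form, so scans compare reliably.
    return " ".join(line.lower().split())

def parse_log(text):
    """Split a HijackThis log into running-process paths and section entries."""
    scan, in_procs = {"processes": [], "entries": []}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if ENTRY_RE.match(line):
            in_procs = False
            scan["entries"].append(line)
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            scan["processes"].append(line)
    return scan

def ads_processes(scan):
    """Process image paths that name an NTFS alternate data stream."""
    return [p for p in scan["processes"] if ADS_RE.match(p)]

def survived_fix(fixed_lines, later_scan):
    """Entries that were fixed in HijackThis but are listed again later."""
    later = {norm(e) for e in later_scan["entries"]}
    return [line for line in fixed_lines if norm(line) in later]

def reappeared(scans):
    """Entries present in one scan, missing from a later one, then back."""
    sets = [{norm(e) for e in s["entries"]} for s in scans]
    found = []
    for entry in sorted(set.union(*sets)):
        seen = "".join("1" if entry in s else "0" for s in sets)
        if re.search("10+1", seen):
            found.append(entry)
    return found

if __name__ == "__main__":
    scans = [parse_log(t) for t in (SCAN_0823, SCAN_0826_AM, SCAN_0826_PM)]
    print("ADS-backed processes:", [ads_processes(s) for s in scans])
    print("Survived the fix:", survived_fix(FIXED, scans[-1]))
    print("Reappeared:", reappeared(scans))
```

Entries that survive a fix or reappear between scans are the ones to trace back to whatever is rewriting them before fixing them again.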