• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2886
  • Last Modified:

HijackThis log - Computer full of executables and s-l-o-w. Please Help me.....

Computer has become very slow and hangs frequently. Have Adaware and Norton anti-virus. Have run both but problem remains. Attached is HijackThis log. Hopefully someone can tell me what to delete. thank you thank you thank you
Logfile of HijackThis v1.98.0
Scan saved at 9:08:04 PM, on 8/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\netig32.exe
C:\windows\system32\sncntr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\system32\sp2ctr.exe
C:\windows\system32\glwjmgeb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\yawofm.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\system32\javajb.exe
O4 - HKLM\..\RunOnce: [ntha32.exe] C:\WINDOWS\system32\ntha32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\ipuo.exe
O4 - HKLM\..\RunOnce: [crmv.exe] C:\WINDOWS\system32\crmv.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\system32\atlkt32.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\ierr.exe
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [crsz32.exe] C:\WINDOWS\crsz32.exe
O4 - HKLM\..\RunOnce: [crnw32.exe] C:\WINDOWS\crnw32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [crch32.exe] C:\WINDOWS\crch32.exe
O4 - HKLM\..\RunOnce: [javall.exe] C:\WINDOWS\system32\javall.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [mssu32.exe] C:\WINDOWS\mssu32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKLM\..\RunOnce: [apicg.exe] C:\WINDOWS\apicg.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\system32\atlfw32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\system32\apipr.exe
O4 - HKLM\..\RunOnce: [appan32.exe] C:\WINDOWS\appan32.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\crkv.exe
O4 - HKLM\..\RunOnce: [javalm.exe] C:\WINDOWS\system32\javalm.exe
O4 - HKLM\..\RunOnce: [winiv.exe] C:\WINDOWS\winiv.exe
O4 - HKLM\..\RunOnce: [addcs32.exe] C:\WINDOWS\system32\addcs32.exe
O4 - HKLM\..\RunOnce: [sdkew.exe] C:\WINDOWS\system32\sdkew.exe
O4 - HKLM\..\RunOnce: [ipry.exe] C:\WINDOWS\ipry.exe
O4 - HKLM\..\RunOnce: [addjd32.exe] C:\WINDOWS\system32\addjd32.exe
O4 - HKLM\..\RunOnce: [atlif.exe] C:\WINDOWS\atlif.exe
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\system32\msnn32.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [javaou32.exe] C:\WINDOWS\javaou32.exe
O4 - HKLM\..\RunOnce: [winwr32.exe] C:\WINDOWS\system32\winwr32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

0
jalvord1
Asked:
jalvord1
  • 6
  • 6
1 Solution
 
akbossCommented:
well looks like you have pick up quite a bit of spyware.

I suggest you download spybot 1.3 and the NEW ad-aware SE.
Run these when you run your A/V.

Now in HJT check these and then click fix.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\yawofm.exe
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [glwjmgeb] c:\windows\system32\glwjmgeb.exe /install
O4 - HKLM\..\RunOnce: [atlgd.exe] C:\WINDOWS\atlgd.exe
O4 - HKLM\..\RunOnce: [iewh32.exe] C:\WINDOWS\system32\iewh32.exe
O4 - HKLM\..\RunOnce: [javajb.exe] C:\WINDOWS\system32\javajb.exe
O4 - HKLM\..\RunOnce: [ntha32.exe] C:\WINDOWS\system32\ntha32.exe
O4 - HKLM\..\RunOnce: [ntzh.exe] C:\WINDOWS\system32\ntzh.exe
O4 - HKLM\..\RunOnce: [ieze32.exe] C:\WINDOWS\ieze32.exe
O4 - HKLM\..\RunOnce: [ipuo.exe] C:\WINDOWS\ipuo.exe
O4 - HKLM\..\RunOnce: [crmv.exe] C:\WINDOWS\system32\crmv.exe
O4 - HKLM\..\RunOnce: [atlkt32.exe] C:\WINDOWS\system32\atlkt32.exe
O4 - HKLM\..\RunOnce: [crzv32.exe] C:\WINDOWS\crzv32.exe
O4 - HKLM\..\RunOnce: [ierr.exe] C:\WINDOWS\ierr.exe
O4 - HKLM\..\RunOnce: [crpw32.exe] C:\WINDOWS\system32\crpw32.exe
O4 - HKLM\..\RunOnce: [crsz32.exe] C:\WINDOWS\crsz32.exe
O4 - HKLM\..\RunOnce: [crnw32.exe] C:\WINDOWS\crnw32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\system32\ipmd32.exe
O4 - HKLM\..\RunOnce: [ipep.exe] C:\WINDOWS\ipep.exe
O4 - HKLM\..\RunOnce: [crch32.exe] C:\WINDOWS\crch32.exe
O4 - HKLM\..\RunOnce: [javall.exe] C:\WINDOWS\system32\javall.exe
O4 - HKLM\..\RunOnce: [crpn32.exe] C:\WINDOWS\system32\crpn32.exe
O4 - HKLM\..\RunOnce: [mssu32.exe] C:\WINDOWS\mssu32.exe
O4 - HKLM\..\RunOnce: [appdq.exe] C:\WINDOWS\system32\appdq.exe
O4 - HKLM\..\RunOnce: [netpf.exe] C:\WINDOWS\netpf.exe
O4 - HKLM\..\RunOnce: [apicg.exe] C:\WINDOWS\apicg.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\system32\atlfw32.exe
O4 - HKLM\..\RunOnce: [apipr.exe] C:\WINDOWS\system32\apipr.exe
O4 - HKLM\..\RunOnce: [appan32.exe] C:\WINDOWS\appan32.exe
O4 - HKLM\..\RunOnce: [crkv.exe] C:\WINDOWS\crkv.exe
O4 - HKLM\..\RunOnce: [javalm.exe] C:\WINDOWS\system32\javalm.exe
O4 - HKLM\..\RunOnce: [winiv.exe] C:\WINDOWS\winiv.exe
O4 - HKLM\..\RunOnce: [addcs32.exe] C:\WINDOWS\system32\addcs32.exe
O4 - HKLM\..\RunOnce: [sdkew.exe] C:\WINDOWS\system32\sdkew.exe
O4 - HKLM\..\RunOnce: [ipry.exe] C:\WINDOWS\ipry.exe
O4 - HKLM\..\RunOnce: [addjd32.exe] C:\WINDOWS\system32\addjd32.exe
O4 - HKLM\..\RunOnce: [atlif.exe] C:\WINDOWS\atlif.exe
O4 - HKLM\..\RunOnce: [msnn32.exe] C:\WINDOWS\system32\msnn32.exe
O4 - HKLM\..\RunOnce: [netbc.exe] C:\WINDOWS\system32\netbc.exe
O4 - HKLM\..\RunOnce: [javaou32.exe] C:\WINDOWS\javaou32.exe
O4 - HKLM\..\RunOnce: [winwr32.exe] C:\WINDOWS\system32\winwr32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


also make sure these folders are removed.

C:\windows\system32\sp2ctr.exe
C:\windows\system32\glwjmgeb.exe
C:\WINDOWS\system32\netig32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\windows\system32\sncntr.exe




0
 
jalvord1Author Commented:
Thanks, that made a hugh difference! still have a problem where my IE explorer gets hijacked. I've posted the hijack this log below. Is there anything still hiding here that corrupts IE? Many thanks!

Logfile of HijackThis v1.98.0
Scan saved at 8:02:40 AM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install2.5/Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4383/mcfscan.cab

0
 
jalvord1Author Commented:
Forgot to add:
When booting up, now Windows Installer runs trying to install something from Microsoft Office. I have to hit 'cancel' many time to get it to stop.....
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
akbossCommented:

>>>Thanks, that made a hugh difference! still have a problem where my IE explorer gets hijacked

Did you set the resident and tea timers in spybot?
On the task bar near the clock there shold be an icon for spybot. Right click on it and select resident IE. Make sure that there are check marks next to
(block all bad pages silently)and (use resident in IE sessions)
If you choose the advanced mode for spybot then click on the "tools" bar on the left side.There you need to find "resident" and click on it. you will see a box that says "resident protection status" both check boxes should have checks in them.

By doing this spybot will do alot of the work for you. You may start getting "spybot" popups that ask for permissions. Grant permission if there was something you downloaded or started up. If you did not do anything then deny permissions.

Now these need to get clean.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll

Do you know the programs associated with these? If you dont then you might consider removing them.

C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
O16 - DPF: {140F03AE-0588-11D4-BD45-0050048A82BF} (eShare Web Collaboration Class) - http://63.166.193.103/netagent/objects/emagic.cab

If your ok with looking in your registry then I will take you through it as a final check.
0
 
jalvord1Author Commented:
Thanks for your help so far. I'm kind of a newbie and I'm not quite sure what you mean by "set the resident and tea timers in spybot". I have Spybot Search & Destroy 1.3. There is no icon in the tray on the right side. Should there be? or are you referring to a different spybot program?
Thanks in advance!

0
 
jalvord1Author Commented:
forgot to post: Here's the latest Hijackthis log. Every time I delete :
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
....it keeps coming back!


C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
...these are both files associated with Tiny Personal Firewall

Here's the log:
Logfile of HijackThis v1.98.0
Scan saved at 4:17:18 PM, on 8/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall Pro\UmxAgent.exe
C:\Program Files\Tiny Firewall Pro\UmxTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TWAIN.DLL:ymhor
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\netig32.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Verizon Control Pad] "C:\Program Files\Verizon Online\ControlPad\cpad.exe" #SPLASH
O4 - HKLM\..\Run: [netig32.exe] C:\WINDOWS\system32\netig32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall Pro\amon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S11.tmp"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\ControlPad\Misc\a_menu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38

0
 
akbossCommented:
You can set those in spybot under the advance mode.
"If you choose the advanced mode for spybot then click on the "tools" bar on the left side.There you need to find "resident" and click on it. you will see a box that says "resident protection status" both check boxes should have checks in them.
"

C:\WINDOWS\system32\d3dl32.dll>>>this needs to be deleted not the system32 file but the d3dl32.dll.
You will need to "show all files" and "show hidden extension" to see them all.

fix these after you have removed the .dll above.
 
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {935FF0DB-6EAC-6699-8318-C1F0F013C96D} - C:\WINDOWS\system32\d3dl32.dll
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB6B1167-645C-4B5A-A9AD-4AD165D51E4E}: NameServer = 199.45.32.43 199.45.32.38
0
 
jalvord1Author Commented:
I can't seem to check the "sd helper" box. The other one is now checked. Consequently, when I right click on the icon next to the clock, the "resident ie" is grayed out......
0
 
akbossCommented:
hmm...ok if you go back into spybot there is a "immunize" button. Click on this one and let it immunize everything. On the right side the is a box  that says "permanently running bad..." make sure the "enable" box is checked and the menu below that says "block all pages silently".

Then go to the "tools" bar and click on it. make sure all the boxes are checked.(ie: view report,resident,shredder,etc).


this should set that to the right setting.

Did you find the C:\WINDOWS\system32\d3dl32.dll and remove it?

0
 
jalvord1Author Commented:
most curious....From the Immunize screen, I cannot check the 'enable permanent blocking of bad addresses'' . There is a yellow exclamation mark that indicates: "Browser helper to block bad addresses in NOT installed.....

I did delete the d3dl32.dll file but it keeps returning...I have system restore off. Should I be doing all this as an Administrator in Safe Mode? Up to this point, I've signed onto XP with my individual screen (We have 4 users in house)
0
 
akbossCommented:
>>>>Should I be doing all this as an Administrator in Safe Mode?

answer>>>YES

I would uninstall and re install spybot.

What has ad-aware SE done? I use it along with spybot and my Anti virus as a 1-2-3 punch on baddies out there.

Also your an update behind in HijackThis. Newest is 1.98.2
0
 
akbossCommented:
If none of these have worked completely then there are a couple more downloads that may help.


When you re install spybot make sure that the wizard lets you check the resident and tea timer that way it will be installed.
0
 
rossfingalCommented:
Hi!

Just a note to add to what akboss has advised:
Have HJT fix this one -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2901cdb6bd246dc06f06/netzip/RdxIE601.cab

Also, search your computer for all instances of any of the dll's or exe's
that have been pinpointed for removal, and delete all you find.
Particularly check your prefetch, dllcache, and ALL temp folders.

Regards...
RF
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now