Desktop Background (Spyware)

Archived from groups: microsoft.public.windowsxp.general

I have a computer that I am working on (XP Home Edition) and I have removed
500 plus items via Ad-Aware; however, his desktop background continues to have
this ad that says WARNING YOU'RE IN DANGER and continues on about data
being stored on your hard disk. I removed the offending wallpaper but I
believe there is still spyware on the computer. Below is my HijackThis log.
I am not sure what else to remove. Thanks for any help you can give.

Logfile of HijackThis v1.99.1
Scan saved at 1:58:09 PM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717177651316} -
C:\WINDOWS\System32\qwe1316.dll (file missing)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} -
C:\WINDOWS\System32\wer8274.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program
Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program
Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [uvsyjkbwtjzme] C:\WINDOWS\System32\ydcvlhs.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program
Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from
HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file
missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper -
{E8B9E9BB-E650-4FA7-B589-370A74555449} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper -
{E8B9E9BB-E650-4FA7-B589-370A74555449} - (no file)
O12 - Plugin for .wav: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dlt/121.chm::/file.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software -
C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  1. Archived from groups: microsoft.public.windowsxp.general

    back up data, format, clean install. really, when you removed that many
    objects, it makes the most sense.


    "Branden" wrote:

    > I have a computer that I am working on (XP Home Edition) and I have removed
    > 500 plus items via Ad-Aware; however, his desktop background continues to have
    > this ad that says WARNING YOU'RE IN DANGER and continues on about data
    > being stored on your hard disk. I removed the offending wallpaper but I
    > believe there is still spyware on the computer. Below is my HijackThis log.
    > I am not sure what else to remove. Thanks for any help you can give.
  2. Archived from groups: microsoft.public.windowsxp.general

    Hi Branden,

    This can be handled via Safe Mode. I had two systems in today with the
    same. The desktop screen is listed via Desktop/Desktop Customize/Web,
    simply uncheck Security. As for the rest, run HT in Safe Mode and follow
    the paths given, delete, reboot. More info:

    1. Start/Run/Regedit

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Gain the exact path.
    Note: Save these two to regedit favorites.

    2. Start/Run/Msconfig/Startup

    Gain the exact path.

    3. Follow the path via Windows Explorer.

    Leave/have all three windows opened, now open the Task Manager.

    Once knowing the exact path, end the process via the Task Manager, then
    delete the entry via Windows Explorer. From there, delete the run command
    from both regedit and msconfig. With regedit still open, hit F5. If it
    replaces itself, you didn't do it in a timely manner or you didn't follow
    the exact placement path.

    Note: In some cases, depending, you will be allowed to rename the .exe via
    safe mode and then delete.

    --

    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com


    "Branden" <Branden@discussions.microsoft.com> wrote in message
    news:F5AE6F75-A7D6-4A71-9F1B-43DB434225D4@microsoft.com...
    > I have a computer that I am working on (XP Home Edition) and I have removed
    > 500 plus items via Ad-Aware; however, his desktop background continues to have
    > this ad that says WARNING YOU'RE IN DANGER and continues on about data
    > being stored on your hard disk. I removed the offending wallpaper but I
    > believe there is still spyware on the computer. Below is my HijackThis log.
    > I am not sure what else to remove. Thanks for any help you can give.
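The steps in the reply above start from the exact path of each startup entry, which is hard to read off a log that the newsreader has hard-wrapped and quoted. The following is an added example, not part of the thread and not HijackThis code: it rejoins wrapped entries, lists the O4 autostart targets, and picks out entries whose file is already gone. The function names are hypothetical and the sample is a constructed excerpt of the log posted above.

```python
import re

# Constructed sample: entries copied from the log posted in this thread, left
# hard-wrapped (and one of them quoted with ">") as the newsreader delivered them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717177651316} -
C:\WINDOWS\System32\qwe1316.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
> O4 - HKLM\..\RunOnce: [Srv32 spool service]
> C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll (file
missing)
"""

# A log entry starts with a section code such as "R0 - ", "O4 - ", "O23 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# Leading indentation and any depth of ">" reply quoting.
QUOTE_PREFIX = re.compile(r"^\s*(?:>\s?)*")
RUN_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Either a quoted path, or everything up to the first executable extension.
TARGET_RE = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)', re.I)
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def join_wrapped(text):
    """Return one string per log entry, undoing quoting and hard wraps.

    Lines before the first entry (header, process list) are skipped. Pass
    only the log body: any text after the log would be glued to the last entry.
    """
    entries = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            # The wrap happened at a space, so a single space restores it.
            entries[-1] += " " + line
    return entries


def target_of(cmd):
    """Extract the file path from a startup command line."""
    m = TARGET_RE.match(cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def autostarts(entries):
    """List O4 entries with the exact path to look up in Explorer."""
    found = []
    for entry in entries:
        m = RUN_RE.match(entry) or LNK_RE.match(entry)
        if not m:
            continue
        path = target_of(m.group("cmd"))
        found.append({
            "location": m.group("loc"),
            "name": m.group("name"),
            "path": path,
            # No directory given: the file must be located before it can be checked.
            "bare_name": "\\" not in path,
        })
    return found


def orphans(entries):
    """Entries whose file HijackThis could not find on disk."""
    return [e for e in entries if ORPHAN_RE.search(e)]


if __name__ == "__main__":
    log = join_wrapped(SAMPLE_LOG)
    for item in autostarts(log):
        note = "  (no directory in entry)" if item["bare_name"] else ""
        print(f'{item["location"]:<16} {item["name"]:<22} {item["path"]}{note}')
    print("\nEntries pointing at a missing file:")
    for entry in orphans(log):
        print(" ", entry)
```
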
  3. Archived from groups: microsoft.public.windowsxp.general

    > it makes the most sense.

    What kind of sense is that Kelly? Would you do the same?

    --

    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com


    "Kelly" <Kelly@discussions.microsoft.com> wrote in message
    news:11039653-56FC-4B62-BF57-C578F206EAD5@microsoft.com...
    > back up data, format, clean install. really, when you removed that many
    > objects, it makes the most sense.
  4. Archived from groups: microsoft.public.windowsxp.general

    Hi.

    You can go to these forums and post that logfile instead.
    http://forum.aumha.org/viewforum.php?f=30&sid=6bfda236300a9af91ff67b2ca29d42eb
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    http://forums.tomcoyote.org/index.php?s=b8056765ea907bee6736bba11f47570e&showforum=27

    Just a few. You might have to register though.

    Regards,

    Gunilla.

    "Branden" <Branden@discussions.microsoft.com> wrote in message
    news:F5AE6F75-A7D6-4A71-9F1B-43DB434225D4@microsoft.com...
    > I have a computer that I am working on (XP Home Edition) and I have removed
    > 500 plus items via Ad-Aware; however, his desktop background continues to have
    > this ad that says WARNING YOU'RE IN DANGER and continues on about data
    > being stored on your hard disk. I removed the offending wallpaper but I
    > believe there is still spyware on the computer. Below is my HijackThis log.
    > I am not sure what else to remove. Thanks for any help you can give.
    > O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -
    > C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    > O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
    > c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    > O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec
    > Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    > O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec
    > Corporation -
    > c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    > O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software -
    > C:\WINDOWS\System32\gearsec.exe
    > O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
    > C:\Program Files\iPod\bin\iPodService.exe
    > O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec
    > Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    > O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    > O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton
    > AntiVirus\SAVScan.exe
    > O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
    > Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    >
    >
  5. Archived from groups: microsoft.public.windowsxp.general

    Thanks for the websites. Geeks to go looks like it will work well. I really
    appreciate it.

    "Gunilla" wrote:

    > Hi.
    >
    > You can go to these forums and post that logfile instead.
    > http://forum.aumha.org/viewforum.php?f=30&sid=6bfda236300a9af91ff67b2ca29d42eb
    > http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    > http://forums.tomcoyote.org/index.php?s=b8056765ea907bee6736bba11f47570e&showforum=27
    >
    > Just a few. You might have to register though.
    >
    > Regards,
    >
    > Gunilla.
    >
  6. Archived from groups: microsoft.public.windowsxp.general

    You are welcome! :-))

    Gunilla.

    "Branden" <Branden@discussions.microsoft.com> wrote in message
    news:57BD2087-9B95-4128-B564-612E6845D4C8@microsoft.com...
    > Thanks for the websites. Geeks to go looks like it will work well. I
    > really
    > appreciate it.
    >
    > "Gunilla" wrote:
    >
    >> Hi.
    >>
    >> You can go to these forums and post that logfile instead.
    >> http://forum.aumha.org/viewforum.php?f=30&sid=6bfda236300a9af91ff67b2ca29d42eb
    >> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    >> http://forums.tomcoyote.org/index.php?s=b8056765ea907bee6736bba11f47570e&showforum=27
    >>
    >> Just a few. You might have to register though.
    >>
    >> Regards,
    >>
    >> Gunilla.
    >>
    >> "Branden" <Branden@discussions.microsoft.com> wrote in message
    >> news:F5AE6F75-A7D6-4A71-9F1B-43DB434225D4@microsoft.com...
    >> >I have a computer that I am working on (XP Home Edition) and I have
    <Snipped>
  7. Archived from groups: microsoft.public.windowsxp.general

    "Kelly" <Kelly@discussions.microsoft.com> wrote in message
    news:11039653-56FC-4B62-BF57-C578F206EAD5@microsoft.com...
    > back up data, format, clean install. really, when you removed that many
    > objects, it makes the most sense.

    Nonsense!!!

    the OP can post his log here
    http://forum.aumha.org/

    But he can make a start by removing both these items listed below and
    the associated run key
    uvsyjkbwtjzme and ydcvlhs.exe [stop both with Task Manager first].

    O4 - HKLM\..\Run: [uvsyjkbwtjzme] C:\WINDOWS\System32\ydcvlhs.exe

    rgds
    Li'l Roberto


    > "Branden" wrote:
    >
    >> I have a computer that I am working on (XP Home Edition) and I have
    >> removed
    >> 500 plus items via adaware however his desktop background continues to
    >> have
    >> this ad that says WARNING YOU'RE IN DANGER and continues on about data
    >> being stored on your hard disk. I removed the offending wallpaper but I
    >> believe there is still spyware on the computer. Below is my HIJACK This
    >> log.
    >> I am not sure what else to remove thanks for any help you can give.
    >>
    >> Logfile of HijackThis v1.99.1
    >> Scan saved at 1:58:09 PM, on 6/6/2005
    >> Platform: Windows XP SP1 (WinNT 5.01.2600)
    >> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
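
A triage sketch for the kind of autorun entry singled out in the post above, added here as an example and not part of the thread. It rejoins the wrapped log lines and lists `O4` Run entries that launch from System32 under a value name unrelated to the executable's file name. That rule and the function names are assumptions chosen for illustration, and a hit means "look this entry up", not a verdict.

```python
import ntpath
import re

# Constructed sample: O4 lines copied from the log in this thread, keeping
# the hard line wraps that the newsgroup archive introduced.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [uvsyjkbwtjzme] C:\WINDOWS\System32\ydcvlhs.exe
"""

ENTRY_START = re.compile(r"^[RFNO]\d+ - ")   # every HijackThis entry starts with a section code
RUN_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)$")
EXE_PATH = re.compile(r'^"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def rejoin_wrapped(text):
    """Merge continuation lines back onto the entry they were wrapped from."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line    # the wrap replaced a space
    return entries

def review_candidates(text):
    """Return (value_name, exe_path) pairs that match the illustrative rule."""
    hits = []
    for entry in rejoin_wrapped(text):
        run = RUN_ENTRY.match(entry)
        exe = EXE_PATH.match(run.group(2)) if run else None
        if not exe:
            continue
        name, path = run.group(1), exe.group(1)
        folder, filename = ntpath.split(path.lower())
        stem = filename[:-4]             # drop ".exe"
        related = stem in name.lower() or name.lower() in stem
        if folder.endswith(r"\windows\system32") and not related:
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in review_candidates(SAMPLE_LOG):
        print(f"review: [{name}] -> {path}")
```
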