Spyware problem!!

Posted on 2005-04-24
Last Modified: 2016-10-25
I seem to have a bad spyware problem on my computer. It is running very slowly and I am getting a lot of pop ups. Can you help me get rid of this. I have posted my log file below:

Logfile of HijackThis v1.99.1
Scan saved at 8:31:08 AM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marsha\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marsha\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =*
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Marsha\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TvmBho.dll
O2 - BHO: (no name) - {9C9E9A27-C910-4441-8680-2DFE85E5BFAD} - C:\WINDOWS\System32\ffmn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Marsha\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: ZIPscript.lnk = C:\NavPress\ZIPscrpt.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM32\MAXSPEED.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM32\MAXSPEED.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1EA8C5E175B0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8517FE74-CC6B-48BF-B2DC-1EA8C5E175B0} - (no file) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) -
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
O18 - Filter: text/html - {FC4F1150-54BA-44E0-8A63-1DF7132B2765} - C:\WINDOWS\System32\ffmn.dll
O18 - Filter: text/plain - {FC4F1150-54BA-44E0-8A63-1DF7132B2765} - C:\WINDOWS\System32\ffmn.dll
O23 - Service: PRTG 4 Service - Paessler Router Traffic Grapher (PRTG4Service) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher 4\prtg4.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thank you.

Question by:aej1973
    LVL 10

    Accepted Solution

    Here is your anylized log, run it again in safe mode with system restore disabled then remove what the log says to.
    LVL 38

    Assisted Solution

    by:Rich Rumble
    First, turn off system restore, since your using Xp, then using a few tools try to remove the programs/pest's- again only after turning off system restore.

    Try these tools to remove the pest's
    LVL 27

    Assisted Solution

    Additionally you might want to test if these webbrowsers help you in avoiding malware/spyware: and

    Richrumbles suggestion to use the microsoft Antispyware (beta) is a good choice. It is running all the time in background and pops up, when some program wants to change anything important in your windows system, like changing IE settings, adding programs to autostart etc.
    A bit too colourfull, but still not annoying.

    Another solution would be spybot search & destroy, it comes with a resident program called teatimer, preventing changes to the system too, maybe a bit more sophisticated, and LESS colourfull ;-) You can get it from here:

    A third solution (though payware) is acronis privacy expert 8, it comes with a bundle of features, including a resident spyware shield.   There is a 15 days trial version available.

    Acronis Privacy Expert Suite is not only an anti-spyware solution.
    It delivers the best value on the market with the must-have security and privacy tools:
    Internet clean-up: protect your Internet privacy removing traces of your surfing;
    System clean-up: eliminate traces of your system activities;
    Disk clean-up: securely destroy all the data on your old hard disk;
    File shredder: make your deleted data unrecoverable by undelete or unerase utilities;
    Pop-up blocker: stop unwanted pop-up ads;
    Data destruction methods: wipe out all data without possibility to recover through the use of 8 powerful data destruction methods.

    Being a computer maniac, I use all three programs (but not all of them parallel activated). My best choice was to use firefox and using an account w/o administrator rights. Most spyware is not able to infest my system because I have no proper rights to do so, so the spyware is locked out too.

    Good luck,


    Author Comment

    Thank you very much for all the help, the system looks much better now. I have one more question;

    I had a back ground picture before my system got infected with the spyware but now as a back ground picture I only have a black screen on  my desktop. How do I get my original picture back? Thanks a ton again for all the help.

    LVL 27

    Expert Comment

    Is it listed in desktop -> properties ->desktop ->background?

    -> Search Button.

    Or you simply download it again from the internet.

    LVL 12

    Expert Comment

    Or reactivate the active desktop :)

    Righclick the background and set it there.

    C:\WINDOWS\System32\rundll32.exe could be executed to run a malicious .dll file.
    The file itsself is 100% windows safe.

    Also do NOT run hijackthis from a temp directory,
    Create a nice dir for it to run from.

    Author Comment

    Hello: I am sorry for the delay in getting back. I was on the road for a few days.
    When I get to the desktop properties it gives me a option only to change the screen saver and there is no desktop option.Also when I turn on the computer I get the following message;

    c:/document ~/admin/local~?temp/se.dll
    Module cannot be found

    What is to be done, it takes a lot of time before the system starts up. The spyware problem seems to have been taken care of. Thank you for the help.

    LVL 12

    Expert Comment


    This is probably a "reach" but -
    Run "Regedit" and navigate to this key:
    What is showing in the right-hand pane?


    Author Comment

    Name: default
    Data: Value not set

    This is what is there on the right hand side. Thanks.
    LVL 3

    Expert Comment

    Download and run adaware and microsoft anti-spyware.  These two together do a great job for me and they're free!!
    LVL 12

    Assisted Solution

    These are the locations that XP loads background images from:
    %USERPROFILE%\My Documents\My Pictures (& sub-folders)
    %AppData%\Microsoft\Internet Explorer
    %ProgramFiles%\Plus!\Themes (& sub-folders)

    Check them.

    Featured Post

    6 Surprising Benefits of Threat Intelligence

    All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

    Join & Write a Comment

    I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
    Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now