A yellow (sometimes red) triangle with an exclamation point inside brings up a Malware Alert stating the following: Warning! Trojan Adware.W32.ExpDwnldr spyware detected. This trojan allows attacker to access your computer from remote locations, stealing passwords, Internet banking and personal data. This also prompts advertising popups. This process is a security risk and should be removed from your system. Type: Trojan Horse. System Affected: Windows 98, 2000, NT, NE, XP. Security Risk(0-5): 4. Recommendations: Click Yes to get all available antispyware software.
My homepage keeps changing, and my desktop background changed with a red virus warning.
I ran HijackThis and the log appears below.
Logfile of HijackThis v1.99.1
Scan saved at 4:13:42 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp.../ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://music.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp.../ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*windowsupdate*;*.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Allen Jacobsen\Application Data\Mozilla\Profiles\default\ei20rvnu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Allen Jacobsen\Application Data\Mozilla\Profiles\default\ei20rvnu.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZSzeb029
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c.../dl/installs/yinst20040510.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://iowacniceweb0.../icm/caller.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...te/v6/V5Controls/en/x86/client/muweb_site.cab?1124157070031
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...ns/spywaredetector/ICSScanner37380.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ckwave/cabs/flash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...es/abasetup.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c.../dl/toolbar/my/yiebio5_0_2_6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9EF6AA-814F-4D19-A9E9-F38E5EFE2B9F}: NameServer = 170.215.255.114
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: msole - {E00B0440-2D44-45B7-A41B-9C4D16F1EF72} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {95019D4D-C96C-49CB-8B68-ED2050B45B56} - C:\WINDOWS\msdde.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Please advise as to how I can remove this menace once and for all.
I very much appreciate your help in this matter.
AJ-BrooklynNY
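Added triage example (not part of AJ's post, and not HijackThis code): a small Python script that parses lines in the HijackThis log format shown above and applies a few first-pass, defender-side heuristics that a forum helper would check by eye. The heuristics are review prompts, not verdicts: an entry whose file is missing, a service with no vendor information, a DLL or EXE loaded from the root of the Windows directory instead of system32 or a program folder, a DNS server override, and anything hooked into the Winlogon Notify or AppInit_DLLs load points. The sample input is a constructed subset of the entries from the log above; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a handful of entries copied from the log above,
# chosen so that each heuristic below fires at least once.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D9EF6AA-814F-4D19-A9E9-F38E5EFE2B9F}: NameServer = 170.215.255.114
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll (file missing)
O21 - SSODL: msole - {E00B0440-2D44-45B7-A41B-9C4D16F1EF72} - C:\WINDOWS\msole.dll
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
""".strip()

# Every HijackThis entry starts with a section code such as R1, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A binary sitting directly in C:\WINDOWS (no further subdirectory).
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# Load points that run inside winlogon or inside every user-mode process.
PRIVILEGED_LOAD_POINTS = ("Winlogon Notify", "AppInit_DLLs")


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section code, e.g. "O23"
    reason: str   # why a reviewer should look at this entry
    line: str     # the entry itself


def parse_entries(text):
    """Split log text into (section code, body) pairs; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def extract_path(code, body):
    """Return the file path an entry loads, or None when the entry carries no path."""
    if body.startswith("AppInit_DLLs: "):
        candidate = body.split(": ", 1)[1]
    else:
        # For BHO, toolbar, SSODL, Winlogon Notify and service entries the
        # path is the last " - " separated field.
        candidate = body.rsplit(" - ", 1)[-1]
    candidate = candidate.replace("(file missing)", "").strip()
    return candidate if re.match(r"^[A-Za-z]:\\", candidate) else None


def triage(text):
    """Apply the review heuristics to every entry and return the findings in log order."""
    findings = []
    for code, body in parse_entries(text):
        line = f"{code} - {body}"
        path = extract_path(code, body)
        if "(file missing)" in body:
            findings.append(Finding(code, "registry points at a file that no longer exists", line))
        if code == "O23" and "Unknown owner" in body:
            findings.append(Finding(code, "service carries no vendor information", line))
        if path and WINDOWS_ROOT_RE.match(path):
            findings.append(Finding(code, "binary sits directly in the Windows directory", line))
        if code == "O17":
            findings.append(Finding(code, "DNS server override; confirm it is the ISP's resolver", line))
        if code == "O20" and any(point in body for point in PRIVILEGED_LOAD_POINTS):
            findings.append(Finding(code, "privileged load point; verify the vendor of the DLL", line))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.code}] {finding.reason}\n    {finding.line}")
```

Run against the constructed sample, the script leaves the Adobe and Bonjour entries alone and raises nine review prompts across the other seven lines; the service with no vendor that lives in the Windows root and the missing Winlogon Notify DLL each trip two heuristics at once. Paste a full log into SAMPLE_LOG (or read it from a file) to get the same first pass over every entry.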