I had some kind of spyware/adaware - every time I logged in, a program called "Setup" would automatically run, and task manager couldn't be opened unless I seached for it in Explorer. I deleted the files and that is not a problem anymore, but now, all the users on the computer has had desktops re-formatted to a plain blue background, the start up icons in the bottom right corner are not loading, and some programs such as Outlook do not run. THe desktop cannot be changed, and I am suspecting some kind of virus. I made a new user, and it seems to be working as normal, it is the old ones which are still affected.
I have attached a HJT log, please see if there are any problems.
Thanks.

Hello and welcome to Techspot.

I can find nothing particularly nasty in your HJT log. However, that doesn`t necessarily mean your system is clean.

Go HERE and follow the instructions exactly.

As for the desktop problem, you should try the following. Right click an empty place on the desktop and select properties. Click on the desktop tab, then click the cutomize desktop button. Click the web tab and untick any webpages that are selected in the web pages window. Make sure the lock desktop items box is unticked. Click ok/apply/ok. See if that allows you to change your dektop wallpaper.

Regards Howard :wave: :wave:

This thread is for the use of ashleyw only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

The previous log was from my new user that I made.
I have now attached a HJT log from one of the affected users.

There are a few nasty entries in your last HJT log.

Go HERE and follow the instructions exactly.

Post a fresh HJT log, only after doing the above.

Regards Howard

I followed all the steps above, and most of the tools that concentrate on a particular kind of virus came out clean.
However, the HJT log seemed to not have changed. I have attached a new log

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

O18 - Protocol: ipp - (no CLSID) - (no file)

O18 - Protocol: msdaipp - (no CLSID) - (no file)

Click on the fix checked button.

Close HJT.

Reboot into normal mode and turn system restore back on.


Regards Howard

This thread is for the use of ashleyw only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

In Safe Mode, there was an error when turning system restore off, and was unable to do so. I deleted the items on HJT anyway, but they reappeared in a new scan. After rebooting normally, I tried turning off system restore, and I was able to. In HJT, I then deleted the mentionned files, but they still persist and refuse to be deleted..=l

Turn system restore off, then boot into safe mode and follow the instructions. Post a fresh HJT log from normal mode after doing that.

Regards Howard