
BestFriends.scr? IE Acting Weird


KODMaelstroM
28 Oct 2004, 9:19pm
Alright, my family clicked a link in somebody's profile and proceeded to download the file. It was one of those LOOK HERE! They said that it ended in .scr but forgot the beginning. It is probably BestFriends.scr. Anyways, my AIM is fine and my computer seems all right, but IE is acting a little weird. Every site I go to, the Information Bar displays this message. "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..."
It's getting annoying and I think that traces of this trojan are still present. Please help me fix this! Thanks

Logfile of HijackThis v1.98.2
Scan saved at 4:05:41 PM, on 10/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Desktop\Unused Desktop Shortcuts\hijackthis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7947.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe

Kwitko
28 Oct 2004, 9:44pm
"To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..."


This is a function of SP2 in Windows XP. It's not from a virus or trojan. However, you *are* infected by trojans. Remove the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7947.dll' missing
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe

I suggest you install some sort of virus scanner. I didn't see anything resident on your system. You need to protect your PC, otherwise you'll just be going around in circles, getting infected, removal, reinfection, removal...
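As an added example, not part of this thread and not HijackThis's own logic: a small Python triage script that applies the kinds of rules behind the removal list above to posted log lines. It flags O4 autorun entries whose command is a bare filename (resolved via the system search order instead of a known install path), a RunServices entry on an NT-family platform (a Windows 9x/ME-era key that XP does not process), an O16 DPF entry whose URL is a local file:// path, an O10 broken-LSP line, and an R0/R1 search setting reset to about:blank. The sample log is a handful of lines copied from the first log in this thread; the rule set is my own heuristic, and legitimate entries can still trip it, so treat hits as items to check, not verdicts.

```python
import re

# Constructed sample: a few lines copied from the first HijackThis log in this
# thread plus the Platform line the RunServices rule needs. Not a full log.
SAMPLE_LOG = r"""Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] svchosting.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] svchosting.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7947.dll' missing
O16 - DPF: {11111111-1111-1111-1111-111111111133} - file://c:\windows\temp\ie.exe
"""

# HijackThis 1.98 line shapes for the sections this example cares about.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) - (?P<url>\S+)")
R_RE = re.compile(r"^R[01] - .* = (?P<value>.*)$")


def triage(log_text):
    """Return [(line, reason), ...] for every line at least one heuristic fires on.

    The heuristics are this example's own assumptions about what is worth a
    second look; they are not HijackThis rules and do not prove infection.
    """
    lines = [l.rstrip() for l in log_text.splitlines()]
    # NT-family platforms (XP included) ignore the 9x-era RunServices key.
    is_nt = any(l.startswith("Platform:") and "WinNT" in l for l in lines)
    hits = []
    for line in lines:
        reasons = []

        m = O4_RE.match(line)
        if m:
            tokens = m.group("cmd").split()
            exe = tokens[0].strip('"') if tokens else ""
            if "\\" not in exe:
                reasons.append("autorun command is a bare filename; it resolves via the "
                               "system search order, not a known install path")
            if m.group("key") == "RunServices" and is_nt:
                reasons.append("RunServices is a Windows 9x/ME key that NT-family Windows "
                               "does not process; an installer has no reason to write it on XP")

        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file:"):
            reasons.append("ActiveX download (DPF) entry points at a local file, not a vendor URL")

        if line.startswith("O10 - ") and "Broken Internet access" in line:
            reasons.append("Winsock LSP chain references a DLL that is missing; "
                           "networking stays broken until the chain is repaired")

        m = R_RE.match(line)
        if m and m.group("value").strip().lower() == "about:blank":
            reasons.append("IE search/start setting reset to about:blank, a common hijacker footprint")

        for r in reasons:
            hits.append((line, r))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {reason}")
```

Run it as-is to see the six hits on the sample; feed it a saved HijackThis log via `triage(open(path).read())` for a real triage. The bare-filename rule is the one that catches `svchosting.exe` even without knowing the name: a legitimate autorun almost always carries a full path.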

KODMaelstroM
28 Oct 2004, 11:05pm
I fixed those files... I still get the message in IE, though. I know that it's an SP2 add-on, but before I got this trojan, it didn't pop up on any web pages. Now it pops up on all of them and I don't want it there. Is there any reason why it pops up all the time, as opposed to before? Are there any settings I can change or files to delete that will get rid of this so my computer goes back to the way it was before?

Thanks so far, Kwitko

Kwitko
28 Oct 2004, 11:11pm
Please post a new log and let's make sure it's all gone. And get thee to an antivirus quick!

KODMaelstroM
29 Oct 2004, 12:01am
Logfile of HijackThis v1.98.2
Scan saved at 6:51:48 PM, on 10/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ryan\Desktop\Unused Desktop Shortcuts\hijackthis1982.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\iTunes\iTunesHelper.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

SpywareShooter
29 Oct 2004, 2:08am
That log looks fine. You can delete this entry just because it's clutter:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Are you still having any problems?

KODMaelstroM
29 Oct 2004, 2:30am
Yeah, the annoying "To help protect your security, Internet Explorer has restricted this file from showing active content that could access your computer. Click here for options..." won't go away. And it never used to show up before, so something's up or I changed something that led to it. Is there any way to get rid of it? Maybe there is a command or option that will allow this "blocked content" that shouldn't even be blocked?

SpywareShooter
29 Oct 2004, 2:31am
What is the file that is trying to connect to the Internet?

KODMaelstroM
29 Oct 2004, 8:48pm
I don't know... it wasn't there before...