Help, please.

Well, one day my computer flipped out. I couldn't right-click anything on AOL, and then when I tried to close it, I kept getting this error saying "If you receive this error repeatedly, exit AOL." I don't remember if I closed AOL or if I turned off the whole computer, but I ran a virus scan with AVG and it told me that winlogon was infected and not healable, so I moved it to the vault. Before all this, though, AVG found a trojan horse dropper thing infecting svchost, and so it deleted it, and I got the same exact thing with a second virus scan. Also, adaware keeps finding ads, deleting them, and then finding more.

Anyways, after I moved winlogon to the vault, I restarted my computer to make sure I didn't **** anything up, and it turned out I did. I got a blue screen and this error:

STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0x0000022 (0x00000000 0x00000000).
The system has been shut down.

I can only run it in Safe Mode now.

Comments

  • edited February 2007
    Do I need to give more information?
  • TroganTrogan London, UK
    edited February 2007
    Hi Bogus

    Click here to download HJTsetup.exe, and save it to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    • Copy and paste the log here
    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
  • edited February 2007
    I got past the blue screen. I think I managed to narrow the issue down to this:

    trojan Win32/Wigon.E found in operating memory. The file can be deleted. It is strongly recommended that you back up any crucial data before you proceed. No action can be taken while the file is in memory. Click "Leave" to continue and subsequently run the cleaning of all local disks. System memory infection originated from file C:\WINDOWS\System32\wsys.dll.

    That's what this virus scan says. Is this file important? Should I delete it, rename it, what?

    By the way, I got past the blue screen by uninstalling AVG.
  • TroganTrogan London, UK
    edited February 2007
    Can you follow the instructions from my previous post and then we can see what's going on.
  • edited February 2007
    Is it okay if I PM it to you? It seems like personal stuff.
  • TroganTrogan London, UK
    edited February 2007
    I will only help you in the forums. Any person in any forum who needs help, posts a HijackThis log...there is nothing personal about it.
  • edited February 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 1:39:44 PM, on 2/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\bak\bak\qttask.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\America Online 9.0d\waol.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    C:\Program Files\America Online 9.0d\shellmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32.exe
    C:\Program Files\Eset\nod32.exe
    C:\Documents and Settings\Michael\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Robin\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {3ff565c0-a20f-4f09-9763-9a5949e4340f} - C:\WINDOWS\system32\kbdsft.dll (file missing)
    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp630F.tmp (file missing)
    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: kbdsft - kbdsft.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • TroganTrogan London, UK
    edited February 2007
    Thanks for the log.

    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

    Please do the following...

    1. Create a folder on your Desktop and move HijackThis to it. This is so Backups have a safe place to lay.

    2. Download about:Buster from here. Once it is downloaded, extract it to c:\aboutbuster and check for updates. Do NOT use it yet.

    Download CWShredder from here, install it, check for updates but again, don't use it yet.

    3. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Robin\LOCALS~1\Temp\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: (no name) - {3ff565c0-a20f-4f09-9763-9a5949e4340f} - C:\WINDOWS\system32\kbdsft.dll (file missing)
    O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp630F.tmp (file missing)
    O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll

    O20 - Winlogon Notify: kbdsft - kbdsft.dll (file missing)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis

    4. Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    5. Open CWShredder that you downloaded in the first step. Close ALL browser windows and click on the Fix button.

    Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

    6. Reboot back into Normal Mode and post the following...
    • about:buster log
    • New HijackThis log
    Lot of work still left to do...
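A first-pass triage of the kind Trogan did by hand in the post above, as an added example that is not part of the thread: it parses the R0/R1/O2/O3/O20 lines of a HijackThis log and flags the patterns a log helper looks for first (IE pages blanked or pointed at a DLL in a Temp folder, BHOs with no name or a missing or .tmp file, any Winlogon Notify package). The sample is an excerpt of the log posted earlier in this thread; the heuristics and reason strings are my own and give a starting point for a human review, not a verdict.

```python
import re
from typing import Dict, List

# Excerpt of the first HijackThis v1.99.1 log posted in this thread (copied, not
# generated), with two clean lines left in so the heuristics have something to
# ignore. SAMPLE_LOG is a constructed sample for this example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Robin\LOCALS~1\Temp\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {3ff565c0-a20f-4f09-9763-9a5949e4340f} - C:\WINDOWS\system32\kbdsft.dll (file missing)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp630F.tmp (file missing)
O2 - BHO: (no name) - {54698A2F-2247-4538-82FC-2B5443D66945} - C:\WINDOWS\system32\drivera.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: kbdsft - kbdsft.dll (file missing)
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O20, ...).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# A BHO registered from a .tmp file inside System32 is not how legitimate
# software installs itself.
TMP_IN_SYSTEM32_RE = re.compile(r"\\system32\\[^\\]+\.tmp", re.IGNORECASE)


def triage_line(line: str) -> List[str]:
    """Return the reasons a single log line deserves a look ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # process list, header lines, blanks
    kind, body = m.group("kind"), m.group("body")
    reasons: List[str] = []

    if kind in ("R0", "R1"):
        # R0/R1 lines look like "HKLM\...\Main,Start Page = <value>".
        _, _, value = body.partition(" = ")
        value = value.strip()
        if value == "" or value.lower() == "about:blank":
            reasons.append("IE start/search page blanked")
        if value.lower().startswith("res://") and "\\temp\\" in value.lower():
            reasons.append("IE page served from a DLL in a Temp folder")

    if kind in ("O2", "O3", "O20") and "(file missing)" in body:
        # The registry still references a component whose file is gone:
        # either a half-removed infection or a leftover to clean up.
        reasons.append("registered component whose file is missing")

    if kind == "O2":
        if "(no name)" in body:
            reasons.append("BHO with no name")
        if TMP_IN_SYSTEM32_RE.search(body):
            reasons.append("BHO loaded from a .tmp file in System32")

    if kind == "O20":
        # Winlogon Notify packages are loaded by winlogon.exe itself, which is
        # exactly the process that crashed with STOP c000021a in this thread.
        reasons.append("Winlogon Notify package (loaded inside winlogon.exe)")

    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```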
  • edited February 2007
    Sorry for the delay. I got busy, but I'm not anymore. Doing everything now.
  • edited February 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 3:10:12 PM, on 2/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\bak\bak\qttask.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\America Online 9.0d\waol.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\America Online 9.0d\shellmon.exe
    C:\Documents and Settings\Michael\Desktop\Backup Thing\HijackThis.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • edited February 2007
    AboutBuster 6.06
    Scan started on [2/20/2007] at [2:57:14 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    No Ads Found!
    No Files Found!
    Scan was COMPLETED SUCCESSFULLY at 2:59:11 PM
  • TroganTrogan London, UK
    edited February 2007
    Looking better!

    Let's continue...

    1. Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    IMPORTANT: Do NOT run any other options until you are asked to do so!

    2. Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    3. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    4. Please post the following...
    • SmitfraudFix log
    • VundoFix.txt
    • Uninstall list
  • edited February 2007
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"
    [HKEY_CLASSES_ROOT\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="C:\WINDOWS\System32\replmap.dll"
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="C:\WINDOWS\System32\replmap.dll"

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""

    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited February 2007
    Vundo found nothing and didn't give me a log.

    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0
    AIM 6.0
    AOL Coach Version 1.0(Build:20040229.1 en)
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Instant Messenger
    AOL Spyware Protection
    AOL Toolbar
    AOL Uninstaller (Choose which Products to Remove)
    AOL You've Got Pictures Screensaver
    Apple Software Update
    ArcSoft Software Suite
    AV Music Morpher 2.0.106 Gold
    BitComet 0.79
    Classic PhoneTools
    Dell ResourceCD
    DivX
    DivX Player
    Download Accelerator Plus
    Easy CD Creator 5 Basic
    em-pee three player 4.8
    HijackThis 1.99.1
    Intel(R) PRO Network Adapters and Drivers
    iPod for Windows 2005-09-23
    iTunes
    Java 2 Runtime Environment, SE v1.4.2
    Learn2 Player (Uninstall Only)
    Macromedia Shockwave Player
    Microsoft Office Professional Edition 2003
    Modem Helper
    Mozilla Firefox (2.0.0.1)
    MyDVD
    Nikon Message Center
    NOD32 antivirus system
    NVIDIA Windows 2000/XP Display Drivers
    Paltalk Messenger
    Pure Networks Port Magic
    QuickTime
    RealPlayer Basic
    RTC Client API v1.2
    Security Toolbar
    Skype 2.0
    Sound Blaster Live!
    System Requirements Lab
    TeamSpeak 2 RC2
    Update for Windows XP (KB898461)
    Viewpoint Media Player
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows XP Hotfix - KB842773
    WinRAR archiver
    XBC 5.1
    Yahoo! extras
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Messenger Explorer Bar
    Yahoo! Toolbar
  • TroganTrogan London, UK
    edited February 2007
    The SmitfraudFix log is not complete. Could you repost it please.
  • edited February 2007
    Sorry about that.


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !
    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michael\FAVORI~1
    C:\DOCUME~1\Michael\FAVORI~1\Antivirus Test Online.url FOUND !
    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
    C:\Program Files\Security Toolbar\ FOUND !
    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"=""
    "SubscribedURL"=""
    "FriendlyName"=""

    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!
    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C1A2FDA2-1A5B-2A8F-F3A2-B22DA1A3C41D}"="NetWrap for Windows"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}"="WaitWain for Windows"
    [HKEY_CLASSES_ROOT\CLSID\{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}\InProcServer32]
    @="C:\WINDOWS\System32\wiatwain.dll"
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{C1A2FDA2-2A5B-2C8A-F2A2-BA2DB3A2C31C}\InProcServer32]
    @="C:\WINDOWS\System32\wiatwain.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}"="Replay for WindowsXP"
    [HKEY_CLASSES_ROOT\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="C:\WINDOWS\System32\replmap.dll"
    [HKEY_CURRENT_USER\Software\Classes\CLSID\{D81E2FC4-B0A2-11D3-21AC-07C04C21A18A}\InProcServer32]
    @="C:\WINDOWS\System32\replmap.dll"

    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""

    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

    »»»»»»»»»»»»»»»»»»»»»»»» End
  • TroganTrogan London, UK
    edited February 2007
    Still not fully complete, but it's enough. Here is the next bit of the instructions. I'll check this thread in the morning as it's getting late here.

    Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    ______________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________

    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    ______________________________

    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    ______________________________

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button until you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        [screenshot: AVG Anti-Spyware scan results window, with the controls numbered (1) to (4) as referenced above]
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.
    ______________________________

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #3 - Delete Trusted zone by typing 3 and press Enter.
    Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
    ______________________________

    Please post:
    1. c:\rapport.txt
    2. AVG Anti-Spyware log
    3. A new HijackThis log
    You may need several replies to post the requested logs, otherwise they might get cut off.
  • edited February 2007
    Just so you know, on the delete Temporary Internet Files step, it froze and I had to end the task. I've always only been able to delete the cookies, but not the files and offline files or whatever. Also, it wouldn't let me delete everything in my own Local Settings, but I could do it for all of the other users.



    Logfile of HijackThis v1.99.1
    Scan saved at 5:49:17 AM, on 2/21/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\bak\bak\qttask.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\America Online 9.0d\waol.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\America Online 9.0d\shellmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    C:\Documents and Settings\Michael\Desktop\Backup Thing\HijackThis.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
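A HijackThis log like the one above is read by eye for a few tells: a Run entry that launches from a `bak` folder (the swap this thread is chasing), O9 entries whose target file is gone, a service with no vendor name, and a Windows system-process name running from somewhere other than System32. The script below is an added example written for this page; it is not part of the thread and it is not how HijackThis itself classifies lines. It parses O4, O9 and O23 lines into name, owner and path and applies those four checks. The sample lines are constructed from the log above, except the `svchost.exe` in `C:\WINDOWS\Temp`, which is invented purely to exercise the last check; the checks themselves are the editor's assumptions about what is worth a second look, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the HijackThis log in this thread. The
# "updater" line is invented (it is NOT in the thread's log) to exercise the
# system-binary-outside-System32 check.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\bak\\bak\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
O4 - HKLM\\..\\Run: [updater] C:\\WINDOWS\\Temp\\svchost.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\Program Files\\AWS\\WeatherBug\\Weather.exe (file missing) (HKCU)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\aolserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{[^}]*\} - (?P<rest>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Names that belong to core Windows processes and should only live in System32.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe", "csrss.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32"}


def _exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]  # unquoted paths with spaces are not handled; fine for a triage pass


def _suspicious(path: str, owner: str = "") -> list:
    """Return the reasons (possibly none) that this path/owner deserves a look."""
    reasons = []
    low = path.lower()
    if "\\bak\\" in low:
        reasons.append("runs from a 'bak' folder (the swap pattern FindAWF looks for)")
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("entry points at a file that no longer exists")
    p = PureWindowsPath(low.split(" (")[0])  # strip HijackThis annotations like "(file missing)"
    if p.name in SYSTEM_NAMES and str(p.parent) not in SYSTEM_DIRS:
        reasons.append(f"{p.name} outside System32")
    if owner.lower() == "unknown owner":
        reasons.append("service binary has no vendor name")
    return reasons


def triage(log_text: str) -> list:
    """One finding per O4/O9/O23 line that trips a check, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            kind, name, path, owner = "O4", m["name"], _exe_path(m["cmd"]), ""
        elif (m := O9_RE.match(line)):
            kind, name, path, owner = "O9", m["name"], m["rest"], ""
        elif (m := O23_RE.match(line)):
            kind, name, path, owner = "O23", m["name"], m["path"], m["owner"]
        else:
            continue  # other HijackThis sections are not parsed here
        reasons = _suspicious(path, owner)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} {f['name']!r}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the thread's real log this flags the QuickTime Run entry (it launches from `bak\bak`), the two WeatherBug and Microsoft AntiSpyware O9 entries with no file behind them, and the AOL service with no vendor string; the last two are housekeeping rather than infection, which is why the output is a list of reasons for a human and not an automatic fix list.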
  • edited February 2007
    SmitFraudFix v2.142

    Scan done at 17:23:26.78, Tue 02/20/2007
    Run from C:\Documents and Settings\Michael\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts




    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited February 2007


    AVG Anti-Spyware - Scan Report



    + Created at: 5:43:47 AM 2/21/2007

    + Scan result:



    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200554.dll -> Adware.Apropos : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP600\A0197613.dll -> Adware.Aws : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200559.exe -> Adware.DealHelper : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject -> Adware.FizzleBar : Error during cleaning.
    HKLM\SOFTWARE\Classes\ToolbarBestToolbarsToolbar.BestToolbarsToolbarObject.1 -> Adware.FizzleBar : Error during cleaning.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{27150f81-0877-42e9-af13-55e5a3439a26} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-602162358-796845957-839522115-1005\Software\Classes\CLSID\CLSID\{6379A99A-9102-446C-A837-0623E1810D75} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-602162358-796845957-839522115-1005_Classes\CLSID\CLSID\{6379A99A-9102-446C-A837-0623E1810D75} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ISTx.Installer.2 -> Adware.ISTBar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200546.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200547.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200548.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200549.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200555.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
    C:\Program Files\America Online 9.0b\AOL.EXE -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\Program Files\QuickTime\bak\qttask.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP592\A0195730.rbf -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200551.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KXU7OTEN\popup[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[10].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[11].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[12].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[13].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[2].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[3].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[4].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[5].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[6].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[7].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[8].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\AJYFA1AZ\ysb_prompt[9].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\ZAZX9HBZ\ysb_prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203961.dll -> Downloader.WarSpy.c : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP616\A0200545.dll -> Hijacker.Agent.fx : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\EPW3I1ET\ad-sp2-fastclick[1].swf -> Not-A-Virus.Hoax.SWF.Alerter.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Robin\Cookies\robin@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@rotator.dex.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@thunderbolt.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@e-2dj6wfl4kndjgeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@free.wegcash[1].txt -> TrackingCookie.Wegcash : Cleaned.
    C:\Documents and Settings\Robin\Cookies\robin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP595\A0195962.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP595\A0196116.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP600\A0196306.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
    [240] C:\WINDOWS\System32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
    C:\Documents and Settings\Michael\Desktop\Backup Thing\backups\backup-20070220-144816-930.dll -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivera.dll -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\drivera.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\monterreya_redux.exe -> Trojan.Kolweb.j : Cleaned with backup (quarantined).
  • TroganTrogan London, UK
    edited February 2007
    Looks like you have another infection present. This one is more serious and can be a pain to remove. :(

    Please download this file to your Desktop and run it.

    FindAWF

    It will produce a log. Please post that here.
  • edited February 2007
    It says it's searching for 21k files. Is it supposed to take a bit or is it another instant thing?


    Still just sitting there.
  • TroganTrogan London, UK
    edited February 2007
    Make sure you have ALL windows and programs closed. Try again. Otherwise restart the computer and then try again.
  • edited February 2007
    I didn't have everything closed, but the thing finally finished, anyway. I'll do another with all programs closed when I get home from school.

    Find AWF report by noahdfear ©2006

    21504 byte files found
    ~~~~~~~~~~~~~
    21504 "C:\Documents and Settings\Robin\My Documents\2006_Income_Taxes.xls"

    21504 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~

    25600 byte files found
    ~~~~~~~~~~~~~

    25600 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~

    26450 byte files found
    ~~~~~~~~~~~~~

    26450 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~

    bak folders found
    ~~~~~~~~~~~

    Directory of C:\PROGRA~1\AMERIC~1.0B\BAK
    07/12/2005 06:17 AM 50,776 AOL.EXE
    01/24/2007 09:15 PM 24 shellmon.ph
    2 File(s) 50,800 bytes
    Directory of C:\PROGRA~1\MSNMES~1\BAK
    03/29/2005 05:28 PM 6,815,744 msnmsgr.exe
    1 File(s) 6,815,744 bytes
    Directory of C:\PROGRA~1\QUICKT~1\BAK
    0 File(s) 0 bytes
    Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK
    10/25/2006 06:58 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes
    Directory of C:\PROGRA~1\COMMON~1\AOL\LAUNCH\BAK
    09/25/2006 05:52 PM 50,736 AOLLaunch.exe
    1 File(s) 50,736 bytes

    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~
    38000 May 7 2004 "C:\Program Files\America Online 9.0\aol.exe"
    50776 Jul 12 2005 "C:\Program Files\America Online 9.0a\aol.exe"
    50776 Jul 12 2005 "C:\Program Files\America Online 9.0c\aol.exe"
    50776 Jul 12 2005 "C:\Program Files\America Online 9.0d\aol.exe"
    50776 Jul 12 2005 "C:\Program Files\America Online 9.0b\bak\AOL.EXE"
    24 Jun 22 2006 "C:\Program Files\America Online 9.0\shellmon.ph"
    24 Dec 5 2006 "C:\Program Files\America Online 9.0a\shellmon.ph"
    24 Jan 24 2007 "C:\Program Files\America Online 9.0b\shellmon.ph"
    24 Feb 20 2007 "C:\Program Files\America Online 9.0c\shellmon.ph"
    24 Feb 21 2007 "C:\Program Files\America Online 9.0d\shellmon.ph"
    24 Jan 24 2007 "C:\Program Files\America Online 9.0b\bak\shellmon.ph"
    826 Jun 23 2006 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0\shellmon.ph"
    6311 Dec 5 2006 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0a\shellmon.ph"
    779 Jan 24 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0b\shellmon.ph"
    6953 Feb 20 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0c\shellmon.ph"
    6416 Feb 21 2007 "C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\shellmon.ph"
    5354792 Jul 29 2006 "C:\Program Files\MSN Messenger\msnmsgr.exe"
    6815744 Mar 29 2005 "C:\Program Files\MSN Messenger\bak\msnmsgr.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
    50736 Sep 25 2006 "C:\Program Files\AIM6\aollaunch.exe"
    50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1139569510\ee\aollaunch.exe"
    50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"

    end of report
  • TroganTrogan London, UK
    edited February 2007
    Hi Bogus

    You should print out or copy these instructions as the Internet will not be available for part of the fix. Please follow the instructions carefully.

    Lets begin...

    Download these files to your Desktop. Right-click and select Save Links As (in Firefox) or Save Target As (in IE) to download.
    1. http://www.mvps.org/winhelp2002/DelDomains.inf
    2. http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg
    Don't do anything with them yet!
    ____________________________

    Open Notepad!
    Copy and Paste everything from the Quote box into Notepad:
    if exist "C:\Program Files\America Online 9.0b\AOL.EXE" del /q "C:\Program Files\America Online 9.0b\AOL.EXE"
    copy /y "C:\Program Files\America Online 9.0b\bak\AOL.EXE" "C:\Program Files\America Online 9.0b\AOL.EXE"

    if exist "C:\Program Files\America Online 9.0b\shellmon.ph" del /q "C:\Program Files\America Online 9.0b\shellmon.ph"
    copy /y "C:\Program Files\America Online 9.0b\bak\shellmon.ph" "C:\Program Files\America Online 9.0b\shellmon.ph"

    if exist "C:\Program Files\MSN Messenger\msnmsgr.exe" del /q "C:\Program Files\MSN Messenger\msnmsgr.exe"
    copy /y "C:\Program Files\MSN Messenger\bak\msnmsgr.exe" "C:\Program Files\MSN Messenger\msnmsgr.exe"

    if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
    copy /y "C:\Program Files\QuickTime\bak\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

    if exist "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" del /q "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
    copy /y "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe" "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
    Go to File > Save As
    Save File name as "Fix.bat" (including quotes)
    Save the file to your Desktop
    ____________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ____________________________

    Locate Fix.bat on your Desktop and double-click it. A black box will open and close quickly - that is normal!

    Reboot back into Normal Mode
    ____________________________

    Locate the two files you downloaded earlier...

    Right-click on DelDomains.inf and select install
    Right-click on ResetProtocolDefaults.reg and select merge
    ____________________________

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    Please post the following...
    1. Kaspersky log
    2. New HijackThis log
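The FindAWF report and the Fix.bat above are two halves of one operation. The infection moves the genuine startup executable into a `bak` folder (or `bak\bak` when it has run twice, as with QuickTime here) beside it and drops its own file under the original name, so the repair is one `del`/`copy` pair per swapped file, taken from the deepest `bak` copy. The script below is an added example written for this page; it is not the thread's tool, not noahdfear's FindAWF and not S!Ri's SmitfraudFix. It walks a directory tree for `bak` folders, pairs each backed-up file with its live counterpart, compares them by SHA-256, and emits the same `if exist ... del /q` and `copy /y` lines the Fix.bat uses for every file whose live copy is missing (quarantined) or differs. The tree it runs on is constructed in a temporary directory with stub bytes, not real binaries, and the `C:\` prefix in the generated lines is an assumption for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def restore_target(bak_file: Path) -> Path:
    """Map .../App/bak/bak/x.exe back to .../App/x.exe by stripping every
    trailing 'bak' directory component (handles the nested bak\\bak case)."""
    parent = bak_file.parent
    while parent.name.lower() == "bak":
        parent = parent.parent
    return parent / bak_file.name


def audit_bak_folders(root: Path) -> list:
    """For every file under a 'bak' directory, record whether the live copy is
    'missing', 'differs' (hash mismatch) or 'same'."""
    findings = []
    for bak_dir in sorted(p for p in root.rglob("bak") if p.is_dir()):
        for f in sorted(bak_dir.iterdir()):
            if not f.is_file():
                continue  # a nested bak/ is visited by rglob on its own
            target = restore_target(f)
            if not target.exists():
                state = "missing"
            elif sha256_of(target) == sha256_of(f):
                state = "same"
            else:
                state = "differs"
            findings.append({
                "bak": f, "target": target, "state": state,
                "bak_size": f.stat().st_size,
                "target_size": target.stat().st_size if target.exists() else None,
            })
    return findings


def _win(path: Path, drive_root: Path) -> str:
    """Rewrite a path under the temp tree as a C:\\ path (assumed prefix)."""
    return "C:\\" + str(path.relative_to(drive_root)).replace("/", "\\")


def fix_bat_lines(findings: list, drive_root: Path) -> list:
    """Emit the del/copy pairs in the same shape as the thread's Fix.bat for
    every bak copy whose live counterpart is missing or differs."""
    lines = []
    for fnd in findings:
        if fnd["state"] == "same":
            continue
        live, bak = _win(fnd["target"], drive_root), _win(fnd["bak"], drive_root)
        lines.append(f'if exist "{live}" del /q "{live}"')
        lines.append(f'copy /y "{bak}" "{live}"')
    return lines


def build_sample_tree() -> Path:
    """Constructed sample (stub bytes, not real programs or malware): QuickTime
    with a dropper as the live qttask.exe and the original in bak\\bak, MSN
    Messenger whose live file was quarantined, and a clean app whose bak copy
    matches its live file."""
    root = Path(tempfile.mkdtemp(prefix="awf_"))
    qt = root / "Program Files" / "QuickTime"
    (qt / "bak" / "bak").mkdir(parents=True)
    (qt / "qttask.exe").write_bytes(b"DROPPER-STUB" * 10)
    (qt / "bak" / "bak" / "qttask.exe").write_bytes(b"ORIGINAL-QTTASK" * 20)
    msn = root / "Program Files" / "MSN Messenger"
    (msn / "bak").mkdir(parents=True)
    (msn / "bak" / "msnmsgr.exe").write_bytes(b"ORIGINAL-MSNMSGR" * 20)
    clean = root / "Program Files" / "CleanApp"
    (clean / "bak").mkdir(parents=True)
    (clean / "readme.txt").write_bytes(b"same content")
    (clean / "bak" / "readme.txt").write_bytes(b"same content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    findings = audit_bak_folders(root)
    for fnd in findings:
        print(f"{fnd['state']:8} {fnd['bak_size']:>8} bak  {fnd['target_size']!s:>8} live  {fnd['target'].name}")
    print("\n".join(fix_bat_lines(findings, root)))
```

The `bak` copy is only as trustworthy as its provenance: a hash match between live and backup says nothing if both are droppers, and a backup can itself be a second-generation dropper (the thread's AVG log quarantined `QuickTime\bak\qttask.exe` as well as the live file, which is why the fix copies from `bak\bak`). Before copying anything back, check the backup's size and date against a known-good install or the vendor's file, which is exactly what FindAWF's size listing under "Duplicate files of bak directory contents" is for.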
  • edited February 2007
    When I started the scan, it said there is no disk in drive, and told me to insert a disk into drive A. I pressed Continue, and then got the same error message (although I didn't read the top that time, so it might have said something other than waol) so I pressed Continue again, and now it's scanning.
  • edited February 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 8:18:13 PM, on 2/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\QuickTime\bak\bak\qttask.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\America Online 9.0d\waol.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\America Online 9.0d\shellmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    C:\Documents and Settings\Michael\Desktop\Backup Thing\HijackThis.exe
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_0_0.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0d\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6D888E74-CCD0-4006-B4F1-B5FA419CF8D2} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Documents and Settings\Michael\My Documents\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • edited February 2007
    I didn't see a Save As Text option.

    Never mind, I figured it out. Hold on.
  • edited February 2007
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 23, 2007 8:22:50 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 23/02/2007
    Kaspersky Anti-Virus database records: 272972
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 361997
    Number of viruses found: 17
    Number of infected objects: 61 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 04:53:19

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\idb\Username\mydb.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\idb\Username\style.lst Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\idb\Username\toolbar.lst Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\idb\SNMaster.idx Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\organize\CACHE\Username04 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\organize\Username Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\organize\Username.abi Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\organize\Username.aby Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\ShopAssist\DataStore\global\clientcache.adb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\C_America Online 9.0d\ShopAssist\DataStore\users\Username.adb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\7b4704d7f54477dd82827fd514f209b2_3ac3a59f-b508-4120-a58a-cdaca4f58723 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\71e03564ae38725a3408969069a3dc4d_3ac3a59f-b508-4120-a58a-cdaca4f58723 Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\AOL\C_America Online 9.0d\IDB\Apps.Lst Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\AOL\C_America Online 9.0d\IDB\art.idx Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\AOL\C_America Online 9.0d\IDB\sap.dat Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\AOL\C_America Online 9.0d\IDB\spool.lst Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\AOL\C_America Online 9.0d\IDB\sysnews.lst Object is locked skipped
    C:\Documents and Settings\Michael\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\Michael\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Michael\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\Michael\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    C:\Documents and Settings\Michael\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\History\History.IE5\MSHist012007022320070224\index.dat Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Temp\~DF5BA3.tmp Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Temp\~DF8802.tmp Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[1].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[1].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[1].txt CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[2].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[2].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\GFB8OZXD\sia[2].txt CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\I8M5VXGW\enter[2].htm Infected: Trojan-Downloader.JS.Psyme.ap skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KL4DO1WR\ysb_regular[2].cab/ysbactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KL4DO1WR\ysb_regular[2].cab CAB: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KLCPM7CH\main[1].chm/main.htm Infected: Exploit.HTML.Mht skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KLCPM7CH\main[1].chm/update.exe Infected: Trojan-Downloader.Win32.Murlo.k skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KLCPM7CH\main[1].chm CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\Q2LT2NDE\ysb_prompt[1].htm Infected: Exploit.HTML.CodeBaseExec skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\Q2LT2NDE\ysb_prompt[2].htm Infected: Exploit.HTML.CodeBaseExec skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\S9K12ZGX\ysb_prompt[1].htm Infected: Exploit.HTML.CodeBaseExec skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\S9K12ZGX\ysb_prompt[2].htm Infected: Exploit.HTML.CodeBaseExec skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SDAZ09AV\dia233[1].htm Infected: Exploit.HTML.Mht skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SX8BOL4P\a0y7NYkib5FmcPf7tAo[2].chm/1.htm Infected: Trojan-Downloader.HTML.Agent.i skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SX8BOL4P\a0y7NYkib5FmcPf7tAo[2].chm/on-line.exe Infected: Trojan-Downloader.Win32.Small.amb skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SX8BOL4P\a0y7NYkib5FmcPf7tAo[2].chm CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SX8BOL4P\index[8].html Infected: Trojan-Clicker.HTML.IFrame.b skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\SX8BOL4P\main[3].html Infected: Trojan-Clicker.HTML.IFrame.b skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[1].chm/ied_s7.htm Infected: Trojan-Downloader.JS.Small.ad skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[1].chm CHM: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[2].chm/ied_s7.htm Infected: Trojan-Downloader.JS.Small.ad skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[2].chm CHM: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[3].chm/ied_s7.htm Infected: Trojan-Downloader.JS.Small.ad skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\ied_s7[3].chm CHM: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\main[1].chm/main.htm Infected: Exploit.HTML.Mht skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\main[1].chm/update.exe Infected: Trojan-Downloader.Win32.Murlo.k skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\main[1].chm CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\VMKZJ905\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[1].chm/1.htm Infected: Trojan-Downloader.HTML.Agent.i skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[1].chm/on-line.exe Infected: Trojan-Downloader.Win32.Small.amb skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[1].chm CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[2].chm/1.htm Infected: Trojan-Downloader.HTML.Agent.i skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[2].chm/on-line.exe Infected: Trojan-Downloader.Win32.Small.amb skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\J6Oel78aYdGzgtzubsE[2].chm CHM: infected - 2 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\YVA329W9\on-line[1].exe Infected: Trojan-Downloader.Win32.Small.amb skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\ZAZX9HBZ\ldr[1].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\ZAZX9HBZ\ldr[1].txt CHM: infected - 1 skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\ZAZX9HBZ\ldr[2].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a skipped
    C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\ZAZX9HBZ\ldr[2].txt CHM: infected - 1 skipped
    C:\Documents and Settings\Michael\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
    C:\Documents and Settings\Michael\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Michael\NTUSER.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP595\A0196105.sys Infected: Trojan.Win32.Agent.ady skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP595\A0196117.exe Infected: Trojan.Win32.Patched.g skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP595\A0196121.sys Infected: Trojan.Win32.Agent.ady skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP600\A0196307.exe Infected: Trojan.Win32.Patched.g skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP600\A0197579.sys Infected: Trojan.Win32.Agent.ady skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203980.dll Infected: Trojan.Win32.Agent.ady skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203981.dll Infected: Trojan.Win32.Kolweb.j skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203982.dll Infected: Trojan.Win32.Kolweb.j skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203983.exe Infected: Trojan.Win32.Kolweb.j skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203984.exe Infected: Trojan.Win32.Kolweb.j skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203985.EXE Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203986.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203987.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203988.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP620\change.log Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.g skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
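A triage helper for this report format, added here as an example and not part of the thread or of Kaspersky's tooling: it separates "Object is locked skipped" noise from real detections and groups detections by where they live, because a copy in a System Restore point or in the browser cache is not the same problem as a patched winlogon.exe in system32. The sample report is a constructed excerpt made of lines in the shape of the log above; the path classes and the "riskware" label for not-a-virus: detections are this script's own conventions.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the report above (hypothetical sample,
# not the full log); the restore-point GUID is the one shown in the thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Michael\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KLCPM7CH\main[1].chm/update.exe Infected: Trojan-Downloader.Win32.Murlo.k skipped
C:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\KLCPM7CH\main[1].chm CHM: infected - 2 skipped
C:\System Volume Information\_restore{39835DCC-6463-45FD-A881-079B49A934CB}\RP618\A0203981.dll Infected: Trojan.Win32.Kolweb.j skipped
C:\WINDOWS\system32\winlogon.exe Infected: Trojan.Win32.Patched.g skipped

Scan process completed.
"""

# One regex per line shape the scanner emits in its "Last Action" table.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[A-Z]+): infected - (?P<count>\d+) skipped$")


def parse_report(text):
    """Turn the report's per-object lines into records; other lines are ignored."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := LOCKED_RE.match(line):
            records.append({"kind": "locked", "path": m["path"], "name": None})
        elif m := INFECTED_RE.match(line):
            records.append({"kind": "infected", "path": m["path"], "name": m["name"]})
        elif m := CONTAINER_RE.match(line):
            # Archive/CHM summary line: its members were already listed one by one.
            records.append({"kind": "container", "path": m["path"],
                            "name": None, "members": int(m["count"])})
    return records


def locate(path):
    """Where a detection lives decides how urgent it is (script's own classes)."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # inert unless that restore point is applied
    if "\\temporary internet files\\" in low:
        return "browser_cache"   # cached exploit pages/droppers; not running
    if low.startswith("c:\\windows\\"):
        return "system"          # live OS binary, e.g. a patched winlogon.exe
    return "user"


def family(name):
    """Drop the variant letter: Trojan.Win32.Patched.g -> Trojan.Win32.Patched."""
    return name.rsplit(".", 1)[0]


def triage(records):
    """Summarise detections so the actionable ones stand out."""
    infected = [r for r in records if r["kind"] == "infected"]
    is_riskware = lambda r: r["name"].startswith("not-a-virus:")
    return {
        "locked": sum(1 for r in records if r["kind"] == "locked"),
        "infected": len(infected),
        "by_location": Counter(locate(r["path"]) for r in infected),
        "families": Counter(family(r["name"]) for r in infected),
        # Live OS files carrying real malware: these need cleaning or replacing.
        "active_system_files": sorted(
            r["path"] for r in infected
            if locate(r["path"]) == "system" and not is_riskware(r)),
        # Legitimate tools the scanner flags (here a reboot utility from SmitfraudFix).
        "riskware": sorted(r["path"] for r in infected if is_riskware(r)),
    }


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print(f"locked/skipped: {summary['locked']}, detections: {summary['infected']}")
    for loc, n in summary["by_location"].most_common():
        print(f"  {loc:14} {n}")
    print("live system files to clean/replace:", summary["active_system_files"])
    print("riskware (legit tool flagged):", summary["riskware"])
```

Run against the full log, the script puts the winlogon.exe detection in active_system_files and all the RP595/RP600/RP618 entries under restore_point, which is the split the helper needs before deciding on a file replacement versus clearing System Restore.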
  • edited February 2007
    It says I needed to be using Internet Explorer, but I was using AOL.