Tech Support Forum > Security Center > HijackThis Log Help
HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.


Post #21, 02-26-2007, 07:18 PM, by Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; joined Jan 2005; Ohio; 19,019 posts; OS: WinXP and Vista)

Hi RTurner,

Judging by the comment in your initial post, it appeared you had a Smitfraud infection, but the tool did not reveal its presence. Thankfully, Panda revealed what was really at the root of your issue. The infection you had is most commonly known as Trojan-Downloader.Win32.Agent.awf. It replaces legitimate files that are common on almost every computer in existence with a copy of itself, and moves the legitimate file to a bak folder.

It then can access the internet and communicate with a remote server via HTTP, which in turn allows others to access the computer and download code from the internet.

It's hard to say exactly where you picked this up from. I see you are only using the Windows Firewall; the Windows Firewall only monitors incoming traffic, not outgoing. A third-party firewall would have alerted you to its presence a bit sooner, as they monitor both incoming and outgoing communications.

I'll have links for some very good, free firewalls in addition to a few more protective programs I'd like you to add to your system, but first we need to do the following:

Create a new System Restore point
  • Click Start >> Run, type SYSDM.CPL and press Enter
  • Select the System Restore tab
  • Tick the checkbox "Turn off System Restore on all drives"
  • Click Apply
  • Then untick the same checkbox and click OK
This will prevent any reinfection from previous restore points.

------------------------------------------------------

FIREWALL
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one firewall program as they will conflict with each other.
McAfee Site Advisor (free version). The folks there check out websites and, based on their findings, rate each one as Safe, Unknown, Caution, or Bad.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE-SPYAD places more than 5000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies, etc.) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (the default directory is C:\IE-SPYAD).
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • Download hosts.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.

Your installed copy of Spybot S&D is an outdated version. Please uninstall it and download the updated version:

Spybot - Search & Destroy 1.4
Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
    • Now click Mode menu and choose 'Advanced Mode'.
    • Click on Immunize to your left.
    • Next, click the Immunize button on top to Immunize your computer - you need to do this each time there is an update.
    • Click 'Check for Problems' and fix all the entries, which are indicated in RED.

And finally, your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

**************************************************

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary of any security software that is advertised in popups or in other ways. Not only is it usually of no use, it often contains malware.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider, donating

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
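Post #21 above explains the MVPS hosts file: each listed ad or tracking domain is mapped to 127.0.0.1, so the browser's lookup for that name never leaves the machine. The same file is also what malware edits to send a vendor's update or download host to a server of its choosing, and such a redirect has exactly the shape of a block entry except for the target address. The Python below is an added example, not code from the post or from the MVPS project: it parses hosts-file syntax, separates blocks from redirects, resolves which line wins when a name appears twice, and reports conflicting duplicates. The sample hosts text, the hostname downloads.antivirus-vendor.example and the address 203.0.113.7 are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Targets that can only point back at the machine itself. An entry using one of
# these blocks the name; anything else sends the name's traffic somewhere.
BLACKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    target: str
    hostname: str

def parse_hosts(text):
    """Parse hosts-file syntax: '<address> <name> [<name> ...]', '#' comments, blank lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, *names = line.split()
        try:
            ipaddress.ip_address(target)
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for name in names:
            entries.append(HostsEntry(line_no, target, name.lower()))
    return entries

def classify(entries):
    """Split entries into blocks (black-hole target) and redirects (any other address)."""
    blocks, redirects = [], []
    for e in entries:
        (blocks if e.target in BLACKHOLE_TARGETS else redirects).append(e)
    return blocks, redirects

def effective_target(entries, hostname):
    """Address the resolver will actually use: the first matching line wins."""
    for e in entries:
        if e.hostname == hostname.lower():
            return e.target
    return None

def conflicting_names(entries):
    """Names listed more than once with different targets, a pattern worth a second look."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.hostname].add(e.target)
    return {name: sorted(t) for name, t in seen.items() if len(t) > 1}

# Constructed sample for this example; it is not the MVPS file, and 203.0.113.7 is a
# documentation address standing in for an attacker-controlled server.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1  ad.doubleclick.net            # MVPS-style block entries
127.0.0.1  ads.addynamix.com ad.yieldmanager.com
0.0.0.0    www.burstbeacon.com
# the next lines have the same shape but send the browser to another machine
203.0.113.7  downloads.antivirus-vendor.example
203.0.113.7  ad.doubleclick.net           # later duplicate: ignored by the resolver
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    entries = parse_hosts(text)
    blocks, redirects = classify(entries)
    print(f"{len(blocks)} block entries, {len(redirects)} redirects")
    for e in redirects:
        print(f"  line {e.line_no}: {e.hostname} -> {e.target}")
    for name, targets in conflicting_names(entries).items():
        print(f"  conflict: {name} listed as {targets}; resolver uses {effective_target(entries, name)}")
```

Run it as `python hosts_audit.py C:\WINDOWS\system32\drivers\etc\hosts` to check a real XP machine (the script name is mine); with no argument it audits the constructed sample. A redirect entry for a security vendor's host deserves the same suspicion as the imposter executables later in this thread, and the classification depends only on the target address, never on how legitimate the hostname looks.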

Post #22, 02-27-2007, 06:54 AM, by RTurner (Registered User; joined Sep 2005; 32 posts; OS: XP)

Ried,

You're going to be kind of upset with me, because I honestly thought my computer was acting better, but this morning when I got into the office I started having some of the same problems all over again. This morning my computer went back to acting funny when I tried opening up the internet. It seems to take a couple of minutes just to get to my homepage "google.com"; after the new window is loaded the internet seems to work fine. Why is this back all of a sudden? I have barely used my computer since it was fixed. Thanks

Post #23, 02-27-2007, 07:22 AM, by Ried

I'm certainly not upset--we'll keep going.

Did you run these 2 tools as directed by Derek at SpyKiller? If not, please do so now:

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop.
  • Right click on that file and choose Install.
  • It will run immediately (you won't be able to see anything happen). You may delete it afterwards.
  • Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Download: ResetProtocolDefaults.reg to your desktop.
http://www.mvps.org/winhelp2002/Rese...olDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

-----------------------------------------------------

Please run another online scan at Panda and post the results here.

Post #24, 03-01-2007, 07:45 PM, by RTurner

Sorry for the delayed response. I tried using the above two tools, but there must be bad links because they are not working. But I did attach a Panda scan. It is also worth noting that my main problems are slow Internet Explorer use. My Mozilla internet explorer seems to be running fine. Does this mean anything?


Incident Status Location

Virus:Trj/Agent.EDE Disinfected Operating system
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.zedo.com/]
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.ads.addynamix.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.com.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.sextracker.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.overture.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.webpower.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Ryan Turner\Application Data\Mozilla\Firefox\Profiles\lc8pkwla.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@ad.yieldmanager[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@burstnet[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@cgi-bin[3].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@realmedia[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@webpower[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ryan Turner\Cookies\ryan turner@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ryan Turner\Desktop\Unused Desktop Shortcuts\Miscellaneous\VundoFix.exe[process.exe]
Virus:Trj/Agent.EDE Disinfected C:\Documents and Settings\Ryan Turner\Local Settings\Temporary Internet Files\Content.IE5\77P7ENNZ\9a1d428b171c9f4da02a734fb1d2ef63[1]
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Ahead\InCD\InCD.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Launch Manager\CtrlVol.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Launch Manager\HotkeyApp.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Launch Manager\LaunchAp.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Launch Manager\PanelICON.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Virus:Trj/Agent.EDE Disinfected C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

Post #25, 03-01-2007, 09:31 PM, by Ried

The infection has returned. Please run FindAWF and post the log here.

The site hosting them was down for a while there. I just tried the links and they are back up. Please try again. No point in running them until we take out the imposters.

Post #26, 03-02-2007, 06:06 AM, by RTurner

Ran the FindAWF scan. Here it is. Thank you!!!


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\GATEWA~1\BAK

06/24/2003 08:33 PM 303,180 GWInkMonitor.exe
1 File(s) 303,180 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\LAUNCH~1\BAK

09/16/2003 01:28 PM 20,480 CtrlVol.exe
09/24/2003 12:53 PM 40,960 HotkeyApp.exe
05/12/2003 01:28 PM 32,768 LaunchAp.exe
09/24/2003 03:37 PM 36,864 PanelICON.exe
09/12/2003 02:24 PM 65,536 Wbutton.exe
5 File(s) 196,608 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/15/2005 12:12 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 07:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 04:50 AM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\AHEAD\INCD\BAK

10/06/2003 10:40 AM 1,224,754 InCD.exe
1 File(s) 1,224,754 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

06/25/2003 02:30 PM 335,872 atiptaxx.exe
1 File(s) 335,872 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 09:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/11/2002 03:19 AM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

08/16/2004 03:28 PM 610,304 SynTPEnh.exe
08/16/2004 03:28 PM 110,592 SynTPLpr.exe
2 File(s) 720,896 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

02/03/2007 11:43 AM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 01:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

303180 Jun 24 2003 "C:\Program Files\Gateway Utilities\bak\GWInkMonitor.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
20480 Sep 16 2003 "C:\Program Files\Launch Manager\bak\CtrlVol.exe"
40960 Sep 24 2003 "C:\Program Files\Launch Manager\bak\HotkeyApp.exe"
32768 May 12 2003 "C:\Program Files\Launch Manager\bak\LaunchAp.exe"
36864 Sep 24 2003 "C:\Program Files\Launch Manager\bak\PanelICON.exe"
65536 Sep 12 2003 "C:\Program Files\Launch Manager\bak\Wbutton.exe"
155648 Nov 15 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
1224754 Oct 6 2003 "C:\Program Files\Ahead\InCD\bak\InCD.exe"
335872 Jun 25 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
69632 Apr 11 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
610304 Aug 16 2004 "C:\CABS\505M\Mouse\SynTPEnh.exe"
610304 Aug 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
110592 Aug 16 2004 "C:\CABS\505M\Mouse\SynTPLpr.exe"
110592 Aug 16 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
52272 Feb 3 2007 "C:\Program Files\Google\googletoolbar5user.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
138168 Feb 3 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
10562512 Jul 13 2005 "C:\Documents and Settings\Ryan Turner\Desktop\Unused Desktop Shortcuts\Miscellaneous\GoogleEarth.exe"
171448 Feb 3 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report
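The FindAWF report in post #26 lists every bak folder and its contents, matching the behaviour Ried described in post #21: the trojan moves the original autostart executable into bak and puts a copy of itself in the original's place. The Python below is an added example, not noahdfear's FindAWF nor the batch file Ried wrote for this thread: it walks a directory tree for bak folders, hashes each displaced original against the file now in its place, groups the imposters by (size, hash) so that one dropper copied over many targets shows up as one group, and moves the originals back. The directory layout it builds in a temporary folder is a constructed stand-in that borrows a few paths from the report (no real malware is involved); on the actual machine the root would be C:\.

```python
import hashlib
import shutil
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

@dataclass(frozen=True)
class Finding:
    backup: Path              # displaced original, now sitting in <dir>\bak\
    live: Path                # file in <dir>\ itself, i.e. what the autostart entry runs
    status: str               # "imposter", "identical" or "missing"
    live_size: Optional[int]
    live_sha256: Optional[str]

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root: Path):
    """Like FindAWF's 'bak folders found' section, plus a hash comparison with the live file."""
    findings = []
    bak_dirs = sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")
    for bak in bak_dirs:
        for backup in sorted(p for p in bak.iterdir() if p.is_file()):
            live = bak.parent / backup.name
            if not live.exists():
                findings.append(Finding(backup, live, "missing", None, None))
                continue
            digest = sha256(live)
            status = "identical" if digest == sha256(backup) else "imposter"
            findings.append(Finding(backup, live, status, live.stat().st_size, digest))
    return findings

def group_imposters(findings):
    """Group imposters by (size, hash). One dropper copied over every target collapses to a
    single group, the same signal FindAWF's fixed-size file lists are built to surface."""
    groups = defaultdict(list)
    for f in findings:
        if f.status == "imposter":
            groups[(f.live_size, f.live_sha256)].append(f.live)
    return dict(groups)

def restore(findings, dry_run=False):
    """Move each displaced original back over its imposter, then remove emptied bak folders."""
    restored = []
    for f in findings:
        if f.status != "imposter":
            continue
        if not dry_run:
            f.live.unlink()
            shutil.move(str(f.backup), str(f.live))
        restored.append(f.live)
    if not dry_run:
        for bak in {f.backup.parent for f in findings}:
            if bak.is_dir() and not any(bak.iterdir()):
                bak.rmdir()
    return restored

def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for the layout in the report above; no real malware is involved."""
    dropper = b"MZ" + b"\x90" * 40 + b"constructed stand-in for the Agent.awf copy"
    replaced = {
        "Program Files/Launch Manager": ["CtrlVol.exe", "HotkeyApp.exe"],
        "Program Files/Synaptics/SynTP": ["SynTPEnh.exe"],
        "WINDOWS/system32": ["NeroCheck.exe"],
    }
    for rel, names in replaced.items():
        bak = root / rel / "bak"
        bak.mkdir(parents=True)
        for name in names:
            (bak / name).write_bytes(b"MZ" + f"original {name} ".encode() * 64)  # displaced original
            (root / rel / name).write_bytes(dropper)                              # same bytes everywhere
    qt = root / "Program Files/QuickTime"     # bak folder left behind by an earlier clean-up
    (qt / "bak").mkdir(parents=True)
    (qt / "bak" / "qttask.exe").write_bytes(b"MZ" + b"original qttask.exe " * 64)
    (qt / "qttask.exe").write_bytes(b"MZ" + b"original qttask.exe " * 64)
    return root

def run_demo():
    """Build the sample tree in a temp dir: scan, plan (dry run), restore, rescan."""
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    before = scan(root)
    planned = restore(before, dry_run=True)   # nothing on disk changes here
    restored = restore(before)
    return before, planned, restored, scan(root)

if __name__ == "__main__":
    before, planned, restored, after = run_demo()
    for key, paths in group_imposters(before).items():
        print(f"{len(paths)} imposters share size {key[0]} and sha256 {key[1][:12]}...")
    print(f"restored {len(restored)} originals; {len(after)} bak entries remain")
```

Run the module directly for the demo, or point scan() at a mounted drive for a real case. One caveat the report itself hints at: its "Duplicate files of bak directory contents" section cross-checks each backup against other copies on disk (C:\CABS\505M\Mouse\SynTPEnh.exe matches the Synaptics bak copy, for instance), and a restore should do the same, confirming that the bak file is the vendor's binary by hash or digital signature before trusting it, since nothing stops a variant from leaving a file of its own in bak.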

Post #27, 03-02-2007, 06:16 AM, by Ried

Thanks--it will take me some time to write up a new batch file for you. I should have that for you soon.

Post #28, 03-02-2007, 06:25 AM, by RTurner

thank you so much you have been an unbelievable help!

Post #29, 03-02-2007, 06:51 AM, by Ried

You're welcome.

Let's see if I can get it all and knock this infection out for good.

Same as before, download the RTurner3.zip to your desktop.

------------------------------------------------------------

If you haven't downloaded these tools yet, please do so now: **It's easiest if you use IE for the download.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop.

Download: ResetProtocolDefaults.reg to your desktop.


------------------------------------------------------------

Close any open browsers.

------------------------------------------------------------


Reboot into Safe Mode.

------------------------------------------------------------

Double click on the RTurner3.zip folder. Double click on the .bat file within. Click Run.

------------------------------------------------------------

Run AVG A-S

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
------------------------------------------------------------

Right click on the DelO15Domains file and choose Install.
It will run immediately (you won't be able to see anything happen).

**Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

------------------------------------------------------------

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)

------------------------------------------------------------

Reboot into Normal Mode.

------------------------------------------------------------

Run another online scan at Panda and save the results.

------------------------------------------------------------

Run a scan with HijackThis and save the log.

------------------------------------------------------------

Run FindAWF and post the report here.

------------------------------------------------------------

Please include the following in your next reply:

Panda results
HijackThis log
awf.txt
Attached file: RTurner3.zip (710 bytes)
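Posts #23 and #29 both call for DelO15Domains.inf and ResetProtocolDefaults.reg. Both act on Internet Explorer's ZoneMap key: HijackThis's O15 lines are domains that have been added to the Trusted sites zone, and ProtocolDefaults decides which zone a URL scheme lands in when no mapping matches; IE-SPYAD from post #21 works the same mechanism in reverse, filling the Restricted sites zone. The Python below is an added example, not the MVPS tools themselves: it parses a .reg export of the ZoneMap key, reports protocol defaults that deviate from the expected values, buckets every domain mapping by zone, and emits a .reg of its own that resets the defaults and deletes only the trusted-zone mappings, leaving IE-SPYAD-style Restricted entries in place. The expected ProtocolDefaults values are my assumption of the XP-era defaults; the sample export, example.test, mixed.test and the http-to-zone-0 deviation are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Zones: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# Assumed XP-era defaults (what ResetProtocolDefaults.reg restores); confirm on a clean machine.
EXPECTED_PROTOCOL_DEFAULTS = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3, "shell": 0}

@dataclass(frozen=True)
class ZoneEntry:
    host: str      # Domains\example.test\update -> update.example.test
    scheme: str    # "*", "http", "https", ...
    zone: int
    key: str       # registry key holding the mapping

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def _parse_value(data):
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data  # hex:, "-" (delete value) and other forms are kept verbatim

def parse_reg(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports -> {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]   # "[-key]" deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(2).replace('\\"', '"')
            keys[current][name] = _parse_value(m.group(3))
    return keys

def audit_zonemap(keys):
    """Report deviating protocol defaults and every ZoneMap\\Domains mapping, bucketed by zone."""
    report = {"protocol_deviations": {}, "trusted": [], "restricted": [], "other": []}
    defaults = keys.get(ZONEMAP + "\\ProtocolDefaults", {})
    for proto, expected in EXPECTED_PROTOCOL_DEFAULTS.items():
        if defaults.get(proto) != expected:
            report["protocol_deviations"][proto] = (defaults.get(proto), expected)
    prefix = ZONEMAP + "\\Domains\\"
    for key, values in keys.items():
        if not key.startswith(prefix):
            continue
        host = ".".join(reversed(key[len(prefix):].split("\\")))   # subkey = host label
        for scheme, zone in values.items():
            if isinstance(zone, int):
                bucket = {2: "trusted", 4: "restricted"}.get(zone, "other")
                report[bucket].append(ZoneEntry(host, scheme, zone, key))
    return report

def build_fix_reg(keys, report):
    """Emit a .reg undoing the findings (my own equivalent of ResetProtocolDefaults.reg plus
    DelO15Domains.inf): reset ProtocolDefaults, remove trusted-zone mappings, keep the rest."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    if report["protocol_deviations"]:
        lines.append(f"[{ZONEMAP}\\ProtocolDefaults]")
        lines += [f'"{p}"=dword:{v:08x}' for p, v in EXPECTED_PROTOCOL_DEFAULTS.items()]
        lines.append("")
    by_key = defaultdict(list)
    for e in report["trusted"]:
        by_key[e.key].append(e)
    for key, entries in sorted(by_key.items()):
        if all(z == 2 for z in keys[key].values()):
            lines.append(f"[-{key}]")                        # only trusted mappings: drop the key
        else:
            lines.append(f"[{key}]")
            lines += [f'"{e.scheme}"=-' for e in entries]    # delete just those values
        lines.append("")
    return "\n".join(lines)

# Constructed export for this example (not the poster's registry): http forced into zone 0,
# hosts pushed into Trusted sites, one of them beside an IE-SPYAD-style Restricted entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"file"=dword:00000003
"ftp"=dword:00000003
"http"=dword:00000000
"https"=dword:00000003
"shell"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\update]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mixed.test]
"http"=dword:00000002
"https"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\doubleclick.net]
"*"=dword:00000004
"""
```

To use it on a real machine, export the key first (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" zonemap.reg`), feed the file's text to parse_reg(), and read through the trusted list before merging the generated .reg: a company intranet site in the Trusted zone is legitimate and should be taken out of the fix by hand, which is also why the fix deletes individual values rather than the whole key when a key carries anything other than trusted-zone mappings.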

Post #30, 03-02-2007, 07:16 AM, by RTurner

I am in the middle of this next step; however, the link DelO15Domains.inf is bad and won't take me to the right page. What should I do?

Post #31, 03-02-2007, 07:27 AM, by Ried

I've attached one for you.

Download and save it to your desktop. Extract all files, then right click on the DelO15Domains.inf and select Install.
Last edited by Ried : 04-19-2007 at 10:28 PM.

Post #32, 03-02-2007, 12:09 PM, by RTurner

OK, did the latest, although the Panda scan did not find anything and did not give me the option to save a log. Here are my other logs, including the AVG scan you asked me to do.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:52 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Ahead\I