Sister uses Aol Instant messenger and whenever she signs on her profile is reset and inserted is a link to a site prompting to download a file "b.exe" it says it is not a trojan, virus, or hijacking software, but I've got a hint not to trust them. I can't figure it out. Here's the Hi-Jack This log:

Logfile of HijackThis v1.97.0
Scan saved at 8:28:46 PM, on 11/17/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ClrSchP017.exe
C:\WINDOWS\System32\SahAgent.exe
C:\PROGRA~1\EZULA\mmod.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\WINDOWS\b.exe
C:\WINDOWS\vntwtweg.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
C:\WINDOWS\msbb.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = http://localhost;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {0FA3BB0A-C3F3-613D-FF4B-CE88BC15A4CF} - C:\WINDOWS\system32\wqthndpw.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {BA5BAA5D-A9C7-1C7B-24FC-2B8847AF33D8} - C:\WINDOWS\system32\vjpakfyo.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [BEHKO] C:\WINDOWS\BEHKO.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [jzatolqs] C:\WINDOWS\vntwtweg.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\bvh\Application Data\DownloadPlus.exe
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\AddressBar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\AddressBar\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\AddressBar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
O11 - Options group: [CommonName] CommonName
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.imbum.com/Imbum.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F7ADCFE3-AA28-F99E-E665-B13AC332D249} (DownloadUL Class) - http://public.searchbarcash.com/cab/351/atrwzpca.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F31521AC-6C8F-4E51-BB1C-F52A7DD979D8}: NameServer = 205.152.133.254,205.152.132.235

Also after the last adaware scan it found 518 new processes/files/registry values/etc. I don't think my council on how to not get spyware really worked. This problem seems to still be affecting her though.

Hi k.c.

I am not an expert in these things (obviously), but it looks like sis has a virus/worm of the W32 type. Have you run an updated and clean antivirus yet? The experts will probably be along soon, but you might want to do that while you are waiting if you haven't already....:rolleyes: :)

I'm not an expert at this kind of thing either, but if it were me I'd have HT fix the following

C:\WINDOWS\b.exe
C:\PROGRA~1\EZULA\mmod.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\WINDOWS\vntwtweg.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
ernet Settings,ProxyOverride = <http://localhost;>
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {BA5BAA5D-A9C7-1C7B-24FC-2B8847AF33D8} - C:\WINDOWS\system32\vjpakfyo.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O9 - Extra button: Sidesearch (HKLM)
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - <http://www.imbum.com/Imbum.cab>
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe <http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe>

O16 - DPF: {F7ADCFE3-AA28-F99E-E665-B13AC332D249} (DownloadUL Class) - <http://public.searchbarcash.com/cab/351/atrwzpca.cab>
O17 - HKLM\System\CCS\Services\Tcpip\..\{F31521AC-6C8F-4E51-BB1C-F52A7DD979D8}: NameServer = 205.152.133.254,205.152.132.235

There might be more things that need fixing. I would suggest getting the most current Spybot download and run that also.

Some of this stuff I will list will duplicate Steve's post, because I am being lazy and don't want to rip out the dupes..... :D

Close all browser windows, then in HijackThis check off the boxes next to the following and then the Fix button....

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int
ernet Settings,ProxyOverride = hxxp://localhost;
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\Im6um.dll
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {0FA3BB0A-C3F3-613D-FF4B-CE88BC15A4CF} - C:\WINDOWS\system32\wqthndpw.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {BA5BAA5D-A9C7-1C7B-24FC-2B8847AF33D8} - C:\WINDOWS\system32\vjpakfyo.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [BEHKO] C:\WINDOWS\BEHKO.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [jzatolqs] C:\WINDOWS\vntwtweg.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\AddressBar\navigate.htm

O9 - Extra button: Sidesearch (HKLM)

O11 - Options group: [CommonName] CommonName

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - hxxp://www.imbum.com/Imbum.cab
O16 - DPF: {F7ADCFE3-AA28-F99E-E665-B13AC332D249} (DownloadUL Class) - hxxp://public.searchbarcash.com/cab/351/atrwzpca.cab


Then reboot and delete the following.....

(files)
C:\WINDOWS\wt\updater\wcmdmgrl.exe
C:\Program Files\ClearSearch\Loader.exe
C:\WINDOWS\msbb.exe
C:\WINDOWS\BEHKO.exe
C:\Program Files\Bargain Buddy\bin2\bargains.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\Belt.exe
C:\WINDOWS\b.exe <== CTRL-ALT-DEL and end task and delete this one before rebooting!!
C:\WINDOWS\vntwtweg.exe
C:\PROGRA~1\COMMON~2\ADDRES~1\winnet.exe
c:\program files\winfavorites\WinFavorites.exe
C:\PROGRA~1\ezula\mmod.exe

(folders)
C:\WINDOWS\wt\updater\
C:\Program Files\ClearSearch\
C:\Program Files\Bargain Buddy\
C:\PROGRA~1\COMMON~2\ADDRES~1\
c:\program files\winfavorites\
C:\PROGRA~1\ezula\


Leave the O17 alone....it most likely is her ISP.

Seems she's not haveing the problem anymore. Heres a follow up log. Also when searching around for the files you wanted me to delete there was also a "bbb.exe" which I have no clue what it is or does so I left it there uuntil it posts to be a problem.

Logfile of HijackThis v1.97.0
Scan saved at 5:42:04 PM, on 11/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?c001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\bvh\Application Data\DownloadPlus.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F31521AC-6C8F-4E51-BB1C-F52A7DD979D8}: NameServer = 205.152.133.254,205.152.132.235

Fix these items in Hijack this:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe

After fixing, reboot, and delete C:\WINDOWS\b.exe

HERE (http://www.sophos.com/virusinfo/analyses/trojcultb.html) is some info on this entry...

C:\WINDOWS\System32\wuauclt.exe

Looks like it could be causing problems.