
iexplore.exe error, module wininet.dll


theresaf
05-31-2006, 11:15 AM
Whenever I open IE6 (in Win XP Pro, SP2), I get the error message "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." The error signature:
AppName: iexplore.exe
AppVer: 6.0.2900.2180
ModName: wininet.dll
ModVer: 6.0.2900.2861
Offset: 0001b7e8

I have tried "sfc /scannow" and the disk defragmenter. I did a system restore to a day when I knew it was working last week. I searched the Microsoft KB articles and couldn't find anything that looked like it directly applied.

If anyone out there has any suggestions, I would greatly appreciate it.

david eaton
05-31-2006, 03:20 PM
The Wininet.dll could be the Troj/Zlob-AO trojan.
Please download http://www.merijn.org/files/hijackthis.zip
Copy it into its own folder, double-click HijackThis.exe, and hit "Scan and save log".

When the scan is finished, the log will open in Notepad. Do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

theresaf
05-31-2006, 04:43 PM
Thank you for your reply. Here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:50 PM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1129902552\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Utils\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

theresaf
05-31-2006, 04:45 PM
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [SafeTPKeyCheck] C:\WINDOWS\SafeTP\STPMGR.EXE /CHECKSEED
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129902552\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Iomega Automatic Backup] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://aolexpressions.aol.com/testdrive.adp?clientId=2&expTypeId=1&catId=43&langCode=&subcatId=988&tm=296&expId=7150
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{F74E76D0-9925-45DC-A013-421BF25E993D}: NameServer = 18.71.0.151,18.70.0.160

theresaf
05-31-2006, 04:48 PM
O18 - Protocol: bw+0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

theresaf
05-31-2006, 04:49 PM
O18 - Protocol: bws0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
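The diagnosis in this thread rests on reading the log above, so here is a small triage script for that format. It is an added example, not HijackThis code and not anything posted in the thread. It groups entries by section, lists the modules that get loaded into iexplore.exe (the process that is crashing inside wininet.dll), collapses the long O18 protocol list to the DLLs behind it, and flags the persistence points a responder verifies first (O4 Run keys, O17 NameServer, O20 AppInit_DLLs, O23 services with no owner). The sample log is a constructed subset of the lines posted above; the flagging heuristics are the example's own and are review prompts, not malware verdicts.

```python
"""Triage a HijackThis v1.99-style log.

Added example for this thread: not HijackThis code and not posted by anyone
here. Flags are review prompts, not verdicts; the heuristics are my own.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the thread's log lines, in HijackThis format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F74E76D0-9925-45DC-A013-421BF25E993D}: NameServer = 18.71.0.151,18.70.0.160
O18 - Protocol: bw+0 - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {94450FAA-939E-4315-8768-6434A489BE4F} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Run-key entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>.+?)\] (?P<cmd>.*)$")
# First token of a command line: a quoted path, or an unquoted path up to the
# first executable extension (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|bat|cmd|scr))', re.I)


def parse_hjt(text):
    """Return one dict per log entry with its section code (O4, O23, ...) and body."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def image_path(cmd):
    """Extract the executable path from a Run-key command line."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def triage(entries):
    """Section counts, modules loaded into IE, collapsed protocol handlers,
    and (section, reason, detail) review flags."""
    report = {
        "counts": Counter(e["section"] for e in entries),
        "ie_modules": [],
        "protocol_handlers": defaultdict(list),  # (clsid, dll) -> [scheme, ...]
        "flags": [],
    }
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec in ("O2", "O3"):
            # BHO or toolbar: "Kind: Name - {CLSID} - path"; both load into IE
            report["ie_modules"].append(body.rsplit(" - ", 1)[-1])
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # .lnk startup entries use a different layout
            path = image_path(m.group("cmd"))
            # Heuristic: an autostart binary directly in the Windows directory
            # (not system32, not Program Files) is worth verifying by vendor
            # signature or hash before trusting it.
            if re.fullmatch(r"c:\\windows\\[^\\]+", path.lower()):
                report["flags"].append((sec, "autostart binary in Windows root", path))
        elif sec == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                report["flags"].append((sec, "registry DNS servers; confirm they are the expected resolvers", m.group(1)))
        elif sec == "O18":
            # "Protocol: scheme - {CLSID} - path"; dozens of schemes usually map to one DLL
            scheme, clsid, path = body[len("Protocol: "):].split(" - ", 2)
            report["protocol_handlers"][(clsid, path)].append(scheme)
            if path not in report["ie_modules"]:
                report["ie_modules"].append(path)
        elif sec == "O20":
            # AppInit_DLLs loads into every process that loads user32.dll,
            # iexplore.exe included, so any entry here gets verified.
            path = body.split(": ", 1)[1]
            report["ie_modules"].append(path)
            report["flags"].append((sec, "AppInit_DLLs entry loads into every GUI process", path))
        elif sec == "O23":
            name, owner, path = body.rsplit(" - ", 2)
            if owner.lower() == "unknown owner":
                report["flags"].append((sec, "service with no recorded owner", f"{name[len('Service: '):]} -> {path}"))
    return report


if __name__ == "__main__":
    rep = triage(parse_hjt(SAMPLE_LOG))
    print("sections:", dict(rep["counts"]))
    print("modules loaded into IE:", *rep["ie_modules"], sep="\n  ")
    for (clsid, dll), schemes in rep["protocol_handlers"].items():
        print(f"{len(schemes)} protocol schemes -> {dll}")
    for sec, reason, detail in rep["flags"]:
        print(f"review [{sec}] {reason}: {detail}")
```

Run against the full log, the O18 section collapses from about sixty lines to two DLLs under the Logitech Desktop Messenger folder, and the O20 line resolves to a DLL under the Google program folder; both are on the list of code that sits inside the crashing process, which is the list to check first when the fault is in a library every browser component calls.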

david eaton
05-31-2006, 08:39 PM
Please download, install, and update the NEW free version of Ewido Anti-Malware (http://www.ewido.net/en/download/):

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

From the main ewido screen, click on update in the left menu, then click the Start update button.

After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Then post back with the ewido log, and say how the computer is running.

theresaf
06-01-2006, 04:01 PM
I rebooted the machine just for good measure and I still have the same problem. Anything that uses wininet.dll (ie6, google desktop, etc.) crashes. Thanks in advance for hopefully future help.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:52:28 PM, 6/1/2006
+ Report-Checksum: D3A52231

+ Scan result:

C:\Documents and Settings\tfeledy\Cookies\tfeledy@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@centrport[2].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@e-2dj6wfmiclcpelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@lov.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@news.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@server3.web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\tfeledy\Cookies\tfeledy@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup

theresaf
06-01-2006, 04:02 PM
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@adtech[1].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@ehg-becton.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@ehg-qualcomm.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@servedby.advertising [1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\tfeledy\Local Settings\Temp\Cookies\tfeledy@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
G:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
G:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
G:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
G:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
H:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
H:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
H:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
H:\Cheetah1_Backup\Documents and Settings\tfeledy\Cookies\tfeledy@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup


::Report End

Budfred
06-01-2006, 08:52 PM
Please do this to look for a possible cause:

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

theresaf
06-02-2006, 11:00 AM
Again, thank you.

SmitFraudFix v2.53

Scan done at 9:56:02.25, Fri 06/02/2006
Run from C:\Utils\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\tfeledy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\tfeledy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Budfred
06-02-2006, 08:07 PM
It doesn't look like this is the problem and it is the most common reason for this problem... You can run the second step if you would like, but you may need to restore your Desktop if you do... Here are the instructions if you decide you want to try it:

It would be a good idea to print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Let us know what you decide to do and we may need to run another scan to look deeper...

theresaf
06-02-2006, 08:15 PM
like, but you may need to restore your Desktop if you do... Here are the instructions if you decide you want to try it:

Let us know what you decide to do and we may need to run another scan to look deeper...

What exactly do you mean by "restore" my Desktop? Do you mean that I will just have to re-assign whatever picture it is that I have chosen to be on it, or are we talking something more than that? I am certainly willing to try anything at this point. It sounds like you think this could end up being a fix for the problem, no?

Whatever you suggest is fine with me.

Budfred
06-02-2006, 09:50 PM
What exactly do you mean by "restore" my Desktop? Do you mean that I will just have to re-assign whatever picture it is that I have chosen to be on it, or are we talking something more than that? I am certainly willing to try anything at this point. It sounds like you think this could end up being a fix for the problem, no?

Whatever you suggest is fine with me.
I believe it just means putting back your Desktop preferences, but I haven't walked through it with anyone yet, so I am not sure... Also, I am not sure this will do anything since nothing nasty showed up in Option 1... We can go straight on to another scan if you would prefer... Here is one that is supposed to be quite thorough...

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer, because files that were in use may be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

mjc
06-02-2006, 10:25 PM
Actually, yes it means that you need to restore your settings.

theresaf
06-06-2006, 08:39 PM
Thank you both for your replies. I was away at a conference and am back on the hunt to try to fix it tomorrow. I'll try the new scan then and post the results.

theresaf
06-07-2006, 01:25 PM
It's still scanning, but I have a quick question. It has identified several things as "Probably BACKDOOR.Trojan" and one thing as "Probably DLOADER.Trojan", the backdoor ones seem to be AOL ones, so I don't mind getting rid of those, but I'm a little hesitant about the DLoader one because it's ENCore.dll and looks like it is a legit EndNote file. Should I leave that alone? Or this is just a disguise to make me think I should leave it alone...

theresaf
06-07-2006, 02:51 PM
Here's the results log:

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\TRITON_SUITE_INSTALL_1.7.13.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\TRITON_SUITE_INSTALL_1.8.8.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.1.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.1.1.6;Probably BACKDOOR.Trojan;Incurable.Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.4.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.56.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.68.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.9.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
ENCore.dll;C:\Program Files\EndNote 9;Probably DLOADER.Trojan;Incurable.Moved.;

So where are we now? Is it worth it to try uninstalling and re-installing IE6 somehow? I also noticed there is an IE7 beta out -- what about trying to use that? Is there any chance that it is not some sort of malware/trojan and for whatever reason that .dll really is corrupt? Should I try the registry fix you suggested a couple of posts ago? Thanks again for your help.
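A small triage helper for the Dr.Web CureIt report format pasted above, added here as an example; it is not part of the thread and is not Dr.Web's own tooling. It assumes the semicolon-separated layout visible in the log (file name; directory; verdict; action) and treats verdicts that begin with "Probably" as heuristic detections that deserve a look at the file's origin before the quarantined copy is deleted, which is exactly the question raised about ENCore.dll. The sample lines are constructed to mirror the log and are not real detections.

```python
"""Triage a Dr.Web CureIt report list (semicolon-separated, as pasted in
the thread).  Added example; SAMPLE_REPORT is constructed from the thread's
log layout and does not represent real verdicts."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List, Tuple

SAMPLE_REPORT = r"""
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\TRITON_SUITE_INSTALL_1.7.13.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
ENCore.dll;C:\Program Files\EndNote 9;Probably DLOADER.Trojan;Incurable.Moved.;
"""


@dataclass
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def heuristic(self) -> bool:
        # Dr.Web prefixes heuristic (non-signature) verdicts with "Probably"
        return self.verdict.startswith("Probably ")

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_report(text: str) -> List[Detection]:
    """Parse the report into Detection records, skipping blank or short lines."""
    detections = []
    for fields in csv.reader(StringIO(text), delimiter=";"):
        if len(fields) < 4 or not fields[0].strip():
            continue  # blank line or malformed row
        name, directory, verdict, action = (f.strip() for f in fields[:4])
        detections.append(Detection(name, directory, verdict, action))
    return detections


def triage(detections: List[Detection]) -> Tuple[List[Detection], List[Detection]]:
    """Split into signature hits (safe to delete from quarantine) and
    heuristic hits (verify the file's origin first; restore if legitimate)."""
    confirmed = [d for d in detections if not d.heuristic]
    review = [d for d in detections if d.heuristic]
    return confirmed, review


def summarize(text: str) -> str:
    confirmed, review = triage(parse_report(text))
    lines = ["Confirmed (signature) detections:"]
    lines += [f"  {d.path}  [{d.verdict}] {d.action}" for d in confirmed]
    lines.append("Heuristic detections, verify before deleting:")
    lines += [f"  {d.path}  [{d.verdict}] {d.action}" for d in review]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Feed it the saved DrWeb.csv instead of SAMPLE_REPORT to get the same split for a real scan; the heuristic list is the set of files worth checking against the vendor's installer before emptying quarantine.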

theresaf
06-07-2006, 02:53 PM
p.s. As you can see I moved the files at first so I could just delete the ones I was sure of deleting. EndNote doesn't work now, so can I just put that ENCore.dll back?

Budfred
06-07-2006, 08:34 PM
p.s. As you can see I moved the files at first so I could just delete the ones I was sure of deleting. EndNote doesn't work now, so can I just put that ENCore.dll back?
I am not sure what you are referring to in the first part of this note and in the comment about a Registry fix...

If you know what Endnote is and that it is safe, you can certainly move the file back... That program sometimes gets false positives which is why the instructions are to move instead of kill...

theresaf
06-08-2006, 01:30 AM
It doesn't look like this is the problem and it is the most common reason for this problem... You can run the second step if you would like, but you may need to restore your Desktop if you do... Here are the instructions if you decide you want to try it:

It would be a good idea to print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.


All I was wondering in my first comment is if I should try what you suggested earlier with smitfraudfix.cmd... or something else?

Also, I know exactly what Endnote is -- it's just basically a database for references. I just wanted to make sure there wasn't something I was missing.

theresaf
06-08-2006, 11:06 AM
In the mean time, I tried another fix, which is to try re-installing IE6 by "Method 2" on:
http://www.theeldergeek.com/repair_ie6.htm


From the Start menu, select Search, select All Files and Folders.
Select More Advanced Options and place a checkmark beside Search Hidden Files and Folders option.
Ensure that Search System Folders and Search Subfolders are also checked.
In the All or Part of the File Name box, type ie.inf
In the Look In drop-down menu, select C: or the letter of the hard drive that contains the Windows folder.
Click the Search button.
In the search results pane, find the ie.inf file located in Windows\Inf folder.
Right click the ie.inf file and click Install on the context menu.
Reboot the computer when the file copy process is complete.

It didn't work :(

Budfred
06-08-2006, 11:19 AM
Given that you don't seem to have an active infection, I would probably not run Option 2 at this point...

There is a program called IEFix, but I don't have it handy at the moment... Maybe someone else will be able to post it for you today... I will check back when I get home from work...

theresaf
06-08-2006, 11:39 AM
Another update. What I'm trying may be futile, but at least I feel like I'm trying something... Here's what I tried:

Unchecked IE in Add/Remove programs, windows components
Attempted to rename wininet.dll, but it apparently regenerates itself
Searched my computer and found the newest version besides the one that was currently being used in the System32 folder - it was in a folder from an update: KB912812. I replaced the file in the System32 folder with the one I found.
I went back to Add/Remove programs and re-installed IE


Not only did I still have the same problem when I was done, but other funny things started happening (programs not starting at startup, icons usually next to the clock disappearing, etc.). I did a system restore to a point I set before I started, so now things seem to be back to status quo.

I'll look for IEFix. Thanks.

theresaf
06-08-2006, 12:02 PM
I downloaded IE fix from http://www.softpedia.com/get/Tweak/Browser-Tweak/IEFix.shtml and ran it, pointing it to the I386 folder on my computer to get the files, as I have an OEM version of XP. It uses the ie.inf method to basically accomplish (as far as I can tell) what I did in post 22. After a reboot, I still have the same problem with the same error message.

Ug. I really don't want to have to go through a reinstall of the OS and the dozens of programs I have on this machine to fix a problem with this one file -- please tell me there's something else I can try.

Budfred
06-08-2006, 10:46 PM
Well, since Option 2 is capable of replacing wininet.dll it may be worthwhile to go ahead and run it to see if it makes a difference... Since we don't see an infection, it is likely you will need to repair your Desktop when it is done...

theresaf
06-09-2006, 06:35 PM
I tried option 2 and not only did it not fix the problem, but it also managed to get rid of all the icons that are usually running next to the time. I did a system restore to get back to where I started.

Here's the log:
SmitFraudFix v2.53

Scan done at 17:21:50.71, Fri 06/09/2006
Run from C:\Utils\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ps - I'll be out of town for the weekend, so I'll be able to try stuff again on Monday. Hopefully there is something else to try...

Budfred
06-09-2006, 08:49 PM
I tried option 2 and not only did it not fix the problem, but it also managed to get rid of all the icons that are usually running next to the time. I did a system restore to get back to where I started.
That is what it means about having to restore the Desktop... I probably wouldn't have used the System Restore since that will restore anything bad that might have been there too... Hopefully it is clean of malware, but I don't know what is causing the problem otherwise... It is probably a Registry glitch... Maybe mjc can address that...

mjc
06-09-2006, 09:06 PM
Generally, the SysTray icons are those programs that start when Windows starts. Usually all it takes to get them back is a reboot. If they don't come back on a reboot, then run msconfig to see if they've been disabled. If so, enable them and reboot again.

theresaf
06-10-2006, 07:25 PM
I would have been OK with just fixing the systray icons (a reboot didn't work in this case) and replacing the wallpaper if it had fixed the problem with the IE crash, but it didn't. I would be happy to try it again without going back to a restore point, but I really don't think it fixed anything.

Also, just to add to your notes for the future, it re-sets your IE home page. Again, not a big deal, but just in case people want to save it.

mjc
06-10-2006, 08:03 PM
What did it set it to? The default MS page?

At this point, I think we can safely eliminate most, if not all malware. It seems what you have is a genuine IE problem... have you tried a repair install of IE? You may want to try getting the full version (not the web installer) of IE before you give it a shot.

Or, you can try this IE update. It should have the proper files for your version...

http://www.microsoft.com/technet/security/bulletin/ms06-013.mspx

This patch should also be installed, before the other one, if possible...

http://www.microsoft.com/technet/security/bulletin/ms05-026.mspx

theresaf
06-12-2006, 11:31 AM
Yes, it did set to the default MS page.

I tried installing both patches (second then first) and checked to see if I still had the problem after each install -- I still do.

I did try a couple different versions of re-installing IE (posts 22 & 24) -- would you suggest something different?

mjc
06-12-2006, 11:42 AM
Navigate to the Windows\system32 folder and find wininet.dll.

Right click on it => Properties => Version

Copy down the version info.

Go to the Program Files\Internet Explorer folder and do the same for iexplore.exe

Then, back in the sys32 folder rename wininet.dll to wininet.bak

And then run the first patch again...when finished, it should have replaced wininet.dll. If it did then post that version info, too. If not, we need to figure out where the patches/repairs are failing...

theresaf
06-12-2006, 12:11 PM
Sorry, could you clarify which one is the "first" patch you would like me to run? ms05-026.mspx?

mjc
06-12-2006, 12:13 PM
06-13...the other patch isn't going to be affected by manually changing wininet.dll.

theresaf
06-12-2006, 02:45 PM
Versions:
wininet.dll: 6.0.2900.2861
iexplore.exe: 6.0.2900.2180

They are the same before and after the patch. This isn't too surprising though, is it? I was running the most updated version when this trouble started...

mjc
06-12-2006, 02:56 PM
Ideally they should match...

I'm not entirely sure that the wininet.dll is actually getting updated. It could be being pulled from the dllcache folder instead of being replaced... look to see if it happens to be there.

You may be having a problem with WFP (Windows File Protection).

theresaf
06-12-2006, 04:43 PM
I did a search for all the wininet.dll on my computer. It came up with one in c:\I386 (642 KB, 9/29/2004), and a bunch in C:\WINDOWS\$NtUninstall and $hf_mig$ folders that are all related to patch installs. The version for the one in the I386 folder is 6.0.2900.2518.
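The inventory done by hand above, and the dllcache/WFP question raised just before it, can be automated: the script below walks the directories named in the thread plus system32\dllcache, hashes every copy of wininet.dll it finds, groups identical copies, and reports whether the live system32 copy is byte-identical to the dllcache copy that Windows File Protection restores from. It is an added example, not from the thread or any Microsoft tool; the directory list and the DLL name are assumptions taken from the thread, and the test uses constructed temporary files rather than real system files.

```python
"""Inventory every copy of a DLL on the system drive and compare them by
size and SHA-256, so the live system32 copy can be checked against the
one Windows File Protection keeps in system32\\dllcache and the installer
copy in I386.  Added example; directory names are assumed from the thread."""
import hashlib
import os
from glob import glob
from typing import Dict, List, Tuple

DLL_NAME = "wininet.dll"  # assumed from the thread; any protected DLL works


def candidate_dirs(windir: str = r"C:\WINDOWS", drive: str = "C:\\") -> List[str]:
    """Directories where copies of a system DLL normally live on XP."""
    dirs = [
        os.path.join(windir, "system32"),
        os.path.join(windir, "system32", "dllcache"),  # WFP's protected-file cache
        os.path.join(drive, "I386"),                    # OEM install source
    ]
    dirs += glob(os.path.join(windir, "$NtUninstall*$"))  # hotfix rollback folders
    dirs += glob(os.path.join(windir, "$hf_mig$", "*"))   # hotfix migration copies
    return dirs


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(paths: List[str]) -> Dict[str, Tuple[int, str]]:
    """Map each path that exists to (size in bytes, sha256 hex digest)."""
    result = {}
    for p in paths:
        if os.path.isfile(p):
            result[p] = (os.path.getsize(p), sha256_of(p))
    return result


def group_by_hash(inv: Dict[str, Tuple[int, str]]) -> Dict[str, List[str]]:
    """Group paths whose contents are byte-identical."""
    groups: Dict[str, List[str]] = {}
    for path, (_, digest) in inv.items():
        groups.setdefault(digest, []).append(path)
    return groups


def wfp_consistent(inv: Dict[str, Tuple[int, str]], live_path: str, cache_path: str) -> bool:
    """True when the live copy is byte-identical to the dllcache copy.
    WFP silently restores the live file from dllcache, so a mismatch means
    either the cache is stale or something replaces the file out of band.
    A missing copy on either side counts as inconsistent."""
    if live_path not in inv or cache_path not in inv:
        return False
    return inv[live_path][1] == inv[cache_path][1]


def report(windir: str = r"C:\WINDOWS", drive: str = "C:\\") -> None:
    paths = [os.path.join(d, DLL_NAME) for d in candidate_dirs(windir, drive)]
    inv = inventory(paths)
    for digest, members in group_by_hash(inv).items():
        print(f"{digest[:16]}...  {inv[members[0]][0]} bytes")
        for m in members:
            print("   ", m)
    live = os.path.join(windir, "system32", DLL_NAME)
    cache = os.path.join(windir, "system32", "dllcache", DLL_NAME)
    print("system32 matches dllcache:", wfp_consistent(inv, live, cache))


if __name__ == "__main__":
    report()
```

Run it on the affected machine and read the version strings off each group's first member with Explorer's Properties > Version, as the thread does; two copies with the same version string but different hashes are the case worth a closer look, since a straight rename-and-repatch cannot explain that.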

mjc
06-12-2006, 04:52 PM
Hmmm....ok, try substituting one of the earlier versions and see if it stays the same after a reboot, or if it switches to the 2861 version.

theresaf
06-12-2006, 05:51 PM
After reboot, it seems I have successfully copied a new wininet.dll into the system32 folder (version 6.0.2900.2753). However, I still have the same crash that I had before, now with the older wininet.dll. Here are a couple of example crashes:
weather.exe, 6.5.0.15, wininet.dll, 6.0.2900.2753
iexplore.exe, 6.0.2900.2180, wininet.dll, 6.0.2900.2753

Are we barking up the wrong tree here? Could there be something else that's causing the .dll to crash without there being something wrong with the .dll itself?

mjc
06-12-2006, 06:16 PM
Yes, but the dll is the most likely culprit.

This also, although all updates/patches should have done it too, eliminates the chance of it being a hacked/malware version of wininet...

Try and get a full report of the event...run drwatson in the run box and then use IE as you normally would, until it crashes.

theresaf
06-13-2006, 10:04 AM
Maybe I am missing something about how to run/use drwatson (I don't know it that well), but I run drwatson, open IE, it crashes, and when I click on Dr. Watson (1.00b) it says "No Faults Detected".

ps. The windows updater is bugging me to install new updates -- I'm guessing this is because of the old version of wininet.dll that I have running. Should I install it or let it be for now?

theresaf
06-15-2006, 06:57 PM
Is this really not fixable? :-(

mjc
06-15-2006, 08:14 PM
About the only thing I can think of right now is a repair of XP as a whole... but it still seems a bit extreme.

You've checked for infections six ways to Sunday. You've fixed IE just about every way that is allowable in XP. You've manually tried several versions of the dll in question...

How about grabbing Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) from Sysinternals.com...with it running do a search for wininet.dll (in the program) and make sure that the copy actually being used is in the proper location, that it is the one we think it is...

theresaf
06-19-2006, 10:36 AM
I'm going to try an automated repair of windows as a last resort before re-install, but I tried to delete my temporary internet files (control panel, internet options, "delete files") and got an error message... I don't know if it actually is related or not but I figured if anyone out there has any ideas as to how these dlls actually work together, then it might help. The error:

RUNDLL
An exception occurred while trying to run "C:\WINDOWS\system32\shell32.dll, Control_RunDLL "C:\WINDOWS\system32\INETCPL.CPL", Internet Options"

theresaf
07-12-2006, 08:14 PM
Just so everyone who might read this post knows, I ended up having to reformat the drive and reinstall everything. The in-place re-install (trying to get windows to just replace the essential files) didn't work. Good luck to anyone else out there who runs into this.

Budfred
07-12-2006, 09:08 PM
Just so everyone who might read this post knows, I ended up having to reformat the drive and reinstall everything. The in-place re-install (trying to get windows to just replace the essential files) didn't work. Good luck to anyone else out there who runs into this.
Sorry to hear that, but it is getting to be more common as the malware gets more tricky... With some rootkits, a complete wipe and reinstall is the only way to ever be fairly sure you are clean...