> [Resolved] computer continually locking up
Jeff G
post Jun 19 2009, 04:30 PM
Post #16


Authentic Member
**

Group: Authentic Member
Posts: 30
Joined: 16-June 05
Member No.: 34,716
Operating System: XP



OCD,

Below is a new HijackThis log as well as the ESET log.txt. Upon rebooting I did not see the Windows Defender message I mentioned in an earlier post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:53 PM, on 6/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093100844828
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7497 bytes


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 11:10:58
# local_time=2009-06-18 07:10:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339254606250000
# compatibility_mode=5889 61 66 100 1012203125000000
# scanned=17403
# found=2
# cleaned=0
# scan_time=903
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 09:11:23
# local_time=2009-06-18 05:11:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339614860781250
# compatibility_mode=5889 61 66 100 1012563379531250
# scanned=75809
# found=3
# cleaned=0
# scan_time=2838
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 10:07:08
# local_time=2009-06-18 06:07:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339648305937500
# compatibility_mode=5889 61 66 100 1012596824687500
# scanned=75807
# found=3
# cleaned=0
# scan_time=3172
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 05:56:31
# local_time=2009-06-19 01:56:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340361939687500
# compatibility_mode=5889 61 66 100 698738018437500
# scanned=15163
# found=0
# cleaned=0
# scan_time=397
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 10:02:01
# local_time=2009-06-19 06:02:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340509240625000
# compatibility_mode=5889 61 66 100 698885319375000
# scanned=75432
# found=3
# cleaned=1
# scan_time=2744
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000


OCD
post Jun 20 2009, 07:29 AM
Post #17


SuperMember
*****

Group: Authentic Member
Posts: 1,763
Joined: 19-June 06
From: Suncoast Florida
Member No.: 57,193
Operating System: Windows XP SP3





Jeff G,

Run OTL.exe (it should still be on your desktop)
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    :Files
    C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak
    C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
- - - - - Next - - - - -

Please re-run the: Eset Online Scanner
(You will need Internet Explorer to run this scan)
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Place a check mark in the box beside Remove found threats. < < Very Important
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • OTL logs OTL.Txt and Extras.Txt
  • ESET log.txt
  • Tell me how your computer is running at the moment.
Jeff G
post Jun 21 2009, 10:21 AM
Post #18





OCD,

PC locked-up on me yesterday while on internet.

Below are my log files:

========== OTL ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak moved successfully.
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_cc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTL by OldTimer - Version 2.1.1.0 log created on 06212009_112740

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_cc.dat not found!

Registry entries deleted on Reboot...


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 11:10:58
# local_time=2009-06-18 07:10:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339254606250000
# compatibility_mode=5889 61 66 100 1012203125000000
# scanned=17403
# found=2
# cleaned=0
# scan_time=903
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 09:11:23
# local_time=2009-06-18 05:11:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339614860781250
# compatibility_mode=5889 61 66 100 1012563379531250
# scanned=75809
# found=3
# cleaned=0
# scan_time=2838
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 10:07:08
# local_time=2009-06-18 06:07:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339648305937500
# compatibility_mode=5889 61 66 100 1012596824687500
# scanned=75807
# found=3
# cleaned=0
# scan_time=3172
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 05:56:31
# local_time=2009-06-19 01:56:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340361939687500
# compatibility_mode=5889 61 66 100 698738018437500
# scanned=15163
# found=0
# cleaned=0
# scan_time=397
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 10:02:01
# local_time=2009-06-19 06:02:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340509240625000
# compatibility_mode=5889 61 66 100 698885319375000
# scanned=75432
# found=3
# cleaned=1
# scan_time=2744
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-21 04:08:48
# local_time=2009-06-21 12:08:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 342025310312500
# compatibility_mode=5889 61 66 100 700401389062500
# scanned=41419
# found=0
# cleaned=0
# scan_time=1995


Jeff G

OCD
post Jun 22 2009, 12:50 AM
Post #19







Jeff G,

We seem to be getting conflicting information from the ESET Online Scanner.

Question: Are you rebooting between running the OTL and the ESET Online Scan?

If you did not reboot between the scans, please reboot and then proceed to re-run the ESET Online Scan.
(instructions below should you need them)

- - - - - Next - - - - -

Please re-run the: Eset Online Scanner
(You will need Internet Explorer to run this scan)
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Place a check mark in the box beside Remove found threats. < < Very Important
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • ESET log.txt
  • Tell me how your computer is running at the moment.


Jeff G
post Jun 22 2009, 04:00 PM
Post #20





OCD,

I didn't think I was re-booting between running the OTL scan and the ESET online scan.

Following the instructions in your last post, I re-booted and then ran the ESET online scan.

Below is the log file as well as the details of the "Threats Found!"

THREATS FOUND TEXT
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan unable to clean

C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan unable to clean

ESET LOG FILE
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 11:10:58
# local_time=2009-06-18 07:10:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339254606250000
# compatibility_mode=5889 61 66 100 1012203125000000
# scanned=17403
# found=2
# cleaned=0
# scan_time=903
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 09:11:23
# local_time=2009-06-18 05:11:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339614860781250
# compatibility_mode=5889 61 66 100 1012563379531250
# scanned=75809
# found=3
# cleaned=0
# scan_time=2838
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 10:07:08
# local_time=2009-06-18 06:07:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339648305937500
# compatibility_mode=5889 61 66 100 1012596824687500
# scanned=75807
# found=3
# cleaned=0
# scan_time=3172
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 05:56:31
# local_time=2009-06-19 01:56:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340361939687500
# compatibility_mode=5889 61 66 100 698738018437500
# scanned=15163
# found=0
# cleaned=0
# scan_time=397
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 10:02:01
# local_time=2009-06-19 06:02:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340509240625000
# compatibility_mode=5889 61 66 100 698885319375000
# scanned=75432
# found=3
# cleaned=1
# scan_time=2744
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-21 04:08:48
# local_time=2009-06-21 12:08:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 342025310312500
# compatibility_mode=5889 61 66 100 700401389062500
# scanned=41419
# found=0
# cleaned=0
# scan_time=1995
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-22 07:08:19
# local_time=2009-06-22 03:08:19 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 342997013750000
# compatibility_mode=5889 61 66 100 701373092500000
# scanned=76559
# found=2
# cleaned=0
# scan_time=3289
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000


Jeff G
OCD
post Jun 23 2009, 11:07 AM
Post #21


SuperMember
*****

Group: Authentic Member
Posts: 1,763
Joined: 19-June 06
From: Suncoast Florida
Member No.: 57,193
Operating System: Windows XP SP3





Jeff G,

We still seem to be having some difficulty getting an accurate result.
  • Please repeat the steps below, taking care to reboot after each step.
  • Also pay close attention to items with red notations.
  • Only run the programs requested and in the following order.
- - - - - Next - - - - -

Please locate the folder in red and delete it and its entire contents.
Be sure to delete the entire folder that is designated.
  • C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak
Right click the file or folder, select Delete.

- - - - - Next - - - - -

Run OTL.exe (it should still be on your desktop)
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    CODE
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

    :Files
    C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak
    C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
- - - - - Next - - - - -

Reboot

- - - - - Next - - - - -

Please re-run the: Eset Online Scanner
(You will need Internet Explorer to run this scan)
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Place a check mark in the box beside Remove found threats. < < Very Important
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • OTL logs OTL.Txt and Extras.Txt
  • ESET log.txt
  • Tell me how your computer is running at the moment.
Jeff G
post Jun 23 2009, 04:47 PM
Post #22





OCD,

Below is the OTL log. I will reboot and then run the Eset Online Scanner and post its log file in my next reply.

========== OTL ==========
Process explorer.exe killed successfully!
========== FILES ==========
File\Folder C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak not found.
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTL by OldTimer - Version 2.1.1.0 log created on 06232009_183705

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_4dc.dat not found!

Registry entries deleted on Reboot...


Jeff G





Jeff G
post Jun 23 2009, 05:21 PM
Post #23





OCD,

While running the ESET Online Scan my PC locked-up. I had to re-boot.

I'm going to begin again. I will start from the beginning of your instructions.

Please ignore the previous post.

Jeff G
Jeff G
post Jun 23 2009, 06:48 PM
Post #24





I followed the instructions as you outlined. Below are my log files.

There were no issues this time.

Jeff G

========== OTL ==========
Process explorer.exe killed successfully!
========== FILES ==========
File\Folder C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak not found.
File\Folder C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTL by OldTimer - Version 2.1.1.0 log created on 06232009_192807

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_f8.dat not found!

Registry entries deleted on Reboot...


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 11:10:58
# local_time=2009-06-18 07:10:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339254606250000
# compatibility_mode=5889 61 66 100 1012203125000000
# scanned=17403
# found=2
# cleaned=0
# scan_time=903
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 09:11:23
# local_time=2009-06-18 05:11:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339614860781250
# compatibility_mode=5889 61 66 100 1012563379531250
# scanned=75809
# found=3
# cleaned=0
# scan_time=2838
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-18 10:07:08
# local_time=2009-06-18 06:07:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 339648305937500
# compatibility_mode=5889 61 66 100 1012596824687500
# scanned=75807
# found=3
# cleaned=0
# scan_time=3172
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000
# version=6
# iexplore.exe=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=stopped
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 05:56:31
# local_time=2009-06-19 01:56:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340361939687500
# compatibility_mode=5889 61 66 100 698738018437500
# scanned=15163
# found=0
# cleaned=0
# scan_time=397
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-19 10:02:01
# local_time=2009-06-19 06:02:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 340509240625000
# compatibility_mode=5889 61 66 100 698885319375000
# scanned=75432
# found=3
# cleaned=1
# scan_time=2744
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-21 04:08:48
# local_time=2009-06-21 12:08:48 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 342025310312500
# compatibility_mode=5889 61 66 100 700401389062500
# scanned=41419
# found=0
# cleaned=0
# scan_time=1995
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-22 07:08:19
# local_time=2009-06-22 03:08:19 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 342997013750000
# compatibility_mode=5889 61 66 100 701373092500000
# scanned=76559
# found=2
# cleaned=0
# scan_time=3289
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx HTML/TrojanClicker.Agent.AG trojan (unable to clean) 00000000000000000000000000000000
esets_scanner_update returned -1 esets_gle=53251
# version=6
# IEXPLORE.EXE=7.00.6000.16850 (vista_gdr.090423-0018)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=db47e108779d0846b6e0c7c5bc977b4c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-06-24 12:39:26
# local_time=2009-06-23 08:39:26 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 22 60 12 344059684843750
# compatibility_mode=5889 61 66 100 702435763593750
# scanned=74801
# found=0
# cleaned=0
# scan_time=3510


OCD
post Jun 24 2009, 07:11 AM
Post #25







Jeff G,

We are still getting conflicting information from the ESET Online Scanner, let's try a different online scanner.

Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%.
Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Kaspersky log
  • New HJT log taken after the above scan has run
  • Tell me how your computer is running at the moment.
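Added example, not part of the thread and not ESET's or OTL's code: the log.txt pasted in post #24 holds several scan sessions, each starting at a "# version=" line, so the result has to be read from the last completed session rather than from the first detection lines in the file. The Python below parses that format as it appears on this page; the sample log is constructed from lines in the thread, and the function names, the verdict labels and the treatment of C:\_OTL\MovedFiles as a quarantine folder are assumptions.

```python
import re

# Folder the thread's own logs show OTL moving files into (assumed to be quarantine).
QUARANTINE_PREFIX = "C:\\_OTL\\MovedFiles\\"

# path, threat name (contains "/"), object type, optional "(action)", 32-hex field.
# The path contains spaces, so the later fields are what pin the match down.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+/\S+)\s+(?P<kind>\w+)"
    r"(?:\s+\((?P<action>[^)]*)\))?\s+(?P<digest>[0-9A-Fa-f]{32})$"
)

# Constructed sample: four sessions abridged from the log.txt lines posted in this thread.
OE = ("Documents and Settings\\JeffG\\Local Settings\\Application Data\\Identities\\"
      "{159A91DE-DFB3-437C-9775-3B990FDDEE28}\\Microsoft\\Outlook Express\\Deleted Items")
TAIL = "HTML/TrojanClicker.Agent.AG trojan (unable to clean) " + "0" * 32
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as CAB hook log:",
    "# version=6", "# end=stopped", "# remove_checked=true", "# found=0", "# cleaned=0",
    "esets_scanner_update returned -1 esets_gle=53251",
    "# version=6", "# end=finished", "# remove_checked=true", "# found=3", "# cleaned=1",
    "C:\\" + OE + ".bak " + TAIL,
    "C:\\" + OE + ".dbx " + TAIL,
    "C:\\Program Files\\AIM\\Sysfiles\\WxBug.EXE Win32/Adware.WBug.A application"
    " (deleted - quarantined) " + "0" * 32,
    "# version=6", "# end=finished", "# remove_checked=true", "# found=2", "# cleaned=0",
    QUARANTINE_PREFIX + "06212009_112740\\" + OE + ".bak " + TAIL,
    QUARANTINE_PREFIX + "06212009_112740\\" + OE + ".dbx " + TAIL,
    "# version=6", "# end=finished", "# remove_checked=true", "# found=0", "# cleaned=0",
])


def parse_sessions(text):
    """Split a log.txt into scan sessions; each one starts at a '# version=' line."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# version="):
            cur = {"meta": {}, "detections": [], "other": []}
            sessions.append(cur)
        if not line or cur is None:
            continue  # blank line, or preamble before the first session
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            cur["meta"].setdefault(key, value)  # compatibility_mode repeats: keep first
            continue
        match = DETECTION_RE.match(line)
        if match:
            cur["detections"].append(match.groupdict())
        else:
            cur["other"].append(line)  # e.g. esets_scanner_update status lines
    return sessions


def is_live(det):
    """True if the file is outside quarantine and the scanner did not delete it.

    Only the two action strings seen in the thread are considered:
    "unable to clean" and "deleted - quarantined".
    """
    in_quarantine = det["path"].lower().startswith(QUARANTINE_PREFIX.lower())
    removed = "deleted" in (det["action"] or "").lower()
    return not in_quarantine and not removed


def session_ok(session):
    """Usable only if the scan finished and found= matches the parsed detection lines."""
    meta = session["meta"]
    return meta.get("end") == "finished" and int(meta.get("found", -1)) == len(session["detections"])


def verdict(sessions):
    """Classify the host from the last usable session in file order.

    File order is used instead of utc_time/local_time: the thread's last session
    pairs utc 2009-06-24 12:39:26 with local 2009-06-23 08:39:26 at a 4-hour offset,
    which only fits 12-hour values printed without AM/PM, so they sort unreliably.
    """
    usable = [s for s in sessions if session_ok(s)]
    if not usable:
        return "no-complete-scan"
    last = usable[-1]
    if not last["detections"]:
        return "clean"
    if any(is_live(d) for d in last["detections"]):
        return "live-detections"
    return "quarantine-only"


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_LOG)
    for n in range(1, len(parsed) + 1):
        print(n, "session(s) read ->", verdict(parsed[:n]))
```

A "quarantine-only" result means the scanner is re-detecting copies that a removal tool already moved aside, which is the situation the 2009-06-22 session in this thread shows.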
ken545
post Jun 28 2009, 04:20 PM
Post #26


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,308
Joined: 3-December 04
From: Darien, Connecticut
Member No.: 19,436
Operating System: Win 7 Ultimate
Win Xp Home SP3

MVP


Jeff G,

Still with us?
Jeff G
post Jun 29 2009, 03:51 PM
Post #27





Yes, still with you.

Away for a few days.

OCD - More to come.

Jeff G

Jeff G
post Jun 29 2009, 06:12 PM
Post #28





Below is my Kaspersky log and my new HJT log taken after the Kaspersky scan.

A few days ago my computer was freezing almost every few minutes, really bizarre. I took the case off and blew out the dust. This seemed to help.

I'm still thinking that there is more to this than blowing out the dust.

Jeff G

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:55 PM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093100844828
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7465 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 29, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 29, 2009 23:30:26
Records in database: 2402936
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 84681
Threat name: 1
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 01:48:56


File name / Threat name / Threats count
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.bak Infected: Trojan-Clicker.HTML.Agent.ag 5
C:\_OTL\MovedFiles\06212009_112740\Documents and Settings\JeffG\Local Settings\Application Data\Identities\{159A91DE-DFB3-437C-9775-3B990FDDEE28}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Clicker.HTML.Agent.ag 5

The selected area was scanned.


OCD
post Jun 30 2009, 08:22 AM
Post #29







Jeff G,

Clean up with OTL:
  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
- - - - - Next - - - - -

Please re-run the Kaspersky Online scanner again.
(instructions below if needed)

*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.



Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

- - - - - Next - - - - -

Reboot, on your next post please provide the following:
  • Kaspersky log
  • Tell me how your computer is running at the moment

Jeff G
post Jun 30 2009, 05:59 PM
Post #30





Below is my newest Kaspersky log.

I've not experienced any recent freeze-ups.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 30, 2009 19:05:33
Records in database: 2407057
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 85343
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:47:39

No malware has been detected. The scan area is clean.

The selected area was scanned.

