Collected AF+ others from MSN

Hi, my girlfriend clicked on a file sent from one of her friends on MSN. The result was not that good... I can't seem to remove Collected AF and there is also a 304.exe that starts on startup. The computer is a laptop with XP home edition service pack 2, 512 mb memory DDR SDRAM, 1500 MHz with a wireless internet connection. Running Zone Alarms free firewall and AVG for viruses. I have followed the steps from the READ&RUN me first thread. (Exceptions: Windows Defender was updated to latest version. Not the one in the thread. Could not run online tests in safe mode so they were run in normal mode, tried the networking option in safe mode, but could not excess the net, other than that everything was run as it was supposed to. I have posted the logs as well.

Thank you for your help.

 

2 last. Runkeys and newfiles

 

Scan with HijackThis and check the boxes for the following entries:
( Make sure ALL browser windows are closed when you click FIX )

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin....com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Hanne Sæter\Skrivebord\304.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"

O11 - Options group: [INTERNATIONAL] International*

Again, make sure ALL browser windows are closed when you click FIX.

Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

C:\Documents and Settings\Hanne Sæter\Skrivebord\304.exe

Next, run CCleaner to clean up cookies and temp files.

Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:

• Disable and Re-enable System Restore
  
  
• Turn OFF System Restore to flush any bad Restore Points.
  
  
• Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

After you complete the above reboot once more and then scan with HijackThis and attach the new log.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

 

I did all of the above except the part about deleting 304.exe as I could not find it. (I'm guessing hijackthis took care of it The computer looks fine now.Did a scan with AVG and everything looked alright. I have attatched the new log file for hijackthis. Thank you for your help. Greatly appreciated!

 

Your log looks good, are you having any further problems?

 

That's good to hear.No more problems. The computer runs fine now. Thank you again for your help!

 

Your Welcome!

You should see this article on How to Protect yourself from malware!

Surf Safely!