DMR 152 Wombat At Large Team Colleague

Hi tonyb130, welcome to Daniweb :)

deonnanicole is right; our Posting Rules prohibit the posting of questions in another member's thread, for exactly the reasons she explained.

Given that, I've split your question into its own separate thread, which you can find here:

http://www.daniweb.com/techtalkforums/showthread.php?t=23799

DMR 152 Wombat At Large Team Colleague

Glad we could help you get it sorted :)

DMR 152 Wombat At Large Team Colleague

Oh, well; sometimes that's the fastest way to clean things up if you're really heavily infested.

However, unless you take some preventative steps immediately after reinstalling Windows, you can become reinfected again in less than 20 minutes of being connected to the Net (no.. I'm not kidding). :(

Once you've gotten the base reinstall of Windows up and running, here are some measures you should take before doing anything else:

1. Use Windows Automatic Update function to get your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec …

DMR 152 Wombat At Large Team Colleague

See if this utility restores your Task Manager:

http://www.dougknox.com/xp/utils/xp_taskmgrenab.htm

Let us know if it works or not.

DMR 152 Wombat At Large Team Colleague

You have a variant of the CoolWebSearch/Home Search Assistant parasite.

1. About:Buster should have helped, but it doesn't seem to have done the trick. Please download and run these additional removal tools:

CWShredder
HSRemove


2. Run HijackThis again and look for entries similar to the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {53BFD0CE-7626-C39B-489D-49E0CCDA7369} - C:\WINDOWS\SYSTEM\APIAU.DLL
O4 - HKLM\..\Run: [BreezeTray] BrzTray.exe
O4 - HKLM\..\Run: [SDKWZ.EXE] C:\WINDOWS\SYSTEM\SDKWZ.EXE
O4 - HKLM\..\Run: [NETZZ32.EXE] C:\WINDOWS\SYSTEM\NETZZ32.EXE
O4 - HKLM\..\RunServices: [IEGB.EXE] C:\WINDOWS\IEGB.EXE /s
O4 - HKLM\..\RunServices: [ATLSR.EXE] C:\WINDOWS\SYSTEM\ATLSR.EXE /s


If such entries still exist, please go here and carefully follow the removal instructions given.

The infection uses random filenames, so the HijackThis log entries in the instructions are only for example; you will need to substitute the entries and filenames in the instructions with those I just listed above.

It should be pretty straightforward, but if you have questions, definitely ask us before proceeding. If you don't have questions, complete the …

DMR 152 Wombat At Large Team Colleague

msnistehrwn.exe seems to be a component of one of the newer variants of the SDBOT worm, and yes- it can disable Task Manager. However, your log is clean; it shows no indication of the worm's startup entries, etc.

Given that, can you give us a few details please? We'll need as much information as you can give in order to help you remove the pest:

- Which program detected the worm in the first place?

- Which exact online scans have you done?

- You said: "... but have been unsuccessful". Does that mean that the worm is still detected on your system? If so, which program detects it, what files does the program identify as being infected, and in what folder(s) are the infected files located?

DMR 152 Wombat At Large Team Colleague

If that behaviour is occurring even in Safe Mode, there's a good chance that you have physically corrupt sectors on your hard drive.

Drive manufacturers often have low-level utilities which you can download and run to test a questionable drive. Find the make/model of your drive and see if such a utility is available for it.

DMR 152 Wombat At Large Team Colleague

Is the line visible even before Windows starts up (that is, is it present from the moment you turn the laptop on)? If so, you should take it to the dealer or an authorized service center for a diagnosis; that symptom would most likely indicate a hardware problem.

If the problem isn't visible until Windows actually boots up, you can try uninstalling and reinstalling the video drivers, but my hunch would still be that you've got a hardware defect.

DMR 152 Wombat At Large Team Colleague

Although it's not an absolute indication that your entire system is infection-free, that log is squeaky clean. :)

Problems like you describe are pretty common with Internet Exploder, and many of the causes are not virus/spyware-related.

1. Use our Search function to find the many threads that we've had on the subject in our Web Browsers forum, and see if any of the suggested remedies do the trick for you. Here are some search keywords that should return relevant results:

page explorer display secure blank sites


2. Download and run the (free) IEFix utility; it might help.


3. If nothing above helps, repost here, let us know what you've already tried and what the results were, and we'll take it from there.

DMR 152 Wombat At Large Team Colleague

Hi macdaddyjfg,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

That being the case, I've split your post into its own separate thread, which you can find here.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Please do the following to start with:


Download the (free) HijackThis utility:

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

A few more things need to go.

  1. Open a DOS box by typing "command" (omit the quotes) in the "Run..." option under your Start button menu.
  • At the command prompt in the DOS window, type the following command:

regsvr32 /u C:\WINDOWS\SYSTEM\HIJENCA.DLL

Close the DOS window after the command completes.

  2. Run HijackThis again and have it fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\TOOLBAR.DLL (file missing)
    O2 - BHO: (no name) - {4948A8E1-BE50-11D9-9E02-000855D4C36C} - C:\WINDOWS\SYSTEM\HIJENCA.DLL
    O18 - Filter: text/html - {7CDBC5E3-BE71-11D9-9E02-00084A455E60} - C:\WINDOWS\SYSTEM\HIJENCA.DLL
    O18 - Filter: text/plain - {7CDBC5E3-BE71-11D9-9E02-00084A455E60} - C:\WINDOWS\SYSTEM\HIJENCA.DLL

  3. Search your system for the C:\WINDOWS\SYSTEM\HIJENCA.DLL file and delete it if it still exists.

  4. Run HJT again and post a fresh log.

DMR 152 Wombat At Large Team Colleague

OK; we'll be here...


If the online scans don't help, do the following:

Download the (free) HijackThis utility.

Once downloaded:

Create a folder outside of any Temp/Temporary folders for HJT and move it there. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents can tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

In addition to your Symantec scan, you should do at least two of the following free online virus/spyware scans; they may catch things that Symantec didn't:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/

Let us know what (if anything) those scans found, and if they were able to remove the mailer infection.

DMR 152 Wombat At Large Team Colleague

Is it supposed to contain a "services" folder?

Actually, a basic XP system won't have a C:\Windows\System32\Services folder; it isn't a folder that gets created during the Windows install.

There may be legit applications that create a Services folder during their installation, but the existence of the folder is also known to be associated with at least a couple of pieces of malware.

DMR 152 Wombat At Large Team Colleague

Was ibs55.exe some sort of mother file which kept spawning the misb22.exe files?

Actually, the type of "mother files" I was referring to are usually files with a ".dll" extension as opposed to an ".exe" extension, but the idea is still the same regardless of what type of file has actually caused the others to come back to life. When a malicious infection spawns more than one file, those files can act as "guardians" or "sentinels" for each other, in the way that if one of them senses that someone/something has terminated the other, it will immediately issue a command to restart the one that was "killed".

I'll let crunchie and dlh 6213 respond to the rest of your questions, as they've been your primary troubleshooters here.

DMR 152 Wombat At Large Team Colleague

All files were deleted, I think, except C:\WINDOWS\System32\{007D53FO.....} which wasn't to be found.

Sorry, that wasn't quite the right path. It should have been:

C:\WINDOWS\System32\Services\{007D53F0-7FE3-40B6-BD90-A305EE4B59AB}


Some of the other nasties have respawned as well. Have HJT fix these again:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DANNYH~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O21 - SSODL: pufPxz - {D03F9FC7-7A95-356D-B10A-9F3EB1B5D2B5} - C:\WINDOWS\System32\dnlsbn.dll (file missing)

Once you do that:

1. Turn off XP's System Restore feature.

2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History

DMR 152 Wombat At Large Team Colleague

In terms of the reported intrusion- can you describe your overall network setup in more detail please?

- What type of Internet connection do you have (Cable, DSL, etc.)?

- If you have broadband, do you have a Cable/DSL firewall router installed?

- Is there wireless in use on the network?

- Is this an office network or just a home network? How many machines are on it, what functions do they perform (workstation, file server, mail server, etc.), and how are they interconnected?


One of the keys to figuring out the intent and possible danger of a reported connection from the outside world is to figure out which ports are being used in the connection. By default, many ports known to be vulnerable to exploit are left open. The thing to do is to eliminate access to those ports by shutting down the services that use them and configuring your firewall to block connections on those ports.

You can get some interesting and illuminating detail in that regard by opening a DOS window and typing the following command at the prompt:

netstat -ano
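To turn that netstat output into the port/PID picture described above, here is an added example (not part of the original thread, and not something DMR posted): a script that parses constructed `netstat -ano` output, flags Windows networking and UPnP ports listening on every interface, flags established connections to a classic IRC control port, and groups rows by PID so you can match them against Task Manager or `tasklist`. The sample rows, the port-note table and the "remote port 6667 means bot traffic" rule are the example's own assumptions, not findings from the thread.

```python
from collections import defaultdict

# Constructed sample of "netstat -ano" output (made up for this example).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1180
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1020
  TCP    192.168.0.5:1034       203.0.113.7:6667       ESTABLISHED     1544
  TCP    192.168.0.5:1040       203.0.113.20:80        ESTABLISHED     1600
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1180
"""

# Ports worth a second look when bound to every interface (assumed mapping,
# not something the thread lists): Windows RPC/NetBIOS/SMB and XP's UPnP services.
EXPOSED_PORT_NOTES = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session",
    ("TCP", 445): "SMB over TCP",
    ("TCP", 5000): "UPnP host on Windows XP",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram",
    ("UDP", 1900): "SSDP discovery",
}
# Remote ports that are a classic sign of bot command-and-control (assumed list).
SUSPICIOUS_REMOTE_PORTS = {6667: "IRC; SDBOT-style bots take their orders over IRC"}


def split_endpoint(endpoint):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        if proto == "TCP":                      # TCP rows carry a State column
            state, pid = parts[3], int(parts[4])
        else:                                   # UDP rows have no State column
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "local": split_endpoint(parts[1]),
                     "remote": split_endpoint(parts[2]), "state": state, "pid": pid})
    return rows


def analyze(text):
    """Return (findings, rows_by_pid): findings are (pid, message) pairs."""
    findings = []
    by_pid = defaultdict(list)
    for row in parse_netstat(text):
        by_pid[row["pid"]].append(row)
        lhost, lport = row["local"]
        rhost, rport = row["remote"]
        listening = row["state"] == "LISTENING" or row["proto"] == "UDP"
        # A socket bound to 0.0.0.0 / [::] answers on every interface, including the Net.
        if listening and lhost in ("0.0.0.0", "[::]", "*"):
            note = EXPOSED_PORT_NOTES.get((row["proto"], lport))
            if note:
                findings.append((row["pid"], f"{row['proto']} {lport} ({note}) is open on all "
                                             f"interfaces; stop the service or block it at the firewall"))
        if row["state"] == "ESTABLISHED" and rport in SUSPICIOUS_REMOTE_PORTS:
            findings.append((row["pid"], f"connection to {rhost}:{rport}: {SUSPICIOUS_REMOTE_PORTS[rport]}"))
    return findings, dict(by_pid)


if __name__ == "__main__":
    found, grouped = analyze(SAMPLE_NETSTAT)
    for pid, message in found:
        print(f"PID {pid}: {message}")
    print("PIDs with sockets:", sorted(grouped))
```

Run `tasklist` (or open Task Manager with the PID column enabled) to map each flagged PID to a process name; a PID that does not correspond to anything you recognise is the one to chase.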

DMR 152 Wombat At Large Team Colleague

Paul,

Were you able to use the Killbox to delete the C:\WINDOWS\ibs55.exe file?

DMR 152 Wombat At Large Team Colleague

1. misb22 has invited a friend to the party:

C:\WINDOWS\ibs55.exe

Repeat the Killbox procedure for the above file as well as C:\misb22.exe.


2. Turn off XP's System Restore feature.


3. I've got a feeling that you might have a hidden "mother file" that is spawning the .exe files. Please download the Silent Runners script, run it, and post the log it generates. The log will give us information about a few things that HijackThis doesn't report.

DMR 152 Wombat At Large Team Colleague

Hi Paul,

A couple of things:

1. There are usually more "R0" and "R1" entries in a HijackThis log, reporting things like Internet Explorer's default Home page, Search page, etc. It's possible that you may not have those entries in your particular log, but just to be sure: are you positive you're posting the full contents of your logs?


2. I don't see anything in your log which would indicate that a hijacker is still present.

- Does SpywareGuard pop up warnings that something is trying to reset your home page to about:blank, and if so, does it give the name of the program/process that is trying to do that?

- The about:blank setting may just be a leftover of the infection. If you go into your Internet Options control panel and manually set your home page to something other than about:blank, does that change "stick", or does something still try to change it back to about:blank?

DMR 152 Wombat At Large Team Colleague

Good job- your latest log is clean. :)

DMR 152 Wombat At Large Team Colleague

Ok- thread reopened. The consensus is that you probably aren't an Evil Hacker. :mrgreen:

There are a number of tools you can use to recover or change a forgotten password, and yes, some of them do involve a Linux boot disk. The reason being that Linux can access Windows drives/partitions, but it totally ignores Windows permissions and passwords.

Here are a couple of links which discuss some of the options:

http://www.petri.co.il/forgot_administrator_password.htm
http://is-it-true.org/nt/atips/atips262.shtml

And here are the results of a general Google search on the subject:

http://www.google.com/search?hl=en&q=%22windows+2000%22+password+recovery&spell=1

DMR 152 Wombat At Large Team Colleague

Hi bama.mal, welcome to the site :)

I know this is a dangerous subject because you never can tell what is really going on...

Unfortunately, you're right. Bypassing password protection is a "dangerous subject", for just the reason you state: we have no way of knowing if a member who asks for help in that regard has good or bad intentions. The reality is that we leave ourselves open to possible legal action if we offer advice in "grey areas" such as this.

With that in mind, please understand my action here: I am going to temporarily lock this thread until I can contact our site's administrator and get her take/word on your particular question.

In the meantime, I'll suggest the obvious: contact the "someone" who gave you the computer and ask him/her what the possible passwords might be.

DMR 152 Wombat At Large Team Colleague

The setting to display the Run option is in your Start menu preferences. Right-click on your Taskbar, click Properties, click the Start Menu tab, and then click the Customize button.

- If you're using the standard XP Start Menu style: click on the Advanced tab in the Customize window, scroll down to the "Run command" option, and click on its check-mark box.

- If you're using the "classic" Windows Start Menu style: put a check in the "Display Run" box in the Customize window.

DMR 152 Wombat At Large Team Colleague

1. Just a couple of loose ends left in that log; otherwise it looks clean.
Have HJT fix:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)


2. In terms of the download problem: I can't think of anything else to suggest except to see what happens when you get a chance to install Firefox.


3. "Disappearing" mail: If you're using Outlook or Outlook Express, your read messages haven't gone anywhere, they're just hidden from you because either your "View" setting is set to "Unread Messages" instead of just "Messages", or you have a rule/filter in place which is hiding read messages.

DMR 152 Wombat At Large Team Colleague

(you really ARE good!!! :lol: )

Nah- we just know where the stash of magic digital dust is, and we like to share. :cheesy:

DMR 152 Wombat At Large Team Colleague

There are still at least two malicious elements in your last log as far as I can see.

1. Have HJT fix:

O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2005423191951_mcinfo.exe /insfin


2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Locate and delete the following file:
C:\WINDOWS\system32\pc32.exe bg

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you …

DMR 152 Wombat At Large Team Colleague

Everything seems to be working ok. No popups, no error messages, and no odd/unknown programs displayed in task manager.

I'll uninstall and then reinstall Avast, and see if everything is working ok!

OK- do that, and let us know how it goes. If everything still appears to be cool I'll mark this one as solved.

(I see that I wasn't the only one with an older version of HJT this evening!)

lol. Nope- effects of the full moon and all that I guess... :mrgreen:

Now all I've got to do is get my email account back up and running again!
Trying to log on this evening I'm getting a message saying that the account is being locked! I can't think why, so I've got to go through the hassle of contacting the uni to sort it out in the morning!

Groan- I hope they haven't mistaken you for a spammer (and that you have paid your bill)...

Thanks again
(DMR and Crunchie, I think you've both helped with a problem that I have had before!)

You're welcome.
Yeah, we're busy little beavers around here- we try to munch on as many HJT logs as humanly possible (although I think for crunchie, a few hundred logs a day only counts as a snack). :)

DMR 152 Wombat At Large Team Colleague

No nasties that I can see in your latest log, although the following entries indicate that your install of Avast! may have taken a hit in the process:

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

You might want to uninstall and reinstall Avast! just to be on the safe side.

How are things behaving now; still seeing any signs of malicious activity?

DMR 152 Wombat At Large Team Colleague

1.

Also, new error message on startup:

C:\WINDOWS\NAIL.EXE
Windows cannot find 'C:\Windows\Nail.exe'...

Have HJT fix this one again and let's see if it takes this time:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe


2.

Your instruction 2b) 023 - service..... wasn't there...and couldn't find "Delete an NT service"...

Ah- thanks for that info; it alerted me to something I missed before:

You are running a slightly older version of HijackThis. Please download the latest version (1.99.1) from here, run it, and post the log that new version generates.

DMR 152 Wombat At Large Team Colleague

As the member who originally started this thread has not responded for (exactly) 1 year, the thread is considered abandoned and is being locked.

If the original poster would like this thread re-activated, please PM a moderator. All other members should start their own threads for their questions.

DMR 152 Wombat At Large Team Colleague

Hello The Unreal Wolf,

I don't know if you noticed, but this thread is almost a year old; a lot can change in that amount of time.

The Killbox is now called the Pocket Killbox, and can be downloaded here. I can't find a working link to DLLFix anywhere; my guess is that it isn't in use anymore. In any event, programs such as those are dangerous to use without having an expert give you directions that are specific to your particular infection.

If you need help, you should do the following:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:


Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log in a new …

DMR 152 Wombat At Large Team Colleague

Ahh... and there was much rejoicing in BrowserLand. :cheesy:

Glad we could (finally) help you get it all sorted.

Let us know if everything is really OK; I'll mark this thread as solved if so.

BTW: the last HJT log you posted looks clean. :)

DMR 152 Wombat At Large Team Colleague

Firefox has its own settings for Proxy configuration, which are separate from those used by IE.

I'm not familiar with NTL Medic, but you may be able to look at the Proxy settings in your Internet Options control panel and duplicate those in Firefox's settings:

Open the Internet Options control panel and go to Connections>Lan Settings. If you see Proxy configuration information there, try to replicate that information in Firefox's Tools>Options>General>Connection Settings window.

DMR 152 Wombat At Large Team Colleague

1. To get rid of the newdotnet mess:

a) Download and run LSPFix.

- If you do not see newdotnet6_38-1.dll listed in the "Keep" window, simply click the Finish button and then click OK in the resulting dialog box.

- If you do see newdotnet6_38-1.dll listed in the "Keep" window, put a check in the "I know what I'm doing" box, highlight newdotnet6_38-1.dll, and click the ">>" button to move newdotnet6_38-1.dll to the "Remove" window. Click Finish and then OK to complete the fix.

b) Run HijackThis again and have it fix:

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup -s
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38-1.dll' missing
(<-- if still present)

2. For the "Nail.exe" infection, reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

a) In your Start menu, click the "Run..." option, type the following command in the "Open:" box, and click OK:
services.msc

When the Services console opens, locate "System Startup Service",
right-click on it, and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services console.

b) Run HJT and have it fix the following (don't close HJT after the fixes are done though):

DMR 152 Wombat At Large Team Colleague

Let me try a few more tries downloading and I will let you know the results.

Yes, do that please. This has been a pretty long battle; it would be good to know if you finally got it fixed.

DMR 152 Wombat At Large Team Colleague

1. Turn off System Restore; instructions and explanation are here.

2. Follow the trojan removal instructions given in this Microsoft article:

http://support.microsoft.com/?scid=kb;en-us;897079

3. Run the AVG and Spyware Doctor scans again. If they no longer detect the trojan, re-enable System Restore. If they still detect the trojan, let us know.

DMR 152 Wombat At Large Team Colleague

No indications of any obvious "nasties" that I can see in that log- looks clean to me.

Are things running smoother now?

DMR 152 Wombat At Large Team Colleague

This is new to your logs and I don't like the looks of it:

C:\PROGRAM FILES\POKERSTARS.NET\POKERSTARS.EXE

Gaming/gambling programs and sites are notorious for spyware; uninstall that program.

DMR 152 Wombat At Large Team Colleague

Hi Adrian,

Many of these infections do "morph", and because of that, they can be rather difficult to weed out.

Please do this to start with:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded::

A) Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!

B) Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here. The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

DMR 152 Wombat At Large Team Colleague

Log is squeaky clean; you look good to go. :)

One thing though- I see that you have the ZA firewall and SpyBot's "Sd Helper" installed, but I see no indication of any anti-virus software. You really should have some sort of real-time AV protection running.

DMR 152 Wombat At Large Team Colleague

O1 - Hosts: terminalserver 192.168.0.12
O1 - Hosts: fileserver 192.168.0.10
O1 - Hosts: exchangeserver 192.168.0.11

Those are actually probably valid host entries for different machines on Hoggy12's internal network. The IP addresses are all in the private, non-routable address range of a Class C network, so they aren't hijacks/redirects.
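As an added example (not part of the thread), here is a small check that applies the private-range reasoning above to O1 entries mechanically. It parses constructed `O1 - Hosts:` lines, accepting either token order since the log above lists the name before the address, marks RFC 1918 addresses as LAN hosts, and flags the two patterns that do indicate a tampered hosts file: a well-known domain nulled to 127.0.0.1 (a common way to stop AV or Windows Update from reaching home) or pinned to a public address. The watch-list of domains and the sample entries (203.0.113.x is a documentation range) are assumptions for the example, not content from the thread.

```python
import ipaddress

# Constructed O1 lines: the three LAN entries from the thread plus made-up examples.
SAMPLE_O1 = """\
O1 - Hosts: terminalserver 192.168.0.12
O1 - Hosts: fileserver 192.168.0.10
O1 - Hosts: exchangeserver 192.168.0.11
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 liveupdate.symantec.com
O1 - Hosts: 203.0.113.7 www.google.com
O1 - Hosts: 203.0.113.8 www.example.net
"""

# RFC 1918 ranges: the "private, non-routable" addresses DMR refers to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Domains a hijacker typically nulls or redirects (assumed watch list, not from the thread).
WATCH_DOMAINS = ("symantec.com", "mcafee.com", "kaspersky.com", "trendmicro.com",
                 "windowsupdate.com", "microsoft.com", "google.com")


def parse_o1(line):
    """Return (hostname, ip) from an 'O1 - Hosts:' line, whichever order the tokens are in."""
    if "Hosts:" not in line:
        return None
    tokens = line.split("Hosts:", 1)[1].split()
    if len(tokens) < 2:
        return None
    for i in (0, 1):                     # find the token that parses as an address
        try:
            ip = ipaddress.ip_address(tokens[i])
        except ValueError:
            continue
        return tokens[1 - i], ip
    return None


def classify(hostname, ip):
    """'lan', 'ok', 'blocked', 'hijack' or 'redirect' for one hosts entry."""
    name = hostname.lower()
    watched = any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)
    if ip in LOOPBACK:
        # Mapping anything but localhost to loopback silently blocks that site.
        return "ok" if name == "localhost" else "blocked"
    if any(ip in net for net in PRIVATE_NETS):
        return "lan"                      # internal machine, as in the log above
    return "hijack" if watched else "redirect"


def classify_hosts(log_text):
    """Map each hostname found in O1 lines to its verdict."""
    results = {}
    for line in log_text.splitlines():
        parsed = parse_o1(line)
        if parsed:
            results[parsed[0]] = classify(*parsed)
    return results


if __name__ == "__main__":
    for host, verdict in classify_hosts(SAMPLE_O1).items():
        print(f"{verdict:8} {host}")
```

A "redirect" verdict is not proof of anything by itself (some people pin hosts deliberately); "blocked" and "hijack" entries for sites you did not add yourself are the ones to remove.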

DMR 152 Wombat At Large Team Colleague

Can you tell us where Spyware Doctor says the trojan is located?

Yes, do that if you can please. Your latest log looks clean, but HijackThis isn't designed to detect all types of infections, so you may still have something lurking in your system.

Also install the latest updates for your AVG anti-virus program and run a full scan with that. If AVG finds infections, give us the info on that from AVG's scan report.

DMR 152 Wombat At Large Team Colleague

Yes, you do still show signs of infections.

I need to log off for the day, but hopefully one of our other members will pick up on this until I can return.

DMR 152 Wombat At Large Team Colleague

The "AdStatus" infection still appears in your log. Did you follow my earlier removal instructions exactly and fully? Even if you did, AdStatus may be respawning itself.

Please do the following:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates. Also run the free online virus scan at at least two of these sites:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2. Close ALL windows except Ad-Aware SE

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of …

DMR 152 Wombat At Large Team Colleague

While I can't say that these are the source of your problem, your log does show indications of infection.


1. You should print out these directions, as you cannot have any web browsers open while performing the following HijackThis fixes.


2. With any/all web browsers closed, have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [NAV_Update] C:\NAV_Update.exe
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PAUL~1.BUS\LOCALS~1\Temp\bundle.exe

If you do not have a Realtek sound card, also fix this:
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

There is a valid "soundman.exe" file which is part of some Realtek sound card software, but there is also a malicious file of the same name.


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Delete the following files:
C:\WINDOWS\about.htm
C:\NAV_Update.exe

If you've determined that the "soundman.exe" file is not part of your sound card software, locate and delete that file as well.
- Delete the following folder entirely:
C:\Program Files\AdStatus Service

- For every user account listed under C:\Documents and Settings, delete the entire contents …
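The HijackThis entries quoted in this post, in the CoolWebSearch/Home Search Assistant post and in the HIJENCA.DLL post earlier in the thread are all judged by eye. As an added example (not part of the thread, and not a HijackThis feature), the script below encodes the rules of thumb those posts apply: res:// search pages, about:blank residue, a missing URLSearchHook, BHOs and MIME filters, startup items launched from a Temp folder, bare filenames such as SOUNDMAN.EXE whose folder needs checking, and orphaned "(file missing)" services. The sample log is constructed from entry types quoted in the thread; the severities and reasons are the example's own heuristics, and a "review" verdict means look, not delete.

```python
import re
from dataclasses import dataclass

# Constructed sample log: entry shapes taken from the thread, with one benign
# startup item (SpywareGuard) made up so the script has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hxxsa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {53BFD0CE-7626-C39B-489D-49E0CCDA7369} - C:\WINDOWS\SYSTEM\APIAU.DLL
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\TOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\PAUL~1.BUS\LOCALS~1\Temp\bundle.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpywareGuard] C:\Program Files\SpywareGuard\sgmain.exe
O18 - Filter: text/html - {7CDBC5E3-BE71-11D9-9E02-00084A455E60} - C:\WINDOWS\SYSTEM\HIJENCA.DLL
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    code: str       # HijackThis section code, e.g. "R1", "O4"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
TEMP_DIR_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)
ABOUT_RESIDUE = ("about:blank", "about:navigationfailure")


def parse_entry(line):
    """Split 'R1 - <body>' into (code, body); return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(code, body):
    """Return (severity, reason) if the entry deserves attention, else None."""
    if code in ("R0", "R1"):
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value.startswith("res://"):
            return "high", "IE search/start page points into a local DLL via res:// (CWS-style hijack)"
        if value in ABOUT_RESIDUE:
            return "review", "IE search/start page set to an about: URL (typical hijack residue)"
        return None
    if code == "R3":
        return "review", "URLSearchHook entry missing or altered"
    if code in ("O2", "O18", "O21", "O23"):
        if "(file missing)" in body:
            return "review", "entry points at a file that no longer exists; remove the orphaned entry"
        if code == "O18":
            return "high", "MIME filter on text/html or text/plain; legitimate software rarely installs one"
        if code == "O23":
            return None   # a service whose file is present needs context we don't have here
        return "review", "browser helper / shell object loads a DLL; confirm it belongs to software you installed"
    if code == "O4":
        command = body.split("]", 1)[1].strip() if "]" in body else body
        if TEMP_DIR_RE.search(command):
            return "high", "startup item launched from a Temp folder"
        if "\\" not in command:
            return "review", "startup item is a bare filename; find the file and check which folder it lives in"
        return None
    return None


def triage(log_text):
    """Return a Finding for every entry that matches one of the rules above."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if not parsed:
            continue
        code, body = parsed
        verdict = check_entry(code, body)
        if verdict:
            findings.append(Finding(verdict[0], code, verdict[1], line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

The script deliberately stops short of deciding that a DLL with a random-looking name is malicious: as the thread notes, the CWS variants pick filenames at random, so the real test is whether the file is one the user installed, which only the user can answer.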

DMR 152 Wombat At Large Team Colleague

No problem with move/split stuff- I was just kidding.

Try to give us a HJT log generated while you're booted into Windows normally (not safe mode). Also remember what I posted earlier about making sure that HJT is not running from any temp folder, and that Internet Explorer is entirely closed down while you're working with HJT.

DMR 152 Wombat At Large Team Colleague

Oh *groan*- I see now that you're making my life as a moderator rather difficult.

You have two concurrent threads going on regarding the same problem (which is something that our posting guidelines prohibit), I've just responded to both, and now I'm going to have to merge them together. (Did I mention that I hate thread merges and splits?) :mrgreen:

Oh well- here we go...

DMR 152 Wombat At Large Team Colleague

i cant do this as the virus won't let me open the program

Which program?

Please clarify:

- Was HJT run in Safe Mode or normal mode?

- Is it HJT or AVG that you cannot open?