Please help remove trojan.

#162681 - 05/29/05 09:00 PM Please help remove trojan.
mctonale Offline
member

Registered: 01/18/05
Posts: 107
Loc: London
I have a recurring trojan (long story) called installer.exe (c:\documents and settings\me(or any other login)\local settings\temp\.)

Searched for files containing text "installer.exe": none but Spybot reg backups.

On startup it(?) opens www.freewebs.com\anywho\plays.html (may not be exact).

Searched for files containing that text but none exist.

It also deactivates my SP2 firewall on startup.

Don't want to think about what else it is doing.

Removed all:
Viruses (AVG - up to date)
Adware (Ad-aware - up to date)
Spyware (Spybot S&D - up to date)
Managed to remove malware with Windows-KB890830-V1.4-ENU.exe (easier said than done).

AVG detects and removes (or heals) it, but the next time I restart there it is again.

I didn't restart very often because of a faulty RAM module (easier and cheaper to hibernate).

Found this http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453075415 but none of the files it suggests exist.

I think it has been spread from my computer.
Got 900 undeliverable e-mail reports in 3 hours (now suppressed using the junk mail filter). (I think that was the malware, though it seems to have stopped trying to send.)

Can anyone help?

#162694 - 05/30/05 01:10 PM Re: Please help remove trojan.
Wilhelmus Offline
old hand

Registered: 12/21/04
Posts: 1025
Loc: Finland / Suomi
Download the program called "HijackThis" and post its log file here, so we can look at it.

#162705 - 05/30/05 09:33 PM Re: Please help remove trojan.
mctonale Offline
member

Registered: 01/18/05
Posts: 107
Loc: London
Got a HijackThis report (with the trojan removed). Will this do, or will you need one with the trojan active?

#162707 - 05/30/05 10:11 PM Re: Please help remove trojan.
mctonale Offline
member

Registered: 01/18/05
Posts: 107
Loc: London
Here is the one with the trojan deleted.

Logfile of HijackThis v1.99.1
Scan saved at 22:25:53, on 29/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\jflv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\oxlbcawg.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.uzy
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\3B Software\GhostSurf\GhostSurf.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Tony\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [msnappau] C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
O4 - HKLM\..\Run: [Imonitor] C:\Program Files\McAfee\QuickClean\Plguni.exe /START
O4 - HKLM\..\Run: [AdBlocker] C:\Program Files\Tweak-XP Pro\AdBlocker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad Blocker Pro] "C:\Program Files\3B Software\Ad Blocker Pro\Ad Blocker Pro.exe" -minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\oxlbcawg.exe
O4 - HKLM\..\RunServices: [System Updates Manager] winserv32.exe
O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe /startmonitor
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: GhostSurf.lnk = C:\Program Files\3B Software\GhostSurf\GhostSurf.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\3B Software\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\3B Software\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\3B Software\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\3B Software\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0527.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\3B Software\GhostSurf\LaunchPCC.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5...b?1106346043992
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)

Thanks for your help.

#162712 - 05/31/05 07:19 AM Re: Please help remove trojan.
Wilhelmus Offline
old hand

Registered: 12/21/04
Posts: 1025
Loc: Finland / Suomi
Boot into safe mode, rescan with HijackThis, select and fix these:

Originally posted by mctonale:

C:\WINDOWS\System32\jflv.exe
C:\WINDOWS\System32\oxlbcawg.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\oxlbcawg.exe
O4 - HKLM\..\RunServices: [System Updates Manager] winserv32.exe
O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)


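A defender-side illustration of the triage Wilhelmus does by eye above. This is an added example, not part of the thread and not code from HijackThis: a small Python script that parses the O4 Run/RunServices entries, the O23 services and the R1 proxy setting from a HijackThis log and flags the kinds of entries he picked out (unrecognised executables in System32, bare filenames with no path, a service whose file is missing). The sample log is constructed from lines of the log posted in this thread; the allowlist of known System32 names and the heuristics are assumptions for this particular machine, not a general signature, and a flag means "check this", not "this is malware".

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines taken from the HijackThis log posted above, plus
# the benign entries from the same log so the filter has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Norton Antivirus 7.0a] C:\WINDOWS\System32\jflv.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\oxlbcawg.exe
O4 - HKLM\..\RunServices: [System Updates Manager] winserv32.exe
O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Updates Manager (WinManager) - Unknown owner - C:\WINDOWS\System32\winserv32.exe" -service (file missing)
"""

# Assumption: names that legitimately start from System32 on this box. Anything
# else launched from there by a Run key deserves a look, whatever its label says
# (the "Norton Antivirus 7.0a" label above points at jflv.exe, not at Norton).
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "nvcpl.dll", "nvmctray.dll", "nvsvc32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")


class Finding(NamedTuple):
    line: str
    reason: str


def extract_target(cmd: str) -> str:
    """Pull the file that actually gets loaded out of a Run-key command line."""
    cmd = cmd.strip()
    # For RUNDLL32 the interesting file is the DLL argument, not rundll32 itself.
    if cmd.upper().startswith("RUNDLL32.EXE "):
        cmd = cmd[len("RUNDLL32.EXE "):].strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|com|scr|bat))(?=["\s,]|$)', cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).strip('"')


def check_o4(line: str) -> Optional[str]:
    m = O4_RE.match(line)
    if not m:
        return None
    target = extract_target(m["cmd"])
    if "\\" not in target:
        return (f"{m['key']} entry '{m['label']}' gives a bare filename ({target}); "
                "the loader resolves it via the PATH, so which file runs cannot be verified")
    parent, base = target.rsplit("\\", 1)
    if parent.lower().endswith("\\system32") and base.lower() not in KNOWN_SYSTEM32:
        return (f"Run entry '{m['label']}' starts an unrecognised file in System32 ({base}); "
                "dropped executables with random names commonly live here")
    return None


def check_o23(line: str) -> Optional[str]:
    m = O23_RE.match(line)
    if not m:
        return None
    if "(file missing)" in m["cmd"] or m["owner"] == "Unknown owner":
        return (f"service '{m['name']}' has owner '{m['owner']}' and target {m['cmd']!r}; "
                "an unowned or dangling service registration is a leftover to clean up")
    return None


def check_r1(line: str) -> Optional[str]:
    m = R1_PROXY_RE.match(line)
    if m and m["proxy"].startswith("127.0.0.1"):
        return (f"browser traffic goes through a local proxy ({m['proxy']}); confirm which "
                "process listens there (a privacy tool like the GhostSurf in this log does "
                "this legitimately, but so does traffic-hijacking malware)")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every check over each log line; the first check that fires wins."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_o4, check_o23, check_r1):
            reason = check(line)
            if reason:
                findings.append(Finding(line, reason))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Run against the sample, it flags the two random-named System32 executables, both bare-filename RunServices entries, the dangling WinManager service and the localhost proxy, and passes the Java, NVIDIA and ctfmon entries. The path-based rule is the point: the label in square brackets is attacker-controlled text and carries no weight on its own.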
#162715 - 05/31/05 01:02 PM Re: Please help remove trojan.
mctonale Offline
member

Registered: 01/18/05
Posts: 107
Loc: London
All running fine now.

Thank you so much.
