Hi I have a machine here that was loaded with viruses and trojans. I have managed to get it mostly cleaned up but there a couple of things that I can't quite fix. In my running processes, there is the entry 'avgserv.exe' which I know is related to a trojan, but I can't get it fixed. I have found some web sites with removal instructions but when I go to the registry entry that it tells me, the entries I need to delete aren't there. I have installed Trojan Hunter which removed a few, and now says the machine is clean. I have tried AVG which also caught a few and now says the machine is clean. I have tried to install Norton 2004, but everytime, I get an error in the install process, which I assume is b/c there is still some garbage on the machine. So Norton won't install. I have tried going to bitdefender.com and housecall.antivirus.com to run online scans but I am unable to load these b/c it tells me my settings for Active X aren't correct....even though I went in and set it to allow all Active X activity. I also can't browse to any major Antivirus companies web sites ... like Symantec or McAfee - I get the "unable to display this page" error. Other sites work though. There is also lots of pop ups when I'm on the Internet I have installed and ran both AdAware and Spybot which both cleaned out some stuff but are now saying the machine is clean. I have turned off System Restore and I have run all the scans in regular mode and in Safe Mode. I have looked through the registry for the entries that I have been told to delete but where it tells me they are supposed to be, I can't see them there. Anyway, I know that was a lot, but I would really appreciate any help here. Thank you alot! Homer

Homer: Here are a few more cleaning tools to try, if you haven't already. Kaspersky Avast CWShredder Stinger Make sure to update CWShredder after you download it. Best of luck, Solarian

hi homer, you may have a trojan that is blocking norton, avg etc. it could be a varient of optix and or the mosucker trojan. check these things out: Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run In the right pane, delete the value: RunProg Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices In the right pane, delete the value: RunProg Navigate to and delete the key: HKEY_LOCAL_MACHINE\Software\EES\OL0.4 Exit the Registry Editor. look for these files in your windows and system directory (winnt & system 32 directory) & delete if found: Wini.exe. Tapisvc.sys all the best, murve

"In my running processes, there is the entry 'avgserv.exe' which I know is related to a trojan, but I can't get it fixed." C:\PROGRA~1\Grisoft\AVG6\avgserv.exe is AVG. anti-virus.

What Abnormal says is correct. What makes you say you still have a Trojan???? I hope you are not using the same resource that told you that the AVG process is a Trojan. Dog's Security Ideas D4

Logfile of HijackThis v1.97.7 Scan saved at 00:35:09, on 11/06/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\LEXBCES.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.exe C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\htpatch.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe C:\Program Files\Messenger Plus! 3\MsgPlus.exe C:\WINDOWS\System32\LXSUPMON.exe C:\Program Files\Wireless Desktop\MOUSE32A.exe C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe C:\Program Files\Internet Optimizer\optimize.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\winservn.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\Documents and Settings\EasyGingeR\My Documents\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://flash.o2.co.uk/portal_secure/login/message_pad/0,,900,00.html R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=138770 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache1-cdif.server.ntli.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://flash.o2.co.uk/portal_secure/login/message_pad/0,,900,00.html N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Documents and Settings\EasyGingeR\Application Data\Mozilla\Profiles\default\8eetz295.slt\prefs.js) N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\EasyGingeR\Application Data\Mozilla\Profiles\default\8eetz295.slt\prefs.js) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {BEB133E5-FD72-43b7-8AFF-681831CC72D9} - C:\WINDOWS\wiesasp2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.exe RUN O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Wireless Desktop\MOUSE32A.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe O4 - Startup: Reboot.exe O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Wireless Desktop.lnk = C:\Program Files\Wireless Desktop\MagicKey.exe O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: NavCab - http://www.gamextazy.com/navinstaller/NavOnline.cab O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} - http://files.cometsystems.com/cometcursor/cobrand/comet.cab?0.645650177881121080240558906 O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25eb7b94525c84f23820/netzip/RdxIE601.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37974.4137847222 O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl/UK/910031_293395_.exe O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio.com/core/player/abasetup144.cab O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006_cracks.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab i deleted the virus, but it's still showing in the registry. It takes about five five minutes for computer to get online after rebooting. How to get rid of it from registry?