  #3  
January 17th, 2007, 05:17 AM
Morfeasss
CTH Subscriber
Join Date: Feb 2006
O/S: Windows XP Home
Location: Greece
Posts: 5,140
Hello Craigb69, welcome to CTH

It is the Pahatia worm that gives you so much trouble. You also have SpywareBot installed, which is listed as an undesirable program to have, see here, but we will address that later. Let's start with the repairs.

Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

I see you have AVG AntiSpyware installed. Update it and close the program. Don't scan just yet.
~~~~~~~~~~~~~~~

Run HijackThis (craigb69.exe) and select "None of the above just start the program". Click Config> Misc Tools> Open Process Manager and click to highlight each of the following items and Kill Process for each:

C:\WINDOWS\system\ISASS.exe <-- Be careful! NOT C:\WINDOWS\system32\lsass.exe <-- This is legitimate in the system32 folder!
C:\WINDOWS\system\LNETINFO.exe
C:\WINDOWS\security\krnl32.bat

~~~~~~

In the same HijackThis window click Back> Scan. Place a checkmark next to the following items in bold and click Fix Checked:

F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Microsoft Office\Temp.exe"

O4 - HKLM\..\Run: [Patah Hati] C:\WINDOWS\system\ISASS.exe
O4 - HKLM\..\Run: [user logon] C:\WINDOWS\Help\user logon.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\WINDOWS\hkcmd.exe
O4 - Global Startup: system startup.pif = ?

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


And close HijackThis.
~~~~~~~~~~~~~~~~~~

Download The Avenger from here to your Desktop and unzip it.

Copy all the text contained in the code box below by highlighting it, right-clicking and selecting "Copy".

Code:
Files to delete:
C:\WINDOWS\system\ISASS.exe
C:\WINDOWS\system\LNETINFO.exe
C:\WINDOWS\security\krnl32.bat
C:\Program Files\Microsoft Office\Temp.exe
C:\WINDOWS\Help\user logon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system startup.pif

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, right-click and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop; this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt
~~~~~~~~~~~~~~

Reboot into Safe Mode. At startup start tapping the F8 key and select Safe Mode (see here).

Make sure all windows are closed and run AVG. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.


Then reboot back to Normal Mode.
~~~~~~~~~

I would also like to see another kind of scan, go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here.

Run HijackThis and post back the log, along with the Silent Runners log, the avenger.txt and the AVG report please.
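The post's fix list rests on a few recognisable patterns: a lookalike of a core Windows process (ISASS.exe in C:\WINDOWS\system versus the real lsass.exe in system32), executables launched from directories that never hold autorun programs, a .pif/.bat in a startup location, an altered Shell= value, and a policy that disables regedit. The Python script below is an added example, not part of the post and not a HijackThis or Avenger tool; it encodes those patterns as a triage pass over HijackThis-style log lines. The table of known binaries, the list of odd directories, the finding tags and the sample lines (the entries quoted in the post plus one constructed benign line) are all assumptions for illustration.

```python
"""Triage HijackThis-style autorun entries for the tricks seen in this thread.
Added example; tables and sample data are assumptions chosen for illustration."""
import re
from pathlib import PureWindowsPath

# Core binaries and the one directory each legitimately runs from (assumed table).
KNOWN_SYSTEM_BINARIES = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "hkcmd.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Directories that should never host autorun executables (assumed list).
ODD_AUTORUN_DIRS = {r"c:\windows\system", r"c:\windows\help", r"c:\windows\security"}
SCRIPT_EXTS = {".bat", ".pif", ".cmd", ".scr", ".com"}

# Characters commonly swapped to forge lookalike names: ISASS -> lsass, svch0st -> svchost.
_HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o"})

def normalize(name):
    """Case-fold and collapse homoglyphs so 'ISASS.exe' compares equal to 'lsass.exe'."""
    return name.lower().translate(_HOMOGLYPHS)

_BY_NORMALIZED = {normalize(k): (k, v) for k, v in KNOWN_SYSTEM_BINARIES.items()}
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|?*\r\n]+?\.(?:exe|bat|pif|com|scr|cmd)\b', re.IGNORECASE)
_GLOBAL_STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = ")

def check_path(path):
    """Return (tag, detail) findings for one executable path."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    findings = []
    if normalize(p.name) in _BY_NORMALIZED:
        real, expected_dir = _BY_NORMALIZED[normalize(p.name)]
        if p.name.lower() != real:
            findings.append(("lookalike", f"{p.name} mimics {real}"))
        if parent != expected_dir:
            findings.append(("wrong-dir", f"{p.name} runs from {p.parent}, expected {expected_dir}"))
    elif parent in ODD_AUTORUN_DIRS:
        findings.append(("odd-dir", f"{p.name} runs from {p.parent}"))
    if p.suffix.lower() in SCRIPT_EXTS:
        findings.append(("script-autorun", path))
    return findings

def check_line(line):
    """Return findings for one HijackThis log line."""
    findings = []
    if line.startswith("F2 -") and "Shell=" in line:
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":       # anything appended to the shell is a hijack
            findings.append(("shell-hijack", shell))
    if line.startswith("O7 -") and "DisableRegedit=1" in line:
        findings.append(("regedit-disabled", line))
    m = _GLOBAL_STARTUP_RE.match(line)           # startup-folder items carry no drive path
    if m:
        findings.extend(check_path(m.group(1)))
    for path in _PATH_RE.findall(line):          # every drive-letter path in the entry
        findings.extend(check_path(path))
    return findings

def scan(lines):
    """Map each suspicious line to its finding tags; clean lines are omitted."""
    report = {}
    for line in lines:
        tags = [tag for tag, _ in check_line(line)]
        if tags:
            report[line] = tags
    return report

# Constructed sample: the entries quoted in the thread plus one benign line.
SAMPLE_LINES = [
    r'F2 - REG:system.ini: Shell=Explorer.exe "C:\Program Files\Microsoft Office\Temp.exe"',
    r"O4 - HKLM\..\Run: [Patah Hati] C:\WINDOWS\system\ISASS.exe",
    r"O4 - HKLM\..\Run: [user logon] C:\WINDOWS\Help\user logon.exe",
    r"O4 - HKCU\..\Run: [HotKeysCmds] C:\WINDOWS\hkcmd.exe",
    r"O4 - Global Startup: system startup.pif = ?",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",   # benign, constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for tag, detail in check_line(line):
            print(f"{tag:16} {detail}")
```

The homoglyph normalisation is applied to both the known name and the observed name, so a genuine lsass.exe in system32 produces no finding while ISASS.exe anywhere, or lsass.exe outside system32, does. Treat the output as a worklist to confirm by hand (hash the file, check its signer and creation time), not as a verdict.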