How do I unlock a file?

I have been infected with Trojan Horse Norton has detected it and says file seasg.exe is a file that is causing me problems (constant sending stuff) I have found it but cant move or delete it , it says "file locked" is there ANY way I can get rid of this file? i.e unlock it to delete it?
Please HELP!!!!

[Scoobs]

Try booting in safe mode to see if you or norton can delete it that way (press f8 on boot to get menu)

Many thanks Scoobs it worked

I am on broadband is it normal to "send" more information than "receive" I have now been on 44 minutes sent 12,001,568 and received 2,997,345 I am confused
Any help appreciated.

certainly not normal for me. my stats are just about opposite to yours?

[Scoobs]

nope its not normal the only time you would see that is if you are uploading .

have you run a hijack log yet.

or somebody is downloading from your puter behind your back?
make sure your files are not for sharing?

Sorry had to post in two files would not accept one long file it said to many smilies!

Logfile of HijackThis v1.98.2
Scan saved at 20:37:08, on 18/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\BigFix\BigFix.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\snlogsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178

You have a few infections but we need to deal with your trojan infection first.
The malicious file is C:\Windows\System\snlogsvc.exe
Did you download, update and run TDS-3 as I suggested in another thread? If not, do this first. Then we'll set about removing any other malware.

When posting HJT! logs, please use the "Post Reply" button rather than the "Quick Reply" feature. Now you will see that you have a few options available to you.
Uncheck "Automatically Parse URLs" and check "Disable Smilies". Now your log entries will be legible and they'll fit into a single post.
As soon as you've cleaned your trojan infection, reboot, rerun HJT! and post a fresh log here.

As this is a RAT, you would be very wise to change any passwords etc that you have entered. This type of software is capable of logging keystrokes and mouse clicks which means that your security has been completely compromised.

It's obvious from your traffic reports that someone is downloading from you or using you as a zombie. Before removing the trojan, run Netstat to find the IP and report the intruder to the relevant authorities.

Yet another triumph for Norton AV... NOT!

Killbox is a useful tool for deleting files that are "in use" or "locked".

Some users may have heard of or previously used EndItAll, but it's no longer a free program unfortunately.

I had run TDS-3 before reading your last email and it came up with the following..

Live Trojan Found (in process memory)
DCOM RCP report Exploit
C:\windows\system32\snlogsvc.exe

I deleted this under TDS-3 unfortunately before running NETSTAT

Logfile of HijackThis v1.98.2
Scan saved at 05:57:41, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\BigFix\BigFix.exe
C:\WINDOWS\System32\rundll32.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178

Something has improved, since the offending file was removed (although it seems to be constantly sending out stuff) the status shows.... after 1hr 14mins sent 808,878 received 3,326,812

and this morning....after 39 mins sent 199,432 received 239,905

Rerun HJT! and hit the config button. In the fields provided, enter your preferred home page etc; mine are as follows:
Default Start Page - http://www.the-scream.co.uk/forums
Default Search Page - http://www.google.co.uk
Default Search Assistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
Default Search Customise - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

Now go back to the main screen and have it fix the items marked in red:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.power-search.info/panel_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://directory.tiscali.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.power-search.info/panel_search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.power-search.info/panel_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.power-search.info/panel_search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali

O1 - Hosts: 64.91.255.87 www.dcsresearch.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE

O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe

O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m

O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b

O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe

O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/

O16 - DPF: DigiChat Applet - http://www.rxxx.com/DigiChat/DigiClasses/Client_IE.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178


Reboot into safe mode, find and delete the following files:
snlogsvc.exe

Reboot as normal, rerun HJT! and post another log.

Hi Zero,
All suggestions done and it still seems to be uploading?, many thanks for your patience and help this is the latest hijack this

Logfile of HijackThis v1.98.2
Scan saved at 15:13:40, on 19/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\program files\Evidence Eliminator\ee.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\BigFix\BigFix.exe
C:\Palm\hotsync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\EDDIE BADGER\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IW Controlcenter] C:\PROGRA~1\INSTAN~1\INSTAN~1\IWCTRL.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Evidence Eliminator] C:\program files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\quickenw\BILLMIND.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5112F39E-A79B-410D-B654-60E773EFA122}: NameServer = 80.225.252.186 80.225.252.178

Your log looks clean but there are a few entries which if removed, will improve performance.

Firstly though, do you actually need all the programs that you are running? BigFix for example is one such program.
Take a look at your Add/Remove Programs applet and see if there's anything there that you don't need.
Do you use the MS Office StartBar?
Check the options in MS Messenger and on't allow it to start at boot.

You will upload some data - That's natural. If you're still worried, run another Netstat command and post the outcome here. Ensure that you are online but with nothing connected and make sure that you use -a switch with the command:
netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP your-obbuq8xnm4:epmap your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:microsoft-ds your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:1025 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:1026 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3155 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3220 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3223 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:5000 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:netbios-ssn your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3218 origin2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3220 support2.microsoft.com:http ESTABLISHED
TCP your-obbuq8xnm4:3221 origin2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3222 go.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3223 207.46.248.254:http ESTABLISHED
TCP your-obbuq8xnm4:3224 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3225 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3226 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3227 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3228 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3229 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3230 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3231 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3232 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3233 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3234 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3235 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3236 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3237 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:3238 support2.microsoft.com:http TIME_WAIT
TCP your-obbuq8xnm4:10858 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3001 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3002 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3003 your-obbuq8xnm4:0 LISTENING
TCP your-obbuq8xnm4:3006 your-obbuq8xnm4:0 LISTENING
UDP your-obbuq8xnm4:microsoft-ds *:*
UDP your-obbuq8xnm4:isakmp *:*
UDP your-obbuq8xnm4:3007 *:*
UDP your-obbuq8xnm4:3014 *:*
UDP your-obbuq8xnm4:3017 *:*
UDP your-obbuq8xnm4:ntp *:*
UDP your-obbuq8xnm4:netbios-ns *:*
UDP your-obbuq8xnm4:netbios-dgm *:*
UDP your-obbuq8xnm4:1900 *:*
UDP your-obbuq8xnm4:3019 *:*
UDP your-obbuq8xnm4:3235 *:*
UDP your-obbuq8xnm4:7249 *:*
UDP your-obbuq8xnm4:27027 *:*
UDP your-obbuq8xnm4:ntp *:*
UDP your-obbuq8xnm4:1900 *:*
UDP your-obbuq8xnm4:3025 *:*
UDP your-obbuq8xnm4:3192 *:*
UDP your-obbuq8xnm4:3213 *:*

It's best if you run this test with no connections made to anything. That way, if you are secretly uploading to someone, it would be instantly recognisable.
However, nothing jumps out at me but you do have several ports open and listening. I'll have a look later to see what these may be for.
You also have NetBios running over TCP. That should be disabled.

You really need to get yourself a firewall and set it up properly.

I have a second computer running Windows 98 networked is this what netbios is for? its sharing my Mitsubishi monitor, I only use this machine for running The Oxford English Dictionary ( I do a lot of writing) which will not operate under XP. I do not have the second PC set up for the internet, I do not require it, would it solve some of my problems if I ceased to have the second PC coupled up?

I am sure I am running XP firewall is this satifactory? or what would you suggest?

Many thanks for all your kind help and assistance.

As I've just posted in another thread, the XP firewall did absolutely nothing to prevent or even warn you about your trojan "phoning home" so it's ineffectiveness has just been proved!

With regards to Netbios over TCP, open the advanced settings window for your actual internet connection and disable Netbios over TCP:

[henrydcruz]

Try Microsoft Excel password unlocker tool which smartly pull out lost Excel file password & unlock Excel file. Excel password recovery software works superbly when crack Excel file password. This software easily unlock Excel file without wasting your valuable time.

[WilliamPerez]

How about a file that cannot be open on your USB? Any suggestions?