Hijack This log - please help (Resolved)

  1. #1
    jcw, Junior Member

    Have run adaware and spybot to clear out the known stuff, but pop-ups redirecting to a site selling spy removal software keep appearing.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:42:12, on 27/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\altiris\aclient\aclient.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\vsAOD.Exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\apptz.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\altiris\aclient\AClntUsr.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\OfficeScan NT\RAUAgent.exe
    C:\WINDOWS\appxk32.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\userinit.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pgiqa.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pgiqa.dll/index.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pgiqa.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pgiqa.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pgiqa.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pgiqa.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InHealth Group
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.1.249:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;192.168.*;172.*;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6F50E73A-6232-13C7-A27E-83C8C4197E89} - C:\WINDOWS\system32\appvb32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
    O4 - HKLM\..\Run: [appxk32.exe] C:\WINDOWS\appxk32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKLM\..\RunOnce: [apptz.exe] C:\WINDOWS\system32\apptz.exe
    O4 - HKLM\..\RunOnce: [atlbi.exe] C:\WINDOWS\atlbi.exe
    O4 - HKLM\..\RunOnce: [iegl32.exe] C:\WINDOWS\iegl32.exe
    O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\system32\ipvn32.exe
    O4 - HKLM\..\RunOnce: [d3dr32.exe] C:\WINDOWS\system32\d3dr32.exe
    O4 - HKLM\..\RunOnce: [netei32.exe] C:\WINDOWS\netei32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.inhealthgroup.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8034.151099537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com
    O17 - HKLM\Software\..\Telephony: DomainName = ihgd.inhealthgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com

  2. #2
    Nirvana, Elite Member
    Download About:Buster from http://tools.zerosrealm.com/AboutBuster.zip


    Reboot into safe mode.

    Run AboutBuster.exe, click OK, then Start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page. Run it twice and copy the results both times.

    Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

    Install the program and launch it.

    First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

    Next, we need to configure Ad-aware for a full scan.

    Click on the Gear icon (second from the left) to access the preferences/settings window

    1. In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    2. Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
    • All of your hard drives
    3. Click on the Advanced button on the left and select:
    • Include additional process information
    • Include additional file information
    • Include environment information
    • Include additional object details
    4. Click the Tweak button and select:
    • Under the Scanning Engine:
      • Unload recognized processes during scanning
      • Include basic Ad-aware settings in logfile
      • Include additional Ad-aware settings in logfile
    • Under the Cleaning Engine:
      • Let Windows remove files in use at next reboot
    Click on Proceed to save the settings.

    Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
    • Use Custom Scanning Options
    Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

    Save the log file when it asks and then click Finish

    When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

    Reboot your computer.

    Post a new HijackThis log along with the report from About:Buster.

  3. #3
    jcw, Junior Member
    Hi, info as requested

    Logfile of HijackThis v1.97.7
    Scan saved at 10:32:48, on 30/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    c:\altiris\aclient\aclient.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\vsAOD.Exe
    C:\WINDOWS\system32\apptz.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\altiris\aclient\AClntUsr.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\OfficeScan NT\RAUAgent.exe
    C:\WINDOWS\system32\javaqs32.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\userinit.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjsij.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjsij.dll/index.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjsij.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjsij.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hjsij.dll/index.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hjsij.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InHealth Group
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.1.249:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;192.168.*;172.*;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {82335B62-7DEF-0FF6-3C5F-94007ED6C7B3} - C:\WINDOWS\apphj32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
    O4 - HKLM\..\Run: [javaqs32.exe] C:\WINDOWS\system32\javaqs32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\system32\ipvn32.exe
    O4 - HKLM\..\RunOnce: [d3dr32.exe] C:\WINDOWS\system32\d3dr32.exe
    O4 - HKLM\..\RunOnce: [msvt32.exe] C:\WINDOWS\system32\msvt32.exe
    O4 - HKLM\..\RunOnce: [crnl.exe] C:\WINDOWS\system32\crnl.exe
    O4 - HKLM\..\RunOnce: [nthh.exe] C:\WINDOWS\nthh.exe
    O4 - HKLM\..\RunOnce: [ntmg.exe] C:\WINDOWS\ntmg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.inhealthgroup.com
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...8034.151099537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com
    O17 - HKLM\Software\..\Telephony: DomainName = ihgd.inhealthgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com

    and there were a lot of the following - too many to post to the forum:

    Removed! : C:\WINDOWS\System32\xudtj.dat
    Removed! : C:\WINDOWS\System32\ybghk.dat
    Removed! : C:\WINDOWS\System32\zanir.dat
    Attempted Clean Of Temp folder.
    Removed Uninstall Key (HSA)
    Removed Uninstall Key (SE)
    Removed Uninstall Key (SW)
    Pages Reset... Done!

    -- Scan 2 --------
    About:Buster Version 2.0
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

  4. #4
    owen, D-A-L Team Member (UK)
    Could you boot into Safe Mode. Run about:buster again. Reboot into Normal Mode, perform a scan with Ad-aware and then post a fresh log. Thanks.

  5. #5
    jcw, Junior Member
    Will do. But it will be sometime Monday.

    Thanks

  6. #6
    owen, D-A-L Team Member (UK)
    I also forgot to mention, before you run About:Buster in Safe Mode, Restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InHealth Group
    O2 - BHO: (no name) - {82335B62-7DEF-0FF6-3C5F-94007ED6C7B3} - C:\WINDOWS\apphj32.dll
    O4 - HKLM\..\Run: [javaqs32.exe] C:\WINDOWS\system32\javaqs32.exe
    O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\system32\ipvn32.exe
    O4 - HKLM\..\RunOnce: [d3dr32.exe] C:\WINDOWS\system32\d3dr32.exe
    O4 - HKLM\..\RunOnce: [msvt32.exe] C:\WINDOWS\system32\msvt32.exe
    O4 - HKLM\..\RunOnce: [crnl.exe] C:\WINDOWS\system32\crnl.exe
    O4 - HKLM\..\RunOnce: [nthh.exe] C:\WINDOWS\nthh.exe
    O4 - HKLM\..\RunOnce: [ntmg.exe] C:\WINDOWS\ntmg.exe

    Click Fix Checked

    Then run About:Buster in Safe Mode

  7. #7
    jcw, Junior Member
    Done that; with the following result:

    -- Scan 1 --------
    About:Buster Version 2.0
    Attempted Clean Of Temp folder.
    Pages Reset... Done!

    Logfile of HijackThis v1.97.7
    Scan saved at 14:49:14, on 02/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\altiris\aclient\aclient.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\vsAOD.Exe
    C:\WINDOWS\Explorer.EXE
    C:\OfficeScan NT\pccntmon.exe
    C:\OfficeScan NT\RAUAgent.exe
    C:\altiris\aclient\AClntUsr.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wvqia.dll/sp.html#28129
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wvqia.dll/index.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InHealth Group
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.1.249:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;192.168.*;172.*;<local>
    O4 - HKLM\..\Run: [AClntUsr] c:\altiris\aclient\AClntUsr.EXE
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [RemoteAgent] C:\OfficeScan NT\RAUAgent.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://www.inhealthgroup.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com
    O17 - HKLM\Software\..\Telephony: DomainName = ihgd.inhealthgroup.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ihgd.inhealthgroup.com
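
    Added example, not a tool from this thread, from D-A-L, or from HijackThis: a small Python triage script that applies, to constructed excerpts of jcw's first and third logs, the three patterns the helpers are acting on above: IE start and search pages served out of a local DLL via res://, an unnamed BHO loaded straight from C:\WINDOWS or system32, and O4 values that are either RunOnce entries or are named after their own executable (compare [IgfxTray] igfxtray.exe with [appxk32.exe] appxk32.exe). It also diffs two scans, which makes the point of this thread visible: the DLL behind the res:// pages (pgiqa.dll, then hjsij.dll, then wvqia.dll) and most of the dropped executables carry new random names from one log to the next, so removing entries by name does not finish the job and the recurring pattern is what to watch for. The regexes, the SYSTEM_DIRS set, the heuristics and the sample log text are all assumptions made here for the example.

```python
"""Triage heuristics for HijackThis logs: added example, not the forum's tooling."""
import ntpath
import re

RE_ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RE_R = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
RE_O2 = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Directories where the hijacker in the thread dropped its randomly named files (assumption).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed samples: subsets of the first and third logs posted in the thread.
SCAN_A = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pgiqa.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pgiqa.dll/index.html#28129
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F50E73A-6232-13C7-A27E-83C8C4197E89} - C:\WINDOWS\system32\appvb32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [appxk32.exe] C:\WINDOWS\appxk32.exe
O4 - HKLM\..\RunOnce: [apptz.exe] C:\WINDOWS\system32\apptz.exe
O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\system32\ipvn32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""
SCAN_B = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hjsij.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hjsij.dll/index.html#28129
O2 - BHO: (no name) - {82335B62-7DEF-0FF6-3C5F-94007ED6C7B3} - C:\WINDOWS\apphj32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [javaqs32.exe] C:\WINDOWS\system32\javaqs32.exe
O4 - HKLM\..\RunOnce: [ipvn32.exe] C:\WINDOWS\system32\ipvn32.exe
O4 - HKLM\..\RunOnce: [crnl.exe] C:\WINDOWS\system32\crnl.exe
"""


def parse(log):
    """Return (code, body) for each HijackThis entry line; process-list lines are ignored."""
    out = []
    for line in log.splitlines():
        m = RE_ENTRY.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def exe_path(cmd):
    """Executable from an O4 command: honour quotes, otherwise drop a trailing -switch or /switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return re.sub(r"\s+[-/]\S+$", "", cmd)


def in_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def triage(log):
    """Flag entries matching the hijack pattern seen in the thread; each finding names one file."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1"):
            m = RE_R.match(body)
            if m and m.group("data").lower().startswith("res://"):
                dll = m.group("data")[len("res://"):].split("/")[0]
                findings.append(dict(code=code, file=ntpath.basename(dll).lower(),
                                     reason="IE page served from a local DLL resource"))
        elif code == "O2":
            m = RE_O2.match(body)
            if m and m.group("name") == "(no name)" and in_system_dir(m.group("path")):
                findings.append(dict(code=code, file=ntpath.basename(m.group("path")).lower(),
                                     reason="unnamed BHO loaded straight from a system directory"))
        elif code == "O4":
            m = RE_O4.match(body)
            if not m:
                continue  # Global Startup and other O4 forms are not covered by this heuristic
            base = ntpath.basename(exe_path(m.group("cmd"))).lower()
            if m.group("key").lower() == "runonce" or m.group("name").lower() == base:
                findings.append(dict(code=code, file=base,
                                     reason="RunOnce entry, or value named after its own exe"))
    return findings


def compare(log_a, log_b):
    """Which flagged file names disappeared, appeared, or survived between two scans."""
    a = {f["file"] for f in triage(log_a)}
    b = {f["file"] for f in triage(log_b)}
    return {"gone": sorted(a - b), "new": sorted(b - a), "persisting": sorted(a & b)}


if __name__ == "__main__":
    for f in triage(SCAN_A):
        print(f"{f['code']}: {f['file']:14} {f['reason']}")
    print(compare(SCAN_A, SCAN_B))
```

    Run it directly to print the findings for SCAN_A and the diff against SCAN_B; compare() reports that only ipvn32.exe survives between the two excerpts while everything else was renamed. The value-named-after-its-own-exe rule comes from this one log and will also catch some legitimate entries written that way, so treat the output as a triage hint to read against the full log rather than a verdict.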

  8. #8
    owen, D-A-L Team Member (UK)
    Hiya,
    We are getting there.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by InHealth Group

    Click Fix Checked

    Then run About:Buster again in Safe Mode. Ensure you download the latest version from here beforehand

    Post a fresh log
    Last edited by owen; 03-08-2004 at 02:49 PM.

  9. #9
    jcw, Junior Member
    Hi Owen

    Will do when I am back in the office - Thurs.
    BTW InHealth Group are well known to me, how can that be the problem? Not suggesting you are wrong, just like to know how the buggers operate.

  10. #10
    owen, D-A-L Team Member (UK)
    I don't mind, it's your computer so you are entitled to know what I'm asking. What I asked you to remove was a bit of Branding. This is when your ISP or someone who provides your browser adds their name to your browser.

    Your browser probably says Microsoft Internet Explorer provided by InHealth Group. Fixing this entry will change your browser back to how it should be and it will instead display Microsoft Internet Explorer.
