Can I please Post a Hijackthis file

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

 

That's because you were already in Advance mode.

First let's Fix SpyBot's Ignore Products Bug:
I want you to run SpyBot and get into the Advanced mode by selecting Mode and then
Advanced mode. Then select Settings and the in the left column select Ignore Products.
In the right window pane make sure the All products tab is selected. Then in that
window, right click your mouse and choose "Deselect all". Now in the left pane click
at the top on SpyBot S&D and then choose Search for Updates. Download any updates
required. Now click Check for Problems. Fix any that are found.

See if that fixes the O10 - Hijacked Internet access by New.Net line seen in your HJT log.


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.kfhophjyeocpdwdcspcyvdla.biz/uBm75WtJv8RAkVt/DyS5JPEm7FtZfveThPUBQeG12sv7_0WyPuJ_h/iQS0joy5B4.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

 

Did you take care of what I said about the Ignore Products bug. Make sure no items are checked in that list. It has a bug which has 4 products set to be ignored. One of which is new.net

 

Your log is basically clean but I have a few comments and a question:

You must not run multiple antivirus applications. You have both AVG7 and Symantec/Norton running. You need to uninstall one of them.

If you have Symantec/Norton's Firewall running, have you disabled the one in Win XP SP2?

Question: What is this SnapDetect stuff?
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?

How is everything working?

 

Norton is a well known program that some people consider to be very good, however most of us here do not like it or McAfee because they require why too many processes and eat system resources. Most of the free antivirus programs, like Avast, AVG, and AntiVir Personal, do a very good jobs without the bloatware. It's up to you. You may have other things in the Norton package to since some of there software suites add all kinds of stuff like firewall, popup blockers, recycle bin protectors, adware checking, etc. You have to see what you want. But you need to have only on antivirus program installed.

It's possible that SnapDetect.exe is related to her camera ( or maybe a scanner ?) Right click on it and see who it belongs too by looking at Properties, Version info.

This is what you need to do: How to Protect yourself from malware!

 

You could have a lot of stuff hanging around from an old infection and maybe it is removing 8 at a time. Or maybe it cannot remove the items. First a question, why run it. You should only run HSremove and About:Buster if you have the HSA and or about:blank hijack problem which you should easily be able to tell.

That said, try running HSremove in safe mode with ALL other process closed and no physical ability (unplug cables) to connect to the internet. Then run About:Buster and allow it to run its secondary scan too. Then reboot to normal mode and do nothing else but run About:Buster and run the secondary scan again. IMMEDIATELY after it completes reboot in normal mode.

Let me know if About:Buster and HSremove were finding anything.
Is you HJT log still clean?

 

Try the msconfig method to boot into safe mode. Read about it here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

If you can boot into safe mode that way, rerun what I asked.

 

You have to re-enable normal boot up using msconfig (the inverse of what you did to get into safe mode).

You said about:Buster in normal mode found the same 8 items, I think you meant HSremove?
about:Buster does open MyDocuments when it completes each scan.

What version of HSremove are you using?
What version of About:Buster and what version is the Reference file?

 

You must not have downloaded About:Buster from the link in the READ ME as we request that you do. About:Buster is on version 4.0. Download it and then run it. Each time you run it, before doing a scan, you should click the Update button (that is how you find out about the Reference file version). The download file comes with Reference 16 but the current Reference version available is 21. It will show you that. Click the Download Update button to get updated.

Then run it again as I previously requested.