
Please help me get rid of this nagging virus. Thanks.

rimmi2002

Member
Hi, I recently downloaded something which seemed like a virus but I still clicked on it. I have Bitdefender 2010 Total Security running. It detected the virus and stopped it. Then the next day my internet went down; I was getting "cannot get DNS address" on that computer only. All wifi connections were working fine. I resolved it by putting in a static DNS address that I found as a solution on a random website where people were getting DNS errors. When I ran the virus scan it found 8 instances of the trojan.nsis.agent.a virus, which it quarantined.

Now every time I restart Windows, Bitdefender finds two instances of trojan.nsis.agent.a in searchprotocolhost.exe in the Windows temp directory. It blocks and quarantines the files. It happens each time. So the source is still somewhere on the computer. Bitdefender and Malwarebytes find no viruses or trojans. Any suggestions of what else I can do?

Below is the log for Hijackthis

http://pastebin.com/A2341nkF
 
I didn't see anything in the hijackthis log. Try deleting everything from the temp directory, and then search for all files created on the date you started having problems, and after. See if anything doesn't look right.
 
Try this:
1. Disable System Restore
2. Run CCleaner
http://www.piriform.com/?utm_source=ccleaner.com&utm_medium=redirect
3. Reboot into Safe Mode with Networking
4. Update and run Antivir (again, with the deepest possible scan level):
http://www.avira.com/en/avira-free-antivirus
5. Update and run SuperAntiSpyware (use the most thorough settings):
http://www.superantispyware.com/

Be sure to uninstall Antivir when you finish, if you prefer BitDefender; it's not good to use two real-time antivirus products.
 
Always format and restore from a last known good backup when infected. There is no way to be 100% sure of cleanliness. It's like herpes: you may think it's gone, but it will come back some day. Sorry, that is the only true answer.
 
Delete the contents of the temp folder. The folder is hidden, so make sure you enable "show hidden files" in Folder Options.
c:\Users\your username\AppData\Local\Temp

It is safe to delete everything inside that folder. It may say you cannot delete .log files; that is normal.
 
I can boot into my computer from another OS on a different HD. Should I do that instead of safe and scan the affected HD?
 
I can boot into my computer from another OS on a different HD. Should I do that instead of safe and scan the affected HD?

My wife accidentally did exactly that a couple of months ago: booted into W2K on her old hard drive. She rebooted, and XP was suddenly using Classic theme, and various other problems. I flattened it.

This particular trojan does hide in your temp folder. I believe it also writes to the registry to re-infect after cleansing...check these:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Startup="C:\windows\start menu\programs\startup"

I agree with Schadenfroh: it's probably also in every restore point as well. I second the suggestion to use SUPERAntiSpyware.
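
An added example, not part of the original thread: a PowerShell sketch that reads the autorun keys listed in the post above and flags values that launch from a temp folder, then lists the Startup folder. The function name `Get-AutorunEntry` and the "runs from Temp" heuristic are assumptions made for illustration.

```powershell
# Added example: enumerate the autorun registry keys named in the thread and
# flag any value whose command line points into a Temp directory.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Assumption: "worth a closer look" here means only "starts from a temp folder".
$tempPattern = '\\(Temp|Tmp)\\'

function Get-AutorunEntry {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($key in $Path) {
        # Some of these keys do not exist on every Windows version; skip quietly.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Keep the raw string so %TEMP%-style variables stay visible,
            # then expand them only to test where the path really points.
            $raw = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            [pscustomobject]@{
                Key      = $key
                Name     = $name
                Command  = $raw
                FromTemp = [bool]($expanded -match $tempPattern)
            }
        }
    }
}

# Temp-launched entries sort to the top for review.
Get-AutorunEntry -Path $runKeys |
    Sort-Object FromTemp -Descending |
    Format-Table -AutoSize -Wrap

# The Startup folder is the other location the post mentions: resolve it from
# the Shell Folders key and list what is in it, including hidden files.
$shell   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
$startup = (Get-ItemProperty -LiteralPath $shell -Name Startup).Startup
Get-ChildItem -LiteralPath $startup -Force | Select-Object Name, LastWriteTime
```

The script only reads the registry and the Startup folder; it changes nothing. Run it elevated as well if you want the HKLM results to include keys a standard user cannot read.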
 