
Zerolin-A Trojan won't go away!

Discussion in 'Security and Privacy' started by Pondlife, 2004/05/18.

Thread Status:
Not open for further replies.
  1. 2004/05/18
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Hi,
    Have a user's machine with this Trojan. Our antivirus software (Sophos) found it and shredded it. However, on reboot it comes back. I looked on the Sophos website for instructions on how to remove the nasty, downloaded their latest files and an application to remove it, and ran both. Looked clean. Ran Spybot and Ad-Aware: 2 registry entries cleaned. Used the latest Stinger from McAfee: found nothing.
    Looked in MSCONFIG (machine is Win 2k Service Pack 2, btw) and removed internat.exe.

    Emptied Temporary Internet Files (which is where Sophos keeps reporting the nasty is located). Rebooted, still there?

    I logged into the machine as admin, ran all the above and it found nothing. The user logs in, bang, there's the trojan!

    Here is the HijackThis log from the machine taken under the user's login :-

    Logfile of HijackThis v1.97.7
    Scan saved at 12:44:19, on 18/05/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\SxgTkBar.exe
    C:\WINNT\system32\NWTRAY.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tendringpct.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = TWIZZLE:8080
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Please help, it's driving me mad! :mad:
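    Pondlife's observation that the trojan shows up under the user's login but not under Administrator narrows the hunt to per-user locations (HKCU keys, the user's own Startup folder and profile directories such as Temporary Internet Files). As an added example, not code from the thread or from HijackThis, here is a small Python parser for the log format quoted above that splits entries by scope and lists the per-user autostarts and the per-user proxy setting; the sample log is constructed and its HKCU Run entry is hypothetical.

```python
import re

# Constructed sample in the HijackThis v1.97 format quoted in the thread; the HKCU Run
# entry is hypothetical, added to show the per-user kind of entry the symptom points at.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.tendringpct.co.uk
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = TWIZZLE:8080
O4 - HKLM\\..\\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKCU\\..\\Run: [example_entry] C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\\Program Files\\WinZip\\WZQKPICK.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Substrings that mark a location loaded only for the logged-on user (per-profile)
USER_SCOPE_MARKERS = ("HKCU", "Documents and Settings", "Temporary Internet Files", "Startup:")


def parse_hijackthis(text):
    """Return one dict per log entry: section tag, scope (user/machine/other) and raw body."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, running-process list and blank lines are skipped
        tag, body = m.groups()
        if body.startswith("HKLM") or body.startswith("Global Startup"):
            scope = "machine"  # fires for every account, so an admin login would see it too
        elif any(marker in body for marker in USER_SCOPE_MARKERS):
            scope = "user"  # fires only when this profile logs on
        else:
            scope = "other"
        entries.append({"tag": tag, "scope": scope, "body": body})
    return entries


def per_user_autostarts(entries):
    """O4 entries that only run for the logged-on user: the first place to look when an
    infection reappears under one account but not under Administrator."""
    return [e["body"] for e in entries if e["tag"] == "O4" and e["scope"] == "user"]


def proxy_settings(entries):
    """Per-user IE ProxyServer values (R1 lines), also worth confirming with the user."""
    return [e["body"].split("=", 1)[1].strip() for e in entries
            if e["tag"] == "R1" and "ProxyServer" in e["body"]]
```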
     
  2. 2004/05/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I'm no expert on HijackThis logs - learning fast :) - but have you run an online trojan scan, in the user's name?

    www.trojanscan.com
     
  4. 2004/05/18
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    That scanner is down at the moment...do you have any others I could try?
     
  5. 2004/05/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  6. 2004/05/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Does the user have any mapped shares? May be getting the critter from another machine on the network.
     
    Newt,
    #5
  7. 2004/05/18
    Pondlife

    Pondlife Inactive Thread Starter

    Joined:
    2003/07/09
    Messages:
    80
    Likes Received:
    0
    Couldn't use any online scanner as our firewall config wouldn't let them through (and it's out of my control too :( )

    I managed to get hold of something free (can't remember the name now as I'm at home) and that found nothing.

    Then re-ran Sophos and it found nothing, so it looks like it's gone now.

    Very odd indeed. :confused:

    Thanks for your help as usual, gents. Will see if it's returned tomorrow.
     