WiredWX Christian Hobby Weather Tools

Virus antispyware cant locate
Hi, I'm new here. I know a little about computers but not all the technical language. I am trying to help a friend. She had a trojan on her computer; we thought it had been got rid of, but no. I have run AVG and Spybot in normal and safe mode and neither found anything. However, when you enter anything in the homepage search bar, the tab at the top of the page seems to flash through a lot of web addresses totally unrelated to the search, and the web page you asked for doesn't appear... She first realised she had a problem when she went on eBay and couldn't open the sign-in page. I have run the Windows Malicious Software Removal Tool as well. If this makes sense to anyone, any advice would be very much appreciated (we did consider taking a lump hammer to it), and in fairly plain English please.
Thanks

Re: Virus antispyware cant locate
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Virus antispyware cant locate
OK, thanks. I will have to visit her sometime today... and will get back to you.

Re: Virus antispyware cant locate
Okay, standing by.

Re: Virus antispyware cant locate
Here it is!

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:00:29, on 12/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 92.63.106.206 abbeyinternational.com
O1 - Hosts: 92.63.106.206 www.abbeyinternational.com
O1 - Hosts: 92.63.106.206 www99.americanexpress.com
O1 - Hosts: 92.63.106.206 www.bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 www.bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 www.businesscreditcardsonline.co.uk
O1 - Hosts: 92.63.106.206 businesscreditcardsonline.co.uk
O1 - Hosts: 92.63.106.206 www.cahoot.com
O1 - Hosts: 92.63.106.206 cahoot.com
O1 - Hosts: 92.63.106.206 www.capitaloneonline.co.uk
O1 - Hosts: 92.63.106.206 capitaloneonline.co.uk
O1 - Hosts: 92.63.106.206 www.cardservicing.mint.co.uk
O1 - Hosts: 92.63.106.206 cardservicing.mint.co.uk
O1 - Hosts: 92.63.106.206 www.egg.com
O1 - Hosts: 92.63.106.206 egg.com
O1 - Hosts: 92.63.106.206 www.firstdirect.com
O1 - Hosts: 92.63.106.206 firstdirect.com
O1 - Hosts: 92.63.106.206 www.halifax-online.co.uk
O1 - Hosts: 92.63.106.206 halifax-online.co.uk
O1 - Hosts: 92.63.106.206 www.ibank.cahoot.com
O1 - Hosts: 92.63.106.206 ibank.cahoot.com
O1 - Hosts: 92.63.106.206 www.mbna.co.uk
O1 - Hosts: 92.63.106.206 mbna.co.uk
O1 - Hosts: 92.63.106.206 www.mbna.ie
O1 - Hosts: 92.63.106.206 mbna.ie
O1 - Hosts: 92.63.106.206 www.mybank.alliance-leicester.co.uk
O1 - Hosts: 92.63.106.206 mybank.alliance-leicester.co.uk
O1 - Hosts: 92.63.106.206 www.mybusinessbank.co.uk
O1 - Hosts: 92.63.106.206 mybusinessbank.co.uk
O1 - Hosts: 92.63.106.206 www.myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 www.myonlineaccounts3.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 myonlineaccounts3.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 www.new.egg.com
O1 - Hosts: 92.63.106.206 new.egg.com
O1 - Hosts: 92.63.106.206 www.olb2.nationet.com
O1 - Hosts: 92.63.106.206 olb2.nationet.com
O1 - Hosts: 92.63.106.206 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 service.citicards.co.uk
O1 - Hosts: 92.63.106.206 www.service.citicards.co.uk
O1 - Hosts: 92.63.106.206 www.signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 www.your.egg.com
O1 - Hosts: 92.63.106.206 your.egg.com
O1 - Hosts: 92.63.106.206 abbeyinternational.com
O1 - Hosts: 92.63.106.206 www.abbeyinternational.com
O1 - Hosts: 92.63.106.206 www99.americanexpress.com
O1 - Hosts: 92.63.106.206 www.bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 www.bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 www.businesscreditcardsonline.co.uk
O1 - Hosts: 92.63.106.206 businesscreditcardsonline.co.uk
O1 - Hosts: 92.63.106.206 www.cahoot.com
O1 - Hosts: 92.63.106.206 cahoot.com
O1 - Hosts: 92.63.106.206 www.capitaloneonline.co.uk
O1 - Hosts: 92.63.106.206 capitaloneonline.co.uk
O1 - Hosts: 92.63.106.206 www.cardservicing.mint.co.uk
O1 - Hosts: 92.63.106.206 cardservicing.mint.co.uk
O1 - Hosts: 92.63.106.206 www.egg.com
O1 - Hosts: 92.63.106.206 egg.com
O1 - Hosts: 92.63.106.206 www.firstdirect.com
O1 - Hosts: 92.63.106.206 firstdirect.com
O1 - Hosts: 92.63.106.206 www.halifax-online.co.uk
O1 - Hosts: 92.63.106.206 halifax-online.co.uk
O1 - Hosts: 92.63.106.206 www.ibank.cahoot.com
O1 - Hosts: 92.63.106.206 ibank.cahoot.com
O1 - Hosts: 92.63.106.206 www.mbna.co.uk
O1 - Hosts: 92.63.106.206 mbna.co.uk
O1 - Hosts: 92.63.106.206 www.mbna.ie
O1 - Hosts: 92.63.106.206 mbna.ie
O1 - Hosts: 92.63.106.206 www.mybank.alliance-leicester.co.uk
O1 - Hosts: 92.63.106.206 mybank.alliance-leicester.co.uk
O1 - Hosts: 92.63.106.206 www.mybusinessbank.co.uk
O1 - Hosts: 92.63.106.206 mybusinessbank.co.uk
O1 - Hosts: 92.63.106.206 www.myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 www.myonlineaccounts3.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 myonlineaccounts3.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 www.new.egg.com
O1 - Hosts: 92.63.106.206 new.egg.com
O1 - Hosts: 92.63.106.206 www.olb2.nationet.com
O1 - Hosts: 92.63.106.206 olb2.nationet.com
O1 - Hosts: 92.63.106.206 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 92.63.106.206 service.citicards.co.uk
O1 - Hosts: 92.63.106.206 www.service.citicards.co.uk
O1 - Hosts: 92.63.106.206 www.signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 www.your.egg.com
O1 - Hosts: 92.63.106.206 your.egg.com
O1 - Hosts: 92.63.106.206 abbeyinternational.com
O1 - Hosts: 92.63.106.206 www.abbeyinternational.com
O1 - Hosts: 92.63.106.206 www99.americanexpress.com
O1 - Hosts: 92.63.106.206 www.bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 bankcardservices.co.uk
O1 - Hosts: 92.63.106.206 www.bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 bcol.barclaycard.co.uk
O1 - Hosts: 92.63.106.206 www.businesscreditcardsonline.co.uk
O1 - Hosts: 92.63.106.206 businesscreditcardsonline.co.uk
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: BHO - {B7B7C9E7-4AAC-467c-9BAE-76112D413A58} - C:\WINDOWS\system32\winbchs.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SIMBAR={788F5F5E-DFC8-401A-8A68-0D6C21EE0FDB}; InfoPath.1; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.girlgames1.com/play-11512-ultimateraceway.html"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227009046656
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

--
End of file - 11869 bytes

Re: Virus antispyware cant locate
Since posting the above, my mate's computer has had a PC security tool appear which blocks all internet sites.

Re: Virus antispyware cant locate
Hello.
Download HostsXpert from HERE

  • Unzip it and start the program.
  • If "Make writeable?" is shown in red at the top, click it to make writeable.
  • Press "Restore MS Hosts File"
  • OK the prompt.
  • Then click on "Make read only"
  • Exit HostsXpert.

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: BHO - {B7B7C9E7-4AAC-467c-9BAE-76112D413A58} - C:\WINDOWS\system32\winbchs.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/SmileyCentralFWBInitialSetup1.0.1.0.cab
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Virus antispyware cant locate
I will try this tomorrow... She is pretty impatient and I told her not to touch it till I heard from you. Assuming she hasn't gone and deleted everything, I will do all the above and get back to you. W
Many thanks :D

Re: Virus antispyware cant locate
While you're at it, let me know if HostsXpert throws up an error about not being able to create the host file. The infection here is somewhat similar to another infection where the host file is completely locked down after being hijacked, but the hijack in the other infection is different to this one.

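Added example, not part of the original posts: a small triage script for the O1 (hosts file) section of a HijackThis log like the one in this thread. It groups hostnames by the address they are pinned to and reports any pinned to a routable address rather than a loopback or null address. The function names are illustrative, and the sample is an excerpt of the log above plus one constructed blocklist-style line.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis O1 lines have the form "O1 - Hosts: <ip> <hostname>".
O1_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Excerpt of the log posted in the thread; the ads.example.com line is constructed.
SAMPLE_LOG = """\
O1 - Hosts: 92.63.106.206 www.cahoot.com
O1 - Hosts: 92.63.106.206 cahoot.com
O1 - Hosts: 92.63.106.206 www.signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 signin.ebay.co.uk
O1 - Hosts: 92.63.106.206 www.cahoot.com
O1 - Hosts: 127.0.0.1 ads.example.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
"""


def parse_o1(log_text):
    """Return {ip: set(hostnames)} for every O1 entry; duplicates collapse."""
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m:
            by_ip[m.group(1)].add(m.group(2).lower())
    return dict(by_ip)


def is_sinkhole(ip):
    """True for addresses a blocklist uses to make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: report it rather than ignore it
    return addr.is_loopback or addr.is_unspecified


def find_redirects(log_text):
    """List (ip, sorted hostnames) for names pinned to a non-sinkhole address."""
    hits = [(ip, sorted(hosts)) for ip, hosts in parse_o1(log_text).items()
            if not is_sinkhole(ip)]
    return sorted(hits, key=lambda h: -len(h[1]))


if __name__ == "__main__":
    for ip, hosts in find_redirects(SAMPLE_LOG):
        print(f"{ip}: {len(hosts)} hostname(s) redirected")
        for h in hosts:
            print("   ", h)
```

Many unrelated banking and sign-in hostnames pinned to one routable address is the pattern in this log, and it is why the eBay sign-in page would not open.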
