virus/spyware/trojan or malware

Hi,
Hopefully I'm posting this correctly.
Fisrtly it's my laptop that has some sort of problem.
Im running windows XP.
It started off with Antivitus 2009 then spyware protect 2009, followed by win32/Nuqel.E.
I cannot log onto laptop in normal or selective start up.
I can start it in safe mode.
If I try in safe mode with networking, then whatever I put into the search engine bar, jumps to some other program to do with spyware protect.
I'm typing this on my sons PC as mine cannot use internet on the laptop and use is limited.
I read your terms and conditions.
I have registered on your system.
I have tried to install latest Java and JavaRa and Adobe Reader 9, by copying them from sons pc onto my laptop by card reader however when I try to install I get " system administrator has set policies to prevent this installation".
I have turned word wrap off in notedpad and have managed to get a hijack this log file, as below.

Please can you help?
thanks in anticipation
Ade

Logfile of HijackThis v1.99.1
Scan saved at 11:59:28, on 07/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ade\My Documents\AntiVirusStuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D} - C:\WINDOWS\system32\atkctr.dll
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMcfg] smcfg.exe -s
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [Xziburowo] rundll32.exe "C:\WINDOWS\Bvuxoxihuvuwox.dll",e
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKLM\..\Run: [SystemTray Monitor] SysTraymon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX685 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE /FU "C:\WINDOWS\TEMP\E_SC7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Ade\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [L08AXLRD_4183064] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_3587278] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_24200738] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_2356017] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: ChkDisk.dll
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotKeyDriver.lnk = C:\Program Files\HotKey_Driver\HotKeyDriver.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.Viglen.co.uk/
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: zppavayf - zppavayf32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
  O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
  O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
  O2 - BHO: (no name) - {CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D} - C:\WINDOWS\system32\atkctr.dll
  O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
  O4 - HKLM\..\Run: [Xziburowo] rundll32.exe "C:\WINDOWS\Bvuxoxihuvuwox.dll",e
  O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
  O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
  O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Ade\LOCALS~1\Temp\csrssc.exe
  O20 - Winlogon Notify: zppavayf - zppavayf32.dll (file missing)
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

I have run the scan of highjack this and 'fix checked' the files mentioned, however I cannot run Malwarebytes' anti malware as the program will not start in safe mode.
I can only start the pc in this mode. If I when I launch XP normally it immediately logs off again.
I do hope you can help,
thanks
Ade

Lets do a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\atkctr.dll
C:\WINDOWS\system32\rah3b8ffdnd.dll
C:\WINDOWS\Bvuxoxihuvuwox.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

The process did exactly as you said.
When it rebooted it did not start normally and I had to again press F8 for safe mode, then once I copied the avenger.txt file to card reader I was able to transfer to my sons PC as below for your viewing,
thanks
Ade

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmaxt.sys
Driver disabled successfully.

Rootkit scan completed.


Error: could not open file "C:\WINDOWS\system32\atkctr.dll"
Deletion of file "C:\WINDOWS\system32\atkctr.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File "C:\WINDOWS\system32\rah3b8ffdnd.dll" deleted successfully.
File "C:\WINDOWS\Bvuxoxihuvuwox.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Hello.
MBAM should work now, give it a try.

So far so good. It did launch Malwarebytes, however wouldn't update in safe mode without networking. I restarted laptop again in safe mode with networking and it did update. I immediately got warnings from windows security alert about a virus(BankerFox.A).
Anyway ran malwarebytes and it found 28 objects infected. You were right some could not be removed unless pc was restarted. I have done this in safe mode without networking. Found log created by malwarebytes as below.
Thanks once again
Ade

Malwarebytes' Anti-Malware 1.33
Database version: 1738
Windows 5.1.2600 Service Pack 3

08/02/2009 15:57:48
mbam-log-2009-02-08 (15-57-48).txt

Scan type: Quick Scan
Objects scanned: 61458
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 28

Memory Processes Infected:
C:\WINDOWS\Temp\rdlB9.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\Temp\rdlBA.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Opachki) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xziburowo (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdlB9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdlBA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ade\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl92.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl9B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl9F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS2802.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Bvuxoxihuvuwox.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pdbcopy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7z.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmware-ufad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ade\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS26c1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbubx.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.

Lets make sure it's gone now.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

Well I thought things were going well.
I mentioned earlier I was unable to use the laptop to post this as the internet would not launch nor would normal startup, well with me transfering the data for your viewing from the laptop to my sons pc via card reader, the spyware virus has transferred via the card reader to my sons pc.
I ran malwarebytes on it as I had it downloaded and all seems well with the sons pc.(so far)
Anyway, that'll be another issue later, back to my pc and I managed to get the DDS.txt log as below,
thanks again
Ade
PS the posted message was too big, its continued on below.


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by Ade at 16:35:44.95 on 08/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.991.769 [GMT 0:00]

AV: eTrust EZ Antivirus *On-access scanning enabled* (Updated)
FW: eTrust EZ Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ade\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {cdbfb8ea-840a-4c3a-9e6d-0511be8f909d} - c:\windows\system32\atkctr.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX685 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticje.exe /fu "c:\windows\temp\E_SC7.tmp" /EF "HKCU"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [L08AXLRD_4183064] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_3587278] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_24200738] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_2356017] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMcfg] smcfg.exe -s
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [Zone Labs Client] "c:\program files\ca\etrust ez armor\etrust ez firewall\ca.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Xziburowo] rundll32.exe "c:\windows\Bvuxoxihuvuwox.dll",e
mRunOnce: [Cleanup] C:\cleanup.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotkey~1.lnk - c:\program files\hotkey_driver\HotKeyDriver.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

R0 gchkihsb;gchkihsb;c:\windows\system32\drivers\gchkihsb.sys [2004-9-16 23424]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-11-22 10872]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2009-2-5 15671]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
S0 ati1chxx;ati1chxx;c:\windows\system32\drivers\ati1chxx.sys [2009-2-3 32768]
S0 ati7hkxx;ati7hkxx;c:\windows\system32\drivers\ati7hkxx.sys [2009-2-3 32768]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
S1 ethacyss;ethacyss;c:\windows\system32\drivers\ethacyss.sys [2009-2-2 137280]
S1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2009-2-5 21031]
S1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2009-2-5 15478]
S1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2009-2-5 879832]
S1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-2-6 26787]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-5 271792]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2007-11-9 13352]
S3 pmxscan;USB USB FlatBed Scanner Driver;c:\windows\system32\drivers\usbscan.sys [2006-6-9 15104]
S3 Unilocator;Unilocator;c:\windows\system32\LOCATRNT.EXE [1996-9-30 138240]
S3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2009-2-5 108360]
S4 CAISafe;CAISafe;c:\program files\ca\etrust ez armor\etrust ez antivirus\iSafe.exe [2009-2-5 259184]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
S4 VETMSGNT;VET Message Service;c:\program files\ca\etrust ez armor\etrust ez antivirus\VetMsg.exe [2009-2-5 197744]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-02-08 15:50 78,613 a------- c:\windows\system32\B8.tmp
2009-02-08 15:50 67,585 a------- c:\windows\system32\B7.tmp
2009-02-08 15:50 168 a------- c:\windows\system32\B6.tmp
2009-02-08 15:48 5,613 a------- c:\windows\system32\B5.tmp
2009-02-08 15:48 67,585 a------- c:\windows\system32\B4.tmp
2009-02-08 15:48 168 a------- c:\windows\system32\B3.tmp
2009-02-08 15:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 15:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 15:43 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 08:39 471,876 a------- C:\zip.exe
2009-02-08 08:39 19,286 a------- C:\cleanup.exe
2009-02-08 08:39 574 a------- C:\cleanup.bat
2009-02-07 09:49 --d----- c:\windows\Internet Logs
2009-02-06 18:46 26,787 a------- c:\windows\system32\drivers\vetmonnt.sys
2009-02-06 18:44 441 a------- c:\windows\system32\TDSSnrsr.dat
2009-02-05 21:29 --d----- c:\program files\CA
2009-02-05 07:13 32,768 a---h--- c:\documents and settings\ade\aajcv.exe
2009-02-05 07:13 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-05 07:12 162,628 a------- c:\windows\system32\20.tmp
2009-02-05 07:12 88 a------- c:\windows\system32\1F.tmp
2009-02-05 07:10 616 a------- c:\windows\system32\1E.tmp
2009-02-05 07:09 162,628 a------- c:\windows\system32\1A.tmp
2009-02-05 07:09 88 a------- c:\windows\system32\18.tmp
2009-02-04 20:45 67 a------- C:\Ntf14.tmp
2009-02-04 20:45 67 a------- C:\Ntf13.tmp
2009-02-04 18:03 67 a------- C:\Ntf12.tmp
2009-02-04 18:03 67 a------- C:\Ntf11.tmp
2009-02-04 17:50 96,256 a------- c:\windows\system32\atkctr.dll
2009-02-04 17:49 67 a------- C:\NtfF.tmp
2009-02-04 17:49 67 a------- C:\Ntf10.tmp
2009-02-03 19:42 1,333,698 a------- C:\NtfD.tmp
2009-02-03 19:42 67 a------- C:\NtfE.tmp
2009-02-03 19:22 1,135,405 a------- C:\NtfB.tmp
2009-02-03 19:22 67 a------- C:\NtfC.tmp
2009-02-03 18:42 32,768 a------- c:\windows\system32\drivers\ati7hkxx.sys
2009-02-03 18:42 1,030,621 a------- C:\Ntf9.tmp
2009-02-03 18:42 67 a------- C:\NtfA.tmp
2009-02-03 16:57 0 a------- c:\windows\system32\10.tmp
2009-02-03 16:57 820,981 a------- C:\Ntf7.tmp
2009-02-03 16:57 67 a------- C:\Ntf8.tmp
2009-02-03 13:55 67 a------- C:\Ntf6.tmp
2009-02-03 13:55 67 a------- C:\Ntf5.tmp
2009-02-03 13:15 88,790 a------- c:\windows\system32\11.tmp
2009-02-03 13:13 67 a------- C:\Ntf4.tmp
2009-02-03 13:13 67 a------- C:\Ntf3.tmp
2009-02-03 12:58 0 a------- c:\windows\system32\19.tmp
2009-02-03 12:55 136,990 a------- c:\windows\system32\17.tmp
2009-02-03 12:54 8,510 a------- c:\windows\system32\13.tmp
2009-02-03 06:56 16,896 a------- c:\windows\system32\zppavayf.dll
2009-02-03 06:48 32,768 a------- c:\windows\system32\drivers\ati1chxx.sys
2009-02-03 06:48 527 a------- c:\windows\system32\win32hlp.cnf
2009-02-02 22:04 --d----- c:\program files\TomTom DesktopSuite
2009-02-02 21:36 137,280 a------- c:\windows\system32\drivers\ethacyss.sys
2009-02-02 21:31 5 a------- c:\windows\_id.dat
2009-02-02 21:31 124 a------- c:\windows\adobe.bat
2009-02-02 21:30 64,512 a------- c:\windows\system32\res2coff.exe
2009-02-02 19:32 128,306 a------- c:\windows\system32\126_av.exe
2009-02-02 19:08 --d----- c:\docume~1\ade\applic~1\Malwarebytes
2009-02-02 19:08 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-02 18:58 0 a------- c:\windows\system32\20B.tmp
2009-02-02 17:11 --dsh--- c:\windows\system32\twain32
2009-02-02 17:02 67 a------- C:\Ntf2.tmp
2009-02-02 17:02 67 a------- C:\Ntf1.tmp
2009-02-02 07:18 --d----- c:\program files\common files\Download Manager
2009-02-01 22:43 61,440 a------- c:\windows\system32\chert13-303374.exe
2009-02-01 22:36 1 a------- c:\windows\system32\uniq.tll
2009-02-01 22:36 43,520 a------- c:\windows\system32\303374.exe
2009-01-18 18:32 --d----- c:\program files\common files\Adobe Systems Shared
2009-01-11 21:35 --d----- c:\docume~1\ade\applic~1\HandBrake
2009-01-11 21:25 --d----- c:\program files\HandBrake
2009-01-11 21:07 --d----- c:\docume~1\ade\applic~1\AVS4YOU
2009-01-11 21:07 --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-01-11 21:05 --d----- c:\program files\common files\AVSMedia
2009-01-11 21:05 24,576 a------- c:\windows\system32\msxml3a.dll
2009-01-11 21:05 --d----- c:\program files\AVS4YOU

==================== Find3M ====================

2009-02-06 18:45 879,832 a------- c:\windows\system32\drivers\VetEFile.sys
2009-02-06 18:45 108,360 a------- c:\windows\system32\drivers\VetEBoot.sys
2009-02-05 21:29 4,212 -c--h--- c:\windows\system32\zllictbl.dat
2009-02-05 21:29 115,824 a------- c:\windows\UnVet32.exe
2009-02-05 21:29 107,632 a------- c:\windows\AVShlExt.dll
2009-02-05 21:29 74,864 a------- c:\windows\system32\VetRedir.dll
2009-02-05 21:29 21,031 a------- c:\windows\system32\drivers\Vet-Filt.sys
2009-02-05 21:29 15,671 a------- c:\windows\system32\drivers\VetFDDNT.sys
2009-02-05 21:29 15,478 a------- c:\windows\system32\drivers\Vet-Rec.sys
2009-02-05 07:12 14,336 a------- c:\windows\system32\svchost.exe
2009-02-02 07:20 142,848 a------- c:\windows\system32\userinit.exe
2009-01-03 17:47 10,344 a------- c:\windows\system32\drivers\symlcbrd.sys
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 00:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 02:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 02:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-05-23 09:05 87,608 ac------ c:\docume~1\ade\applic~1\inst.exe
2008-05-23 09:05 47,360 ac------ c:\docume~1\ade\applic~1\pcouffin.sys
2007-01-10 10:42 52,400 ac------ c:\docume~1\ade\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:36:28.23 ===============

Hello.
Some of your legit files are patched, do you have your XP disc?

• Download combofix from here combofix.exe
  
• Please disable your local AV (Anti-virus) by right clicking it's icon in the tray, and exit it. See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

WOW- I'm already amazed. The laptop did exactly as you said.

I haven't got the XP disc as it was pre-installed when purchased. I do have recovery disc.
I am reluctant to reboot as I have many family photos on the laptop.

It rebooted normally.
Here is the C:\combofix.txt log in two posts

ComboFix 09-02-07.01 - Ade 2009-02-08 19:42:57.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.762 [GMT 0:00]
Running from: C:\Documents and Settings\Ade\Desktop\Combo-Fix.exe
FW: eTrust EZ Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ade\Application Data\inst.exe
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\303374.exe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\zppavayf.dll
E:\autorun.inf
.
---- Previous Run -------
.
C:\WINDOWS\system32\uniq.tll
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\zlbw.dll

C:\WINDOWS\system32\userinit.exe . . . is infected!!

C:\WINDOWS\system32\svchost.exe . . . is infected!!

C:\WINDOWS\system32\spoolsv.exe . . . is infected!!

C:\WINDOWS\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_PROTECT
-------\Legacy_TDSSSERV.SYS
-------\Service_Passthru
-------\Service_protect
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 19:47 . 2009-02-08 19:47 67,585 --a------ C:\WINDOWS\system32\1C.tmp
2009-02-08 19:47 . 2009-02-08 19:47 168 --a------ C:\WINDOWS\system32\1B.tmp
2009-02-08 19:47 . 2009-02-08 19:48 0 --a------ C:\WINDOWS\system32\1D.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf16.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf15.tmp
2009-02-08 19:38 . 2009-02-08 19:38 64,512 --a------ C:\WINDOWS\system32\idag.exe
2009-02-08 19:38 . 2009-02-08 19:38 168 --a------ C:\WINDOWS\system32\2.tmp
2009-02-08 15:50 . 2009-02-08 15:51 78,613 --a------ C:\WINDOWS\system32\B8.tmp
2009-02-08 15:50 . 2009-02-08 15:50 67,585 --a------ C:\WINDOWS\system32\B7.tmp
2009-02-08 15:50 . 2009-02-08 15:50 168 --a------ C:\WINDOWS\system32\B6.tmp
2009-02-08 15:48 . 2009-02-08 15:48 67,585 --a------ C:\WINDOWS\system32\B4.tmp
2009-02-08 15:48 . 2009-02-08 15:48 5,613 --a------ C:\WINDOWS\system32\B5.tmp
2009-02-08 15:48 . 2009-02-08 15:48 168 --a------ C:\WINDOWS\system32\B3.tmp
2009-02-08 15:43 . 2009-02-08 15:43 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-08 15:43 . 2009-01-14 16:11 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-02-08 15:43 . 2009-01-14 16:11 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-02-07 09:49 . 2009-02-07 10:56 d-------- C:\WINDOWS\Internet Logs
2009-02-05 21:29 . 2009-02-05 21:29 d-------- C:\Program Files\CA
2009-02-05 07:13 . 2009-02-05 07:13 66,560 ---h----- C:\WINDOWS\system32\secupdat.dat
2009-02-05 07:13 . 2009-02-05 07:13 32,768 --ah----- C:\Documents and Settings\Ade\aajcv.exe
2009-02-05 07:12 . 2009-02-05 07:12 162,628 --a------ C:\WINDOWS\system32\20.tmp
2009-02-05 07:12 . 2009-02-05 07:12 88 --a------ C:\WINDOWS\system32\1F.tmp
2009-02-05 07:10 . 2009-02-05 07:10 616 --a------ C:\WINDOWS\system32\1E.tmp
2009-02-05 07:09 . 2009-02-05 07:09 162,628 --a------ C:\WINDOWS\system32\1A.tmp
2009-02-05 07:09 . 2009-02-05 07:09 88 --a------ C:\WINDOWS\system32\18.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf14.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf13.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf12.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf11.tmp
2009-02-04 17:50 . 2004-08-04 13:00 96,256 --a------ C:\WINDOWS\system32\atkctr.dll
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\NtfF.tmp
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\Ntf10.tmp
2009-02-03 19:42 . 2009-02-03 20:13 1,333,698 --a------ C:\NtfD.tmp
2009-02-03 19:42 . 2009-02-03 19:42 67 --a------ C:\NtfE.tmp
2009-02-03 19:22 . 2009-02-03 19:41 1,135,405 --a------ C:\NtfB.tmp
2009-02-03 19:22 . 2009-02-03 19:22 67 --a------ C:\NtfC.tmp
2009-02-03 18:42 . 2009-02-03 19:21 1,030,621 --a------ C:\Ntf9.tmp
2009-02-03 18:42 . 2009-02-05 16:25 32,768 --a------ C:\WINDOWS\system32\drivers\ati7hkxx.sys
2009-02-03 18:42 . 2009-02-03 18:42 67 --a------ C:\NtfA.tmp
2009-02-03 16:57 . 2009-02-03 18:40 820,981 --a------ C:\Ntf7.tmp
2009-02-03 16:57 . 2009-02-03 16:57 67 --a------ C:\Ntf8.tmp
2009-02-03 16:57 . 2009-02-03 16:57 0 --a------ C:\WINDOWS\system32\10.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf6.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf5.tmp
2009-02-03 13:15 . 2009-02-03 13:15 88,790 --a------ C:\WINDOWS\system32\11.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf4.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf3.tmp
2009-02-03 12:58 . 2009-02-03 12:58 0 --a------ C:\WINDOWS\system32\19.tmp
2009-02-03 12:55 . 2009-02-03 12:56 136,990 --a------ C:\WINDOWS\system32\17.tmp
2009-02-03 12:54 . 2009-02-03 12:55 8,510 --a------ C:\WINDOWS\system32\13.tmp
2009-02-03 06:48 . 2009-02-03 17:36 32,768 --a------ C:\WINDOWS\system32\drivers\ati1chxx.sys
2009-02-02 22:04 . 2009-02-02 22:04 d-------- C:\Program Files\TomTom DesktopSuite
2009-02-02 21:36 . 2009-02-05 07:09 137,280 --a------ C:\WINDOWS\system32\drivers\ethacyss.sys
2009-02-02 21:31 . 2009-02-03 20:17 124 --a------ C:\WINDOWS\adobe.bat
2009-02-02 21:31 . 2009-02-02 21:31 5 --a------ C:\WINDOWS\_id.dat
2009-02-02 21:30 . 2009-02-02 21:30 64,512 --a------ C:\WINDOWS\system32\res2coff.exe
2009-02-02 19:32 . 2009-02-02 19:32 128,306 --a------ C:\WINDOWS\system32\126_av.exe
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\Ade\Application Data\Malwarebytes
2009-02-02 18:58 . 2009-02-02 18:58 0 --a------ C:\WINDOWS\system32\20B.tmp
2009-02-02 17:12 . 2009-02-02 17:12 22,016 --ahs---- C:\WINDOWS\system32\config\systemprofile\protect.dll
2009-02-02 17:11 . 2009-02-05 07:13 d--hs---- C:\WINDOWS\system32\twain32
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf2.tmp
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf1.tmp
2009-02-02 07:18 . 2009-02-02 07:18 d-------- C:\Program Files\Common Files\Download Manager
2009-02-01 22:43 . 2009-02-01 22:43 61,440 --a------ C:\WINDOWS\system32\chert13-303374.exe
2009-01-18 18:33 . 2009-01-18 18:33 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2009-01-18 18:32 . 2009-01-18 18:32 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2009-01-11 21:35 . 2009-01-11 21:35 d-------- C:\Documents and Settings\Ade\Application Data\HandBrake
2009-01-11 21:25 . 2009-01-11 21:25 d-------- C:\Program Files\HandBrake
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\Ade\Application Data\AVS4YOU
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\Common Files\AVSMedia
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\AVS4YOU
2009-01-11 21:05 . 2007-02-27 18:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll

Last edited by Ade3277 on 8th February 2009, 8:07 pm; edited 1 time in total

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 19:48 --------- d-----w C:\Documents and Settings\Ade\Application Data\DMCache
2009-02-08 19:47 18,944 ---ha-w C:\WINDOWS\system32\drivers\protect.sys
2009-02-05 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2009-02-02 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-02 19:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2009-01-18 18:31 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-16 20:56 --------- d-----w C:\Program Files\Google
2009-01-14 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-11 21:31 --------- d-----w C:\Program Files\DivX
2009-01-11 21:21 --------- d-----w C:\Documents and Settings\Ade\Application Data\Vso
2009-01-11 20:14 --------- d-----w C:\Program Files\DVDVideoSoft
2009-01-11 20:14 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2009-01-06 11:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-01-05 15:39 --------- d-----w C:\Program Files\Bonjour
2009-01-05 15:37 --------- d-----w C:\Program Files\iTunes
2009-01-05 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-05 15:36 --------- d-----w C:\Program Files\iPod
2009-01-05 15:36 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-05 15:27 --------- d-----w C:\Program Files\QuickTime
2009-01-05 15:09 --------- d-----w C:\Program Files\Safari
2009-01-05 13:12 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2009-01-05 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-01-04 12:05 --------- d-----w C:\Program Files\Ahead
2009-01-04 11:55 --------- d-----w C:\Program Files\Common Files\Nero
2009-01-04 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2009-01-03 17:47 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2009-01-03 11:05 --------- d-----w C:\Program Files\Common Files\Ahead
2008-12-27 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-12-27 10:33 --------- d-----w C:\Program Files\TomTom HOME 2
2008-12-27 10:33 --------- d-----w C:\Documents and Settings\Ade\Application Data\TomTom
2008-12-11 10:57 333,952 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-05-23 09:05 47,360 -c--a-w C:\Documents and Settings\Ade\Application Data\pcouffin.sys
2007-01-10 10:42 52,400 -c--a-w C:\Documents and Settings\Ade\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-04 13:00 31744 e9fd36c652215e4d22893485ed1c1573 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 31744 d62497f87012485acd7bc10bcfda6f57 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2009-02-05 07:12 14336 b6d2734935fc224edca6138f9f958bcd C:\WINDOWS\system32\svchost.exe

2008-04-14 00:12 1051136 0b5e0b75fea14ad060a6bf0eb1aebf9d C:\WINDOWS\explorer.exe
2007-06-13 11:26 1050624 4908b19a9c830a6145766f18471c0131 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1050624 0cd253ded4d3b3d95174bf17fa7cfdbc C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 13:00 1049600 3351a6e5b389a846b7c2a56e43a1119d C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1051136 5f303aac89951cafc6b753f74529275d C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 13:00 32768 1c511de92cf006f779c33f5b880662ea C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32768 3eba43f2baf8902fba14264e2fa20eeb C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32768 2fe8ef9cc99ed7d5b5fb686131562a7b C:\WINDOWS\system32\ctfmon.exe

2005-06-11 00:17 75264 b77a1fa98288e51383135052d3e7c8cd C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 75264 dd026ed8d08f17aaf21663ad5006be7b C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 13:00 75264 a80b51046367382a4a11a177fbce1065 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 00:12 75264 0e53f5810137eda413dee64cd11427ce C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 75264 fbf11f1eda44a70cc3001177212d7737 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 13:00 41984 93432176a24edb23caecbe66f130ca4e C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a842a873acb1c915d7689ff273a50104 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2009-02-02 07:20 142848 e27a3a0d47f219ce34d3e1692fc7f333 C:\WINDOWS\system32\userinit.exe
2009-02-02 07:20 142848 d441ea8e9119938f356dbf1d960ad6ef C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D}]
2004-08-04 13:00 96256 --a------ C:\WINDOWS\system32\atkctr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12 32768]
"EPSON Stylus Photo RX685 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE" [2007-04-13 06:00 199680]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 10:12 234856]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-11-21 09:38 2553264]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 18:55 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12 1712640]
"L08AXLRD_4183064"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_3587278"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_24200738"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_2356017"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2004-09-06 05:28 442368]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-06 08:45 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-06 16:32 593920]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-05-10 03:50 126976]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-01 13:02 180224]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 07:40 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 180224]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2004-10-12 08:33 722192]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 09:55 888832]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-11-04 10:30 434176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 180224]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 00:13 774168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 13:20 290088]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 09:27 52848]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 14:16 111936]
"SMcfg"="smcfg.exe" [2004-11-01 16:55 102400 C:\WINDOWS\SmCfg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 00:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 00:12 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotKeyDriver.lnk - C:\Program Files\HotKey_Driver\HotKeyDriver.exe [2005-04-27 12:07:03 2306048]

Hello.
Bad news.

Your machine is infected with Virut.
Virut is a file infector, but it wasn't written properly and these infected files may become corrupt, there is nothing we can do now.
Your machine is also compromised, use a clean machine and change any passwords for any online banking, msn, etc.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

And I thought all was going well.
thankyou for your time.
Ade

Hi,
I have changed all my passwords via another pc.
The laptop will now not connect to the internet.
Any ideas?
I tried repair for wireless by right clicking the icon in right corner.
I then tried with ethernet connection and still nothing, other than i ran diagnostic from the screen that came up and there was something about winsock and also adapter stae not found in registry.
your help is appreciated.
thanks
Ade

Hello.
Until you format (DO NOT back anything up), I can't help you anymore.
Your files are patched and we can't do anything to change it back, only formatting will fix this.

Will formatting lose all my family photos?
You mention in brackets "do not back anything up". Can I not save photos and videos of family to disc or external drive?
What does it mean "files are patched"?
Can you explain, what has happened in easy terms for a novice like me.
At the moment I can view my photos and videos but not access the internet.
I played around with the pc and the wireless icon in bottom right hand corner is now connected but internet page or e-mail won't access/connect.
The ethernet connection with wire won't work either.
I know it's alot of questions but I'm confused.
thanks
Ade

I'll try to explain as easy as I can.

When an XP machine logons to a user account, userinit file and registry value are called upon, which allows you in.
Userinit is infected by the malware and as I said with it not being correctly written, the file may become corrupt. If that happens, you will not be able to logon anymore, and because of the infection, we cannot replace the file. Meaning you will lose EVERYTHING and not getting it back.

Photo pictures (bmp,jpg,gif, etc) and video files (avi,mpg,mp4, etc) should be okay, it's .exe files and .scr files that are patched.

Backup your pictures/video (DO NOT backup any .exe/.scr files otherwise you backup the infection too)

Then format.

Can we not re-write the userinit file and alter the registry back?
Or is that an impossible task!
Your are talking to someone who knows nothing about pc talk,
thanks
Ade

Nope, ALL these legit .exe files are patched and cannot be replaced.
Everything (besides formatting) is useless.

I mentioned in an earlier post that the card reader i was using to upload the logs appeared to put spyware protect 2009 onto this pc i'm using however I ran malwarebytse and I have had no further problems would this pc be ok.

Nope.
If Virut remains on the PC, you are basically giving the bad guys a new machine to host malware on.
You can never use this machine for stuff like Paypal because it will keylog your passwords.

It gets worse and worse. I hope I haven't got two pc's knackered.
I ran hijack this from my sons pc and the log is below.
Am I posting this correctly?
I would appreciate it if you can see if this ones ok. It's an older pc but good enough for my sons hoemwork, thanks Ade


Logfile of HijackThis v1.99.1
Scan saved at 19:52:00, on 10/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adrian\My Documents\AntiVirusStuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus Photo RX685 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE /FU "C:\DOCUME~1\Adrian\LOCALS~1\Temp\E_S2.tmp" /EF "HKCU"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

His machine looks fine.
No HJT signs that you had from the other machine.

You are running an old version of Hijack This, and I ask that you use this new version if needed due to versions below 2.0.2 have a few bugs in them.

Please download the current version of HijackThis from HERE

Have downloaded new version.
Do you need to see a log created from the new version or not?

If not, just to let you know I will endeavour to save all family photos and vids from other pc to an external hard drive. Once I've done this I will come back to you if thats okay on this post to see what we can do with re-format of the laptop. Hopefully that'll be okay. This maybe a couple of days.
PS. you mentioned that .exe and .scr are the ones not to back up.Are these easy to spot. I believe i know what an .exe looks like as it has the extension as that, and they are files that load up programs, but I cannot recall ever seeing a .scr file. Can I save powerpoint presentations?

scr means screensaver, but it's also an executable file.
Powerpoints are .ppt, so they are safe.

Don't need a new log.

Thanks for all your help.
I'll certainly mention you to friends.
I'll be back in a couple of days or so,
thanks
Ade

Hi,
Before I back up my files, are all .exe files bad, or can I back up ones that run software that I have been using as long as I know what it is. The reason I ask is I have downloaded a garmin .exe file I bought for my gps. Will this now be safe to copy onto external hard drive and use again once laptop has been re-formatted,
thanks
Ade

Nope, it's infected.

Hi,
more questions.
I have purchased an external hard drive (Western digital USB type).
I have an issue before I back up my photos and vids. When the hardrive is plugged into laptop it launches software enabling me to sync my files from laptop to the drive.
This is launched by a .exe file.
If i can't run this external harddrive, by launching the program how can i copy my folders to it?
Or is the harddrive safe to run on the laptop?
your thoughts,
thanks
Ade

Hello.
The external drive should be okay, there drives indexing or autoplay isn't run an exe, it's run by an autorun.inf file that launches it for your machine.

Please download Flash_Disinfector from HERE

• First, download it to your desktop.
  
• Now double click it to run it and will tell it you what to do when you open it.
  
• It will temporarily kill explorer.exe and your desktop will go blank.
  
• Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
  
• It will make a dummy autorun.inf in the root of every drive.
  
• You can now delete Flash_Disinfector.exe.
  

The drive should be okay now.

hi,

the above does not work. "The webpage cannot be found".
Was I to download it to my sons pc?, whilst the external drive is plugged into his usb port?
Or download via sons pc, copy it to card reader then upload to laptop onto desk top with external hard drive plugged into the laptop usb?
thanks
Ade

Hello.
Thank you for letting me know.
F_D has moved, new link here:
http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe

hi,
got it.
Saved the .exe file to sons pc, put it on card reader to my laptop.
I haven't run it yet, cos I don't know if I should save/back up all the photos now to hard drive or after running it.
Can you advise?
thanks
Ade

Run it first, then back up.
F_D will provide protection while you do this.

I have run it.
Connected external hard drive and card reader.
Got a box that said,"done".
Now copying photos to hard drive, this could take a while by the looks of things.
As soon as it's done, I'll get back to you,
thanks again,
Ade

Hi,
All photos and vids backed up to external hard drive
What can I do now with the nightmare of a laptop?
Thanks
Ade

Format it.
Put in your XP setup disc.
Reboot your machine and boot from the disc.

Then format.
Some links with info how to and other stuff here:

http://www.geekpolice.net/virus-spyware-malware-removal-f11/virus-spyware-trojan-or-malware-t6494.htm#40105

Hi,
Formatting done.
thanks everso for your help,
Ade

Hi again,
Well I thought things were fine.
I put the recovery disc in the PC, I re-started the laptop, I then got the message to boot from disc and press enter.
I did all this it took about an hour.
When I start the pc now, I get a black screen with the following.

Microsoft Windows XP Home Edition
Microsoft Recovery Console
Microsoft Windows XP Home Edition

I have to tab up or down and choose one.
If I choose the top one, things appear to run ok( basic software at factory install), however when I go into my computer, c drive, then ades folder, i get message access is denied.

If I choose the second "Microsoft Windows XP Home Edition", I get all the stuff, software, folders, everything as it was but it takes about a minute and then it crashes and goes to a blue screen.
When I restart it the next time, it says the pc has recovered from a serious error.
The laptop used to start on it's own and I didn't have to choose anything.
Any ideas?
thanks
Ade

I think you got the wrong disc.
Recovery disc is the basic recovery console, it has to be a setup disc, or has the setup files on that disc you have now.

I'm sure it's the right disc.
You get all the warning signs that all data will be lost if you go ahead.

Just so as I have this right.
Your previous post says format it, then put in the disc then reboot from disc.

Do i just put the disc in the drive restart the computer then when it says " to boot from disc press any key", I press any key.
There is nothing else to do before this or after.
Format means put the disc in- Correct?
thanks
Ade

My bad.
Yes, it's probably the right disc then.

The account that this logs onto, is it the admin account?

Ahh,
I think I'm getting there.
I could be at this for years to come.

First,
I backed up photos.
How do I back up microsoft outlook names address, e-mails?
It's all blank in safe mode and the pc crashes in normal startup.
thanks
Ade

Hmm.
To restore backups you mean?

I assume you can just drag/drop files onto the C (or D) drive, but email backups may not appear in outlook, but if you can still read the messages, just keep them on your hardrive (C drive) along with whatever else you have put back.

Hi,
I'm an idiot.
I have now re-installed XP.
What i did first time was install a second copy of XP and had a partition.
All gone now, back to factory state.
Anything i should install, tweak or do now?
thanks
Ade

Yep.
Turn autoplay off again. You don't need the stick plugged in this time.

Please download Flash_Disinfector from HERE

• First, download it to your desktop.
  
• Now double click it to run it and will tell it you what to do when you open it.
  
• It will temporarily kill explorer.exe and your desktop will go blank.
  
• Let Flash_Disinfector do it's job and it will restart explorer.exe for you.
  
• It will make a dummy autorun.inf in the root of every drive.
  
• You can now delete Flash_Disinfector.exe.
  

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

I have taken all the advice. I am so pleased with the result. Feedback form has been completed, thanks so much,
Ade

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.