my wifes laptop has suddenly gone down like a lead ballon with viruses. i think i have got rid of most of them (but probanly haven't). when i run Spybot it still says i have Virtumonde and Win32.Qhost.abh viruses.
the laptop has become sluggish
it only fully boots when it wants to
it will not let me access the internet to update any virus protection software - it will let me search google but if i click a page to go to it will not let me access the page
get pop up ads for all sorts of things.
it had no virus protection so i have installed AVG (via my own laptop and memory stick) but it won't let me update definitions

i am currently running Vundofix and it is still scanning

any help would be appreciated

thanks

End the VundoFix scan and do this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself.
• Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Reagardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

malwarebytes report below as requested

regards

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

00:32:51 28/08/2008
mbam-log-08-28-2008 (00-32-51).txt

Scan type: Quick Scan
Objects scanned: 100034
Time elapsed: 40 minute(s), 16 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 30
Registry Values Infected: 5
Registry Data Items Infected: 9
Folders Infected: 13
Files Infected: 46

Memory Processes Infected:
C:\WINDOWS\system\Update.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\urqOHYRh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qoMfFuTn.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24577c41-27a0-4033-ad26-581a3a7b1abb} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{24577c41-27a0-4033-ad26-581a3a7b1abb} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd861218-a2ac-46ea-ad5a-6e97f48aca50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomffutn (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dd861218-a2ac-46ea-ad5a-6e97f48aca50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\pk.ie (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pk.ie.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj.1 (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c89435b0-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e1b2879-88ff-11d3-8d96-d7acac95951a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c900b400-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{28a73c97-a538-08ee-fa8a-1cf3009db0d0} (Rogue.PestPatrol) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1e1b286c-88ff-11d3-8d96-d7acac95951a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cb3870-cdfe-11d3-976a-00e02913a9e0} (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\altcompare (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv6rj0eae3 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv6rj0eae3 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\whiehelperobj.whiehelperobj (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webHancer Agent (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\webHancer (Adware.WebHancer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dd861218-a2ac-46ea-ad5a-6e97f48aca50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updates (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updates (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Printer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqohyrh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\urqohyrh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.QHost) -> Data: c:\windows\system32\wowfx.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.QHost) -> Data: wowfx.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.QHost) -> Data: system32\wowfx.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Data: c:\windows\shell.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-OEM-0011903-00101) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\admin\Application Data\Microsoft\dtsc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\rhcv6rj0eae3\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\urqOHYRh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hRYHOqru.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hRYHOqru.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMfFuTn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\eabutqat.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taqtubae.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ldnprkyk.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kykrpndl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\altcmd\altcmd32.dll (Rogue.PestPatrol) -> Quarantined and deleted successfully.
C:\WINDOWS\extf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxyxyXqp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\2JWNYBUH\installercash[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\2JWNYBUH\td1[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\OSEUBH31\kb456456[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\Microsoft\dtsc\15151.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\Microsoft\dtsc\s (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd\altcmd.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\altcmd\uninstall.bat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system\Update.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\spoolvs.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\printer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Application Data\printer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Start Menu\Programs\Startup\findfast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wowfx.dll (Trojan.QHost) -> Delete on reboot.
C:\WINDOWS\system32\lphcr6rj0eae3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphcr6rj0eae3.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\shell.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\harry\Start Menu\Programs\Startup\findfast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Your MBAM log indicates some files will be deleted on reboot. If MBAM encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. If you have not rebooted, make sure you do this. When done, rescan again with MBAM and check all items found for removal. Then click the Logs tab and copy/paste the contents of the new report in your next reply. If you did reboot, then rescan again anyway and post a new log.

Forgot to mention that your MBAM log indicates you are using an older database version. Please update to the most current one. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

what do i do with the quarantined files? do i delete those too?

With MBAM, once the scan is completed, infected files marked for "Remove Selected", are copied to the quarantine, renamed, encrypted and password protected, and then the file is either immediately removed or removed on reboot.

If you rebooted and are not having any issues, open MBAM, click on the Quarantine tab and select the option to Delete all.

new log attached

thanks for your help

Malwarebytes' Anti-Malware 1.25
Database version: 1093
Windows 5.1.2600 Service Pack 3

22:19:26 28/08/2008
mbam-log-08-28-2008 (22-19-26).txt

Scan type: Quick Scan
Objects scanned: 102636
Time elapsed: 31 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\44e5f4f3 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rqbmvpso (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe C:\WINDOWS\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

How is your computer running now? Any more reports/signs of infection?

when it loads up i get two error messages

a RUNDLL message which says

error loading C:\WINDOWS|system32\efywhaxw.dll. The specified module could not be found

and a C:\WINDOWS\shell.exe message which says

windows cannot find 'C:\WINDOWS\shell.exe'. make sure you typed the name correctly, and then try again. To search for a file click the Start button and then click Search.

i have also noticed that when i log on with my wifes user name and password that the control panel is no longer available and a windows message comes up asking me to contact the administrator if i search for it on the CMD prompt. however it is present if i log on with my user name. both log ins have administrator priveleges

my newly installed AVG virus software keeps finding viruses - i don't know if they are on the system or incoming via the internet (ongoing)

Spybot -SD Resident started churning stuff out when i rebooted. below is the spybot log after i rebooted - i denied every change - should i have done?

28/08/2008 19:25:56 Denied (based on user decision) value "44e5f4f3" (new data: "") deleted in System Startup global entry!
28/08/2008 19:26:04 Denied (based on user decision) value "Shell" (new data: "Explorer.exe") changed in Winlogon!
28/08/2008 19:26:05 Denied (based on user decision) value "rqbmvpso" (new data: "") deleted in Shell services!
28/08/2008 22:27:41 Denied (based on user decision) value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") changed in System Startup global entry!
28/08/2008 22:27:48 Denied (based on user decision) value "44e5f4f3" (new data: "") deleted in System Startup global entry!
28/08/2008 22:27:55 Denied (based on user decision) value "Shell" (new data: "Explorer.exe") changed in Winlogon!


regards

It's not unusual to receive such an error after using tools to remove malware infection.

RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. A RunDLL "Error loading..." or "specific module could not be found" message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan. However, the associated registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

• Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
• Open the folder and double-click on autoruns.exe to launch it.
• Please be patient as it scans and populates the entries.
• When done scanning, it will say Ready at the bottom.
• Scroll through the list and look for a startup entry related to the file(s) in the error message.
• Right-click on the entry and choose delete.
• Reboot your computer and see if the startup error returns.

Several of the Spybot S&D detected changes were those relating to deleted items by MABM so you should allow them. Rescan one more time with MBAM the same as before and permit Spybot to allow the changes. Don't forget to post the logs.

Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to re-enable you anti-virus and and other security programs before connecting to the Internet.

IMPORTANT NOTE: You are dealing with a serious infection. One or more of the identified infections (tdssserv.sys) was related to a nasty rootkit component and another was a backdoor Trojan. Backdoor Trojans and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Ran the Autoruns program and deleted the DLL file and it has now stopped coming up at start up - thanks

downloaded and ran SDFix and below is copy of log. it re-prompted Spybot to ask about the 'Shell.exe' entry. this time i allowed it and it brought back my control panel

will run one more Malwarebytes scan and add to post later

once again thanks for your help - i won't reccomend you to my friends otherwise you will get too busy and won't have time to help me next time (there won't be a next time as i am all anti-virused up)

regards

SDFix log


SDFix: Version 1.220
Run by Ruth on 29/08/2008 at 11:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

AUTOEXEC.NT Restored from backups

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\admin\LOCALS~1\Temp\sfsrv.exe.bat - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\smchk.exe.bat - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\tmp4B.tmp - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\removalfile.bat - Deleted
C:\DOCUME~1\admin\LOCALS~1\Temp\sfsrv.exe - Deleted
C:\WINDOWS\devldr32.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 11:30:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\008098641a7a]
"000eed654e88"=hex:59,d4,92,f5,85,fb,c2,e8,96,59,12,b8,b2,ce,e5,27
"001262d3d151"=hex:b0,27,c5,b4,65,7b,30,86,44,b0,4d,90,52,f0,1b,fd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:d2b605e2
"s1"=dword:0aa8e5e0
"s2"=dword:b2156293
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d4,8c,6d,d4,2b,fb,96,e0,1f,3d,ca,88,9a,48,90,74,df,77,40,8a,0d,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d4,8c,6d,d4,2b,fb,96,e0,1f,3d,ca,88,9a,48,90,74,df,77,40,8a,0d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\008098641a7a]
"000eed654e88"=hex:59,d4,92,f5,85,fb,c2,e8,96,59,12,b8,b2,ce,e5,27
"001262d3d151"=hex:b0,27,c5,b4,65,7b,30,86,44,b0,4d,90,52,f0,1b,fd
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:d4,8c,6d,d4,2b,fb,96,e0,1f,3d,ca,88,9a,48,90,74,df,77,40,8a,0d,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdssserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\tdssserv.sys"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\WINDOWS\\kdx\\KHost.exe"="C:\\WINDOWS\\kdx\\KHost.exe:*:Enabled:Delivery Manager"
"C:\\Program Files\\KService\\KService.exe"="C:\\Program Files\\KService\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Cheat Engine\\Cheat Engine Server.exe"="C:\\Program Files\\Cheat Engine\\Cheat Engine Server.exe:*:Enabled:Cheat Engine Server"
"C:\\Documents and Settings\\admin\\My Documents\\My Pictures\\utorrent.exe"="C:\\Documents and Settings\\admin\\My Documents\\My Pictures\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\admin\\My Documents\\My Pictures\\Vuze\\Azureus.exe"="C:\\Documents and Settings\\admin\\My Documents\\My Pictures\\Vuze\\Azureus.exe:*:Enabled:Azureus"
"C:\\WINDOWS\\winlogon.exe"="C:\\WINDOWS\\winlogon.exe"
"C:\\WINDOWS\\system32\\taskmngr.exe"="C:\\WINDOWS\\system32\\taskmngr.exe:*:Enabled:taskmngr"
"C:\\WINDOWS\\system32\\winupdmgr.exe"="C:\\WINDOWS\\system32\\winupdmgr.exe:*:Enabled:winupdmgr"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\admin\\Application Data\\printer.exe"="C:\\Documents and Settings\\admin\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\admin\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\admin\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\admin\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\admin\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\KService\\KService.exe"="C:\\Program Files\\KService\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Documents and Settings\\admin\\Application Data\\printer.exe"="C:\\Documents and Settings\\admin\\Application Data\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\admin\\Application Data\\pcpriv.exe"="C:\\Documents and Settings\\admin\\Application Data\\pcpriv.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\admin\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\admin\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 14 Aug 2008 1,430,016 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,892,160 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 18 Nov 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 27 Nov 2004 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Sat 26 Jun 2004 4,348 A..H. --- "C:\My Documents\My Music\License Backup\drmv1key.bak"
Sat 26 Jun 2004 20 A..H. --- "C:\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 26 Jun 2004 312 A..H. --- "C:\My Documents\My Music\License Backup\drmv2key.bak"
Sat 26 Jun 2004 1,536 A..H. --- "C:\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 9 Jun 2008 701 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti5C.tmp"
Thu 30 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 18 Nov 2004 4,348 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Thu 18 Nov 2004 20 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 18 Nov 2004 400 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Thu 18 Nov 2004 1,536 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 5 Sep 2005 32,256 ...H. --- "C:\Documents and Settings\anewman\Application Data\Microsoft\Word\~WRL2016.tmp"
Mon 28 Jul 2008 0 A..H. --- "C:\Documents and Settings\harry\Local Settings\Temp\dotnetfx3521022.08\1033\dotnetfx30\BITDE.tmp"
Sat 23 Oct 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

Also let me know how your computer is running and if there are any more reports/signs of infection.

computer seems to be running fine.

AVG scanner keeps advising of threats but i am unsure if they are resident or trying to get in. shold i run a scan with it and post results?

latest scan of Malwarebytes is clean

attached for your info

Malwarebytes' Anti-Malware 1.25
Database version: 1093
Windows 5.1.2600 Service Pack 3

16:07:42 29/08/2008
mbam-log-08-29-2008 (16-07-42).txt

Scan type: Quick Scan
Objects scanned: 87901
Time elapsed: 23 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

i am actually talking to you from the infected laptop now and not the other one

regards

Looks good. Let me know what threats AVG is finding. Include the specific file name and location (full path) not just the generic vendor name.

these are the sort of thing

Trojan horse - SHeur CFTG - C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP712\A0337616.exe

Trojan horse - SHeur CFTG - C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP712\A0337617.exe

Trojan horse - SHeur CFTG - C:\System Volume Information\_restore{77CD0FD2-F758-4EE2-AE8C-BD61828C1D28}\RP712\A0337618.exe

just the last number changing each time

regards

The infected RP***\A00*****.exe/.dll file(s) identified by your anti-virus are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

i set the system restore point as you advised. i then started to run Disc Clean but when i go to run Disk clean up either from Start>Run>cleanmgr or from start>all programs>accesories>etc it starts up the program and then after about 1 minute switches the computer off completely

i have tried it 3 times and each time the same thing happens - program loads, says calculating (3 blue bars) then after about 40-60 seconds switches the computer off

it wasn't until i went via My Computer C Drive>properties>disk cleanup that it worked

anything i need to worry about?

please advise?

also ran Malwarebytes scan again - attached log

Malwarebytes' Anti-Malware 1.25
Database version: 1103
Windows 5.1.2600 Service Pack 3

19:21:34 01/09/2008
mbam-log-09-01-2008 (19-21-34).txt

Scan type: Quick Scan
Objects scanned: 87890
Time elapsed: 26 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd861218-a2ac-46ea-ad5a-6e97f48aca50} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


regards

The Disk Cleanup tool stops responding
Disk Cleanup Tool Stops Responding While Compressing Old Files

How is your computer running now? Any more reports/signs of infection?

only those 2 that showed up when i ran Malwarebytes again - what are they and where did they appear from?

apart from that the PC is running great!

thanks for your continued support

If those two registry entries keep returning then something is interfering with their deletion. That could be another piece of malware which is recreating them or another security program blocking the MBAM fix. Disconnect from the Internet and temporarily disable all your security programs. Rescan with MBAM the same as before. If the entries return, we will have to investigate more by having you post a hijackthis log in the HJT forum.

they have not re-appeared so good news eh?

1 final question (i hope)

i noticed today that when i typed in ipconfig into start>run it opens up and quickly closes the command box without letting me do anything? however if i type in cmd it will open up the command box and let me type in ipconfig and run the prompt?

any idea why i can't type in ipconfig straight into the run box?

apart from that everything else seems fine

thank you so much for your help - i really appreciate your time

regards

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok"
• Disk Cleanup will scan your files for several minutes, then open.
• Click the "More Options" Tab.
• Click the "Clean up" button under System Restore.
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
• Click Yes, then click Ok.
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
• Disk Cleanup will remove the files and close automatically.

To use ipconfig, you have to open a Command Prompt window first, then type: ipconfig

How do I use ipconfig?