View Full Version : Smitfraud / Zlob etc



Altair
2007-01-04, 09:10
Hello. I am trying to fix my mother-in-law's virus/spyware problems on her computer. Prior to finding this forum, I installed the programs I use on my own computer, i.e. ZoneAlarm, AVG free, Adaware and Spybot 1.4 - heaps of problems were detected. I also ran HijackThis and used HJT's online tutorial to work through the log and select items for HJT to fix. After that I was still left with a URL redirection to a "security tools" site. Since MSN Messenger was accessed on the problem computer, all the problems have reappeared again, including a file msmsgs.exe trying to get access through the firewall - a file I thought was fixed by HijackThis.

I would very much appreciate any help you could give me. I have run a panda online scan and hijackthis - the logs follow:

Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 4:46:02 PM, on 4/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25144255-EDAC-48CE-A279-11ABF38EEB02}: NameServer = 203.2.75.132 198.142.0.51
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Altair
2007-01-04, 09:11
Panda Activescan

Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\salm.log
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3pssavr.scr
Adware:adware/systemdoctor Not disinfected c:\windows\system32\issearch.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/gator Not disinfected c:\windows\GatorHDPlugin.log-old.log
Adware:adware/wupd Not disinfected c:\program files\Admanager Controller
Adware:adware/searchrelevancy Not disinfected c:\program files\SearchRelevant
Adware:adware/winactive Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\kids\Cookies\kids@64.62.232[4].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\kids\Cookies\kids@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\kids\Cookies\kids@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\kids\Cookies\kids@adopt.hbmediapro[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\kids\Cookies\kids@adultfriendfinder[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\kids\Cookies\kids@c.enhance[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\kids\Cookies\kids@c.fsx[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\kids\Cookies\kids@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\kids\Cookies\kids@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\kids\Cookies\kids@errorsafe[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\kids\Cookies\kids@i.screensavers[2].txt
Spyware:Cookie/TouchClarity Not disinfected C:\Documents and Settings\kids\Cookies\kids@intercasino.touchclarity[1].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\kids\Cookies\kids@malwarewipe[1].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\kids\Cookies\kids@paypopup[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\kids\Cookies\kids@searchportal.information[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\kids\Cookies\kids@systemdoctor[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\kids\Cookies\kids@toplist[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\kids\Cookies\kids@winantivirus[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\kids\Cookies\kids@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\kids\Cookies\kids@www.errorsafe[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\kids\Cookies\kids@www.systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\kids\Cookies\kids@www.winantivirus[1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\kids\Cookies\kids@www48.seeq[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\kids\Cookies\kids@xiti[1].txt
Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\kids\Local Settings\Temporary Internet Files\Content.IE5\0DE34TQ7\topsecuritypage[2]
Adware:Adware/WUpd Not disinfected C:\Program Files\Admanager Controller\AdManComm.dll
Adware:Adware/SearchRelevancy Not disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/SearchRelevancy Not disinfected C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/WUpd Not disinfected C:\temp\Remover.exe
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\components\flx12.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\components\flx14.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\components\flx16.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\components\flx18.dll
Adware:Adware/SpywareQuake Not disinfected C:\WINDOWS\system32\components\flx20.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx27.dll
Adware:Adware/SystemDoctor Not disinfected C:\WINDOWS\system32\components\flx28.dll
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe
Virus:W32/Spamta.PZ.worm Disinfected Local Folders\Deleted Items\Mail server report.\Update-KB7453-x86.zip[Update-KB7453-x86.exe]

pskelley
2007-01-06, 20:03
Welcome to the forum, Please see this information which is Pinned to the top of the forum.
http://forums.spybot.info/showthread.php?t=425

Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

Thanks

Altair
2007-01-08, 02:35
Thank you pskelley for your reply :)

I went down to my mother-in-law's place yesterday and tried to d/l SP1a but unfortunately I hit a snag. When my m-in-law bought her computer it came with XP included but in trying to d/l SP1a we were advised that her copy of XP didn't pass their validation test. So we were unable to proceed with the update. So I have told her that I will try and backup all her files over the next week or so, re-format her HD and then buy her a copy of XP and install it.

In the meantime, is there anything else I can do for my mother-in-law to ease her current situation? She would really like to be able to use her email again. I'm also a bit worried about doing the backups while there are infections on her computer. Thank you so much.

pskelley
2007-01-08, 13:57
Thanks for the feedback. Is this a valid copy of Windows? And how did she operate this long with no Service Pack? XP has been out for a couple of years. I also wonder what the message is; if it is a valid copy of Windows it could be a Microsoft error:
http://www.microsoft.com/resources/howtotell/ww/windows/default.mspx
If her copy of Windows is valid, contact Microsoft for instructions:
http://support.microsoft.com/

Follow these instructions to start the cleanup:
http://forums.spybot.info/showthread.php?t=4015

Use Post Reply, stay in this topic.
Thanks

Altair
2007-01-13, 04:40
Thank you for your help pskelley :bigthumb: . I apologise for what was an unavoidable delay in replying to your post and following your instructions.

I've followed the self-help instructions and provide rapport.txt and the HJT log as requested in instruction 9. The only problem I had was with regards to instruction 6, Display/Desktop/Customize/Web tab/Web pages/Security info/Delete - the "Security info" option was not available to me. With regards to the Windows problem, I have been living interstate until recently and wasn't around when my mother-in-law purchased her computer, but I think she has really flipped out over all this spyware/non-valid XP stuff and really wants me to buy her a new copy of XP - she also has a very restricted and minimal internet access plan ... something she is going to have to change in order to keep her new virus and spyware programs updated. It can all seem a little daunting, sometimes :red: .

Anyway, hopefully a couple of her problems have been fixed for now. Here are the reports:

rapport.txt

SmitFraudFix v2.132

Scan done at 11:35:39.77, Sat 13/01/2007
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{ff170564-36c8-43f7-9100-559e166405cf}"="cussers"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ixt??.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\Program Files\Safety Bar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:09:29 PM, on 13/01/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DelPnPDirver] C:\Program Files\panasonic\panasonic KX-P7100\DelPnPD.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168146353885
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168146304904
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2007-01-13, 11:57
Thanks for the feedback. I am just a little surprised she could purchase the PC and not get a valid copy of Windows on it, that being illegal? I have to assume you know what you are doing. If you are purchasing, it is a shame you can't get Vista. Here's some information:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=purchase+windows+vista I am not sure what the status of the release is at this time.

Smitfraudfix cleaned most of the infection, just a little more and I will include a freeware tool to run from the Desktop that will make cleaning easier for her. Here is a tutorial for using it:
http://forums.security-central.us/showthread.php?t=1925

First I need to mention the Java program which is badly out of date and will get her infected, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< out of date, please download the newest version of Java and uninstall all old versions in Add Remove programs.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O20 - AppInit_DLLs:

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

That should take care of her malware problems. If you can go straight to Vista, IE7 should be installed with it. If you either install Windows XP or can figure out how to update to Service Pack 2, I suggest you update to IE7 for the additional protection it affords. You will not be able to do this without SP2.
http://www.microsoft.com/windows/ie/default.mspx?mg_id=10017
http://www.microsoft.com/windows/ie/downloads/default.mspx

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
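
The items the helper asked to have fixed above, together with the no-name System32 BHO and the about:blank search bar that SmitFraudFix removed from the first log, can be picked out of a HijackThis log mechanically. The following is an added example, not code from this thread, from HijackThis or from SmitFraudFix; its sample lines are copied from the first log posted in this thread, and its four flagging rules are assumptions that mirror what the helper and SmitFraudFix acted on.

```python
"""Triage HijackThis v1.99 log lines with the rules applied in this thread.

Added example (not code from the thread, HijackThis or SmitFraudFix). SAMPLE_LOG
is copied from the first log above; the four rules are assumptions mirroring what
the helper and SmitFraudFix acted on.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Constructed sample: a subset of the lines from the first HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\System32\ixt0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O20 - AppInit_DLLs:
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

def parse_entry(line):
    """Split one HijackThis line into section, description, CLSID and target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("section"), m.group("rest")
    clsid = CLSID_RE.search(rest)
    if clsid:
        # anchor on the CLSID so a " - " inside a path (Spybot - Search & Destroy) survives
        desc, target = rest[:clsid.start()].rstrip(" -"), rest[clsid.end():].lstrip(" -")
    elif sec == "O4" and "] " in rest:          # Run entries: "[name] command"
        desc, target = rest.split("] ", 1)
    elif " - " in rest:                          # "desc - url" / "desc - vendor - path"
        desc, target = rest.rsplit(" - ", 1)
    elif " = " in rest:                          # R0/R1 registry values: "value = data"
        desc, target = rest.split(" = ", 1)
    else:
        desc, target = rest, ""
    return {"section": sec, "desc": desc.strip(), "target": target.strip(),
            "clsid": clsid.group(0) if clsid else "", "raw": line.strip()}

def flag_entry(e):
    """Return a reason if the entry matches one of the thread's rules, else None."""
    sec, desc, target = e["section"], e["desc"], e["target"].lower()
    if sec == "O2" and "(no name)" in desc and "\\windows\\system32\\" in target:
        return "unnamed BHO loaded from System32 (Smitfraud/Zlob pattern, cf. ixt0.dll)"
    if sec == "R1" and target == "about:blank":
        return "IE search bar hijacked to about:blank"
    if sec == "O8" and "mywebsearch.com" in target:
        return "MyWebSearch context-menu item (adware toolbar remnant)"
    if sec == "O20" and desc.startswith("AppInit_DLLs"):
        return "AppInit_DLLs entry present (empty value here; fixed via HJT in the thread)"
    return None

def triage(log_text):
    """Return [(section, reason, raw line), ...] for every flagged entry in the log."""
    hits = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        reason = flag_entry(e) if e else None
        if reason:
            hits.append((e["section"], reason, e["raw"]))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the R1, ixt0.dll O2, O8 and O20 lines and leaves the Spybot SDHelper BHO, the AVG Run entry and the ZoneAlarm service alone.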

Altair
2007-01-16, 00:56
Thanks so much pskelley for your assistance. My mother-in-law passes on her thanks to you too. I have completed everything except for updating the JRE - that file was 12.8MB so I will d/l it at home and then take it to my m-in-law's to install. Everything seems to be working fine now - what a great help you all are here :bigthumb: . All this has made me realise how hopelessly out of date my own computer is (still using M/S ME :red: ) so it's Vista (and a new computer to run it ;) ) for me asap.

Thanks for all the links too ... I've learnt so much since I initially posted my problem.

cheerio, Altair xxx

pskelley
2007-01-17, 15:28
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.