News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected
Topic: Massive virus problem causing browser redirection and very slow computer  (Read 3225 times)
« on: April 21, 2011, 23:16:46 »
dave (Newbie)
Hi Guys and Gals
Happy Easter to you. I have this problem on my wife's laptop. I first thought it was only a browser hijack, because she was going everywhere except where she wanted. Then her laptop would start rebooting on its own, unable to download things like CCleaner, Stopzilla and CWShredder. I was also unable to open regedit, msconfig and Task Manager. I have scanned in safe mode with Stopzilla, and picked up a "Click GiftLoad"; Stopzilla got rid of it but it keeps coming back. I also used CWShredder, Spybot S&D and AVG Free but nothing changes. Here is my HijackThis log. I certainly hope you can help, because I can't even reformat the hard drive.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:52:10 PM, on 22/04/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\System32\mobsync.exe
C:\Users\Joydy Miller\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6256 bytes
« Reply #1 on: April 22, 2011, 00:13:23 »
dave (Newbie)
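The HijackThis log above is the kind of thing the helpers on this board read by hand: each line is a section code (R0/R1 for IE start and search pages, O1 for the Hosts file, O4 for Run keys, O20 for AppInit_DLLs, O23 for services) followed by the entry. The script below is an added example, not part of this thread and not HijackThis code: it parses lines in that format and flags the entries a reviewer would look at first. The sample lines are copied from the log in this thread except the final O4 line, which is constructed for the demonstration; the trusted-root list and the search-host allowlist are assumptions of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample input. Lines 1-6 are taken from the HijackThis log posted in this thread;
# the last O4 line is CONSTRUCTED for this example to exercise the Run-key check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O4 - HKCU\..\Run: [updater] C:\Users\Public\updater.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys))', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed trusted roots for auto-start binaries, including the 8.3 short-name form
# HijackThis prints (PROGRA~1). An analyst convention for this example, not a HJT rule.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files", "c:\\progra~1\\")
# Assumed allowlist of search/start-page hosts; extend for your environment.
TRUSTED_SEARCH_HOSTS = {"go.microsoft.com", "www.google.com"}
# Hosts-file entries that are normal on Vista and need no review.
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str] = None
    url: Optional[str] = None


@dataclass
class Flag:
    kind: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Parse 'Rx - ...' / 'Oxx - ...' lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        u = URL_RE.search(body)
        entries.append(Entry(m.group("kind"), body,
                             p.group(1) if p else None,
                             u.group(0) if u else None))
    return entries


def _under_trusted_root(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(root) for root in TRUSTED_ROOTS)


def review_flags(entries: List[Entry]) -> List[Flag]:
    """Return the entries a reviewer should verify first, with the reason for each."""
    flags = []
    for e in entries:
        if e.kind == "O1":
            hosts_entry = e.body.split("Hosts:", 1)[-1].strip()
            if hosts_entry not in DEFAULT_HOSTS:
                flags.append(Flag(e.kind, "non-default Hosts entry (possible redirection)", e.body))
        elif e.kind == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll, so any
            # entry here is worth verifying even when the vendor looks familiar.
            flags.append(Flag(e.kind, "AppInit_DLLs entry; verify the DLL on disk", e.body))
        elif e.kind == "O4":
            if e.path and not _under_trusted_root(e.path):
                flags.append(Flag(e.kind, "auto-start binary outside trusted roots", e.body))
        elif e.kind == "O23":
            if "Unknown owner" in e.body:
                flags.append(Flag(e.kind, "service with no publisher recorded; check its signature", e.body))
        elif e.kind in ("R0", "R1", "R3"):
            if e.url:
                host = urlparse(e.url).netloc.lower()
                if host not in TRUSTED_SEARCH_HOSTS:
                    flags.append(Flag(e.kind, f"search/start page points at {host}", e.body))
    return flags


if __name__ == "__main__":
    for f in review_flags(parse_hjt(SAMPLE_LOG)):
        print(f"{f.kind}: {f.reason}\n    {f.body}")
```

On the sample, the script flags the O20 AppInit_DLLs entry, the O23 service with no recorded owner, and the constructed O4 entry under C:\Users; the Hosts line and the Microsoft search page pass. A flag means "verify", not "delete": the AVG toolbar service flagged here is legitimate, and the point of the check is to shorten the list a human has to look at.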
I have just been trying to download ComboFix in case you suggest I use it, but I can't get Firefox or IE to open. I tried to open CCleaner but it came up with a pop-up saying "The service cannot accept control messages at this time". Below is an AVG command line log from Safe Mode. OK, I downloaded ComboFix but haven't opened the download yet; the browser finally worked, with about 3 browser screens and all over the internet. Anyway, here is the AVG log; only one item tested and it was corrupt...
AVG 2011 Anti-Virus command line scanner
Copyright (c) 1992 - 2010 AVG Technologies
Program version 10.0.1209, engine 10.0.1500
Virus Database: Version 1500/3586 2011-04-20

C:\Boot\BCD Locked file. Not tested.
C:\Boot\BCD.LOG Locked file. Not tested.
C:\Documents and Settings\ Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\ProgramData\Application Data\ Locked file. Not tested.
C:\ProgramData\Desktop\ Locked file. Not tested.
C:\ProgramData\Documents\ Locked file. Not tested.
C:\ProgramData\Favorites\ Locked file. Not tested.
C:\ProgramData\Microsoft\Microsoft Antimalware\IMpServiceEDB4FA23-53B8-4AFA-8C5D-99752CCA7094.lock Locked file. Not tested.
C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-0.bin Locked file. Not tested.
C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MpDiag.bin Locked file. Not tested.
C:\ProgramData\Start Menu\ Locked file. Not tested.
C:\ProgramData\STOPzilla!\zilla5.log Locked file. Not tested.
C:\ProgramData\Templates\ Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\Users\Default\AppData\Local\Application Data\ Locked file. Not tested.
C:\Users\Default\AppData\Local\History\ Locked file. Not tested.
C:\Users\Default\AppData\Local\Temporary Internet Files\ Locked file. Not tested.
C:\Users\Default\Application Data\ Locked file. Not tested.
C:\Users\Default\Cookies\ Locked file. Not tested.
C:\Users\Default\Documents\My Music\ Locked file. Not tested.
C:\Users\Default\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Default\Documents\My Videos\ Locked file. Not tested.
C:\Users\Default\Local Settings\ Locked file. Not tested.
C:\Users\Default\My Documents\ Locked file. Not tested.
C:\Users\Default\NetHood\ Locked file. Not tested.
C:\Users\Default\PrintHood\ Locked file. Not tested.
C:\Users\Default\Recent\ Locked file. Not tested.
C:\Users\Default\SendTo\ Locked file. Not tested.
C:\Users\Default\Start Menu\ Locked file. Not tested.
C:\Users\Default\Templates\ Locked file. Not tested.
C:\Users\Default User\ Locked file. Not tested.
C:\Users\jbparrawest\AppData\Local\History\ Locked file. Not tested.
C:\Users\jbparrawest\Documents\My Music\ Locked file. Not tested.
C:\Users\jbparrawest\Documents\My Pictures\ Locked file. Not tested.
C:\Users\jbparrawest\Documents\My Videos\ Locked file. Not tested.
C:\Users\jbparrawest\NetHood\ Locked file. Not tested.
C:\Users\jbparrawest\PrintHood\ Locked file. Not tested.
C:\Users\jbparrawest\Templates\ Locked file. Not tested.
C:\Users\Joydy Miller\AppData\Local\History\ Locked file. Not tested.
C:\Users\Joydy Miller\AppData\Local\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Users\Joydy Miller\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Locked file. Not tested.
C:\Users\Joydy Miller\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Locked file. Not tested.
C:\Users\Joydy Miller\Documents\My Music\ Locked file. Not tested.
C:\Users\Joydy Miller\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Joydy Miller\Documents\My Videos\ Locked file. Not tested.
C:\Users\Joydy Miller\NetHood\ Locked file. Not tested.
C:\Users\Joydy Miller\ntuser.dat Locked file. Not tested.
C:\Users\Joydy Miller\ntuser.dat.LOG1 Locked file. Not tested.
C:\Users\Joydy Miller\ntuser.dat.LOG2 Locked file. Not tested.
C:\Users\Joydy Miller\PrintHood\ Locked file. Not tested.
C:\Users\Public\Documents\My Music\ Locked file. Not tested.
C:\Users\Public\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Public\Documents\My Videos\ Locked file. Not tested.
C:\Users\Joydy Miller\Downloads\windows-kb890830-v3.17.exe.part Corrupted executable file
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG2 Locked file. Not tested.
C:\Windows\System32\catroot2\edb.log Locked file. Not tested.
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG1 Locked file. Not tested.
C:\Windows\System32\config\COMPONENTS.LOG2 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG1 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG2 Locked file. Not tested.
C:\Windows\System32\config\RegBack\COMPONENTS Locked file. Not tested.
C:\Windows\System32\config\RegBack\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\RegBack\SAM Locked file. Not tested.
C:\Windows\System32\config\RegBack\SECURITY Locked file. Not tested.
C:\Windows\System32\config\RegBack\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\RegBack\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SAM Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SECURITY Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG2 Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\ Locked file. Not tested.
C:\Windows\System32\wbem\Logs\WMITracing.log Locked file. Not tested.

------------------------------------------------------------
Objects scanned     : 2037946
Found infections    :    0
Found PUPs          :    0
Healed infections   :    0
Healed PUPs         :    0
Warnings            :    1
------------------------------------------------------------
« Reply #2 on: April 22, 2011, 01:16:28 »
dvk01 (Administrator)
follow advice here and post the logs those programs make in your next reply here

« Reply #3 on: April 22, 2011, 02:51:22 »
dave (Newbie)
Hi DVK01
I cannot run DDS; when I double-click I get a pop-up telling me "the service cannot accept control messages at this time". What should I do?

« Reply #4 on: April 22, 2011, 03:06:56 »
dvk01 (Administrator)
try one of the alternative downloads
there are 3 different versions to try to overcome problems like this

« Reply #5 on: April 22, 2011, 03:14:00 »
dave (Newbie)
OK, the second one did the same as the first and the third opens to this code:

MZ����������������@���������������������������������������   !L!This program cannot be run in DOS mode.

$�������PE��L�+I��������� 2�n��� ����������������@��������������������������o

What should I do now??
« Reply #6 on: April 22, 2011, 03:58:20 »
dvk01 (Administrator)
uninstall AVG
reboot
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc., otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here or Here to your Desktop.
As you download it, rename it to username123.exe


**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script-blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop ComboFix running at all.
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running ComboFix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again after ComboFix has finished.
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double-click on the renamed combofix.exe & follow the prompts.
If you are using Windows XP it might display a pop-up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed ComboFix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.


****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If ComboFix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

« Reply #7 on: April 22, 2011, 05:10:48 »
dave (Newbie)
Hi Derek
AVG will not uninstall for me; it gets so far then asks if I have enough permissions but gives nowhere for the answer. I have some logs but they are pretty large. At the moment the desktop is locked and I am unable to do anything, so your help is sorely needed.

Dave
« Reply #8 on: April 22, 2011, 05:43:04 »
dvk01 (Administrator)
try this uninstaller for avg

http://www.appremover.com

« Reply #9 on: April 22, 2011, 15:41:16 »
dave (Newbie)
Hi Derek
It looks like everything is OK on the browser side, but I am still getting "The service cannot accept control messages at this time". Is this virus-related or something else? This generally pops up when I try to install something such as IOBIT Defragger or when I tried to open the Disc Recovery Creator.

Dave
« Reply #10 on: April 22, 2011, 22:00:33 »
dvk01 (Administrator)

post the ComboFix log so we can see what still needs doing

to attempt to cure that error message

work through the list of services shown here & make sure they are set as shown under default home premium
http://www.blackviper.com/2009/05/31/black-vipers-windows-vista-service-pack-2-service-configurations/

one or more of the needed services will have been disabled

« Reply #11 on: April 22, 2011, 22:40:26 »
dave (Newbie)
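The advice above is to compare every service's start type against the default table for the user's edition and re-enable whatever was switched off. The script below is an added example, not part of this thread and not from Black Viper: it parses the text that `sc qc <service>` prints and reports services whose start type differs from a baseline. The `sc qc` output here is constructed for the demonstration (it is not from the laptop in this thread), and the BASELINE values are placeholders; the real defaults for the edition in question come from the linked Black Viper table.

```python
import re
from typing import Dict, List, Tuple

# CONSTRUCTED sample of `sc qc <name>` output for three real Windows service names.
# Start types are varied on purpose so the comparison below has something to report.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Windows Update

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Themes
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Themes

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SENS
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : System Event Notification Service
"""

# PLACEHOLDER baseline: expected start type per service. Fill this from the default
# column for your edition (the reply above points at the Black Viper table).
BASELINE: Dict[str, str] = {
    "wuauserv": "AUTO_START",
    "Themes": "AUTO_START",
    "SENS": "AUTO_START",
}

NAME_RE = re.compile(r"SERVICE_NAME:\s*(\S+)")
START_RE = re.compile(r"START_TYPE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map service name -> start type word (AUTO_START, DEMAND_START, DISABLED, ...)
    from one or more concatenated `sc qc` outputs."""
    result: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = START_RE.search(line)
        if m and current:
            result[current] = m.group(1)
    return result


def find_deviations(observed: Dict[str, str],
                    baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(service, expected, actual) for every baseline service that does not match.
    A service absent from the observed output is reported as MISSING."""
    deviations = []
    for name, expected in baseline.items():
        actual = observed.get(name, "MISSING")
        if actual != expected:
            deviations.append((name, expected, actual))
    return deviations


if __name__ == "__main__":
    for name, expected, actual in find_deviations(parse_sc_qc(SAMPLE_SC_QC), BASELINE):
        print(f"{name}: expected {expected}, found {actual}")
```

On the sample this reports wuauserv (disabled) and SENS (set to manual) against an auto-start baseline and leaves Themes alone. To feed it real data, run `sc qc <name>` for each service in the baseline and concatenate the output into a file; the parser ignores the `[SC]` banner and any fields it does not need. Reconcile a deviation with `sc config <name> start= auto` (the space after `start=` is required by sc.exe) only after checking it against the baseline table, since some services are legitimately disabled on a given edition.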
Where do I find the Combofix logs??
« Reply #12 on: April 22, 2011, 23:24:55 »
dave (Newbie)
OK, I know where to find the logs, but I am having problems. Windows Explorer keeps crashing and the desktop keeps reloading. I can't get to anything because of this. Would this have anything to do with Services, and can I check the services via Task Manager, as that is the only way I can get them to display??
« Reply #13 on: April 22, 2011, 23:45:09 »
dave (Newbie)
Hi Derek
I cannot find ComboFix.txt; there are files relating to Combofix.sys but that is the only one. There is a folder on the C drive called Qoobox that I am still trying to open, as the laptop is so slow, as bad as it was before, especially with Windows Explorer crashing all the time. Any suggestions??
« Reply #14 on: April 23, 2011, 00:05:25 »
dvk01 (Administrator)
reboot to safe mode & see if you can get to the ComboFix logs that way; they should be inside C:\qoobox,
probably in the quarantine folder

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines