Virus problems

sugar_fl
15 years ago

I'm afraid I have some pretty serious problems..

Today a warning popped up from SUPERAntiSpyware. I did a scan & it found all of these:

I had them quarantined & did an AVG scan. It found these still:


It auto HEALED them.. I rebooted each time & I still get a warning from SUPERAntiSpyware..

WHY did they not catch it in the 1st place & why is it still showing a problem..

I sure hope I don't have to format this computer but very worried..

Both are set to scan every nite & update auto.

HELP!

Dar

Comments (23)

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    OH yes.. I had trouble turning my computer off to reboot the last time but booted up OK. I had to just push the off button.
    Dar

  • daylilydayzed
    15 years ago
    last modified: 9 years ago

    They may be hiding in the restore files. Turn off system restore, reboot the computer and turn system restore back on and that will get them out of the restore points.

  • zep516
    15 years ago
    last modified: 9 years ago

    Please download Malwarebytes' Anti-Malware to your desktop.
    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Here is a link that might be useful: malwarebytes.org

  • zep516
    15 years ago
    last modified: 9 years ago

    Don't clean out the system restore points yet. It is always best to do that last; that way we have an option left in case something should go wrong with any removal process. But it is a good idea to do it after the machine is clean. You may also need to visit another forum for a complete check; we will give a link for that after we see the Malwarebytes log.

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    I believe this is what U want to see..
    What do I do next & how much damage is being done?
    Should I stay off the computer until this is fixed? I have to keep it on till I see your answer.

    Malwarebytes' Anti-Malware 1.30
    Database version: 1439
    Windows 5.1.2600 Service Pack 3

    11/30/2008 10:54:04 PM
    mbam-log-2008-12-30 (22-54-04).txt

    Scan type: Full Scan (C:\:E:\:)
    Objects scanned: 263349
    Time elapsed: 1 hour(s), 8 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 4
    Registry Data Items Infected: 1
    Folders Infected: 3
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ni.gscns (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule30 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ohxfekmpaz (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\baad\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\baad\Local Settings\Temp\winasnet.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
    C:\Documents and Settings\baad\Local Settings\Temp\wJQs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP482\A0061604.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
    C:\WINDOWS\system32\yAtULcde.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\baad\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\baad\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\regsvr32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpv541228088479.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpv651228088431.cpx (Trojan.Agent) -> Quarantined and deleted successfully.
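
As an added example (not part of the thread and not Malwarebytes' own tooling), here is a small Python parser for a scan log in the format posted above. It checks that the summary counts match the items actually listed and pulls out entries still marked "Delete on reboot" and detections inside System Restore storage, the two follow-up points raised in this thread. The sample is abridged from the log above with the counts adjusted to match the excerpt; all function names are hypothetical.

```python
import re
from collections import Counter

# Abridged from the log posted above; summary counts adjusted to the excerpt.
SAMPLE_LOG = r"""
Registry Data Items Infected: 1
Files Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Downloader) -> Data: digeste.dll -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{8D077847-2814-437C-9117-EA7A694B02FC}\RP482\A0061604.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digeste.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\yAtULcde.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 11"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
RESTORE_MARKER = r"\system volume information\_restore"      # XP System Restore store


def parse_mbam_log(text):
    """Return (declared summary counts, list of detection records)."""
    declared, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            declared[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            # Registry data lines carry an extra "Data: ..." field before the action.
            *detail, action = m.group("rest").split(" -> ")
            items.append({
                "section": section,
                "object": m.group("obj"),
                "family": m.group("family"),
                "detail": " -> ".join(detail),
                "action": action.rstrip("."),
            })
    return declared, items


def review(text):
    """Summarise what still needs attention after the scan."""
    declared, items = parse_mbam_log(text)
    listed = Counter(i["section"] for i in items)
    return {
        # A mismatch usually means the pasted log was truncated.
        "count_mismatches": {s: (n, listed.get(s, 0))
                             for s, n in declared.items() if n != listed.get(s, 0)},
        # Not removed yet: a reboot and a rescan are needed to confirm.
        "pending_reboot": [i["object"] for i in items
                           if i["action"].lower() == "delete on reboot"],
        # Copies held in restore points, which a restore could bring back.
        "restore_point_hits": [i["object"] for i in items
                               if RESTORE_MARKER in i["object"].lower()],
        "families": sorted({i["family"] for i in items}),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
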

  • ravencajun Zone 8b TX
    15 years ago
    last modified: 9 years ago

    sugar_fl, since you have Vundo I would like to have you come to a security help forum and let the team there have you run some scans so we can see what more needs to be done; you are not yet fully clean. Please go here and register, then start a new thread in the area I am linking to. Tell Corrine I sent you, and please copy all the info you gave here to that thread; we will need to have it all there.
    HijackThis Logs
    will be looking for you there.

  • zep516
    15 years ago
    last modified: 9 years ago

    Nice work,

    Thank you. Let's send you to another forum that are experts in the field; they will take it from here. Please see the link; you will need to join the forum in order to post. I am a member there also. The next order of instruction is to download HijackThis, do a system scan and save a log file. This will become clear to you as you read the instructions there. Please post a HijackThis log and the Malwarebytes log from here into a post at the new forum.

    It's OK to use the computer; do not install anything or remove anything.

    Tell them zep sent you; you will be well taken care of and no need to reformat..

    I think Malwarebytes got everything; those are common infections, but we need to make sure and the other site will do that..

    Here is a link that might be useful: landzdown.com

  • zep516
    15 years ago
    last modified: 9 years ago

    See you already have help.....

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    Raven ..it said that the other ones would be deleted on reboot which I just did. I wrote here too soon but it hadn't closed down before I rebooted. Do U mean just the info from Malwarebytes or all the posts I wrote..

  • zep516
    15 years ago
    last modified: 9 years ago

    Just the info from Malwarebytes. Corrine can look at this thread if needed. Not sure where raven went.

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    I have registered & waiting for the E-mail.. I put down my main address (no hotmail); it is too important to risk hotmail..

  • zep516
    15 years ago
    last modified: 9 years ago

    Very good,

    raven's probably giving them a heads up -- good luck.

    zep

  • ravencajun Zone 8b TX
    15 years ago
    last modified: 9 years ago

    good deal sugar, the team is from all over the world so you may have to wait for a little bit for someone to get to you but don't worry we will get you taken care of.

    zep looks like we were both posting at the same time again LOL.

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    I have made hidden folders visible.. guess I next need to download HijackThis & wait for help..

  • zep516
    15 years ago
    last modified: 9 years ago

    I know we have to stop meeting like this LOL.

  • zep516
    15 years ago
    last modified: 9 years ago

    That's right sugar fl,

    Good job..

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    Zep it is downloaded but do I install it.. seems that start the scan.. should I do that?

  • zep516
    15 years ago
    last modified: 9 years ago

    It should auto install. Just double click on the HijackThis icon on the desktop; it will run, then do a (system scan & save a log file). You can copy & paste it into a reply.

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    here is what it gave me..

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:46:44 AM, on 12/1/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Hallmark\Hallmark Card Studio 2007\Planner\PLNRnote.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\BAAD\Application Data\Mozilla\Profiles\default\lvbwbt7t.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\BAAD\Application Data\Mozilla\Profiles\default\lvbwbt7t.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Pando] "C:\Program Files\Pando Networks\Pando\Pando.exe" /Minimized
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Event Planner Reminder.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.avsystemcare.com
    O15 - Trusted Zone: *.onerateld.com
    O15 - Trusted Zone: *.safetydownload.com
    O15 - Trusted Zone: *.trustedantivirus.com
    O15 - Trusted Zone: *.virusremover2008.com
    O15 - Trusted Zone: *.virusschlacht.com
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusremover2008.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Mahjong Escape - Ancient Japan\Images\stg_drm.ocx
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Mahjong Escape - Ancient Japan\Images\armhelper.ocx
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 9314 bytes

    I clicked analyze this like the top instruction said but don't see what to do next.. nothing is checked..

  • zep516
    15 years ago
    last modified: 9 years ago

    Do not do anything...........Do not use hijackthis yourself.

    Wait for a reply. Never use HijackThis without instruction. Please post this in the other forum also..

    Thanks.. Only follow instruction from that forum now.

  • sugar_fl
    Original Author
    15 years ago
    last modified: 9 years ago

    I have already posted it there..
    I haven't done anything else..
    Thanks Zep..

  • zep516
    15 years ago
    last modified: 9 years ago

    You're welcome,

    You're going to have more work to do, so get some rest and wait for a reply from them. Let us know how it goes.

  • ravencajun Zone 8b TX
    15 years ago
    last modified: 9 years ago

    excellent job so far sugar_fl, the team will be able to help you quickly now that we have your hijackthis log.
    Please continue at the other forum now, thanks.