Spyware help needed

Associate
Joined
1 Oct 2003
Posts
2,136
Location
Rutland
I think my dad may have broken a record. I performed a clean install of XP onto his PC. Installed service packs 1 and 2, then downloaded every security patch from Windows Update. Then installed AVG antivirus and set it to update every 24 hours. Also installed Ad-Aware, which I use to run a full system scan every weekend.

Despite all this he somehow managed to get the PC infected with something within 24 hours. AVG and Ad-Aware both come up clean, but something is still very wrong. Every link he clicks within a search engine throws him to a totally random site. For example, 3 attempts at clicking 1 link for a local estate agent's this afternoon threw him to an online encyclopedia, then a PC recycling service, then some hardcore porn site.

Anybody got any recommendations of other things to try?
 
Associate (OP)
S&D found some things. Cleaned them all, but this problem remains. This is a log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 19:14:52, on 16/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {59EE1223-BC41-899C-0E89-A888575ADDAA} - 10010.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [borlandg] 10010.exe
O4 - HKLM\..\Run: [uio] ExchangeMaster.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WhatsNewBot] NsCplTray.exe
O4 - HKCU\..\Run: [PrcIdle] iesetupdll.exe
O4 - HKCU\..\Run: [zxc] ParisM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136217227156
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E34D1E4-290A-4650-B1C3-4471D69A218B}: NameServer = 85.255.116.85,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E306D99-7CCA-4893-9AA4-6C34803201A6}: NameServer = 85.255.116.85,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{76F6E9F8-D20F-4C6E-995D-C79829D4BC2D}: NameServer = 85.255.116.85,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E34D1E4-290A-4650-B1C3-4471D69A218B}: NameServer = 85.255.116.85,85.255.112.206
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E34D1E4-290A-4650-B1C3-4471D69A218B}: NameServer = 85.255.116.85,85.255.112.206
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
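The log above contains the three entry types that matter for a search-redirect symptom: O17 lines that point every network interface at two public DNS servers nobody on the machine configured, O4 Run entries that launch bare executables with no path, and an R3 URLSearchHook for a DLL that is already gone. The following Python script is an added example, not something the poster ran or part of HijackThis itself: it parses log lines in the HijackThis format and pulls out exactly those three classes of entry. The sample input is an excerpt copied from the log above; the list of "trusted" resolver networks (the RFC 1918 ranges a home router would use) is an assumption made for the example and would be replaced with the ISP's real resolvers in practice.

```python
import ipaddress
import re

# Excerpt of the HijackThis log posted above (verbatim lines from the thread).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [borlandg] 10010.exe
O4 - HKLM\..\Run: [uio] ExchangeMaster.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [zxc] ParisM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
R3 - URLSearchHook: (no name) - {59EE1223-BC41-899C-0E89-A888575ADDAA} - 10010.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E34D1E4-290A-4650-B1C3-4471D69A218B}: NameServer = 85.255.116.85,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E34D1E4-290A-4650-B1C3-4471D69A218B}: NameServer = 85.255.116.85,85.255.112.206
"""

# Assumption for this example: the only resolvers this PC should ever use are
# on the home LAN (RFC 1918 ranges). Any O17 NameServer outside them is suspect.
TRUSTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]

# HijackThis entries look like "O17 - <body>" / "R3 - <body>" / "F1 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def rogue_nameservers(entries, trusted=TRUSTED_RESOLVER_NETS):
    """O17 lines hold per-interface DNS servers. Return those outside the trusted networks, deduplicated and sorted."""
    found = set()
    for section, body in entries:
        if section != "O17":
            continue
        m = re.search(r"NameServer\s*=\s*([\d.,\s]+)", body)
        if not m:
            continue
        for raw in m.group(1).split(","):
            raw = raw.strip()
            if not raw:
                continue
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # malformed value; not an IP we can judge
            if not any(ip in net for net in trusted):
                found.add(str(ip))
    return sorted(found)


def pathless_run_entries(entries):
    """O4 Run entries whose command is a bare filename (no drive letter, no quoted path).

    Windows resolves such commands through the PATH search order; legitimate
    installers almost always register a full path, so bare names deserve a look.
    """
    hits = []
    for section, body in entries:
        if section != "O4" or r"\Run:" not in body:
            continue
        m = re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if not re.match(r'^"?[A-Za-z]:\\', cmd):
            hits.append((m.group("name"), cmd))
    return hits


def missing_file_entries(entries):
    """Entries HijackThis marks '(file missing)': a hook registered for a file that is gone, typically left behind by a partial clean-up."""
    return [(s, b) for s, b in entries if "(file missing)" in b]


def triage(text):
    """Run all three checks over a log and return the findings keyed by check name."""
    entries = parse_hjt(text)
    return {
        "rogue_nameservers": rogue_nameservers(entries),
        "pathless_run": pathless_run_entries(entries),
        "missing_file": missing_file_entries(entries),
    }


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(check)
        for item in items:
            print("   ", item)
```

On this excerpt the script reports the two 85.255.x.x resolvers, the three pathless Run entries (borlandg, uio, zxc) and the orphaned R3 hook. The resolver check is the one that explains the symptom: when every interface, including the CS1/CS2 last-known-good control sets, names the same two outside DNS servers, every lookup the browser makes is answered by whoever runs those servers, which is why the same search result lands on a different site each time. The fix on the affected machine is to return the NameServer values to the router or ISP addresses (or DHCP), remove the Run entries that launch the unexplained executables, and then re-run the log to confirm the O17 lines do not come back.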
 