Ron's "Infected" Windows XP PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RickCW, Nov 9, 2004.

  1. RickCW

    RickCW Private E-2

    Dear Major Geeks, Help, please.
    Trying to help my friend, Ron, whose (Windows XP) PC seems badly "infected."

    We suspect that his system became infected through:
    1. Windows XP being connected to broadband Internet without a firewall.
    2. Ron downloading, installing and running suspect programs for "Paid Surveys", etc.

    We installed "Norton Internet Security 2005" and ran LiveUpdate until "no more".

    We ran Norton AntiVirus OK. It found about 36 "threats", but was unable to remove some because they were inside compressed (.zip or .cab) files.

    We ran Ad-Aware SE. It found about 130 "threats" and removed them all, but some returned after the next restart. Will double-check that Windows XP's "System Restore" is OFF until further notice.

    Hard drive C: "thrashes" for about 15 minutes after each restart, and for about 5 minutes after any input. When the "thrashing" stops, PC response is quite quick, but it goes very slow when you connect to the Internet.

    Unwanted programs start themselves soon after you connect the (broadband) modem to the Internet, e.g. Internet Explorer starts itself on the page http://some_chap's_name
    I suggested that Ron should stay off-line except when sending/receiving e-mail, then disconnect straight after.

    We saw a message saying that Windows Virtual Memory was low and that Windows was increasing it.
    (Is this the cause of the hard drive thrashing?)

    We saw a brief message (from where?) saying that the system was infected with the Sasser? worm.
    Unsure if this was a trusted message from Norton or a malicious pop-up.
    Run the FixSasser tool from Symantec.com?

    I ran "HijackThis" - I have the log - but I'm being obedient, and not posting it. Yet.

    Thank you for your help / advice.

    Regards, Rick.
     
  2. sosaman

    sosaman Sergeant Major

    Make sure that you follow all of the instructions in READ ME 1ST (it actually works pretty well). You seem to mention some of the stuff, but I don't know if you followed it all: running them in Safe Mode, etc. I've actually got a little file from McAfee that's a DOS scan that I run, and then I do the stuff as mentioned. I have also found that some things find stuff that others don't (even antivirus software). - steve

    http://forums.majorgeeks.com/showthread.php?t=35407
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to running all the steps from the link that sosaman referred you to, run the tool below for the Sasser worm:
    W32.Sasser Removal Tool
     
  4. sosaman

    sosaman Sergeant Major

    If you still suspect a virus, you might try running this program. It is hosted on my site, with instructions on how to run it as well. This program (and the instructions) are actually from McAfee; I got them in online chat(s) with them! ;) - sosaman

    http://users3.ev1.net/~ahls/DOS-Scan.zip <-- Program (the link is also on instruction page)

    http://users3.ev1.net/~ahls/dos-scan.html <-- Instructions

    SCAN /ADL /CLEAN /ALL /REPORT REPORT.TXT <-- (I would rename "REPORT REPORT.TXT" to "REPORT Report1.txt" if you are going to run it more than once; that way it doesn't overwrite the original .txt, in case you need it.)
     