Help please. I'm in popup hell

Logs taken from hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18:37, on 12/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeSearchInstallRTM?clid=2057&ver=12&app=outlook.exe&p1=32&p2=5&p3=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.70.234.30
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [1461ce31] rundll32.exe "C:\WINDOWS\system32\yxfmrukb.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O4 - Global Startup: PhoneManager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra 'Tools' menuitem: HttpWatch Basic - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatch.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.google.co.uk

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192793897446
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192793939554

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://10.102.5.19/tsweb/msrdp.cab
O16 - DPF: {AAFE6820-7F9E-4665-85A0-8E06F9040CF6} (LawPort wrapper for Scripting.FileSystemObject) - http://inlls.adslocal.net/lawport/includes/activeX/LawPort_Utility/LawPort_Utility.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://per-emea.webex.com/client/T25L/webex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://portal..co.uk/dana-cached/setup/JuniperSetupSP1.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxduserv.exe

O23 - Service: lxdu_device - - C:\WINDOWS\system32\lxducoms.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14761 bytes

------------------------------------------------------

Last edited by mypcisfoobar on 12th January 2009, 9:08 pm; edited 2 times in total (Reason for editing : edited to protect 3rd parties)

I removed a dodgy looking dll file called ppcujz.dll using hijack this in safe mode.

Since then the pop ups have been less intense but i still get my default browser (firefox) popping up trying to do something. I copied the URLs it is going to:

Any help would be greatly appreciated.
Regards
Ross

Hello.
For other users safety, I have removed the links, please don't post harmful links in the forum.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O4 - HKLM\..\Run: [1461ce31] rundll32.exe "C:\WINDOWS\system32\yxfmrukb.dll",b
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Thank you for your help.
Please find requested logs:
Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3

12/01/2009 21:08:55
mbam-log-2009-01-12 (21-08-55).txt

Scan type: Quick Scan
Objects scanned: 66903
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 21
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\tuvVMdDu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yxfmrukb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fccaWNdC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ppcujz.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7aa766ea-8c40-4797-9601-02dca3c1616a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7aa766ea-8c40-4797-9601-02dca3c1616a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fdd35125-b316-47c1-a61c-23fc20482022} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fdd35125-b316-47c1-a61c-23fc20482022} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fccawndc (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa766ea-8c40-4797-9601-02dca3c1616a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fdd35125-b316-47c1-a61c-23fc20482022} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvvmddu -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\tuvvmddu -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tuvVMdDu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uDdMVvut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uDdMVvut.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ppcujz.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fhnicybf.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fbycinhf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yxfmrukb.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bkurmfxy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccaWNdC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\epvxkdvq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXNgdeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMeFwVo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temp\senekaad69.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temporary Internet Files\Content.IE5\2V5X81G2\InstallAVg_770522166350[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temporary Internet Files\Content.IE5\E9S7077R\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temporary Internet Files\Content.IE5\E9S7077R\URdyweFB[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\rwoolhou\Local Settings\Temporary Internet Files\Content.IE5\EG0FA5K5\winsinstall[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaiuuilhjw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaxwprqhtk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaciwkvlvd.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ssqPgDuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Hello.
Lets take a look around now.

• Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
  Link 1
  Link 2
  Link 3
  
• Double click DDS.scr to run
  
• When complete, DDS.txt will open.
  
• Click No for Optional Scan.
  
• Save the report to your Desktop.
  
• Copy and paste DDS.txt back here, I don't need to see attach.txt.
  

DDS (Ver_09-01-07.01) - NTFSx86
Run by rwoolhou at 21:18:16.92 on 12/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1385 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\lxducoms.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Lexmark 5600-6600 Series\ezprint.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\Avaya\IP Office\Phone Manager\PhoneManager.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\rwoolhou\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk
uDefault_Page_URL = hxxp://www.google.co.uk
mDefault_Page_URL = hxxp://www.google.co.uk
uInternet Settings,ProxyOverride = 10.70.234.30
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"
mRun: [EzPrint] "c:\program files\lexmark 5600-6600 series\ezprint.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-8796-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netscr~1.lnk - c:\program files\juniper\netscreen-remote\SafeCfg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\phonem~1.lnk - c:\program files\avaya\ip office\phone manager\PhoneManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwatch.dll
Trusted Zone: axial.co.uk\vpn
Trusted Zone: axial.co.uk\vpn2
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rwoolhou\applic~1\mozilla\firefox\profiles\vbh8h2rr.default\
FF - prefs.js: browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - component: c:\program files\httpwatch\firefox\components\httpwatchff.dll
FF - plugin: c:\documents and settings\rwoolhou\local settings\application data\octoshape\octoshape streaming services\octoprogram-l03-nms0810164_sua_900\npoctoshape.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: XUL Cache: {21230F03-31C8-409B-A877-380246D2B87A} - c:\windows\system32\config\systemprofile\local settings\application data\{21230f03-31c8-409b-a877-380246d2b87a}\

============= SERVICES / DRIVERS ===============

R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2008-1-23 138296]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-7-16 31816]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [2007-10-2 63024]
R1 NEOFLTR_630_13725;Juniper Networks TDI Filter Driver (NEOFLTR_630_13725);c:\windows\system32\drivers\NEOFLTR_630_13725.sys [2008-11-21 64480]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2008-1-23 36188]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-2-22 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-2-22 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-2-22 174952]
R4 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2008-1-23 536634]
R4 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R4 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-3-14 103744]
R4 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-7-16 144704]
R4 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-7-16 54608]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2009-1-6 98984]

=============== Created Last 30 ================

2009-01-12 20:44 --d----- c:\docume~1\rwoolhou\applic~1\Malwarebytes
2009-01-12 20:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 20:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 20:44 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-12 20:44 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-12 19:07 124,928 a------- c:\windows\system32\assdbw.dll
2009-01-12 19:07 124,928 a------- c:\windows\system32\upfvbgho.dll
2009-01-12 19:04 41,472 a------- c:\windows\system32\hrstnqmh.dll
2009-01-12 18:50 --d----- c:\program files\Trend Micro
2009-01-11 23:28 17 a------- C:\stinger10000457.opt
2009-01-11 09:48 2,747,911 a------- C:\stinger10000457.exe
2009-01-06 15:48 --d----- c:\documents and settings\all users\Lx_cats
2009-01-06 15:44 40,960 a------- c:\windows\system32\lxduvs.dll
2009-01-06 15:44 360,448 a------- c:\windows\system32\lxducoin.dll
2009-01-06 15:44 61,218 a------- c:\windows\system32\lxduprpr.chm
2009-01-06 15:43 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-01-06 15:43 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-06 15:43 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-01-06 15:43 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-01-06 15:43 1,036,288 a------- c:\windows\system32\lxdudrs.dll
2009-01-06 15:43 81,920 a------- c:\windows\system32\lxducaps.dll
2009-01-06 15:43 69,632 a------- c:\windows\system32\lxducnv4.dll
2009-01-06 15:42 --d----- c:\program files\Lexmark Toolbar
2009-01-06 15:42 --d----- c:\program files\Lexmark Printable Web
2009-01-06 15:42 44 a------- c:\windows\system32\lxdurwrd.ini
2009-01-06 15:42 352,256 a------- c:\windows\system32\LXDUwupd.dll
2009-01-06 15:42 17,064 a------- c:\windows\system32\LXDUwupd.exe
2009-01-06 15:40 389,120 a------- c:\windows\system32\LXDUinst.dll
2009-01-06 15:40 100,419 a------- c:\windows\system32\LexFiles.ulf
2009-01-06 15:40 438,272 a------- c:\windows\system32\LXDUhcp.dll
2009-01-06 15:40 364,544 a------- c:\windows\system32\lxduinpa.dll
2009-01-06 15:40 851,968 a------- c:\windows\system32\lxduusb1.dll
2009-01-06 15:40 524,288 a------- c:\windows\system32\lxduutil.dll
2009-01-06 15:40 339,968 a------- c:\windows\system32\lxduiesc.dll
2009-01-06 15:40 1,069,056 a------- c:\windows\system32\lxduserv.dll
2009-01-06 15:40 651,264 a------- c:\windows\system32\lxdupmui.dll
2009-01-06 15:40 577,536 a------- c:\windows\system32\lxdulmpm.dll
2009-01-06 15:40 200,704 a------- c:\windows\system32\lxduinsb.dll
2009-01-06 15:40 147,456 a------- c:\windows\system32\lxdujswr.dll
2009-01-06 15:39 --d----- c:\program files\Lexmark 5600-6600 Series
2009-01-05 11:38 --d----- c:\docume~1\rwoolhou\applic~1\Blackberry Desktop
2009-01-03 19:51 256 a------- c:\windows\system32\pool.bin
2009-01-03 19:51 --d----- c:\docume~1\rwoolhou\applic~1\Research In Motion
2009-01-03 19:39 --d----- c:\windows\RegisteredPackages
2009-01-03 19:37 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-01-03 19:36 --d----- c:\program files\common files\Research In Motion
2009-01-03 19:36 --d----- c:\program files\Research In Motion
2009-01-03 19:23 --dsh--- c:\windows\ftpcache
2008-12-23 09:56 18 a------- C:\pending.un

==================== Find3M ====================

2008-12-19 09:21 63,834 a------- c:\windows\system32\nvModes.dat
2008-11-21 08:37 64,480 a------- c:\windows\system32\drivers\NEOFLTR_630_13725.sys
2008-10-24 08:24 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-06-30 15:30 3,570,908 a------- c:\documents and settings\rwoolhou\dat-5327.zip
2008-04-23 09:38 185,170 a------- c:\documents and settings\rwoolhou\config.cmd
2008-04-11 10:15 164,043,607 a------- c:\documents and settings\rwoolhou\iShared-FullInstall-3_7_1_1-10-release.exe

============= FINISH: 21:19:04.15 ===============

Hello.
There is some vundo left, but that can wait now. We have to remove the Goored infection first.

Please download GooredFix and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

GooredFix v1.81 by jpshortstuff
Log created at 21:29 on 12/01/2009 running Option #2 (user)
Firefox version 3.0.5 (en-GB)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{21230F03-31C8-409B-A877-380246D2B87A}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{21230F03-31C8-409B-A877-380246D2B87A}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{21230F03-31C8-409B-A877-380246D2B87A}\
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1E2593B2-E106-4697-BCE7-A9D30DE05D73}"="C:\Program Files\HttpWatch\Firefox\"

=====Reboot=====

Goored has been removed, so lets get rid of the vundo now.

Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :processes
  explorer.exe
  
  :files
  c:\windows\system32\assdbw.dll
  c:\windows\system32\upfvbgho.dll
  c:\windows\system32\hrstnqmh.dll
  C:\stinger10000457.opt
  C:\stinger10000457.exe
  c:\windows\system32\pool.bin
  C:\pending.un
  
  :commands
  [purity]
  [emptytemp]
  [start explorer]
  [reboot]
  
  
  
• Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
DllUnregisterServer procedure not found in c:\windows\system32\assdbw.dll
c:\windows\system32\assdbw.dll NOT unregistered.
c:\windows\system32\assdbw.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\upfvbgho.dll
c:\windows\system32\upfvbgho.dll NOT unregistered.
c:\windows\system32\upfvbgho.dll moved successfully.
LoadLibrary failed for c:\windows\system32\hrstnqmh.dll
c:\windows\system32\hrstnqmh.dll NOT unregistered.
File move failed. c:\windows\system32\hrstnqmh.dll scheduled to be moved on reboot.
C:\stinger10000457.opt moved successfully.
C:\stinger10000457.exe moved successfully.
c:\windows\system32\pool.bin moved successfully.
C:\pending.un moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_5hytS5clMuRWlhtRi3MO scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF36AD.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF39A8.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF7834.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\user\LOCALS~1\Temp\~DF8A61.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_918.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\vmware-vmount.log scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV5.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01122009_214547

Files moved on Reboot...
File c:\windows\system32\hrstnqmh.dll not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\etilqs_5hytS5clMuRWlhtRi3MO not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF36AD.tmp not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF39A8.tmp not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF7834.tmp not found!
File C:\DOCUME~1\user\LOCALS~1\Temp\~DF8A61.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_918.dat moved successfully.
File move failed. C:\WINDOWS\temp\vmware-vmount.log scheduled to be moved on reboot.
File C:\WINDOWS\temp\WFV5.tmp not found!
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\vbh8h2rr.default\XUL.mfl moved successfully.

Hello.
Looks good now, what problems remain?

None I think

No more pop-ups and the speed has returned.

Thank you very very much for all your help. It is really appreciated!!!

Ross

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  
• Select the first option where it says "Java SE Runtime Environment (JRE) 6 Update 11".
  
• Click the "Download" button to the right.
  
• In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  
• Click on the link to download Windows Offline Installation and save to your desktop.
  
• Close any programs you may have running - especially your web browser.
  
• Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  - Examples of older versions in Add or Remove Programs:
  - Java 2 Runtime Environment, SE v1.4.2
  - J2SE Runtime Environment 5.0
  - J2SE Runtime Environment 5.0 Update 2
  
• Click the Remove or Change/Remove button.
  
• Repeat as many times as necessary to remove each Java versions.
  
• Reboot your computer once all Java components are removed.
  
• Then from your desktop double-click on jre-6u11-windows-i586-p.exe that you downloaded to install the newest version.
  

Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

• First, unzip it.
  
• Then run JavaRa.
  
• Select English from the drop down menu and press Select.
  
• This will open JavaRa.
  
• Press Remove older versions
  
• Press yes to the prompt.
  
• It will make a log file of what it's removed.
  
• Copy and paste the log back here.
  

JavaRa 1.12 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Mon Jan 12 22:54:18 2009

Found and removed: C:\Program Files\Java\jre1.6.0_05 JavaRa 1.12 Removal Log. Report follows after line. ------------------------------------ The JavaRa removal process was started on Mon Jan 12 22:55:58 2009

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA} Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2 Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01 Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA} Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB} Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\ ------------------------------------ Finished reporting.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.