GeekPolice

Help Please Stupid Virus attack - Red X

Hello - I require help, pretty please, Geek Police.

I have a virus that is blocking virus scanners and won't let me download anything that may clean it out.

It has a red circle with a white X on the task bar. Every minute it comes up saying "Warning! Security report. Your computer is infected! It is recommended to start spyware cleaner tool."

If I go to Google and do a search on virus downloads it will work, but if I click on the link it redirects me to some stupid ad, and hitting back eventually takes me to My Documents.

I have AVG and it won't let me download updates.

On the top of the screen it says the same thing in red: Warning Warning Warning.

I am in safe mode now, as it eventually booted the computer down to a blue screen of death.

Please help

Cheers
Ainsley

Re: Help Please Stupid Virus attack - Red X

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Help Please Stupid Virus attack - Red X

Hello

Thanks so much for your prompt reply. Here is the txt result.

Cheers

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekaxvnymeyy.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Help Please Stupid Virus attack - Red X

Let's kill this rootkit, and then your programs should work; we'll use an effective scanner once this rootkit is gone.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
seneka

Files to delete:
C:\WINDOWS\system32\drivers\senekaxvnymeyy.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Help Please Stupid Virus attack - Red X

Hello

Each time this reboots, and with every keystroke, it just gets worse and worse. Very weird things are happening. Trying to repost this again now.

Results as follows:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekaxvnymeyy.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "seneka" deleted successfully.
File "C:\WINDOWS\system32\drivers\senekaxvnymeyy.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Help Please Stupid Virus attack - Red X

Probably the rootkit's fault, but we'll see if this can remove the files.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Help Please Stupid Virus attack - Red X

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/10/2009 9:20:42 PM
mbam-log-2009-03-10 (21-20-42).txt

Scan type: Quick Scan
Objects scanned: 65400
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 61

Memory Processes Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\XPPoliceAntivirus (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\XPPoliceAntivirus\setup.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cevakrnl.rvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_dll.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_emu.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_vfs.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ceva_vfs.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cookie.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cran.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\cran.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\emalware.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\e_spyw.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\e_spyw.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\gvmscripts.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\hpe.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\java.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_97.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_97.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_w95.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_x95.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mdx_xf.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\mobmalware.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\na.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\nelf.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\regarch.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\regscan.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\rup.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\sdx.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\sdx.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\unpack.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\unpack.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb0.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb1.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vb2.dat (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ve.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\ve.ivd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\Plugins\vedata.cvd (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\alert.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\click.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\XPPoliceAntivirus\sounds\fire.wav (Rogue.XPPoliceAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\User\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaathlwxrb.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaeptkjlov.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaexjgelwb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekajxjsddhf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalymyqksr.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaneoofjpj.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekarifonssw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekasiutkjlf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaulsioenp.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekayabwqvns.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekahopknkbx.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Re: Help Please Stupid Virus attack - Red X

Thanks heaps for your help, it is getting quite late here, we will be back online in 17 hours...hopefully

Thanks heaps!

Re: Help Please Stupid Virus attack - Red X

We have rebooted after the scan, and there seems to be no virus present. The red X is gone, and there is a command prompt file called 'c:\spsx.exe' that popped up on reboot that won't shut; otherwise it seems okay. We will check back tomorrow. Is it an ongoing virus scanner, or just a one-off?

Can't thank you enough, Belahzur.
Cheers, Ainsley

Re: Help Please Stupid Virus attack - Red X

The malware is still present.
When you get back, run this scanner.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Help Please Stupid Virus attack - Red X

DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 7:08:12.37 on Wed 03/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.75 [GMT 11:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\fxsteller.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.aapt.net.au
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{00cd55d6-ee5a-4570-9875-8a306628c032}\Icon3E5562ED7.ico
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-12 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-12 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-12 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-12 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-12 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-12 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2008-3-12 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-3-12 4960]
R2 Maxtor Sync Service;Maxtor Service;c:\program files\maxtor\sync\SyncServices.exe [2007-9-28 156976]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-03-10 21:36 93,266 a------- C:\sp2.exe
2009-03-10 21:34 290 a------- C:\spsx.exe
2009-03-10 21:07 --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-03-10 21:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-10 21:07 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-10 20:54 1,104 a------- C:\backup.reg
2009-03-10 20:37 135,168 a------- C:\zip.exe
2009-03-10 20:37 19,286 a------- C:\cleanup.exe
2009-03-10 20:37 574 a------- C:\cleanup.bat
2009-03-10 18:52 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-10 18:52 104,960 ac------ c:\windows\system32\dllcache\userinit.exe
2009-03-10 18:52 1 a------- c:\windows\system32\uniq.tll
2009-03-10 18:52 30,720 a------- c:\windows\system32\303369.exe
2009-03-10 18:16 48,690 ---shr-- c:\windows\fxsteller.exe
2009-03-06 17:54 --d----- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 5,632 a------- c:\windows\system32\ptpusb.dll
2009-02-20 21:27 159,232 a------- c:\windows\system32\ptpusd.dll
2009-02-12 17:07 --d----- c:\program files\Tux4kids
2009-02-11 17:27 --d----- c:\docume~1\user\applic~1\TuxPaint
2009-02-11 17:26 --d----- c:\program files\TuxPaint

==================== Find3M ====================

2009-03-10 18:52 104,960 a------- c:\windows\system32\userinit.exe
2009-02-07 19:45 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-21 10:15 826,368 a------- c:\windows\system32\wininet.dll
2008-11-18 21:43 30 a------- c:\documents and settings\user\jagex_runescape_preferences.dat

============= FINISH: 7:08:48.89 ===============

Re: Help Please Stupid Virus attack - Red X

Oh wow, this machine is horribly infected, how is it even able to boot properly?

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Re: Help Please Stupid Virus attack - Red X

Oh wow, that's not good news at all. Before this latest Red X virus, it actually worked beautifully.
Can I ask you, would the keystrokes being logged be a program someone has installed within the house (i.e. someone I know spying), or are they more likely to be hacker related? I don't see how my computer would be of interest to anyone unless there is dissent in the house.
Either way this is totally out of my league and I would appreciate your assistance.

Re: Help Please Stupid Virus attack - Red X

Nope, it's a hacker.

This line from DDS:
mRun: [Windows UDP Control Center] fxsteller.exe

Info:
http://www.threatexpert.com/report.aspx?md5=53b28cd0b371811bbfe6fbcbd5ecee22

This is why you got infected:
AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

You can't stay safe if you don't keep your AV up to date.
I'd seriously recommend a format here.
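The checks Belahzur applied by eye to the DDS log above can be written down as a small triage script. The following Python is an added example, not part of this thread or of DDS itself; the sample lines are constructed from values quoted in the thread, and the rule names (run-no-path, lsp-temp, and so on) are my own.

```python
import re

# Constructed sample of DDS-style report lines, modelled on the values quoted in
# this thread (AV line, Run entries, policy, LSP and "Created Last 30" lines).
# It is not the full DDS.txt from the post.
SAMPLE_DDS = r"""
AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dPolicies-system: DisableTaskMgr = 1 (0x1)
LSP: c:\docume~1\admini~1\locals~1\temp\ntdll64.dll
2009-03-10 18:52 30,720 a------- c:\windows\system32\303369.exe
2009-03-10 18:16 48,690 ---shr-- c:\windows\fxsteller.exe
2009-03-10 21:07 15,504 a------- c:\windows\system32\drivers\mbam.sys
"""

# Line shapes used by DDS: autostart entries, policy entries, Winsock LSPs and
# the "Created Last 30" file list (date, size, 8-character attribute field, path).
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-(?P<scope>\w+):\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)")
LSP_RE = re.compile(r"^LSP:\s*(?P<path>.+)$")
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+"
    r"(?P<attr>[a-z-]{8})\s+(?P<path>.+)$"
)

# Policy values that lock the user out of their own tools; all of these appear
# in the MBAM log earlier in the thread.
LOCKOUT_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools", "NoSetActiveDesktop",
    "NoActiveDesktopChanges", "NoChangingWallpaper",
}


def has_full_path(cmd: str) -> bool:
    """True if an autostart command names a drive, %variable% or UNC path."""
    cmd = cmd.strip().strip('"')
    return re.match(r"^([a-zA-Z]:\\|%[^%]+%\\|\\\\)", cmd) is not None


def triage(report: str) -> list[tuple[str, str]]:
    """Return (rule, line) pairs for report lines that deserve a second look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # An outdated AV is the root cause Belahzur points at.
        if line.startswith("AV:") and "(Outdated)" in line:
            findings.append(("av-outdated", line))
            continue
        m = RUN_RE.match(line)
        if m:
            # A bare file name in a Run entry hides where the binary lives;
            # legitimate installers almost always register a full path.
            if not has_full_path(m.group("cmd")):
                findings.append(("run-no-path", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("name") in LOCKOUT_POLICIES and m.group("val") != "0":
                findings.append(("policy-lockout", line))
            continue
        m = LSP_RE.match(line)
        if m:
            # A Winsock LSP loaded from a Temp directory has no legitimate reason to exist.
            if "\\temp\\" in m.group("path").lower():
                findings.append(("lsp-temp", line))
            continue
        m = CREATED_RE.match(line)
        if m:
            attr, path = m.group("attr"), m.group("path").lower()
            base = path.rsplit("\\", 1)[-1]
            # hidden+system on a freshly created file in the Windows tree hides it from Explorer.
            if "h" in attr and "s" in attr and path.startswith("c:\\windows"):
                findings.append(("hidden-system-file", line))
            # A purely numeric .exe name is a common dropper naming pattern.
            elif re.fullmatch(r"\d+\.exe", base):
                findings.append(("numeric-exe", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:20s} {line}")
```

Feed it a real DDS.txt and every flagged line is a candidate to look up, as Belahzur did with the fxsteller.exe entry; an empty result does not mean a clean machine.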

Re: Help Please Stupid Virus attack - Red X

Belahzur

OK, so I changed all passwords. I will then blow away Windows and start again. I have all info, music files, etc. saved in an external box; I presume this is also infected. What a nightmare.

Cheers

Re: Help Please Stupid Virus attack - Red X

Actually, I don't think the external is infected.
MBAM/DDS would show an autorun.inf on the C drive, but there isn't one in this case. So I think the external drive is fine.

Re: Help Please Stupid Virus attack - Red X

Hello,

Could we please accept your kind offer of cleaning this PC remotely? We would like to try this before the re-format option.

Cheers!

Re: Help Please Stupid Virus attack - Red X

Okay.


  • Download combofix from here
    Link 1
    Link 2
  • Please disable your local AV (Anti-virus). See HERE for how to disable your AV. (AVG7)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Help Please Stupid Virus attack - Red X

ComboFix 09-03-10.03 - User 2009-03-12 17:50:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.276 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\303369.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekahopknkbx.sys
c:\windows\system32\init32.exe
c:\windows\system32\senekaeptkjlov.dll
c:\windows\system32\senekajxjsddhf.dat
c:\windows\system32\senekalymyqksr.dat
c:\windows\system32\senekarifonssw.dll
c:\windows\system32\senekaulsioenp.dll
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-10 21:36 . 2009-03-10 21:36 93,266 --a------ C:\sp2.exe
2009-03-10 21:34 . 2009-03-10 21:34 290 --a------ C:\spsx.exe
2009-03-10 21:27 . 2009-03-10 21:27 d-------- c:\documents and settings\Administrator
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 20:54 . 2009-03-10 20:54 1,104 --a------ C:\backup.reg
2009-03-10 20:37 . 2009-03-10 20:54 135,168 --a------ C:\zip.exe
2009-03-10 20:37 . 2009-03-10 20:54 19,286 --a------ C:\cleanup.exe
2009-03-10 20:37 . 2009-03-10 20:54 574 --a------ C:\cleanup.bat
2009-03-10 18:16 . 2009-03-09 22:51 48,690 -r-hs---- c:\windows\fxsteller.exe
2009-03-06 17:54 . 2009-03-06 17:54 d-------- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 . 2008-04-14 11:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-20 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-12 17:07 . 2009-02-12 17:07 d-------- c:\program files\Tux4kids

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 06:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-12 06:26 --------- d-----w c:\documents and settings\User\Application Data\AVG7
2009-03-10 10:09 5,747 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-01 03:02 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-02-12 04:58 --------- d-----w c:\program files\TuxPaint
2009-02-11 07:16 --------- d-----w c:\documents and settings\User\Application Data\TuxPaint
2009-02-07 08:17 --------- d-----w c:\program files\Google
2009-02-07 08:13 --------- d-----w c:\program files\MySpace
2009-02-07 08:10 --------- d-----w c:\program files\Canon
2009-02-07 07:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 18:18 --------- d-----w c:\program files\Common Files\CANON
2009-02-06 18:14 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-06 18:13 --------- d--h--w c:\program files\CanonBJ
2009-01-19 20:49 --------- d-----w c:\program files\sz8080_6
2009-01-19 20:49 --------- d-----w c:\documents and settings\User\Application Data\School Zone Preferences
2008-11-18 10:43 30 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-21 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-21 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-21 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-12 579072]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2008-11-26 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\User_Feed_Synchronization-{10B83218-3B6A-4A63-B109-B4A676C056FB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.aapt.net.au
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 17:56:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1958367476-682003330-1004\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre1.6.0_03\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-12 18:02:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 07:02:00

Pre-Run: 1,929,736,192 bytes free
Post-Run: 2,536,493,056 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

168 --- E O F --- 2009-03-10 20:32:31
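A helper reads a log like the one above for a handful of things: what ComboFix deleted, whether a core system file (here userinit.exe) was replaced, which services went, newly created executables with odd attributes or odd locations, and host settings such as the firewall being off. The script below is an added example, not part of this thread and not ComboFix's own code: it parses ComboFix's section headers and "Files Created" line format and turns those checks into a list of findings. SAMPLE_LOG is a constructed excerpt of the log posted above; the severity labels, the "hidden+system executable" and "executable dropped in drive root" heuristics, and the KNOWN_GOOD driver names are this example's own assumptions, not anything ComboFix outputs.

```python
"""Triage a ComboFix log for the indicators a malware-removal helper reads it for."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: fragments of the log posted above, in ComboFix's own line formats.
SAMPLE_LOG = r"""
ComboFix 09-03-10.03 - User 2009-03-12 17:50:12.1 - NTFSx86
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\303369.exe
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\senekaeptkjlov.dll
c:\windows\system32\init32.exe

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SENEKA

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.
2009-03-10 21:36 . 2009-03-10 21:36 93,266 --a------ C:\sp2.exe
2009-03-10 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 18:16 . 2009-03-09 22:51 48,690 -r-hs---- c:\windows\fxsteller.exe
2009-03-06 17:54 . 2009-03-06 17:54 d-------- c:\program files\Monster Trucks Nitro Demo
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"""

HEADER_RE = re.compile(r"^(?:\({3,}|-{3,})\s*(.+?)\s*(?:\){3,}|-{3,})$")  # "((( Name )))" / "--- NAME ---"
PATH_RE = re.compile(r"^[A-Za-z]:\\")
ROOT_DROP_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")                    # file directly in C:\
DISINFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
SERVICE_RE = re.compile(r"^-{3,}\\(?P<name>Service_\S+)$")           # "-------\Service_X" = removed
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>.+?)\*(?: \((?P<status>\w+)\))?$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
CREATED_RE = re.compile(                       # "<created> . <modified> [<size>] <attrs> <path>"
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".reg")
KNOWN_GOOD = {"mbam.sys", "mbamswissarmy.sys"}  # assumption: Malwarebytes drivers installed by the user


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    detail: str


def check_created(m: re.Match) -> list[Finding]:
    """Heuristics for one 'Files Created' line: hidden+system executables, or executables dropped in C:\\."""
    path, attrs = m.group("path"), m.group("attrs")
    name = path.rsplit("\\", 1)[-1].lower()
    if attrs.startswith("d") or not name.endswith(EXEC_EXT) or name in KNOWN_GOOD:
        return []
    if "h" in attrs and "s" in attrs:              # attribute column: d r a h s ...
        return [Finding("high", f"hidden+system executable created: {path} ({attrs})")]
    if ROOT_DROP_RE.match(path):
        return [Finding("medium", f"executable dropped in drive root: {path}")]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    deleted: list[str] = []
    section = "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "header":
            av = AV_RE.match(line)
            if av and (av.group("status") or "").lower() == "outdated":
                findings.append(Finding("medium", f"{av.group('name')} is outdated; {av.group('state').lower()}"))
        elif section == "other deletions":
            if PATH_RE.match(line):
                deleted.append(line)
            fixed = DISINFECTED_RE.match(line)
            if fixed:
                findings.append(Finding("high", f"infected system file replaced: {fixed.group('path')}"))
        elif section == "drivers/services":
            svc = SERVICE_RE.match(line)
            if svc:
                findings.append(Finding("high", f"malicious service removed: {svc.group('name')}"))
        elif section.startswith("files created"):
            created = CREATED_RE.match(line)
            if created:
                findings.extend(check_created(created))
        elif section == "reg loading points" and FIREWALL_RE.match(line):
            findings.append(Finding("medium", "Windows Firewall disabled (EnableFirewall=0)"))
    if deleted:
        findings.append(Finding("high", f"{len(deleted)} file(s) deleted, e.g. {deleted[0]}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a real log, the one thing to resist is treating every "Files Created" entry as hostile: the Malwarebytes drivers, the Canon DLLs and the helper's own tools all show up there too, which is why the example keeps an explicit allow-list and only scores attributes and location rather than mere newness.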

Re: Help Please Stupid Virus attack - Red X
Nearly there.

Now open a new notepad file.
Input this into the notepad file:

File::
C:\sp2.exe
C:\spsx.exe
C:\backup.reg
C:\zip.exe
C:\cleanup.exe
C:\cleanup.bat
c:\windows\fxsteller.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: CFScript.txt being dragged onto ComboFix.exe]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: Help Please Stupid Virus attack - Red X
ComboFix 09-03-10.03 - User 2009-03-13 14:04:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.267 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
AV: AVG 7.5.503 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-10 21:36 . 2009-03-10 21:36 93,266 --a------ C:\sp2.exe
2009-03-10 21:34 . 2009-03-10 21:34 290 --a------ C:\spsx.exe
2009-03-10 21:27 . 2009-03-10 21:27 d-------- c:\documents and settings\Administrator
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-03-10 21:07 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 21:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 21:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 20:54 . 2009-03-10 20:54 1,104 --a------ C:\backup.reg
2009-03-10 20:37 . 2009-03-10 20:54 135,168 --a------ C:\zip.exe
2009-03-10 20:37 . 2009-03-10 20:54 19,286 --a------ C:\cleanup.exe
2009-03-10 20:37 . 2009-03-10 20:54 574 --a------ C:\cleanup.bat
2009-03-10 18:16 . 2009-03-09 22:51 48,690 -r-hs---- c:\windows\fxsteller.exe
2009-03-06 17:54 . 2009-03-06 17:54 d-------- c:\program files\Monster Trucks Nitro Demo
2009-02-20 21:27 . 2008-04-14 11:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-02-20 21:27 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 21:00 --------- d-----w c:\documents and settings\User\Application Data\AVG7
2009-03-12 20:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-12 06:35 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-03-10 10:09 5,747 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-01 03:02 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-02-12 06:07 --------- d-----w c:\program files\Tux4kids
2009-02-12 04:58 --------- d-----w c:\program files\TuxPaint
2009-02-11 07:16 --------- d-----w c:\documents and settings\User\Application Data\TuxPaint
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 08:17 --------- d-----w c:\program files\Google
2009-02-07 08:13 --------- d-----w c:\program files\MySpace
2009-02-07 08:10 --------- d-----w c:\program files\Canon
2009-02-07 07:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 18:18 --------- d-----w c:\program files\Common Files\CANON
2009-02-06 18:14 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-06 18:13 --------- d--h--w c:\program files\CanonBJ
2009-01-19 20:49 --------- d-----w c:\program files\sz8080_6
2009-01-19 20:49 --------- d-----w c:\documents and settings\User\Application Data\School Zone Preferences
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-18 10:43 30 ----a-w c:\documents and settings\User\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-21 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-21 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-21 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-12 579072]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-12 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
VPN Client.lnk - c:\windows\Installer\{00CD55D6-EE5A-4570-9875-8A306628C032}\Icon3E5562ED7.ico [2008-11-26 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\User_Feed_Synchronization-{10B83218-3B6A-4A63-B109-B4A676C056FB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uStart Page = www.aapt.net.au
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 14:07:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1958367476-682003330-1004\Software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
@Allowed: (2) (Administrators)
"Policy"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
Completion time: 2009-03-13 14:10:17
ComboFix-quarantined-files.txt 2009-03-13 03:09:17
ComboFix2.txt 2009-03-12 07:02:21

Pre-Run: 2,413,068,288 bytes free
Post-Run: 2,474,467,328 bytes free

131 --- E O F --- 2009-03-10 20:32:31

Re: Help Please Stupid Virus attack - Red X
That didn't work right.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\sp2.exe
    C:\spsx.exe
    C:\backup.reg
    C:\zip.exe
    C:\cleanup.exe
    C:\cleanup.bat
    c:\windows\fxsteller.exe


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.
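Both of the scripts above (the CFScript "File::" list two posts back and the OTMoveIt3 ":files" list here) are the same idea: a header line followed by one path per line, and the tool moves those files out of the way rather than deleting them. The following Python is an added example, not OTMoveIt3's, ComboFix's or this thread's code: it parses either list format, hashes each file before moving it (so the sample can be identified later even after the quarantine folder is cleared), writes a manifest recording where each file came from, and reports files that were already gone or could not be moved because they were in use, which is the case OTMoveIt3 defers to a reboot. SAMPLE_SCRIPT is a copy of the list posted above; the quarantine folder layout, manifest fields and the demo() stand-in files are this example's own assumptions.

```python
"""Quarantine the files named in an OTMoveIt3 ':files' or ComboFix 'File::' list."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Section markers of the two script formats used in this thread.
SCRIPT_HEADERS = {":files", "file::"}

# Constructed copy of the list the helper posted above.
SAMPLE_SCRIPT = r"""
:files
C:\sp2.exe
C:\spsx.exe
C:\backup.reg
C:\zip.exe
C:\cleanup.exe
C:\cleanup.bat
c:\windows\fxsteller.exe
"""


def parse_script(text: str) -> list[str]:
    """Return the paths listed under a ':files' / 'File::' header, ignoring other sections."""
    paths: list[str] = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() in SCRIPT_HEADERS:
            in_files = True
        elif line.startswith(":") or line.endswith("::"):
            in_files = False          # another section, e.g. ':commands' or 'Registry::'
        elif in_files:
            paths.append(line)
    return paths


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: list[str], qdir: Path) -> dict:
    """Move each listed file into qdir; record hash, size and original location in manifest.json.

    Returns {"moved": [...], "missing": [...], "locked": [...]}. A file that is open or in use
    raises PermissionError on Windows and lands in "locked" (what OTMoveIt3 defers to a reboot).
    """
    qdir.mkdir(parents=True, exist_ok=True)
    report: dict = {"moved": [], "missing": [], "locked": []}
    manifest: list[dict] = []
    for p in paths:
        src = Path(p)
        if not src.is_file():
            report["missing"].append(p)
            continue
        st = src.stat()
        entry = {
            "original": str(src),
            "size": st.st_size,
            "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
            "sha256": sha256_of(src),   # hashed before the move so the sample can be looked up later
        }
        # Flat, unambiguous name inside the quarantine folder, e.g. "c__windows_fxsteller.exe".
        flat = str(src).replace(":", "_").replace("\\", "_").replace("/", "_").lstrip("_")
        dest = qdir / flat
        try:
            shutil.move(str(src), str(dest))
        except PermissionError:
            report["locked"].append(p)
            continue
        entry["quarantined"] = str(dest)
        manifest.append(entry)
        report["moved"].append(p)
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return report


def demo() -> dict:
    """Constructed end-to-end run in a temp dir: two dropped files exist, a third is already gone."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_demo_"))
    (root / "sp2.exe").write_bytes(b"MZ" + b"\x90" * 64)      # stand-ins, not real samples
    (root / "fxsteller.exe").write_bytes(b"MZ" + b"\x00" * 32)
    script = f":files\n{root / 'sp2.exe'}\n{root / 'fxsteller.exe'}\n{root / 'spsx.exe'}\n"
    qdir = root / "quarantine"
    report = quarantine(parse_script(script), qdir)
    manifest = json.loads((qdir / "manifest.json").read_text())
    report["manifest"] = manifest
    report["hash_ok"] = all(sha256_of(Path(m["quarantined"])) == m["sha256"] for m in manifest)
    report["remaining"] = sorted(p.name for p in root.iterdir() if p.is_file())
    return report


if __name__ == "__main__":
    print(parse_script(SAMPLE_SCRIPT))
    print(json.dumps(demo(), indent=2))
```

Moving rather than deleting is the point: the log above shows that the first attempt (the CFScript) left every listed file in place, and a move that is recorded in a manifest can be reversed if one of the files turns out to be the user's own.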

Re: Help Please Stupid Virus attack - Red X
Hello, this is what I got. Cheers.

========== FILES ==========
C:\sp2.exe moved successfully.
C:\spsx.exe moved successfully.
C:\backup.reg moved successfully.
C:\zip.exe moved successfully.
C:\cleanup.exe moved successfully.
C:\cleanup.bat moved successfully.
c:\windows\fxsteller.exe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03132009_204211

Re: Help Please Stupid Virus attack - Red X
Okay, the malware is gone, but not done yet.
Your AVG is outdated and won't keep you protected, so we have to remove it and install a new AV.

First though, we need to remove Combofix because we don't need it now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: the Run box with "ComboFix /u"]

This will also reset your restore points.

Lets see what's installed.

  • Open HijackThis
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: Help Please Stupid Virus attack - Red X
Sorry, we don't have the program 'HijackThis'.
Could you please send us a link?
Cheers

Re: Help Please Stupid Virus attack - Red X
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Click "Open the Misc Tools section"
  • Click "Open Uninstall Manager"
  • Click "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: Help Please Stupid Virus attack - Red X
Here you go... thanks

ABBYY FineReader 5.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11
AVG 7.5
Ben 10 Escape Fury
Canon MP Navigator EX 2.0
Canon MP630 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Cisco Systems VPN Client 4.7.00.0533
Dell Resource CD
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 3
Lexmark X1100 Series
Malwarebytes' Anti-Malware
Maxtor Manager
Maxtor Manager
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
mIRC
Monster Trucks Nitro Demo
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
OTOY
Pencil-Pal Preschool
QuickTime
Registry Mechanic 8.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
SoundMAX
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VLC media player 0.9.2
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Service Pack 3
WinRAR archiver

Re: Help Please Stupid Virus attack - Red X
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    Adobe Reader 7.0
    AVG 7.5
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 3
    VLC media player 0.9.2


These items I ask to be uninstalled are all old versions, and I want to update them to the new versions.
First, install Avira.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Second, install the latest version of Adobe Reader.

Download and install version 9 from here:
http://get.adobe.com/uk/reader/

Let me know once you've done that and then we'll do VLC player and Java.

Re: Help Please Stupid Virus attack - Red X
OK, I am done.
Cheers

Re: Help Please Stupid Virus attack - Red X
Hello.
Okay, Java and VLC.

Please download and install the VLC player 0.9.8b from here:
http://www.videolan.org/vlc/download-windows.html

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12.
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from here

  • First, unzip it.
  • Then run JavaRa. (If you are running Vista, you will need to right click JavaRa > select "Run as administrator")
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

Re: Help Please Stupid Virus attack - Red X
Here we go.
Thanks heaps!

JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sat Mar 14 00:27:37 2009

Found and removed: C:\Program Files\Java\jre1.6.0_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

------------------------------------

Finished reporting.
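As an added example, not from the thread or from The Avenger's author: a small Python triage script that parses the "Found and removed:" lines of an Avenger log like the one above, decodes the Java Plug-in CLSID naming scheme ({CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA}, where the three middle groups encode the JRE version, so 0013-0001-0017 is 1.3.1_17), and lists anything it does not recognise for manual review. The sample input is a handful of lines copied from the log plus one made-up CLSID to exercise the unrecognised path; treating the ...ABCDEFFEDCBB suffix as a companion entry registered by the same JRE is an assumption, as is the "unrecognised" dummy key.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the Avenger log above, plus one
# made-up CLSID (all zeros/ones/...) to show how unmatched keys are reported.
SAMPLE_LOG = r"""Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: Software\Classes\CLSID\{00000000-1111-2222-3333-444444444444}

------------------------------------

Finished reporting.
"""

REMOVED_PREFIX = "Found and removed:"

# Java Plug-in static-versioning CLSID: CAFEEFAC-xxxx-yyyy-zzzz-ABCDEFFEDCBA.
# xxxx = "1.x" family (0016 -> 1.6), yyyy = minor, zzzz = update number.
# Suffix ...CBA is the documented static CLSID; ...CBB is assumed here to be
# the companion entry the same JRE installer registers next to it.
RE_JAVA_CLSID = re.compile(
    r"\{CAFEEFAC-(\d{4})-(\d{4})-([0-9A-F]{4})-ABCDEFFEDCB([AB])\}$",
    re.IGNORECASE,
)


def removed_keys(log_text):
    """Return the registry paths named on every 'Found and removed:' line."""
    keys = []
    for line in log_text.splitlines():
        if line.startswith(REMOVED_PREFIX):
            keys.append(line[len(REMOVED_PREFIX):].strip())
    return keys


def decode_java_clsid(key):
    """Return (jre_version, suffix_letter) for a Java Plug-in CLSID, else None."""
    m = RE_JAVA_CLSID.search(key)
    if not m:
        return None
    family, minor, update, suffix = m.groups()
    fam = int(family)                       # 13 -> "1.3", 16 -> "1.6"
    version = f"{fam // 10}.{fam % 10}.{int(minor)}_{int(update):02d}"
    return version, suffix.upper()


def classify(key):
    """Map one removed registry path to (category, detail)."""
    decoded = decode_java_clsid(key)
    if decoded:
        version, suffix = decoded
        kind = "static" if suffix == "A" else "companion"
        return "java-plugin-clsid", f"JRE {version} ({kind})"
    if "\\Installer\\Folders\\" in key and "\\Java\\" in key:
        folder = key.rsplit("\\Java\\", 1)[1].rstrip("\\")
        return "java-installer-folder", folder
    return "unrecognised", key


def summarise(log_text):
    """Count removed keys per category and keep the per-key rows for review."""
    rows = [classify(k) for k in removed_keys(log_text)]
    counts = Counter(category for category, _ in rows)
    return {"total": len(rows), "counts": dict(counts), "rows": rows}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print(f"{report['total']} keys removed: {report['counts']}")
    for category, detail in report["rows"]:
        if category == "unrecognised":
            print("REVIEW:", detail)
```

Everything that decodes as a Java Plug-in CLSID or as the Installer\Folders record for a JRE directory is a leftover of a Java install and needs no further attention; the script prints only the keys it cannot account for, which are the ones worth checking by hand before trusting the cleanup.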

Re: Help Please Stupid Virus attack - Red X

That should do it.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Re: Help Please Stupid Virus attack - Red X

Thank you!
I don't think I can put into words how much help you have been. You guys are great! Thanks for everything that you have done and the time and effort you have put into our problem.
Cheers Ainsley
