Old 12-28-2008, 12:42 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: xp


Pop-ups won't stop - ? Vundo. Help please?

Appears I have got the Vundo trojan. It got through AVG so I upgraded to my work's McAfee Enterprise - after a few runs it appeared to have cleared it, however pop-ups still occur. McAfee recommended the following - which I did after switching off system restore (as they recommended)


Instructions

1. Download Process Explorer (procexp.exe) from Sysinternals.
2. Reboot the infected machine.
3. Launch the VirusScan On-Demand Scanner (ODS), or the command-line scanner, but don't initiate the scan yet.
4. Run Process Explorer and suspend the Explorer.exe, Winlogon.exe, and rundll32.exe processes (right-click on these process names and choose Suspend).
5. Scan & clean with the current DAT files and engine (the window launched in step 3 above) [there will be clean failures, that is expected].
6. Physically power the machine off and back on (a hard reset is required as Windows will not shut down without Winlogon.exe running, and resuming that process will revert the changes made by the scanner).

These steps will remove all relevant registry entries and identified Vundo components.

Still no luck.

Pop-ups appear to read the sites and searches I do and then pop up an advert, e.g. for McAfee.

Anyway here's the info ..... hope someone can help?

DDS info


DDS (Version 1.1.0) - NTFSx86
Run by Niall Dew at 18:50:22.31 on 28/12/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.479 [GMT 0:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\System Control Manager\MSIService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\System Control Manager\MGSysCtrl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Niall Dew\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {716fb59c-6259-274a-4c64-99abee9d60ba}: {ab06d9ee-ba99-46c4-a472-9526c95bf617} - c:\windows\system32\rbbodm.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MGSysCtrl] c:\program files\system control manager\MGSysCtrl.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [8860814f] rundll32.exe "c:\windows\system32\wikjxqkw.dll",b
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: rbbodm.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnmKBuS

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-27 340592]
R2 McAfeeEngineService;McAfee Engine Service;"c:\program files\mcafee\virusscan enterprise\EngineServer.exe" [2008-9-29 19456]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-3-14 103744]
R2 McShield;McAfee McShield;"c:\program files\mcafee\virusscan enterprise\Mcshield.exe" [2008-9-29 143088]
R2 McTaskManager;McAfee Task Manager;"c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe" [2008-9-29 62800]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-12-27 67904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\system control manager\MSIService.exe [2008-5-30 159744]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-27 90360]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-27 42424]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2008-5-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\drivers\rtl8187Se.sys [2008-5-30 306176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-12-27 64432]

=============== Created Last 30 ================

2008-12-28 18:50 <DIR> --d-h--- c:\windows\PIF
2008-12-27 16:11 <DIR> --d----- C:\QUARANTINE
2008-12-27 15:35 74,648 a------- c:\windows\system32\drivers\mfeapfk.sys
2008-12-27 15:35 64,432 a------- c:\windows\system32\drivers\mferkdet.sys
2008-12-27 15:35 42,424 a------- c:\windows\system32\drivers\mfebopk.sys
2008-12-27 15:35 90,360 a------- c:\windows\system32\drivers\mfeavfk.sys
2008-12-27 15:35 62,704 a------- c:\windows\system32\drivers\mfetdik.sys
2008-12-27 15:35 340,592 a------- c:\windows\system32\drivers\mfehidk.sys
2008-12-27 15:35 67,904 a------- c:\windows\system32\mfevtps.exe
2008-12-27 15:34 <DIR> --d----- c:\program files\common files\Cisco Systems
2008-12-27 15:34 <DIR> --d----- c:\program files\McAfee
2008-12-27 15:34 <DIR> --d----- c:\program files\common files\McAfee
2008-12-27 15:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-26 18:26 <DIR> --d----- C:\VundoFix Backups
2008-12-26 16:24 250 a------- c:\windows\gmer.ini
2008-12-25 20:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 20:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 20:56 <DIR> --d----- c:\docume~1\nialld~1\applic~1\SUPERAntiSpyware.com
2008-12-25 20:34 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-25 20:20 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-25 20:19 19,569 a------- c:\windows\000001_.tmp
2008-12-25 20:18 <DIR> --d----- c:\windows\EHome
2008-12-25 11:18 1,733,149 ---sh--- c:\windows\system32\wkqxjkiw.ini
2008-12-25 11:18 137,216 a------- c:\windows\system32\rbbodm.dll
2008-12-25 11:18 137,216 a------- c:\windows\system32\ammepcmw.dll
2008-12-25 11:18 88,576 a------- c:\windows\system32\wikjxqkw.dll
2008-12-25 11:06 1,639,241 ---sh--- c:\windows\system32\akpwsbuf.ini
2008-12-25 11:06 88,576 a------- c:\windows\system32\fubswpka.dll
2008-12-25 11:03 137,216 a------- c:\windows\system32\ffqbwt.dll
2008-12-25 11:03 137,216 a------- c:\windows\system32\xuuihfdv.dll
2008-12-25 08:40 143 a------- c:\windows\system32\mcrh.tmp
2008-12-24 11:03 86,528 a------- c:\windows\system32\jpaakfcc.dll
2008-12-24 11:03 1,639,241 ---sh--- c:\windows\system32\ccfkaapj.ini
2008-12-24 11:00 135,168 a------- c:\windows\system32\yytuih.dll
2008-12-24 10:59 135,168 a------- c:\windows\system32\isbthwkm.dll
2008-12-23 10:58 1,639,241 ---sh--- c:\windows\system32\qslipvuu.ini
2008-12-23 10:57 788,547 a--sh--- c:\windows\system32\SuBKmnpo.ini2
2008-12-23 10:57 788,547 a--sh--- c:\windows\system32\SuBKmnpo.ini

==================== Find3M ====================

2008-12-27 20:55 18,520 a------- c:\docume~1\nialld~1\applic~1\wklnhst.dat
2008-11-12 19:23 410,976 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 18:51:30.53 ===============

Old 12-30-2008, 08:30 AM   #2 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,276
OS: Windows 7 Premium x64


Re: Pop-ups won't stop - ? Vundo. Help please?

Hi there thebigun

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards.

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only, it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding, an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Please copy and paste any requested logs into replies rather than add as attachments, this makes it easier for analysis.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 12-30-2008, 09:52 AM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: xp


Re: Pop-ups won't stop - ? Vundo. Help please?

Hi SJB007,

many thanks for helping me with this it is really very much appreciated.

I had to run ComboFix 3 times because I don't think I managed to turn off McAfee - I disabled the service eventually - hope that did it. Here's the report.

ComboFix 08-12-29.02 - Niall Dew 2008-12-30 16:43:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.546 [GMT 0:00]
Running from: c:\documents and settings\Niall Dew\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 18:50 . 2008-12-28 18:50 <DIR> d--h----- c:\windows\PIF
2008-12-27 16:11 . 2008-12-30 10:07 <DIR> d-------- C:\QUARANTINE
2008-12-27 15:35 . 2008-09-29 08:07 340,592 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-27 15:35 . 2008-09-29 08:07 90,360 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-27 15:35 . 2008-09-29 08:07 74,648 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-27 15:35 . 2008-09-29 08:07 67,904 --a------ c:\windows\system32\mfevtps.exe
2008-12-27 15:35 . 2008-09-29 08:07 64,432 --a------ c:\windows\system32\drivers\mferkdet.sys
2008-12-27 15:35 . 2008-09-29 08:07 62,704 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-27 15:35 . 2008-09-29 08:07 42,424 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\McAfee
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-12-27 15:34 . 2008-12-27 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-27 15:31 . 2008-12-27 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-26 18:26 . 2008-12-26 18:26 <DIR> d-------- C:\VundoFix Backups
2008-12-26 16:24 . 2008-12-28 19:02 250 --a------ c:\windows\gmer.ini
2008-12-25 20:56 . 2008-12-27 15:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 20:56 . 2008-12-27 15:43 <DIR> d-------- c:\documents and settings\Niall Dew\Application Data\SUPERAntiSpyware.com
2008-12-25 20:56 . 2008-12-25 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 20:34 . 2008-04-14 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-25 20:20 . 2008-12-25 20:20 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-25 20:19 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2008-12-25 20:18 . 2008-12-25 20:18 <DIR> d-------- c:\windows\EHome
2008-11-12 19:23 . 2008-11-12 19:23 <DIR> d-------- c:\windows\Sun
2008-11-12 19:23 . 2008-11-12 19:23 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 19:23 . 2008-11-12 19:23 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 19:22 . 2008-11-12 19:22 <DIR> d-------- c:\program files\Java
2008-11-12 15:54 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 15:48 . 2008-11-04 16:12 754 --a------ c:\windows\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 20:55 18,520 ----a-w c:\documents and settings\Niall Dew\Application Data\wklnhst.dat
2008-12-25 09:55 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 18:57 --------- d-----w c:\documents and settings\Niall Dew\Application Data\Toshiba
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-29 08:07 19,480 ----a-w c:\windows\system32\MFEOtlk.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab06d9ee-ba99-46c4-a472-9526c95bf617}]
c:\windows\system32\rbbodm.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-04-23 778240]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-12 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-02-22 2938184]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rbbodm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;"c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe" [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-12-27 67904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-05-30 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\DRIVERS\rtl8187Se.sys [2008-05-30 306176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-12-27 64432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\fkybcmih.job
- c:\windows\system32\rundll32.exe [2008-04-14 12:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 16:45:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 16:45:54
ComboFix-quarantined-files.txt 2008-12-30 16:45:51
ComboFix2.txt 2008-12-30 16:36:00

Pre-Run: 66,937,032,704 bytes free
Post-Run: 66,924,679,168 bytes free

137 --- E O F --- 2008-12-18 16:12:35


Thanks again

TheBigUn
Old 12-30-2008, 12:37 PM   #4 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,276
OS: Windows 7 Premium x64


Re: Pop-ups won't stop - ? Vundo. Help please?

Hi there thebigun
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/328739-pop-ups-won-t-stop-vundo-help-please.html

    Collect::
    c:\windows\system32\rbbodm.dll
    c:\windows\Tasks\fkybcmih.job

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab06d9ee-ba99-46c4-a472-9526c95bf617}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

Once done.....

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next.....

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back with the results from both logs in your next reply.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007

Last edited by sjb007; 12-30-2008 at 12:39 PM.
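As an added example (my own code, not part of DDS, ComboFix or anything the analyst posted), here is a small Python checker for the DDS "Pseudo HJT Report" and "Created Last 30" lines from the first post. It flags the loading points the CFScript above targets (a BHO registered with no friendly name, a non-empty AppInit_DLLs value, an extra LSA authentication package, a Run value that loads a DLL through rundll32) and pairs each hidden+system .ini in system32 with the DLL whose name is the .ini name reversed, a pattern visible in that log (wkqxjkiw.ini / wikjxqkw.dll). The sample lines are copied from the log; the category names and the suspect_paths helper are my own.

```python
"""Flag Vundo-style loading points in a DDS report (added example for this thread)."""
import ntpath
import re

# Constructed sample: representative lines copied from the DDS "Pseudo HJT Report"
# and "Created Last 30" sections posted in this thread.
SAMPLE_DDS = r"""
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {716fb59c-6259-274a-4c64-99abee9d60ba}: {ab06d9ee-ba99-46c4-a472-9526c95bf617} - c:\windows\system32\rbbodm.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [8860814f] rundll32.exe "c:\windows\system32\wikjxqkw.dll",b
AppInit_DLLs: rbbodm.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnmKBuS
2008-12-25 11:18 1,733,149 ---sh--- c:\windows\system32\wkqxjkiw.ini
2008-12-25 11:18 88,576 a------- c:\windows\system32\wikjxqkw.dll
2008-12-23 10:57 788,547 a--sh--- c:\windows\system32\SuBKmnpo.ini
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(rf"^BHO: (?P<name>.*?): (?P<clsid>{GUID}) - (?P<path>.+)$")
RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<val>.*)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<val>.+)$")
# "<date> <time> <size> <attrs> <path>" lines of the Created Last 30 section
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$")


def stem(path):
    """Lower-cased file name without directory or extension (Windows paths, any host)."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def analyze(text):
    """Return (category, detail) findings for the suspicious loading points in a DDS report."""
    findings = []
    dll_by_stem = {}   # name stem -> path of every DLL/module the report mentions
    hidden_inis = []   # .ini files carrying both the system and hidden attributes
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            dll_by_stem[stem(m["path"])] = m["path"]
            # A BHO whose display name is itself a GUID was registered without a friendly name.
            if re.fullmatch(GUID, m["name"]):
                findings.append(("bho_no_name", m["path"]))
        elif m := RUN_RE.match(line):
            # Run values that load a DLL through rundll32 deserve a look at the DLL itself.
            if r := RUNDLL_RE.match(m["cmd"]):
                dll_by_stem[stem(r["dll"])] = r["dll"]
                findings.append(("run_rundll32", r["dll"]))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is empty on a clean XP box; anything listed loads into every GUI process.
            for dll in m["val"].split():
                dll_by_stem[stem(dll)] = dll
                findings.append(("appinit_dll", dll))
        elif m := LSA_RE.match(line):
            # msv1_0 is the only expected authentication package on a home XP system.
            for pkg in m["val"].split():
                if pkg.lower() != "msv1_0":
                    dll_by_stem[stem(pkg)] = pkg
                    findings.append(("lsa_package", pkg))
        elif m := FILE_RE.match(line):
            path, attrs = m["path"], m["attrs"]
            if path.lower().endswith(".dll"):
                dll_by_stem.setdefault(stem(path), path)
            elif path.lower().endswith(".ini") and "s" in attrs and "h" in attrs:
                hidden_inis.append(path)
    # Vundo drops a hidden+system .ini whose name is the companion DLL's name reversed
    # (wkqxjkiw.ini / wikjxqkw.dll in this log); pair them up.
    for ini in hidden_inis:
        partner = dll_by_stem.get(stem(ini)[::-1])
        if partner:
            findings.append(("reversed_ini", f"{ini} <-> {partner}"))
    return findings


def suspect_paths(findings):
    """Distinct full paths named by the findings, e.g. for a Collect:: list or quarantine review."""
    paths = set()
    for _, detail in findings:
        for part in detail.split(" <-> "):
            if "\\" in part:
                paths.add(part)
    return sorted(paths)


if __name__ == "__main__":
    for category, detail in analyze(SAMPLE_DDS):
        print(f"{category:13} {detail}")
```

The checker only reads the log text, so it can be run against a DDS report copied from a thread like this one without touching the infected machine.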
Old 12-30-2008, 01:26 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: xp


Re: Pop-ups won't stop - ? Vundo. Help please?

Here's the latest report after running the script ....

Posted the ComboFix script .... this was to bleepingcomputer - was that right?

Here it is (other report to follow)

ComboFix 08-12-29.02 - Niall Dew 2008-12-30 20:15:54.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.547 [GMT 0:00]
Running from: c:\documents and settings\Niall Dew\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Niall Dew\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\fkybcmih.job

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-28 18:50 . 2008-12-28 18:50 <DIR> d--h----- c:\windows\PIF
2008-12-27 16:11 . 2008-12-30 10:07 <DIR> d-------- C:\QUARANTINE
2008-12-27 15:35 . 2008-09-29 08:07 340,592 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-27 15:35 . 2008-09-29 08:07 90,360 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-27 15:35 . 2008-09-29 08:07 74,648 --a------ c:\windows\system32\drivers\mfeapfk.sys
2008-12-27 15:35 . 2008-09-29 08:07 67,904 --a------ c:\windows\system32\mfevtps.exe
2008-12-27 15:35 . 2008-09-29 08:07 64,432 --a------ c:\windows\system32\drivers\mferkdet.sys
2008-12-27 15:35 . 2008-09-29 08:07 62,704 --a------ c:\windows\system32\drivers\mfetdik.sys
2008-12-27 15:35 . 2008-09-29 08:07 42,424 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\McAfee
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-27 15:34 . 2008-12-27 15:34 <DIR> d-------- c:\program files\Common Files\Cisco Systems
2008-12-27 15:34 . 2008-12-27 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-27 15:31 . 2008-12-27 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-26 18:26 . 2008-12-26 18:26 <DIR> d-------- C:\VundoFix Backups
2008-12-26 16:24 . 2008-12-28 19:02 250 --a------ c:\windows\gmer.ini
2008-12-25 20:56 . 2008-12-27 15:43 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 20:56 . 2008-12-27 15:43 <DIR> d-------- c:\documents and settings\Niall Dew\Application Data\SUPERAntiSpyware.com
2008-12-25 20:56 . 2008-12-25 20:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-25 20:34 . 2008-04-14 12:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-25 20:20 . 2008-12-25 20:20 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-25 20:19 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2008-12-25 20:18 . 2008-12-25 20:18 <DIR> d-------- c:\windows\EHome
2008-11-12 19:23 . 2008-11-12 19:23 <DIR> d-------- c:\windows\Sun
2008-11-12 19:23 . 2008-11-12 19:23 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-12 19:23 . 2008-11-12 19:23 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 19:22 . 2008-11-12 19:22 <DIR> d-------- c:\program files\Java
2008-11-12 15:54 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 15:48 . 2008-11-04 16:12 754 --a------ c:\windows\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 20:55 18,520 ----a-w c:\documents and settings\Niall Dew\Application Data\wklnhst.dat
2008-12-25 09:55 --------- d-----w c:\program files\Common Files\Adobe
2008-10-28 18:57 --------- d-----w c:\documents and settings\Niall Dew\Application Data\Toshiba
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-29 08:07 19,480 ----a-w c:\windows\system32\MFEOtlk.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_16.35.16.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-30 20:07:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-11 1028096]
"MGSysCtrl"="c:\program files\System Control Manager\MGSysCtrl.exe" [2008-04-23 778240]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-12 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-09-29 124240]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-02-22 2938184]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R2 McAfeeEngineService;McAfee Engine Service;"c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe" [2008-09-29 19456]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2008-12-27 67904]
R2 Micro Star SCM;Micro Star SCM;c:\program files\System Control Manager\MSIService.exe [2008-05-30 159744]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys [2008-05-30 153600]
R3 rtl8187Se;Realtek RTL8187SE Wireless LAN PCIE Network Adapter;c:\windows\system32\DRIVERS\rtl8187Se.sys [2008-05-30 306176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2008-12-27 64432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.thetechguys.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 20:17:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 20:18:45
ComboFix-quarantined-files.txt 2008-12-30 20:18:41
ComboFix2.txt 2008-12-30 16:45:55
ComboFix3.txt 2008-12-30 16:36:00

Pre-Run: 66,912,186,368 bytes free
Post-Run: 66,901,639,168 bytes free

139 --- E O F --- 2008-12-18 16:12:35
Old 12-30-2008, 03:13 PM   #6 (permalink)
thebigun, Registered User
Join Date: Dec 2008
Posts: 9
OS: xp

Re: Pop-ups won't stop - ? Vundo. Help please?

In addition to the previous post ...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, December 30, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, December 30, 2008 18:10:45
Records in database: 1533181
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 34500
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 00:32:39

No malware has been detected. The scan area is clean.

The selected area was scanned.

Thanks

TheBigUn

Old 12-31-2008, 12:24 AM   #7 (permalink)
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,276
OS: Windows 7 Premium x64


Re: Pop-ups won't stop - ? Vundo. Help please?

Howdy there

All is looking much better, just your java to update....

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

How are things running, any more problems to report at all?
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
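The removal step above depends on spotting every old runtime in Add/Remove Programs by eye. The script below is an added example, not part of the original post and not Sun's installer: it reads the same Uninstall registry entries that Add/Remove Programs displays, lists every registered Java runtime, and flags each one older than the target update. It assumes PowerShell 2.0 or later and that JRE 6 Update 11 registers DisplayVersion 1.6.0.110 (the 6uNN to 1.6.0.NN0 pattern); both are assumptions, and the script only prints, it does not uninstall anything.

```powershell
# Added example, not part of the original thread or of Sun's installer.
# Lists every Java runtime registered in Add/Remove Programs (the entries
# the post says to remove one by one) and flags the ones older than the
# target update. Read-only: it prints, it does not uninstall.
# Assumptions: PowerShell 2.0 or later; JRE 6 Update 11 registers
# DisplayVersion "1.6.0.110" (assumed 6uNN -> 1.6.0.NN0 pattern).

$TargetVersion = [version]'1.6.0.110'   # 6u11, the build the post links to

function Get-JavaInstalls {
    # Both native and WOW6432Node views, so 32-bit JREs on x64 are seen too.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $p = Get-ItemProperty $sub.PSPath
            # Names as Add/Remove Programs shows them: "Java(TM) 6 Update 11",
            # "J2SE Runtime Environment 5.0 Update 22", "Java Runtime Environment ..."
            if ($p.DisplayName -notmatch '^(Java\(TM\)|J2SE Runtime|Java Runtime Environment)') { continue }
            $ver = $null
            if ($p.DisplayVersion) {
                try   { $ver = [version]$p.DisplayVersion }
                catch { $ver = $null }
            }
            if (-not $ver) { $ver = [version]'0.0' }   # unparsable/missing -> treat as ancient
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $ver
                UninstallString = $p.UninstallString
            }
        }
    }
}

$installs = @(Get-JavaInstalls | Sort-Object Version -Descending)
if ($installs.Count -eq 0) {
    Write-Host 'No Java runtime is registered on this machine.'
    return
}
foreach ($jre in $installs) {
    if ($jre.Version -ge $TargetVersion) {
        Write-Host ("KEEP    {0}  ({1})" -f $jre.Name, $jre.Version)
    } else {
        # Older build: remove it via Add/Remove Programs, or run the string below.
        Write-Host ("REMOVE  {0}  ({1})" -f $jre.Name, $jre.Version)
        Write-Host ("        {0}" -f $jre.UninstallString)
    }
}
```

Run it before and after the uninstall/reinstall cycle: the first run should print one REMOVE line per stale runtime, and the second run should print a single KEEP line for the newly installed 6u11. A runtime that was unpacked by hand rather than installed has no Uninstall entry and will not appear, so a stray `java.exe` on disk still needs a file search.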
Old 12-31-2008, 01:41 AM   #8 (permalink)
thebigun, Registered User
Join Date: Dec 2008
Posts: 9
OS: xp

Re: Pop-ups won't stop - ? Vundo. Help please?

Everything seems to be running OK now - I'll let people loose on it today and see what happens!

Thank you very much once again for your help with this - I really do appreciate it! Do you accept donations then, or is it just through the forum link?

Don't know if you offer this, but wondered if you knew how it got by AVG - it's mostly my eldest who uses this and I'm suspecting they received a file or perhaps through Java. Even so would AVG not have picked it up?
I obviously have McAfee Enterprise + anti-spyware module installed now, but is the PC still vulnerable if they download stuff?

Thanks again,

TheBigUn
Old 12-31-2008, 02:24 AM   #9 (permalink)
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,276
OS: Windows 7 Premium x64


Re: Pop-ups won't stop - ? Vundo. Help please?

Howdy thebigun

A virus checker is only as good as its heuristics/viral databases allow it to be, each AV (Anti Virus) uses its own methods for heuristics and some work better than others in certain areas.

Quote:
is the PC still vulnerable if they download stuff?
That mainly depends on safe browsing habits. If they are looking to download genuine programs or trial programs, make sure that they download from a reputable site that is not supported by pop-ups, preferably the software author's site itself or its supported mirrors. This also depends on what they are seeking to download: for instance, visiting sites that contain cracks or keygens to "get around" software limitations is more likely to get you infected, as these sites are one of the main conduits for spreading malware infections. (Not that I am suggesting you do visit such sites!)

Quote:
Do you accept donations then, or is it just through the forum link?
We only accept donations through the forum link - this can be found in my signature at the bottom of each of my posts. Any money donated goes directly towards the upkeep of the server itself; the staff here all provide our work free of charge in our spare time to help others who need it. This enables TSF to survive as it does and allows us to provide the help for others in need. All donations are welcome, and fully appreciated, no matter how big or small.

Lets tidy up after ourselves

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware lets help you stay that way!

Update windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there
Update your virus checker on a regular basis - It is no use having a virus checker with out of date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as Trendprotect or Sitehound to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as ccleaner slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Spybot's Search & Destroy and Adaware 2007 Free by Lavasoft can help you keep clear. These products are scan on demand and do not have active back ground scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run as free without a licence but the background protection will not be active.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.
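The Internet Explorer hardening steps above are six clicks in the Custom Level dialog, which is fine for one machine but easy to get wrong on several. The script below is an added example, not part of the original post and not a Microsoft tool: it writes the same six Internet-zone settings to the per-user registry values that Internet Explorer reads, and prints the before and after state of each one so the change can be checked. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the levels 0 = Enable, 1 = Prompt, 3 = Disable come from Microsoft's documented zone registry layout; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not part of the original thread and not a Microsoft tool.
# Applies the Internet-zone (zone 3) settings listed in the post by writing
# the per-user values Internet Explorer reads, showing before/after for each.
# Levels: 0 = Enable, 1 = Prompt, 3 = Disable. Run as the user whose browser
# is being hardened; the settings live under HKCU. Assumes PowerShell 2.0+.

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Enable = 0; $Prompt = 1; $Disable = 3

# Setting -> (registry value name, desired level), in the post's order.
$hardening = @(
    @{ Setting = 'Download signed ActiveX controls';                        Value = '1001'; Want = $Prompt  },
    @{ Setting = 'Download unsigned ActiveX controls';                      Value = '1004'; Want = $Disable },
    @{ Setting = 'Initialise and script ActiveX controls not marked as safe'; Value = '1201'; Want = $Disable },
    @{ Setting = 'Installation of desktop items';                            Value = '1800'; Want = $Prompt  },
    @{ Setting = 'Launching programs and files in an IFRAME';               Value = '1804'; Want = $Prompt  },
    @{ Setting = 'Navigate sub-frames across different domains';            Value = '1607'; Want = $Prompt  }
)

function Get-LevelName([int]$n) {
    switch ($n) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($n)" } }
}

function Set-InternetZoneHardening([switch]$Preview) {
    if (-not (Test-Path $zone)) { New-Item -Path $zone -Force | Out-Null }
    foreach ($h in $hardening) {
        # A missing value means IE falls back to the zone's template default.
        $current = (Get-ItemProperty -Path $zone -Name $h.Value -ErrorAction SilentlyContinue).($h.Value)
        if ($current -eq $null) { $currentName = 'not set (template default)' }
        else                    { $currentName = Get-LevelName $current }

        if ($current -eq $h.Want) {
            Write-Host ("OK      {0,-58} {1}" -f $h.Setting, $currentName)
            continue
        }
        Write-Host ("CHANGE  {0,-58} {1} -> {2}" -f $h.Setting, $currentName, (Get-LevelName $h.Want))
        if (-not $Preview) {
            Set-ItemProperty -Path $zone -Name $h.Value -Value $h.Want -Type DWord
        }
    }
}

Set-InternetZoneHardening -Preview   # show what would change
Set-InternetZoneHardening            # apply; close and reopen Internet Explorer afterwards
```

Two caveats a practitioner should check first: if the Internet zone is managed by Group Policy (values under the Policies hive), Internet Explorer ignores these per-user values and the script will report CHANGE on every run without effect; and on a machine configured to read zone settings from HKLM only (the Security_HKLM_only policy), the same values must be written under HKLM instead of HKCU.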
Old 01-02-2009, 05:40 AM   #10 (permalink)
thebigun, Registered User
Join Date: Dec 2008
Posts: 9
OS: xp

Re: Pop-ups won't stop - ? Vundo. Help please?

sjb007,

There have been no further problems with this and the problem now seems resolved.

Many thanks once more for your help and support with this.

TheBigUn
Old 01-02-2009, 08:36 AM   #11 (permalink)
sjb007, Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,276
OS: Windows 7 Premium x64


Re: Pop-ups won't stop - ? Vundo. Help please?

Only too glad to help.

I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.

Happy safe surfing for 2009
Copyright 2001 - 2009, Tech Support Forum