[SOLVED] Random pop-ups, disabled windows auto update, bsod

[SprinterDave]

First, let me pat all the site volunteers on the back. The service you provide is honorable!

I've recently been infected with something that is exhibiting a few symptoms.

1. Random pop-ups to various sites (some bogus Antivirus sites, some seemingly innocent).
2. I'm getting warnings that windows automatic updates are not turned on but they appear to be. The Automatic Updates service is not running and I cannot get it to run (getting error 1058.)
3. Not sure if this is related but a recently installed McAfee suite (via AT&T internet service) is giving me occasional BSOD with mfehidk.sys as the probable culprit (via windbg)

I haven't been able to make headway on this myself and would appreciate any advice.


DDS (Ver_09-01-07.01) - NTFSx86
Run by David at 1012.43 on Fri 01/16/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1391 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\STacSV.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\windows\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\windows\system32\wscntfy.exe
C:\windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\winsys2.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Norton Save and Restore\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\windows\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Documents and Settings\David\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uStart Page = hxxp://att.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
uInternet Settings,ProxyServer = 192.168.1.1
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {329be4bf-0fdf-4ced-8744-aa9be146ae71} - c:\windows\system32\awtsRKee.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkJdEtu.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SACert Class: {740fe5fb-65f1-46c5-9e54-a19c8a8d7ac2} - c:\windows\system32\SoftAheadCert.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: IEHlprObj Class: {8ca5ed52-f3fb-4414-a105-2e3491156990} - c:\progra~1\iwinga~1\IWINGA~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {f1a71ab5-6d47-1d39-a404-4f9c170923cd}: {dc329071-c9f4-404a-93d1-74d65ba17a1f} - c:\windows\system32\mafmxl.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [LaunchList] c:\program files\pinnacle\studio 11\LaunchList2.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SW20] c:\windows\system32\sw20.exe
mRun: [SW24] c:\windows\system32\sw24.exe
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [YOP] c:\progra~1\yahoo!\yop\yop.exe /autostart
mRun: [MaxtorOneTouch] c:\program files\maxtor\onetouch\utils\Onetouch.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Norton Save and Restore 2.0] "c:\program files\norton save and restore\agent\VProTray.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: turbotax.com
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: jkkJdEtu - jkkJdEtu.dll
AppInit_DLLs: mafmxl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\jkkJdEtu.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtsRKee

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\2ognrpm9.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.yahoo.com/
FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\2ognrpm9.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\blsfflock.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R0 pe3ah4nc;DiRT Environment Driver (pe3ah4nc);c:\windows\system32\drivers\pe3ah4nc.sys [2007-5-18 64880]
R0 ps6ah4nc;DiRT Synchronization Driver (ps6ah4nc);c:\windows\system32\drivers\ps6ah4nc.sys [2007-5-18 55160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-15 201320]
R1 SSHDRV64;SSHDRV64;c:\windows\system32\drivers\SSHDRV64.sys [2008-6-10 109568]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-15 40488]
R4 AWService;Admin Works Agent X8;c:\program files\intel\idu\awServ.exe [2006-12-27 74520]
R4 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-15 206112]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-15 359248]
R4 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-1-15 144704]
R4 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2007-2-13 3425632]
R4 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2007-9-2 6784]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\drivers\ocde.sys --> c:\windows\system32\drivers\OCDE.sys [?]
S3 mdxgthkn;mdxgthkn;c:\docume~1\michelle\locals~1\temp\mdxgthkn.sys [2004-8-8 31744]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-15 33832]
S4 pr2ah4nc;DiRT Drivers Auto Removal (pr2ah4nc);c:\windows\system32\pr2ah4nc.exe svc --> c:\windows\system32\pr2ah4nc.exe svc [?]

=============== Created Last 30 ================

2009-01-15 22:43 <DIR> --d----- C:\WERb26d.dir00
2009-01-15 21:26 590 a------- C:\foo.bat
2009-01-15 21:06 7,079 a------- c:\windows\system32\Config.MPF
2009-01-15 21:03 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-15 21:03 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-15 21:03 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-15 21:03 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-15 21:03 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-15 21:03 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-15 21:02 <DIR> --d----- c:\program files\McAfee.com
2009-01-15 21:01 <DIR> --d----- c:\program files\common files\McAfee
2009-01-15 21:01 <DIR> --d----- c:\program files\McAfee
2009-01-15 20:00 <DIR> --d----- C:\WER62f5.dir00
2009-01-15 19:43 <DIR> --d----- c:\program files\Debugging Tools for Windows (x86)
2009-01-15 19:43 1,375,225 ---sh--- c:\windows\system32\lbrmqjaf.ini
2009-01-15 19:43 72,704 a------- c:\windows\system32\fajqmrbl.dll
2009-01-15 19:40 129,024 a------- c:\windows\system32\mafmxl.dll
2009-01-15 19:40 129,024 a------- c:\windows\system32\dohifima.dll
2009-01-15 19:38 40,960 a------- c:\windows\system32\detkgmfl.dll
2009-01-15 19:37 1,673,374 a--sh--- c:\windows\system32\eeKRstwa.ini2
2009-01-15 19:37 1,673,374 a--sh--- c:\windows\system32\eeKRstwa.ini
2009-01-15 19:37 302,592 a------- c:\windows\system32\awtsRKee.dll
2009-01-15 19:32 36,352 a------- c:\windows\system32\jkkJdEtu.dll
2009-01-15 19:32 22,528 a------- c:\windows\system32\~.exe
2009-01-14 21:22 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-14 21:22 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-14 21:13 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-01-13 14:16 <DIR> --d----- c:\windows\system32\scripting
2009-01-13 14:16 <DIR> --d----- c:\windows\l2schemas
2009-01-13 14:16 <DIR> --d----- c:\windows\system32\en
2009-01-13 14:16 <DIR> --d----- c:\windows\system32\bits
2009-01-13 14:14 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-12 06:53 <DIR> --d----- C:\bootvis
2009-01-10 07:55 0 a------- C:\dump_dvd.vob
2009-01-09 22:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Genie-Soft
2009-01-09 22:06 <DIR> --d----- c:\docume~1\david\applic~1\Genie-Soft
2009-01-09 21:55 <DIR> --d----- C:\PSFONTS
2009-01-09 21:54 <DIR> --d----- c:\program files\Finale SongWriter 2007
2009-01-06 13:17 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0
2009-01-05 21:42 <DIR> --d----- c:\windows\MVUNINST
2009-01-05 21:42 <DIR> --d----- c:\program files\Memorex exPressit Label Design Studio
2009-01-05 21:42 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-01-05 16:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-03 08:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PIXELA
2008-12-30 22:43 <DIR> --d----- C:\Canon Vixia

==================== Find3M ====================

2009-01-14 21:32 139,936 a---h--- c:\windows\system32\mlfcache.dat
2009-01-13 14:18 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-22 15:47 6 a------- c:\windows\fonts\wfonts.key
2007-10-28 12:31 5,743 a------- c:\program files\install.log
2008-06-28 08:20 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:07:04.39 ===============

[SprinterDave]

Okay, I eventually figured this one out on my own. It was Virtumonde. I used Malwarebytes' Anti-Malware to clean it.

A McAfee scan found nothing.
Ad-Aware found Virtumonde but was unable to clean it.

-Dave

[tetonbob]

Thanks for letting us know.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

• Microsoft Windows Update - http://www.windowsupdate.com
  Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
    After you have updated, click the button - enable protection for all unprotected items
• McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  
• Winpatrol
  
  Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.
  
  You can get a free copy of Winpatrol or use the Plus version for more features.
  
  You can read Winpatrol's FAQ if you run into problems.
  
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
    
  • Click Next, click Next, select the option:
    "Show Extracted files", click Finish
    
  • This will open the newly created hosts folder on your Desktop.
    
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    
  • Once updated you should see another prompt that the task was completed.
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  
  Do not install more than one AntiVirus program because they will conflict with each other.
  
  
• Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
  
  
• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• How did I get infected in the first place?
• PC Safety and Security--What Do I Need?