Need some help cleaning up my son's pc

BillB · 2006/07/06

Need some help cleaning up my son's pc[RESOLVED]

I think my son has made a real mess of his PC. AVG is popping up notices about infected files about a dozen times at every boot. I tell it to move the file to the vault but the same names come back each time. It also said that it was infected with the Look2me virus. I ran an AVG scan and let it clean up what it could. I also downloaded Look2medestroyer and ran it, it also cleaned up some files. However, I'm still getting the virus warnings. Here is the HJT log, hopefully with some help I can get this thing clean again;

Logfile of HijackThis v1.99.1
Scan saved at 12:38:32 PM, on 7/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\cfg32.exe
C:\WINDOWS\taskmg.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
c:\program files\common files\aol\1141078868\ee\aim6.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\Microsoft Office\Office\Findfast.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MX240a\MX240a_AOL.exe
c:\dfndrd_4.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
c:\ac3_0003.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\{0877E670-0708-1033-0430-030327030001}\Update.exe
C:\tmp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RemoteControl] e:\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdd_4.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmd_4.exe
O4 - HKLM\..\Run: [eioa3849] RUNDLL32.EXE w01a9636.dll,n 001a38480000000301a9636
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MX240a.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Detect - C:\WINDOWS\system32\swsbkup.dll
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\sbdll.dll
O20 - Winlogon Notify: ShellScrap - C:\WINDOWS\system32\meutb.dll
O21 - SSODL: Vbabemak - {10F27B26-BC26-4AF5-BDEB-BBCB7742B6D1} - C:\WINDOWS\System32\hexasobj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft SCC Host Protocol (TaskMGM) - Unknown owner - C:\WINDOWS\taskmg.exe

PeteC · 2006/07/06

Hi Bill - you're right - some right nasties in there

Please uninstall Ewido through Add/Remove Programs - I have no way of knowing that it is the latest version - then ....

Please download and install the 30 day trial version of Ewido Anti-Spyware

Run the program either from the Desktop icon if you chose to install one or from Start > Programs. On the main screen select the Update icon followed by the "Update now" link and click on the Start Update button. The update will start and a progress bar will show the updates being installed.

When the update has completed select the Scanner icon at the top of the window and click on the Settings tab.

On the Settings screen click on Recommended actions and then on Quarantine.

Under Reports select Automatically generate report after every scan and deselect Only if threats were found.

Close Ewido Anti-spyware. Do not run a scan just yet.

Boot into Safe Mode and log onto your usual account.

To use the F8 key to start Windows XP in Safe mode
Restart the computer.
Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
Using the arrow keys on the keyboard, select Safe mode and then press Enter.
Click to expand...

Do not open any other windows or programs while Ewido is scanning as this may interfere with the scanning proccess.

Start Ewido Anti-spyware by double-clicking the icon on your desktop or from Start > Programs and select the Scanner icon at the top of the window followed by the Scan tab and click on Complete System Scan. The scanning process will start and may take some time.

When the scan is complete if any infections were detected you will prompted for an action - select Apply all actions.

Then select the Reports icon at the top of the window and click on the Save report as button in the lower left hand corner of the screen and save it as a text file (be sure to remember where you saved that file, this is important).

Close Ewido and reboot your system back into Normal Mode and post the Ewido scan report here.

Download WinsockFix - do not run it yet.

Go to Add/Remove Programs and uninstall Newdot.net and reboot.

Run WinsockFix

Please download SmitfraudFix and unzip the contents to a folder on your Desktop.

Open the SmitfraudFix folder and double click on Smitfraudfix.cmd

If a Security Warning pops up hit the Run button

A command window appears > press any key to continue

On the line with the flashing cursor 'Enter your choice (1.2 ....) type 1 and press Enter

The program scans your system and when the scan has completed a Notepad window opens containing the scan report - a copy of this file is saved as C:\rapport.txt.

Boot into Safe Mode and scan with HJT and post the log here, together with the logs from Ewido and SmitfraudFix.

TeMerc · 2006/07/06

Hi Bill sorry to see you here with these troubles.

Yes it seems your son has indeed buggered up this machine, but we should be able to fix it up just fine.

This is going to be long and involved so be patient and you may also consider a reformat, depending on how much data there is to save.

We will be running several specialized fixes the first being for the Alcan Worm.

1. Please download, install, and update Ewido anti-spyware

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful ")

Close Ewido. Do not run it yet.

2. Please download Brute Force Uninstaller to your desktop.

Right click the BFU folder on your desktop, and choose Extract All

Click "Next "

In the box to choose where to extract the files to, click "Browse "

Click on the + sign next to "My Computer "

Click on "Local Disk (C: ) or whatever your primary drive is

Click "Make New Folder "

Type in BFU

Click "Next ", and Uncheck the "Show Extracted Files" box and then click "Finish ".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As ") in order to download Alcan worm remover.
Save it in the same folder you made earlier (c :\BFU).

Do not do anything with these yet!

3. Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

4. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu

Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)

Wait for the complete script execution box to pop up and press OK.

Press exit to terminate the BFU program.

5. Ewido Scan

Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

Click on "Save Report ", then "Save Report As ". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Restart back into Normal Mode.

Please perform another scan with Hijack This, and then post the contents of the Ewido text report that you saved and a new HijackThis log.

PeteC · 2006/07/06

Bill

You'd better stick with TeMerc now that he has posted - I'm outa here

TeMerc · 2006/07/06

PeteC said:

Bill

You'd better stick with TeMerc now that he has posted - I'm outa here
Click to expand...

OOpps.........sorry Pete, didn't mean to step on your toes!!

I hadn't seen the reply, guess it was while I was looking up some things.

This logs gonna be long fix.

PeteC · 2006/07/06

Good Luck - I'm sure you're better equippped than I am

BillB · 2006/07/07

Sorry to be so long posting back, work got in the way of getting started. I've done the BFU scan and I'm doing the Ewido scan now. I will post back with the results shortly.

BillB · 2006/07/07

TeMerc,

Ok, the Ewido scan is finally finished, it found 50 things to correct. Here is the new HJT log along with the Ewido report.

Logfile of HijackThis v1.99.1
Scan saved at 4:20:54 PM, on 7/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\devldr32.exe
E:\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
c:\program files\common files\aol\1141078868\ee\aim6.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\MX240a\MX240a_AOL.exe
C:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RemoteControl] e:\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [eioa3849] RUNDLL32.EXE w01a9636.dll,n 001a38480000000301a9636
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MX240a.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\irj8l51u1.dll (file missing)
O21 - SSODL: Vbabemak - {10F27B26-BC26-4AF5-BDEB-BBCB7742B6D1} - C:\WINDOWS\System32\hexasobj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Microsoft SCC Host Protocol (TaskMGM) - Unknown owner - C:\WINDOWS\taskmg.exe (file missing)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:17:17 PM 7/7/2006

+ Scan result:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\816RK16N\stub_sca3[1].exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163615.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\snapshot\MFEX-8.DAT -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\816RK16N\ac3[1].txt -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\aaa00000.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\eioa3849.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163612.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163613.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163614.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\hrno0553e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ir82l5lo1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41EBO5ER\NNSCAA638[1].EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41EBO5ER\drsmartload[1].exe -> Downloader.Adload.ct : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41EBO5ER\kybrdd_4[1].exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\816RK16N\nwnmd_4[1].exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\dfndrd_4[1].exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163659.exe -> Downloader.Adload.cu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN\drsmartload45a[1].exe -> Downloader.Adload.cv : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41EBO5ER\drsmartload46a[1].exe -> Downloader.Adload.cw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\816RK16N\drsmartload849a[1].exe -> Downloader.Adload.cw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C2D320CE-7DD2-4E02-BF35-F0D084509C0A}\RP503\A0163661.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\w0030178.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\w01a9636.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\ac3_0003[1].exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\ac3_0003.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\41EBO5ER\626_101[1].exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Alex Bocock\Cookies\alex bocock@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.

::Report end

TeMerc · 2006/07/07

Well clearly Ewido did quite some cleaning up!!

We still have some work to do tho.

We need to move HJT to a permanant folder.

Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANANT FOLDER. It also needs to be removed from the desktop.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. (C:\HJT\HijackThis.exe)Move HijackThis.exe into this folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

We need to stop this Microsoft SCC Host Protocol service:
Go to: Start > Run > type " services.msc ", then click OK

Scroll down to the Microsoft SCC Host Protocolservice.

Click it to highlight it, then <right-click> and select: Properties
Select and set "Service Status" option to "Stop"
Select: "Startup type" and set it to "Disabled ", click Apply, then OK.

Please go to Add/Remove, and if found, uninstall the following:
NEEWDOTNET or any variant of the name
Toolbar888

Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O4 - HKLM\..\Run: [eioa3849] RUNDLL32.EXE w01a9636.dll,n 001a38480000000301a9636

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\irj8l51u1.dll (file missing)

O21 - SSODL: Vbabemak - {10F27B26-BC26-4AF5-BDEB-BBCB7742B6D1} - C:\WINDOWS\System32\hexasobj.dll

O23 - Service: Microsoft SCC Host Protocol (TaskMGM) - Unknown owner - C:\WINDOWS\taskmg.exe (file missing)

Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
C:\Program Files\ToolBar888<<<<---folder
C:\PROGRA~1\NEWDOTNET<<<<---folder
C:\WINDOWS\System32\hexasobj.dll<<<--file
C:\WINDOWS\taskmg.exe<<<--file Pay attention to spelling!! The legit task manager is:taskmgr.exe, not the 'r'
C:\WINDOWS\system32\irj8l51u1.dll <<<--file
w01a9636.dll<<<--file[/b]

To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

Post a new HJT log back into this thread please.

BillB · 2006/07/07

TeMerc,

New HJT log as requested. It already seems to be working a lot better.

Logfile of HijackThis v1.99.1
Scan saved at 8:22:51 PM, on 7/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Steam\Steam.exe
c:\program files\common files\aol\1141078868\ee\aim6.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\MX240a\MX240a_AOL.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RemoteControl] e:\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe "
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141078868\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: MX240a.lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

TeMerc · 2006/07/07

Everything looks good, any more problems? Let me know please.

Please note: Microsift will end support for Windows XP SP1 on Oct. 10, 2006. It is imperitive that you update your system to XP SP2. Read More @ MS

We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files.
Index.dat Suite

Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

Here is a link which describes how security apps work with WIN XP machines.
XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

SpywareBlaster
With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and your done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

Links for tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
TeMerc Test Box Forum

Happy surfing!!
Tom

BillB · 2006/07/07

Hi Tom,

All the problems that I saw seem to be gone, there were some advertising pop-ups and the AVG warnings but they are gone now.

I'll delete the temporary files and cookies that you mentioned. I know I need to update this machine to SP2, I haven't had time but I think this weekend it will get done. I already have Spywareblaster installed, I keep it and spybot, adaware, and avg updated weekly and run scans at the same time. I had just scanned this machine on Monday and it was fine. Whatever he did to it happened on Tuesday. I have tracking software on it so I'm going to go into the logs and see where he's been. May give me some idea how it got this way. I'll also do the spyads and mvps host file things too, and I'm going to check out the other links you mentioned.

I really appreciate the help with this, I knew he had it really messed up, I'm glad we were able to get it cleaned up without a reformat. I'm getting so I can recognize a lot of 'bad stuff', but there is a lot of that I don't know about. Doing these kind of cleanups is a real learning experience.

Thanks again for the help,

Bill

TeMerc · 2006/07/08

Depending on what your son does online, it may be a good idea to have him run under a limited user account. In this manner it's a bit more difficult for him to DL anything off the Net.

Another thing I would suggest, and as of tonite I'll be including it in my final canned speeches, is to install SiteAdvisor. I gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

You can read about using 'LUAs' here

Hope that's been helpful, and good luck keeping things clear.

Log in or Sign up

Need some help cleaning up my son's pc

BillB Well-Known Member Thread Starter

PeteC SuperGeek Staff

TeMerc Inactive Alumni

PeteC SuperGeek Staff

TeMerc Inactive Alumni

PeteC SuperGeek Staff

BillB Well-Known Member Thread Starter

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

Share This Page

Log in or Sign up

Need some help cleaning up my son's pc

BillB Well-Known Member Thread Starter

PeteC SuperGeek Staff

TeMerc Inactive Alumni

PeteC SuperGeek Staff

TeMerc Inactive Alumni

PeteC SuperGeek Staff

BillB Well-Known Member Thread Starter

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

BillB Well-Known Member Thread Starter

TeMerc Inactive Alumni

Share This Page

Useful Searches