help with browser hijacker

Discussion in 'Security and Privacy' started by BillB, 2004/07/03.

  1. 2004/07/03
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I'm trying to help a friend whose PC has become the victim of some nasty spyware. He's running WinME and IE6. His home page has been hijacked to something called 'here4search'. If you reset it to anything else, it works until you close explorer and reboot the machine, then it's back.

    I have turned off system restore and run the following in safe mode (all with current updates);
    AVG
    Spybot
    Adaware
    CWShredder

    There were some viruses cleaned up by AVG, both Spybot and Adaware found some things that have been removed. CWS found one thing and cleared it.

    He has a DSL connection for internet use, but as I have the machine at my house I cannot tell if the problem is resolved. I have downloaded Hijackthis and run it and would appreciate it if some of the gurus here would take a look at it to see if anything else needs to be removed. Here's the log;

    Logfile of HijackThis v1.98.0
    Scan saved at 5:59:10 PM, on 7/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NET NANNY\NNSVC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\NET NANNY\NNTRAY.EXE
    C:\PROGRAM FILES\AT&T\DSL\PROGRAMS\DSLPCA.EXE
    C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\APYPUH75O8.DLL
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [NNTray] C:\PROGRAM FILES\NET NANNY\nnstart.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] M:\Setup.exe
    O4 - HKLM\..\Run: [MDT] C:\WINDOWS\MDT.exe
    O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\DSL\programs\dslpca.exe /ws
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O15 - Trusted Zone: *.greg-search.com
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

    Any help would be greatly appreciated.
     
  2. 2004/07/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi BillB :)

    Sorry I didn't get to this sooner. Here's my recommendation so far.

    Disable system restore until all clean.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\APYPUH75O8.DLL
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [zzzHPSETUP] M:\Setup.exe
    O4 - HKLM\..\Run: [MDT] C:\WINDOWS\MDT.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: PowerReg Scheduler.exe


    Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    You will need to show hidden files and folders.

    Search for and delete the files M:\Setup.exe and MDT.exe if present.
    Search for and delete all instances of the following files and folder found.

    powerreg scheduler.exe
    powerreg schedulerv2.exe
    powerregschedulerv3.exe
    powerreg
    <<<<<Program Files folder.

    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all except compress old files and OK.
    Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

    Back in Windows, run another HijackThis scan and post the log. I also recommend you scan with RAV.

    Unless these two entries were intentionally set, fix them also, but not with HijackThis.

    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O15 - Trusted Zone: *.greg-search.com

    The O14 can be fixed by clicking the 'reset web settings' button on the programs tab of internet options. And of course, you need only remove that entry from the trusted sites.
     

  4. 2004/07/04
    BillB Lifetime Subscription

    Hi Dave,

    I appreciate the reply. I printed your response and will follow your suggestions. I'll post back with the new Hijackthis log when done.

    Thanks again,

    Bill
     
  5. 2004/07/04
    BillB Lifetime Subscription

    Hi Dave,

    I followed your instructions and I am including the new Hijackthis log in this post. I didn't find any occurrence of M:\Setup.exe or MDT.exe. I also didn't find any powerreg folder or files called scheduler*.exe. I cleaned the Windows\Temp folder, but there was no C:\Temp.

    I left these two entries in Hijackthis;
    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O15 - Trusted Zone: *.greg-search.com

    He has ATT DSL and I wasn't sure if the first one was related to that or not, and I figured my friend might have added the other one.

    Since RAV is an online scanner, I am unable to use that. I have scanned with AVG in safe mode with system restore off and it comes up clean now.

    System restore will be left off until I'm sure this mess is cleaned up.

    Thanks again for your help with this.

    Hijackthis log;

    Logfile of HijackThis v1.98.0
    Scan saved at 11:44:59 AM, on 7/4/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NET NANNY\NNSVC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\AT&T\DSL\PROGRAMS\DSLPCA.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\NET NANNY\NNTRAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [NNTray] C:\PROGRAM FILES\NET NANNY\nnstart.exe
    O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\DSL\programs\dslpca.exe /ws
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [NNSvc] C:\PROGRAM FILES\NET NANNY\nnsvc.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
    O15 - Trusted Zone: *.greg-search.com
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
  6. 2004/07/04
    noahdfear

    Log looks clean. Need an internet connection now. :)
     
  7. 2004/07/04
    BillB Lifetime Subscription

    Dave,

    Thanks very much for the help. I'll post back after I return the machine and check out his internet access.

    Bill
     
  8. 2004/07/04
    noahdfear

    Hi Bill,

    Now that I've said all clean, let me back up and say not yet. Did some more checking on that trusted site. It's a CWS domain. Let's do some more checking.

    Download: "StartDreck", from here:
    http://www.niksoft.at/download/startdreck.htm

    Unzip to its own folder and start the program,

    Press 'Config'
    Press 'Unmark All'

    Check the following boxes only:
    Registry -> Run Keys
    Files -> Autostart Folders
    System/drivers -> Running processes
    Press 'Ok'

    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)
    Exit StartDreck
    And Post the log
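
Added example, not part of any post in this thread: a small Python parser that diffs two HijackThis scans and lists the entries that survived a fix pass, which is how the O14 and O15 lines above can be spotted as still present in the second log. The function names and `REVIEW_RULES` are hypothetical, the rules cover only the entry types this thread singled out, and the sample text is a short excerpt of the two logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# Result lines look like "O15 - Trusted Zone: ..."; the header and the
# "Running processes" paths do not match this shape and are skipped.
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # Collapse runs of whitespace so copy/paste damage is not a "change".
            entries.append(Entry(m.group(1), " ".join(m.group(2).split())))
    return entries

def diff_scans(before_text, after_text):
    before = set(parse_entries(before_text))
    after = set(parse_entries(after_text))
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "kept": sorted(before & after),
    }

# Assumption: rules limited to what this thread flagged (unnamed BHO, the
# IERESET.INF start page, Trusted Zone entries). Not a general verdict list.
REVIEW_RULES = {
    "O2": lambda body: body.startswith("BHO: (no name)"),
    "O14": lambda body: True,
    "O15": lambda body: True,
}

def needs_review(entries):
    never = lambda body: False
    return [e for e in entries if REVIEW_RULES.get(e.code, never)(e.body)]

# Excerpts of the 7/3 and 7/4 logs posted in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\APYPUH75O8.DLL
O4 - HKLM\..\Run: [MDT] C:\WINDOWS\MDT.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
O15 - Trusted Zone: *.greg-search.com
"""
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://online.excite.com/att/
O15 - Trusted Zone: *.greg-search.com
"""

if __name__ == "__main__":
    for e in diff_scans(BEFORE, AFTER)["removed"]:
        print("removed:", e.code, "-", e.body)
    for e in needs_review(parse_entries(AFTER)):
        print("still present, review:", e.code, "-", e.body)
```
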
     
  9. 2004/07/07
    BillB Lifetime Subscription

    Dave,

    I didn't see your last post until tonight and I have already returned the PC. He is up and running at full DSL speed for internet and email and everything looked fine when I left. I gave him written instructions on keeping Spybot, Adaware and AVG updated and running scans in each. I just hope he will do it.

    Do I need to revisit the PC? Is it possibly still infected with spyware?
     
  10. 2004/07/07
    noahdfear

    I don't think so. Just have him remove that entry from the trusted sites, then download and run CWShredder v1.59.1, first closing ALL other windows then clicking fix. Send him this link for it.
    http://radiosplace.com/

    Glad to hear it's up to speed again. :) He should also do the following.
     
  11. 2004/07/08
    BillB Lifetime Subscription

    Dave,

    I'll have him call me and I'll walk him through removing that site. He has the current version of SpyBot, I made sure of that and set it up while I had it. I'll send him your other recommendations as well, hopefully he will follow them.

    I went through this once before with him, when he had a dial-up connection, and explained the importance of keeping the virus and spyware software up to date and running the scans. Unfortunately, he is just like most of the other people I've done this for, they start out good but tend to let it go after a while and end up calling me again in about 6 months or less. He's the third person in the last two months whose PC I've revisited this year due to spyware and/or viruses. I guess you can lead a horse to water, but......


    Thanks again for your help, I really appreciate it. I hadn't seen this little nuisance before and couldn't seem to get rid of it.


    Bill
     
  12. 2004/07/08
    noahdfear

    You're welcome Bill. :) Have him scan with RAV too, unless you already did that.
     
  13. 2004/07/08
    BillB Lifetime Subscription

    We did that as soon as he was back online. It came up clean. Hopefully he is good to go for a while.
     
  14. 2004/07/08
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    If you charge $$ for the advice and the work they tend to listen more closely when you suggest things. Sad, but true.

    We can get by doing it for free since the user has to do all the work which, again, helps them listen. But those lucky enough to have a PC savvy friend doing the work are certain you will enjoy doing it all again at some point.
     