MSN is logging off after about 10 minutes of use

Lobo... here you are again.  "LOL" you must be well rounded.  Yes Nortons is up to date, 2004 it is.  Think about this.  could i put in a routher or maybe a software preventing this customer kids from downloading anything and yet allow the adults to download? Their son play this game Diablo 11 expansion set version 1.07 which keep this kid online for hours.

Hi again Juarita,

Are you following me or what? *L*

What I would do is to put a password to the main account and create a separate one for the kids, with no password and with very limited rights. Having said that, in my W2K environment Diablo won't run if it's not from an acct with admin rights, so there may be some conflict there. Gimme a day to think of an alternate solution (lingo for "consult the magic 8 ball") and I'll get back to you.

Good Vibes!

Lobo

Okay, here's what the magic 8 ball told me.  Check this site:

http://www.bardon.com/

This company makes several programs that restrict a user's ability to install software in a machine without your permission. It also monitors the time that a program is used and you can even setup timeouts (great for dealing with kids spending countless hours playing games). It also monitors and logs all websites visited (good to make sure kids are not visiting adult websites) and the Administrator can access all this data plus make changes easily.  There are several programs with different degrees of complexity this company makes, so browse around and see which one(s) would help your clients better. For small kids I like WinU but for older kids or adults you may want to run a more advanced one that preserves the Windows Desktop.

Good Vibes!

Lobo

Lobo .. just starting up.  I have clients that are mostly home users.  at this time i support only 2 small companies. Would this product support a home user.  I did take a look at the web site briefly, and noticed that it mostly talks about businesses.  However, the price is right for a home user.  Your imput please

Hi Juarita,

I think it does. I haven't tried it myself (haven't had the need to) but was reading at the specs for WinU and it seems perfect for a home computer with small kids. Since they offer a free trial version what I weould do is get it for your clients, run it for a month and if they like it and feel comfortable with it then purchase it.

thanks Lobo

No problemo.  Did you try the *70 thingie yet?

Lobo ... this adware stuff is hitting home user big time inmy neighborhood ... that customer is only getting logged off ... I have three system down with adware,worms and stuff like that.  However, I will give her a call "actually tonight" and set an appointment. I will update you.  In addition, I am not reading all your stuff in full detail.  Yes I will wait for the Diablo II.  That particular system is down with much or stuff that i believe the son is downloading or being give as he shares his "whatever this stuff is that the software create with folks on line. According to Dad he has to restrict this kids two 4 hours. I really do appreciate you.  And I respect your pushy ness

Lobo ... this system with the Diablo stuff is fighting ... I am trying to clean the system it has adware all over the place ... I try to run Nortons I get this error message NT Authority Security and it begins to give me a time frame then it shuts down ... Nortons has not been able to complete.  I am troubleshooting this system now after doing some research with you.  Now I am tring to do some of the stuff and I throught I would start with Nortons, then move to ad-ware removals then highjackthis -  after all that I thought the system would be safe then i could deal with this Diablo II stuff.  However, not letting me run Nortons.  HELP i will be trying other stuff until i hear from you

Gosh ... This system is very unhappy

and is running XP, Version 2002, SP1

Lobo ... this system does not even have SP2 ... should i clean it up before installing SP 2 or should i give SP 2 a try.  

I would not install SP2 just yet until the system is clean.

Run the standard tools on it, AdAware and Spybot to clean up as much as possible first. Then we're left with the real baddies.

If you could run ProcessExplorer to check all the processes that are running that would be great. Also running HijackThis! but not fixing anyting, just to see what it detects, that would be great. After running it post the generated Log to this URL:

http://www.hijackthis.de/index.php?langselect=english

and give us the resulting URL so that we can go in and look at your Log. I wish it was possible to do with Process Explorer logs, but since it's not... if you can upload its log to your own website or somewhere that we can go in and read it up that would be great.

I do have a website. but uploading to it not sure how to do.  Email results? or could i copy and paste into this window hold on let me give it a try

first let me run adware and spybot as you requested "suggested" whatever. give me a few

okay, posting it here would do; we can ask the PE to remove it when we're finished with it. Email is a no-no at EE.

Oppp's OK. I am back and will post in a few.  

Logfile of HijackThis v1.98.2
Scan saved at 9:14:20 PM, on 11/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\America Online 9.0g\aoltray.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis_198.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://twisted%20window/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [Task Loader] {rdprM@Y
VO^
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0g\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,77/mcinsctl.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,18/mcgdmgr.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Hi Juarita,

There's a few baddies in there, most of them toolbars or sarch hijackers. I'll prepare a full report for you in the morning.

Good Vibes!

Lobo

A warm thanks

Whew!!  okay, here's the digs:

C:\PROGRA~1\Toolbar\TBPSSvc.exe ------- This is part of the WebSearch Huntbar or Ibis.WinTools toolbar. Bad guy. Removable with Giant Antispyware.

C:\Program Files\Common Files\WinTools\WToolsS.exe ------  Same

C:\PROGRA~1\Toolbar\TBPS.exe ----- Same

C:\PROGRA~1\Toolbar\PIB.exe ------ same

C:\Program Files\AOL Companion\companion.exe -----  Not sure about this one. If your client installed this AOL Companion then leave it.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa ------------- part of the same toolbar hijacker as the previous ones.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa ----------------- same

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://twisted%20window/  ---------  not sure about this one. If your client doesn't know this URL then it should be removed (the URL redirects to the browser's default Search page)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0. ------- unless your client is using the browser's Proxy settings for IP masking this should not be there.

R3 - Default URLSearchHook is missing -----  should be fixed.

O2 - BHO: (no name) - SOFTWARE - (no file) ---- very suspicious. Should not be there.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dl --------- This is a toolbar addon that pays you $$$ for viewing ads. If your client didn't install it then it should be removed.

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll -------  Also part of the WebSearch Huntbar or Ibis.WinTools toolbar. Bad guy.

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe  ------  another toolbar hijacker. Removable with Giant Antispyware.

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe ----  Also part of the WebSearch Huntbar or Ibis.WinTools toolbar.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe ----- same

O4 - HKLM\..\RunServices: [Task Loader] {rdprM@Y
VO^  -----  VERY suspicious. Should be removed.

O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe ------ Also part of the WebSearch Huntbar or Ibis.WinTools toolbar.

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029 ------  MyWebSearch hijacker. Baaaad.

O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab -----  BAD guy. Not sure what the URL is but when I loaded it in my browser it shrunk it to a 1x1 inch square and could not be resized up.

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50099/QDow_AS2.cab -----  MyWebSearch. Bad.

O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx ----- SpyBouncer is a hoax. If your client installed it it should be removed. It reports false positives and makes you purchase the fixes.

-------------------

Okay, so a couple of those (Ibis and WinTools) can be removed easily using Giant Antispyware (http://www.giantcompany.com) free download. I believe MyWebSearch can be removed from Settings>ControlPanel>Add/Remove Software but it can also be removed using Giant.

This is what I'd do. Download Giant, run it in that machine and let it cleanup as much as it can. See if you can remove MyWebSearch from the Control Panel. After that is done, run HijackThis! again and let it clean the remaining baddies, specially the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKLM\..\RunServices: [Task Loader] {rdprM@Y
VO^
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab

and that Twisted Window one which looks very suspicious.

Let's see how that goes.  Good Vibes!

Lobo

Oh, and don't forget to uninstall SpyBouncer.

K ... starting to work on this now

Oh... thanks.  Will brb

Was able to do much of the work... However, This system reboots after about 5 minutes of running Ad-Adware SE Personal.  Ad-Adware is finding stuff.  But because of the reboot I am unable to clean it further.  System is better but not stable.  Ran the Giant Anitvirus and Hijackthis now working with Lavasoft.  

Hi Juarita,

 A reboot seems to indicate that a trojan is loaded and trying to prevent AdAware from doing its job. Suggestion:  Run it in Safe Mode.  If that doesn't work, let me know and I'll guide you though using Process Explorer or KillBox to stop the process that is rebooting the machine.

Good Vibes!

Lobo

You are the best... OK

Unable to run Lavasoft... actually, this system reboots a lot sooner in Safemode.  

Okay. This may sound strange but....  disconnect the machine from the net and reboot. If that works then we have a smart Process that we can kill with ProcessExplorer and KillBox.

Uh Hum... disconnect the machine from the net and reboot? If what works, what in the heck am i trying?

am i trying to just disconnet the machine from the Network and then turn it off and back on

*L* Sorry, the idea is to see if the machine stays running when it's not connected to the Net; I've seen trojans do that.

Lobo after disconnecting the local system from the Wireless Network, 1. removing the 80211.B Netgear adapter and running Ad-Adware pro, the system reboots around the same folders.  I will have found about 29 critical files and then the counting starts 30, 31, 32 and so on until it reaches about 129 then it will reboot around the folders indicated as follows: c:\document and Settings\owner\desktop\username\00190-7492696.~ it s here that the system stays and finds many defective files. Reboots and here i am again.  I tried to run Ad-adware 4 times and this happens at the same location with the same amount of detected folders and so on.

also... durng cleanup i did have to remove folders on the C:\ dirive that did not look normal to me the folers were had very long names and they consist of numbers also on this same c:\ drive I had to remove duplicate folders name Windows with funny sysmbols after them... These folders were Windows, Program files it was about three of each in addition to the actual Windows file and Program files folders these folders I deleted were empty.  This system is a mess can those software you mentioned earlier do the trick

In otherwords this system had made duplicate Windows folders and Program file folders with weird names that were empty

Gosh after all this work should i re-install or what?  I was hoping to resolve the issue saving folders

Is ProcessExplorer a software and what is KillBox a software as well?

I took a look at the link you sent me to the your tools and now I see what processExplorer is and killbox is.  LOL. Had the information all the time.  However, i will wait for you to assist me

sometimes temporary folders that are created during a program installation are not properly deleted. These folder usually have long names and it's up to the program installer to cleanup after itself when it;s done. Some installers don't do a good cleanup job and leave behind those temporary folders with pieces of the installation process, sometimes empty, sometimes packed with stuff you no longer need. Removing them generally has no effect in a machine's performance since they are "leftovers".

About the c:\document and Settings\owner\desktop\username\00190-7492696.~ folders. I would first try renaming them by adding the word OLD to the beginning of the name...  i.e. "00190-7492696.~" becomes "OLD00190-7492696.~" and so.  This just to see if they are actually doing something to Windows itself. I would also take a look inside these folders with good old Windows Explorer. See if anything inside looks suspicious.

Let me know when you're ready to start the Process Explorer task.

Lobo, I am ready to start this process/procedure

I am ready to start this process explorer task.  I will be working from another system so give me a little time after you give me this first step/s

okay, one more before we get any deeper.....  There is a chance that we can clean most of the stuff reported by HJT using Giant Spyware. Would you mind downloading it and giving it a shot? the URL is:

http://www.giantcompany.com/(g1eevyn0do3kzo45v5ar41jp)/download.aspx?prodID=70

I have already used this AntiVirus on this system it no longer finds anything.  However, I ran it again with no results

In addition, this system will not re-boot while running this software.

Hold on, it is finding some stuff... I will let it finish and then try to clean and then run Ad-adware again

okay

Lobo... Giant has been scanning the desktop for about 10 minutes now at the same file location 8369 should i continue to let it scan or should we stop it and try ProcessExplorer

please write down the location of that file, the full path....  we'll see if Process Explorer finds anything in the same folder. I'd say leave Giant run for another 5 and then terminate it.

it was at this location that ad-adware se would re-boot.

I was able to clean out some files with Giant - however, adware se still not happy.  I consider myself ready

LETS GO

okay. First make sure machine is disconnected from the Net (unplug modem or network cable) and System Restore is disabled. Run Process Explorer (no need to install it). You will see a window displaying all the Processes currently running in the machine. Look for anything suspicious there. you can double-click on any Process for detailed info on each one. Go to File>Save and save a log. It'll save a TXT file in the same folder where Process Explorer is. Please copy-and-paste the contents of that log here.

File name: Ad-Adware Se = c:\DocumentsandSettings\Owner\Desktop\Username\00190-7492696.~  Giants = C:\DocumentsandSettings|Owner|Desktop\Username

cool, looks like we have a winner

I have an idea ... l back up this file and delete if from the desktop. Hold on

k

I will take a time out and talk to my client.  Will get back tomorrow.  Good night

okay. Have a good night.

Lobo I am ready to do the ProcessExplorer

see question ProcessExplorer this one has to much stuff

Hello...

okay, sorry... had guests at home.