...gator..., Maybe Nothing ?


  • This topic is locked
40 replies to this topic

#16 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 06 October 2004 - 12:26 PM

Jee !
Here's what I did today :
First ran Norton antivirus ( always active and updated anyway ) : all clear.

Then tried Housecall online scan ( which I use to do about every other week ) : also ok.

Then the one from Panda : came up with 4 files

Virus:Trj/StartPage.FH Disinfected
D:\Documents and Settings\pj\Local settings\Temp\sp.html
Virus:Trj/Xoad.A Renamed
D:\Documents and Settings\pj\Local Settings\Temp\xwxload.exe
Virus:Trojan Horse Disinfected D:\ht.hta
Virus:Trj/Nethost.A Disinfected
D:\wmssys.exe

Then to the CA :
This one found
D:\...\video.asx ( HTML link replacer ) and
F:\..\Q3567836.exe ( win32.winshow.F )
which were removed.

Finally I ran RAV and again 4 items were detected :
xwxload_exe.vir (already renamed by Panda)
D:\WINNT\fairdailer.exe
D:\WINNT\Downloaded Program Files\diver32.exe
F:\TempInternet\Pil\TempInternetFiles\ContentIE5\W16ZENGT\exitpop[1].htm

Autoclean did not work, so I deleted all manually, except diver32.exe which I can't find ( map options for hidden files and system files ok ).

For your info on the drives :
First I had one HD with two partitions, Win2K installed.
Then I added another HD, with again new installation of Win2K.
Normally I boot from the latter, and the old HD becomes then D and F.
If other members of the family use the PC they boot from the old HD and have no access to the newest HD. That's why there are WINNT dir on different locations.

Here's the new HJT log :
Logfile of HijackThis v1.98.2
Scan saved at 20:21:09, on 06/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccsrv.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Legato\AgentSrv.EXE
C:\Program Files\Legato\CBSYSTRAY.EXE
C:\PROGRA~1\SONYER~1\Mobile\AUFILE~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
O4 - HKCU\..\RunOnce: [CommCenter] C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Legato\CBSysTray.exe
O4 - Startup: Legato TaskBar Icon.LNK = C:\Program Files\Legato\CBSysTray.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab


#17 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 06 October 2004 - 01:36 PM

Log looks clean. :thumbup:

Please read through the ideas and free software listed below that will help to keep your computer clean.
Some of these you may already have installed or may have done already.

Install a firewall. ZoneAlarm FREE

Ensure that an Antivirus is updated weekly and running. AVG antivirus from Grisoft is a very good FREE antivirus program.

Make sure you have the latest critical updates from windows update.

SpywareBlaster will prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.

IE-SPYAD puts over 4000 known 'bad' sites into your IE restricted zone so that they cannot install malware on your PC.

Google toolbar has a very good built in popup blocker with a nice search bar. To provide privacy, select disable advanced features when installing.

Check your system for latest virus definitions with an online virus scan every week or two.
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan

Check your system for latest trojan definitions with an Online trojan scan also every week or two.

And also see this link for additional security information.
So how did I get infected in the first place?

Please consider using Firefox
http://texturizer.ne...efox/index.html

Please read this

#18 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 06 October 2004 - 03:40 PM

Thanks for your reply. I'll follow your advice. Should I worry about this D:\WINNT\Downloaded Program Files\diver32.exe ? RAV keeps finding it, saying it's a dialer, but it does not seem to show in explorer even with map settings on view system files on, and also show hidden files on. The other antivirus programs don't seem to find it.

#19 little eagle

little eagle

    spyware hawk

  • Visiting Fellow
  • PipPipPipPipPipPip
  • 8,968 posts
  • Interests:spyware

Posted 06 October 2004 - 03:50 PM

If you have other users, post a HijackThis log for them.

If other members of the family use the PC they boot from the old HD



#20 Simplicity

Simplicity

    Authentic Member

  • New Member
  • PipPip
  • 23 posts
  • Interests:Everything!

Posted 06 October 2004 - 04:25 PM

Should I worry about this D:\WINNT\Downloaded Program Files\diver32.exe ?
RAV keeps finding it, saying it's a dialer, but it does not seem to show in explorer even with map settings on view system files on, and also show hidden files on.

Try doing Disk Cleanup, check "Downloaded Program Files" for removal.

#21 ChrisRLG

ChrisRLG

    Emeritus-Spyware Fighter

  • Authentic Member
  • PipPipPipPipPip
  • 3,855 posts

Posted 06 October 2004 - 04:54 PM

Simplicity & ward

You might like to look at this topic regarding the helpers at this forum.

http://forums.tomcoy...showtopic=10110

Simplicity

If you are interested in helping others on this forum could I suggest you read this one too.

http://forums.tomcoy...?showtopic=1421

We are always looking for others to train to help here.
Matthew 7:7 "Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."

#22 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 07 October 2004 - 10:10 AM

Finally succeeded to get my son's password.
Logged in from the second HD.

Here's HIS HJT log. Looks bad.
I don't like the lines with "sp.html", "about:blank" and "npqtplugin3.dll" and even less the "olpl.dll". Tell me if I'm wrong.
Maybe some of the evil has already been removed earlier.

Logfile of HijackThis v1.98.2
Scan saved at 17:58:27, on 7/10/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Firewall\persfw.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\pj\Mijn documenten\MSN-messenger\MSN Pro\MsgPlus.exe
C:\WINNT\System32\lexpps.exe
C:\WINNT\System32\internat.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccsrv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.humo.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pj\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Documents and Settings\pj\Mijn documenten\MSN-messenger\MSN Pro\MsgPlus.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [CommCenter] C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
O4 - Startup: SpywareGuard.lnk = SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: VanBredaOnline Security Applet - https://www.vanbreda...applets/ema.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O18 - Filter: text/html - {44843C26-9FEC-4968-9730-E3F19D4F4E68} - C:\WINNT\System32\olpl.dll
O18 - Filter: text/plain - {44843C26-9FEC-4968-9730-E3F19D4F4E68} - C:\WINNT\System32\olpl.dll
O21 - SSODL: System - {EB26EA49-2C1A-4CE2-BD66-46B86F7E3599} - C:\WINNT\system32\system32.dll

#23 ChrisRLG

ChrisRLG

    Emeritus-Spyware Fighter

  • Authentic Member
  • PipPipPipPipPip
  • 3,855 posts

Posted 07 October 2004 - 10:26 AM

This variant of CWS often installs a hidden dll file which causes the infection to be reinstalled every time you Restart the computer.

1. Please download DllCompare ( http://download.broa.../DllCompare.exe )

2. Start the Program with its default settings and put a check mark in the include subdirectories. Click the Run Locate.com and wait until the scan says complete.

3. Click the Compare button to start the next process.

4. Files in the upper portion have been verified to "exist", Files in the bottom section were not able to be accessed. Very few files should be listed in the bottom section when the Compare scan is complete.

5. Click on each of the listed entries in the lower section to select them. Right-click on the file and use the Option Rescan.

6. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files)

7. Click the Make a Log of what was found button, and post the log here in this thread using Add Reply to receive further instructions.

With this infection the smaller number of times the machine is turned off the better - if you can leave up and running while we fix it will be safer. Each time the machine is rebooted it gives a chance for the malware to mutate or morph.

#24 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 07 October 2004 - 10:38 AM

* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINNT\SYSTEM32\msvcirt.dll Tue 11 Jan 2000 2:00:00 ..SH. 77.878 76,05 K
C:\WINNT\SYSTEM32\olepro32.dll Tue 8 Aug 2000 9:08:08 ..SH. 164.112 160,27 K
C:\WINNT\SYSTEM32\DLLCACHE\oleaut32.dll Sat 14 Apr 2001 7:32:00 A.SHR 626.960 612,27 K
________________________________________________
2.185 items found: 2.185 files (8 H/S), 0 directories.
Total of file sizes: 344.420.295 bytes 328,46 M
Administrator Account = True
--------------------End log---------------------

#25 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 10 October 2004 - 02:51 PM

Hey ChrisRLG, congrats with your promotion !


#26 ChrisRLG

ChrisRLG

    Emeritus-Spyware Fighter

  • Authentic Member
  • PipPipPipPipPip
  • 3,855 posts

Posted 10 October 2004 - 03:02 PM

I must have missed an email - because I did not see your last post. I am going on holiday - so I will add this to a list for another teacher or admin to take over. Thanks for the congrats. More work :blink:

#27 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 10 October 2004 - 03:35 PM

Your topic is like pass the parcel :P I'll stick with it until resolved. Whilst in this account, run CWShredder, hit 'fix' as opposed to 'scan only'. Make sure you are running version 1.59.1. Reboot when done. Then check AAW for an update and run a full system scan. Reboot again when done and post a new HJT log for the stragglers.

#28 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 10 October 2004 - 04:59 PM

Hello Daemon ! You've helped me out before !

Done as you told me.
CWShredder found one IE page item and told me I had to reboot and run again.
AdawareSE found nothing wrong ( except 12 negligible MRU items which I removed all the same ).
During Adaware scan I got a virus warning from AVG ( JS/Psyme.K ), so I had to run the scan first, found 1x. Also ran Panda which found 5x.
Here's the new HJT log after reboot :

Logfile of HijackThis v1.98.2
Scan saved at 0:48:15, on 11/10/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\Firewall\persfw.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Documents and Settings\pj\Mijn documenten\MSN-messenger\MSN Pro\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccsrv.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.humo.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Documents and Settings\pj\Mijn documenten\MSN-messenger\MSN Pro\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\RunOnce: [CommCenter] C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
O4 - Startup: SpywareGuard.lnk = SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: VanBredaOnline Security Applet - https://www.vanbreda...applets/ema.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
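
Editor's added example (not part of the original posts, and not code from HijackThis or any tool named in this thread): a small Python script that parses two HijackThis logs and reports which items disappeared, appeared, or stayed between the log in post #22 and the log above. The `BEFORE` and `AFTER` strings are excerpts copied from those two posts; the function names are chosen for this illustration, and paths are compared case-insensitively, as Windows does.

```python
import re
from collections import namedtuple

# A HijackThis item line is "<section> - <detail>", e.g. "O18 - Filter: ...".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
Entry = namedtuple("Entry", "section detail")

# Excerpt of the log in post #22.
BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.humo.be/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pj\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - {44843C26-9FEC-4968-9730-E3F19D4F4E68} - C:\WINNT\System32\olpl.dll
O18 - Filter: text/plain - {44843C26-9FEC-4968-9730-E3F19D4F4E68} - C:\WINNT\System32\olpl.dll
O21 - SSODL: System - {EB26EA49-2C1A-4CE2-BD66-46B86F7E3599} - C:\WINNT\system32\system32.dll
"""

# Excerpt of the log in post #28.
AFTER = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.humo.be/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

def parse_hjt(text):
    """Map (section, case-folded detail) -> Entry for every item line."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = Entry(m.group(1), m.group(2).strip())
            entries[(e.section, e.detail.casefold())] = e
    return entries

def _order(e):
    # Sort by section letter, then section number, then detail text.
    return (e.section[0], int(e.section[1:]), e.detail.casefold())

def diff_logs(before, after):
    """Return (removed, added, unchanged) lists of Entry between two logs."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed = sorted((b[k] for k in b.keys() - a.keys()), key=_order)
    added = sorted((a[k] for k in a.keys() - b.keys()), key=_order)
    unchanged = sorted((a[k] for k in a.keys() & b.keys()), key=_order)
    return removed, added, unchanged

if __name__ == "__main__":
    removed, added, unchanged = diff_logs(BEFORE, AFTER)
    for label, items in (("removed", removed), ("added", added)):
        for e in items:
            print(f"{label:8} {e.section:4} {e.detail}")
```

The diff shows what changed, not what was malicious: a replaced antivirus product shows up as a removed and an added item alongside the entries a cleanup tool deleted, so each line still needs review.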

#29 Daemon

Daemon

    Retired Staff-Malware Expert

  • Authentic Member
  • PipPipPipPipPip
  • 3,521 posts

Posted 11 October 2004 - 02:02 PM

Thought I recognised you - what are you doing back here, didn't you follow our advice :P

The log looks OK. Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so. Repeat for all log-in accounts on your computer.

Then run AVG and let me know if anything further is found.

#30 ward

ward

    Authentic Member

  • Authentic Member
  • PipPip
  • 44 posts

Posted 11 October 2004 - 02:48 PM

Didn't follow your advice ? My PC looks like a fortress ! Adaware full system scan today : nothing ! Spybot : all clean ! Every now and then a gorgeous looking girl on the screen, beauty unlocks many doors, I don't mind. Is this "extra button" thing ok ? It will take some time to do all suggested : I'll have to shut down and start up several times ( 3 or 4 users from ages ago, probably have to install antivirus aso ). And most of the time I need my PC booted from my HD. Far from being a PC specialist, it seems little is needed to get troubled with malware. I guess nearly every surfer who is not aware of it must be infected. Do you think someone without much theoretical background could learn more about it ?
