My other half's HiJackThis log, please help

#1 kriskarrera, May 4th, 2005
Yes, her computer is becoming infested with all sorts of crap from the internet. Particularly stubborn are "Derbiz" and "ebates money maker", which both seem to reappear after being deleted with either Ad-Aware or Spybot.
I know it's gonna be an uphill struggle because I can't be there all day to make sure she keeps her virus software up to date all the time, but I thought you good people might be able to offer some help if I post her HijackThis log.

Thanks
Kris

Logfile of HijackThis v1.99.1
Scan saved at 22:59:44, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\usxhs.exe
C:\WINDOWS\System32\rnamrr.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\rqmr\rqmrm.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\faspro.exe
C:\WINDOWS\System32\faspro.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\inseng.exe
C:\Documents and Settings\Vickie\Desktop\DADA'S Utilities\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [c8YCifF] C:\WINDOWS\usxhs.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rnamrr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitetbm32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [rqmr] C:\PROGRA~1\COMMON~1\rqmr\rqmrm.exe
O4 - HKCU\..\Run: [inseng] C:\WINDOWS\System32\inseng.exe
O4 - HKCU\..\Run: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - HKCU\..\RunOnce: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Fortune Bingo by pogo - http://game4.pogo.com/applet-6.0.4.3...-ob-assets.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/62...ridge-c139.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/comput...up/qdiagcc.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol.pogo.com/game/deluxe/zuma...ploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BB5EAD9-17C3-4E45-BBFF-1CFF54D021F4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS2\Services\Tcpip\..\{2BB5EAD9-17C3-4E45-BBFF-1CFF54D021F4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
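Reading a log like the one above by hand comes down to two cross-checks: which O4 autostart entries point at a binary that is also in the "Running processes" list, and where on disk each autostart binary lives (a Program Files install versus a bare name dropped into C:\WINDOWS or System32). The Python script below is an added example and is not part of the original post nor of HijackThis itself. It parses SAMPLE_LOG, a constructed excerpt of the log above trimmed to a handful of lines; the helper names (parse_log, autostart_table, classify_location, name_servers) and the coarse location buckets are this example's own choices.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted above, trimmed to a
# handful of lines so the example runs offline. A real run would read the full
# log from a file instead.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 22:59:44, on 04/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\usxhs.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\faspro.exe
C:\WINDOWS\System32\faspro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [c8YCifF] C:\WINDOWS\usxhs.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKCU\..\Run: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - HKCU\..\RunOnce: [faspro] C:\WINDOWS\System32\faspro.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BB5EAD9-17C3-4E45-BBFF-1CFF54D021F4}: NameServer = 205.188.146.145
"""

# "O4 - ...", "R0 - ...", "O17 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry Run/RunOnce entries: <hive>: [<value name>] <command line>
O4_REG_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Startup-folder shortcuts: Global Startup: <file>.lnk = <target>
O4_LNK_RE = re.compile(r"^(?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First executable-looking path in a command line, quoted or not (non-greedy,
# so "C:\Program Files\...\AVGNT.EXE /min" yields the path without "/min").
PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|com))"?', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into (running process paths, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def classify_location(path):
    """Coarse bucket for where an autostart binary lives (case-insensitive)."""
    p = path.lower()
    if "\\system32\\" in p:
        return "system32"
    if p.startswith("c:\\windows\\"):
        return "windir"
    if "\\program files\\" in p or "\\progra~1\\" in p:
        return "programfiles"
    return "other"


def autostart_table(text):
    """One row per O4 entry, cross-referenced with the running-process list."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    rows = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if not m:
            continue
        pm = PATH_RE.match(m.group("cmd"))
        path = pm.group("path") if pm else m.group("cmd")
        rows.append({
            "name": m.group("name"),
            "hive": m.group("hive"),
            "path": path,
            "location": classify_location(path),
            "running": path.lower() in running,
        })
    return rows


def name_servers(entries):
    """DNS servers from O17 entries; a hijacked resolver shows up here."""
    found = []
    for code, body in entries:
        m = re.search(r"NameServer = ([\d.,]+)", body) if code == "O17" else None
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for row in autostart_table(SAMPLE_LOG):
        print(f"{row['name']:<16} {row['hive']:<16} {row['location']:<13} "
              f"{'running' if row['running'] else 'not running':<12} {row['path']}")
    print("NameServer:", name_servers(parse_log(SAMPLE_LOG)[1]))
```

The table is a triage aid, not a verdict: an autostart that is not currently running (exp.exe, the SpySubtract shortcut) may simply not have started yet, and a binary under Program Files can still be unwanted. What the cross-reference buys you is a short list of entries to look up one by one, and the O17 line tells you whether the machine's DNS has been pointed somewhere you did not choose.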

#2 crunchie (Moderator), May 5th, 2005
Download rkfiles.zip:
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe Mode.

Double-click rkfiles.bat.
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

To save some time, could you please have all the files that rkfiles finds uploaded for an online scan here:

http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.

#3 pcschrottie, May 5th, 2005
You can check your computer with 5,000,000 antivirus programs and spend $20,000 on it; as long as you surf the Internet with Internet Explorer with ActiveX and Active Scripting enabled, it will be Sisyphean work.

Michael

#4 kriskarrera, May 6th, 2005
I uploaded the file to that virus checker site and it found nothing.

Here's the log:
C:\Documents and Settings\Vickie\Desktop\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\AUNPS2.dll: UPX!
C:\WINDOWS\system32\faspro.exe: UPX!
C:\WINDOWS\system32\naopn.dll: UPX!
C:\WINDOWS\system32\pgehppp.dll: UPX!
C:\WINDOWS\system32\qvgbq.dat: UPX!
C:\WINDOWS\system32\rnamrr.exe: UPX!
C:\WINDOWS\system32\rpen.exe: UPX!
C:\WINDOWS\system32\skytown.exe: UPX!
C:\WINDOWS\system32\thin-94-1-x-x.exe: UPX!
C:\WINDOWS\system32\winup2date.dll: UPX!
C:\WINDOWS\system32\winupdt.exe: UPX!
C:\WINDOWS\system32\wmconfig.cpl: UPX!
C:\WINDOWS\system32\elitebon32.exe: FSG!
C:\WINDOWS\system32\elitecoc32.exe: FSG!
C:\WINDOWS\system32\eliteduj32.exe: FSG!
C:\WINDOWS\system32\elitedzm32.exe: FSG!
C:\WINDOWS\system32\eliterse32.exe: FSG!
C:\WINDOWS\system32\elitersk32.exe: FSG!
C:\WINDOWS\system32\elitesla32.exe: FSG!
C:\WINDOWS\system32\elitetbm32.exe: FSG!
C:\WINDOWS\system32\elitevjd32.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\oembios.bin: peC2"y)Q

Files Found in all users startup Folder............
------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dtup.exe: UPX!
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\farmmext.exe: UPX!
C:\WINDOWS\nem220.dll: UPX!
C:\WINDOWS\sideb.exe: UPX!
C:\WINDOWS\tct101.dll: UPX!
C:\WINDOWS\usxhs.exe: UPX!
Finished
bye

LOL I take it that log has some baddies in it?
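rkfiles.bat, as used in post #2, works by searching the files in the system, Windows and startup folders for packer signature strings, which is why every hit in the log in post #4 is annotated "UPX!" or "FSG!". The Python script below is an added example written for this page, not the rkfiles tool itself, and reproduces that heuristic over a directory tree. The files it creates in build_sample_tree are constructed byte strings that merely contain the markers; the file names borrowed from the log are for illustration and are not the real binaries. As the rkfiles output itself warns, a packer marker means the file is packed, not that it is malicious; plenty of legitimate software ships UPX-packed.

```python
import os
import tempfile

# The two packer markers rkfiles reports. Both are plain byte strings left in
# the packed executable: "UPX!" is the UPX header magic, "FSG!" the marker of
# the FSG packer. A hit means "packed", not "malicious".
MARKERS = (b"UPX!", b"FSG!")
MAX_READ = 4 * 1024 * 1024  # per-file read cap; the markers sit near the PE headers


def scan_file(path, markers=MARKERS, max_read=MAX_READ):
    """Return the first packer marker found in the file, or None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_read)
    except OSError:  # locked or unreadable files are skipped, not fatal
        return None
    for marker in markers:
        if marker in data:
            return marker.decode("ascii")
    return None


def scan_tree(root, markers=MARKERS):
    """Walk root recursively; return {absolute path: marker} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            marker = scan_file(path, markers)
            if marker is not None:
                hits[path] = marker
    return hits


def format_report(hits, root):
    """'path: marker' lines in rkfiles' style, relative to root and sorted."""
    return [f"{os.path.relpath(path, root)}: {marker}"
            for path, marker in sorted(hits.items())]


def build_sample_tree():
    """Create a throwaway directory of constructed files for the demo.

    The contents are fake: an MZ stub followed by a marker string. The names
    borrow from the log above purely for illustration; these are not the
    real binaries, just bytes that trip the same heuristic.
    """
    root = tempfile.mkdtemp(prefix="rkfiles_demo_")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    samples = {
        os.path.join(sysdir, "faspro.exe"):     b"MZ" + b"\x00" * 62 + b"UPX0UPX1UPX!" + b"\x90" * 64,
        os.path.join(sysdir, "elitetbm32.exe"): b"MZ" + b"\x00" * 62 + b"FSG!" + b"\xcc" * 64,
        os.path.join(sysdir, "clean.dll"):      b"MZ" + b"\x00" * 62 + b".text.data.rsrc",
        os.path.join(root, "readme.txt"):       b"nothing packed here\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for line in format_report(scan_tree(demo_root), demo_root):
        print(line)
```

Two caveats carry over from the real tool. rkfiles is run from Safe Mode because a running infection can lock or hide its own files; this script silently skips anything it cannot open, so an empty report is not a clean bill of health. And a string match is a weak signal either way: a packer that does not leave these markers goes unnoticed, while the dfrg.msc and oembios.bin lines in post #4 show how a byte-pattern search also picks up harmless files.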

#5 Catweazle (Team Colleague), May 6th, 2005
Originally Posted by kriskarrera:
I know it's gonna be an uphill struggle because I can't be there all day to make sure she keeps her virus software up to date all the time ....
Be that as it may, you should ensure that an adequate antivirus program is installed, set to update automatically and to perform continual background scanning. You should also ensure that adequate spyware detection/removal software is installed and set to perform continual background scanning/blocking.

And you should ensure that a browser such as Mozilla, Firefox or Opera is installed and set as 'default', with the security settings adequately configured.

That way, you don't need to be there all day.

#6 crunchie (Moderator), May 6th, 2005
kriskarrera, I needed you to upload every file that rkfiles found.

#7 kriskarrera, May 6th, 2005
Originally Posted by crunchie:
kriskarrera, I needed you to upload every file that rkfiles found.
Oh. OK. What do you mean by "upload"? Do you mean literally copy these nasties onto disc from her PC and then attach them to this thread?

#8 crunchie (Moderator), May 7th, 2005
No. In post #2 I provided a link to an online scanner where you can have the files scanned one at a time.

#9 kriskarrera, May 8th, 2005
I'm in a rush. I've copied those files to disc and I'll scan them on that site later and report back here, but can I just add that I ran Ad-Aware on her PC earlier and something nasty popped up and took away some of the nasties I was about to delete!! I can't believe that some evil git has even made something that can hijack Ad-Aware!

#10 crunchie (Moderator), May 9th, 2005
Ad-aware Cloak 1.0 is designed to allow Ad-aware to open fully when there are items on the system which close Ad-aware when it attempts to start, such as some CoolWebSearch variants. To use Ad-aware Cloak, save it to your system, and run the program before opening Ad-aware. Once Ad-aware Cloak opens, click "Activate Cloak" and then open Ad-aware and scan as normal. When you are done using Ad-aware, close Ad-aware Cloak.

Further information and the free Ad-aware Cloak download: AAWCloak

DaniWeb, Viruses, Spyware and other Nasties forum. ©2003 - 2009 DaniWeb® LLC