
Thread: laptop dead

  1. #1
    gt4
    Member; Join Date: Sep 2006; Posts: 67; Points: 0

    laptop dead

    Laptop caught Windows Antivirus Pro. I've beaten it back a little, to the point where I can now scan with Malwarebytes and SUPERAntiSpyware.

    I've also used the detective and did as that said, but every time I run the laptop out of safe mode it hardly works.

    And every time I scan, both Malwarebytes and SUPERAntiSpyware find something. I delete it all, restart, and it finds stuff again (sys restore is off).

    I have no factory return settings, nor do I have a DVD to reinstall.

    Anyone reckon they can help?

    P.S. This laptop is very old and can't cope with running SUPERAntiSpyware out of safe mode, cus it just gets too hot and crashes lol

    Cheers

  2. #2
    evilfantasy
    Forum Moderator; Join Date: Jan 2008; Location: Tulsa, OK; Posts: 4,478; Points: 627

    Have you updated Malwarebytes and/or SUPERAntispyware before scanning?

    Post the logs from them here please.

    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum

  3. #3
    gt4

    having a few probs getting it to run again, please bear with me, be back asap, thanks

  4. #4
    gt4

    Malwarebytes' Anti-Malware 1.40
    Database version: 2689
    Windows 5.1.2600 Service Pack 3 (Safe Mode)

    24/08/2009 19:03:53
    mbam-log-2009-08-24 (19-03-53).txt

    Scan type: Quick Scan
    Objects scanned: 93295
    Time elapsed: 4 minute(s), 54 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 1
    Registry Keys Infected: 2
    Registry Values Infected: 7
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 25

    Memory Processes Infected:
    C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
    C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\csbdll.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\csbdll (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msword98 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\services.exe (Trojan.FakeAlert.H) -> Delete on reboot.
    C:\WINDOWS\system32\csbdll.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\E.tmp (Spyware.Festeal) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\VRT2.tmp (Malware.Tool) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0D5463NX\lo[1].htm (Backdoor.HareBot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\msword98.exe (Trojan.Agent) -> Quarantined and deleted successfully.


    SUPERAntiSpyware log...

    SUPERAntiSpyware Scan Log
    SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

    Generated 08/24/2009 at 07:03 PM

    Application Version : 4.27.1000

    Core Rules Database Version : 4069
    Trace Rules Database Version: 2009

    Scan type : Quick Scan
    Total Scan Time : 00:10:56

    Memory items scanned : 353
    Memory threats detected : 2
    Registry items scanned : 515
    Registry threats detected : 7
    File items scanned : 5297
    File threats detected : 15

    Trojan.Agent/Gen-Reader_S
    C:\WINDOWS\SYSTEM32\READER_S.EXE
    C:\WINDOWS\SYSTEM32\READER_S.EXE
    [reader_s] C:\WINDOWS\SYSTEM32\READER_S.EXE

    Trojan.Spam-DAO
    C:\WINDOWS\SERVICES.EXE
    C:\WINDOWS\SERVICES.EXE

    Trojan.Dropper/Win-NV
    [msword98] C:\WINDOWS\SYSTEM32\MSWORD98.EXE
    C:\WINDOWS\SYSTEM32\MSWORD98.EXE
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\MSWORD98.EXE

    Trojan.Dropper-Services/Fake
    [services] C:\WINDOWS\SERVICES.EXE

    Trojan.Agent/Gen-FakeAlert
    [msword98] C:\DOCUMENTS AND SETTINGS\OWNER\MSWORD98.EXE
    C:\DOCUMENTS AND SETTINGS\OWNER\MSWORD98.EXE
    [msword98] C:\DOCUMENTS AND SETTINGS\OWNER\MSWORD98.EXE

    Trojan.Unknown Origin
    HKLM\Software\AGProtect
    HKLM\Software\AGProtect#Cfg

    Trojan.Agent/Gen-NumTemp
    C:\WINDOWS\SYSTEM32\9.TMP

    Trojan.Agent/Gen-Dropper[Temp]
    C:\WINDOWS\SYSTEM32\C.TMP
    C:\WINDOWS\SYSTEM32\D.TMP
    C:\WINDOWS\SYSTEM32\E.TMP
    C:\WINDOWS\Prefetch\D.TMP-1D59F25F.pf

    Rootkit.Protect
    C:\WINDOWS\SYSTEM32\DRIVERS\PROTECT.SYS

    Trojan.Agent/Gen
    C:\WINDOWS\TEMP\VRT2.TMP
    C:\WINDOWS\Prefetch\VRT2.TMP-3703FE93.pf

    Trojan.Agent/Gen-RogueDropper[ProtectionSystem]
    C:\WINDOWS\TEMP\VRT3.TMP
    C:\WINDOWS\Prefetch\VRT3.TMP-17FADF1F.pf

  5. #5
    gt4

    HijackThis log after the reboot requested by Malwarebytes and SUPERAntiSpyware (still in safe mode at the moment)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:10:23, on 24/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\WINDOWS\system32\4.tmp
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\services.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = K9 Community Portal
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer Provided by Wanadoo
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB001" /M "Stylus DX4800"
    O4 - HKLM\..\Run: [Server Application] C:\WINDOWS\system32\ServoApp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EPSON Stylus SX400 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGE.EXE /FU "C:\WINDOWS\TEMP\E_S74.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219314492765
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 7442 bytes
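
    A triage pass over the two logs above, as an added example that is not part of the original thread: it lists paths from the HijackThis log that the earlier Malwarebytes scan had already flagged, system image names running outside system32, and .tmp files running as processes. The sample lines are copied from the posted logs; the function names and the `SYSTEM32_ONLY` list are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: lines copied from the Malwarebytes log (19:03) and the
# HijackThis log taken after the reboot (19:10) in this thread.
MBAM_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\services.exe (Trojan.Agent) -> Unloaded process successfully.
Files Infected:
C:\WINDOWS\system32\msword98.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\services.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
"""

# Assumption: image names that on Windows XP belong only in the system32 folder.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}
SYSTEM32 = r"c:\windows\system32"

DETECTION = re.compile(r"^[ \t]*([A-Za-z]:\\.+?) \(([^()]+)\) -> ", re.M)
RUN_ENTRY = re.compile(
    r'^[ \t]*O4 - \S+\\Run(?:Once)?: \[[^\]]+\] "?([A-Za-z]:\\[^"\n]*?\.(?:exe|tmp))',
    re.M | re.I)


def norm(path):
    """Lower-case, backslash-normalised form so paths from both logs compare equal."""
    return ntpath.normcase(ntpath.normpath(path.strip()))


def running_processes(hjt):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in (raw.strip() for raw in hjt.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs.append(norm(line))
    return procs


def triage(mbam, hjt):
    """Map each suspicious path in the HijackThis log to the reasons it was flagged."""
    detected = {norm(p): name for p, name in DETECTION.findall(mbam)}
    sources = [(p, "running") for p in running_processes(hjt)]
    sources += [(norm(p), "autostart") for p in RUN_ENTRY.findall(hjt)]
    findings = {}
    for path, where in sources:
        folder, image = ntpath.split(path)
        reasons = findings.setdefault(path, set())
        if path in detected:
            reasons.add(f"{where}: flagged as {detected[path]} in the earlier scan")
        if image in SYSTEM32_ONLY and folder != SYSTEM32:
            reasons.add("system image name outside system32")
        if where == "running" and image.endswith(".tmp"):
            reasons.add(".tmp file executing as a process")
    return {p: sorted(r) for p, r in findings.items() if r}


if __name__ == "__main__":
    for path, reasons in triage(MBAM_LOG, HJT_LOG).items():
        print(path, "->", "; ".join(reasons))
```
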

  6. #6
    evilfantasy

    I don't have good news...

    All of your questions should be answered below.

    This is a Virut infection. Unfortunately the only reliable cure is a complete reformat and reinstall. See here for more information: Virut and other File infectors - Throwing in the Towel?

    Many of the major antivirus vendors have Virut removal tools, but many times Virut is not repairable. The only reliable way to remove Virut is removing the system files it has infected, in turn crippling the system and calling for a reformat/reinstall anyway. Remember it is always spreading, so trying to contain it is impossible. See this article on why it is so destructive: Under the Hood: Virut

    If you do try to repair this without reformatting then your best chance is using the Avira AntiVir Rescue CD. (free) And/or the Dr Web LiveCD. (also free)

    Backing up files before formatting

    If you backup any files they should be scanned from a clean properly protected PC before restoring. Also be careful what scanner is used as some are very poor at detecting and even worse at protecting from this infection. In fact due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only backup files you can not replace like text documents and personal photos.

    Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

    I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.

    -) Dr.Web CureIt!
    -) AVG Win32/Virut Removal Tool
    -) Symantec W32.Virut Removal Tool
    -) McAfee Avert Stinger
    -) Microsoft Windows Malicious Software Removal Tool

    If you do not know how to perform a fresh install, use this website -> Windowsreinstall.com - Windows 7, XP, Vista reinstall, uninstall, repair, and upgrade guides

    Very important, do the following immediately or as soon as possible!

    If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.

    From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

    DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.

  7. #7
    gt4

    OK, well this laptop was used purely for web browsing, so no real worries, and all our accounts are still OK! Have been for weeks.

    First thing I noticed was the Windows Antivirus Pro, and this occurred after looking for bench grinders on Google. Do you think that is possible, or is this Virut from another source? (see below)


    I have nothing to lose on this PC so I'm happy to have a play with the links you gave me!

    Thanks for the effort,

    When I used a mem stick on another PC it did pop up, AVG detected upon open sys 32 Virut, and that computer still seems to be fine? I ran several scans with no hits at all. Could it still be infected?

    I looked at hidden files on the stick and found 3, which I deleted, and then formatted all of my memory devices.

    I think this has been caught by my 12 year old because I system restored his PC 7 or so times and ran scans in several different ways to get it back to normal (he's now banned from net), but it jumped across on the mem stick is my best theory.

  8. #8
    evilfantasy

    I have no idea where it could have come from but I would imagine it was from a bad download.

    "could it still be infected?"
    I would run Dr.Web CureIt! on it to be sure. Dr Web is one of the best scanners at finding Virut. Removing it however is a toss up.

    "I think this has been caught by my 12 year old because, I system restored his pc 7 or so times and ran scans in several different ways to get it back to normal (he's now banned from net) but it jumped across on the mem stick is my best theory."
    You might find out if he is downloading torrents. That is the most likely source of where it came from.

    Also use this on your portable drives to help protect them in the future.

    Panda USB and AutoRun Vaccine

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Panda USB and AutoRun Vaccine and save it to your desktop. - Alternate download link

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
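
    A read-only check of what a removable drive's autorun.inf would launch and whether that target is actually present, as an added example that is not part of the original thread and is unrelated to Panda's tool. The function names and the drive contents built in `demo()` are constructed for illustration; unquoted program paths containing spaces are not handled.

```python
import os
import tempfile

# Keys in the [autorun] section that name a program to start.
EXEC_KEYS = ("open", "shellexecute")


def autorun_targets(text):
    """Return {key: command} for the entries in [autorun] that launch something."""
    targets, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets[key] = value
        # Any other line (junk padding, other sections) is ignored.
    return targets


def program_of(command):
    """First token of a command line: the quoted path, or the text before the first space."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command.strip() else ""


def inspect_drive(root):
    """List (key, command, target_exists) for the autorun.inf in a drive's root folder."""
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return []
    try:
        with open(os.path.join(root, name), "r", errors="replace") as fh:
            targets = autorun_targets(fh.read())
    except OSError:
        return []  # unreadable or not a regular file, so there is nothing to parse
    report = []
    for key, command in sorted(targets.items()):
        relative = program_of(command).replace("\\", os.sep).lstrip(os.sep)
        report.append((key, command, os.path.isfile(os.path.join(root, relative))))
    return report


def demo():
    """Build a constructed drive layout in a temp folder and inspect it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "tools"))
        open(os.path.join(root, "tools", "setup.exe"), "w").close()
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\n; constructed sample\nicon=drive.ico\n"
                     "open=tools\\setup.exe /quiet\n"
                     "shell\\explore\\command=missing.exe\n")
        return inspect_drive(root)


if __name__ == "__main__":
    for key, command, exists in demo():
        print(f"{key:24} {command:28} target present: {exists}")
```
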

  9. #9
    gt4

    OK, really really good news!

    Dr Web found nothing on my game rig! So I'm happier now.

    As for the laptop, I got annoyed and formatted the hard drive, thinking I'll reinstall using another XP copy I have for my dual booting gaming rig, and use the laptop's code.

    After the format I thought it prob won't work cus I wasn't sure if the laptop had Home Edition, but after putting the key in, connecting to the net and registering it, all was good.

    It's updating fine and obviously clean from evil nasty stuff.


    On another note: thanks for the links for the USB fixes, that's a lot easier than digging around in the hidden files for them.

    Fortunately the last one I found gave instruction to open a file that wasn't there! So I deleted the .inf files and that drive is now fine: there were 2 .inf files, the bad one and the normal one, so if I right clicked on the drive I got to autoplay functions

    Many thanks for the links, I'll keep my guard up, should be fine now the child is internetless.

    Oh, is SpywareBlaster worth installing?

  10. #10
    evilfantasy

    Originally posted by gt4:
    "oh is spywareblaster worth installing?"
    I was going to suggest that.

    Use the Secunia Software Inspector to check for out of date software.
    Click Start Now
    Check the box next to Enable thorough system inspection.
    Click Start
    Allow the scan to finish and scroll down to see if any updates are needed.
    Update anything listed.

    ----------

    Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

    ----------

    SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
    * Using SpywareBlaster to protect your computer from Spyware and Malware

    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

    Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

    Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.