I was clean, no longer.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Luckyneil, Sep 27, 2005.

  1. Luckyneil

    Luckyneil Private First Class

    Thanks to meticulously following ALL the instructions then posting and receiving tons of help I cleaned my computer. Well, my 13-year-old went and visited a bunch of sex sites and my 16-year-old installed Kazaa. Now, if I run Adaware, reboot and run Adaware immediately again it finds the same stuff.
    My question: do I have to go through ALL the steps outlined in the sticky or can I post a HT logfile right away?
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do everything in the Sticky first, as following those steps may remove many of the problems. After you have completed the steps post your HJT log as an attachment.
     
  3. Luckyneil

    Luckyneil Private First Class

    I did the entire routine and sure enough a lot of stuff was removed.
    One thing, when downloading the latest update for Spybot the download seemed to go well but then I got this message in the info column of the update window: !!!Badchecksum!
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That happens from time to time, try a different download server.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs, uninstall the following:
    ENUFF appears to be broken. Uninstall it; you can reinstall it later.

    Download
    - Pocket Killbox

    Next, in HJT choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process.

    Now scan and have HJT Fix the following:
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE and
    open Windows Explorer, navigate to and DELETE the following:

    Now run CCleaner and delete all the files in the C:\Windows\Prefetch folder.

    Now reboot in normal mode and post a new HJT log.
     
  6. Luckyneil

    Luckyneil Private First Class

    I added Windows/prefetch under advanced in CCleaner before running it.
    Then I saw nothing had been removed so I deleted everything manually. Why were all the files StuffIt archives?

    When we cleaned my system last June the only file we couldn't get rid of was that W815DM.EXE thing. Do you know what it is?

    I removed Enuff but something has stayed in the HT logfile I see.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to ENXPSVC ( ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    ENXPSVC

    Next, in HJT choose Open the Misc Tools Section, choose Process Manager, and highlight

    C:\WINDOWS\system32\CVSEXPSS.EXE

    Choose Kill Process

    Now scan and have HJT Fix these lines if they exist:

    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
    O23 - Service: ENUFF XP Service (ENXPSVC) - Unknown owner - C:\WINDOWS\system32\CVSEXPSS.EXE (file missing)

    Reboot and post a new HJT log.
     
  8. Luckyneil

    Luckyneil Private First Class


    Neither of these items was found. However, when I tried to delete ENXPSVC as an NT service in HJT I received the message that the service was running.

    OK I did that.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It may be listed as ENUFF XP Service. Try this.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to ENUFF XP Service ( ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    ENXPSVC

    Next, in HJT choose Open the Misc Tools Section, choose Process Manager, and highlight

    C:\WINDOWS\system32\CVSEXPSS.EXE

    Choose Kill Process

    Now scan and have HJT Fix this line if it exists:

    O23 - Service: ENUFF XP Service (ENXPSVC) - Unknown owner - C:\WINDOWS\system32\CVSEXPSS.EXE (file missing)

    Reboot and post a new HJT log.
     
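    The posts above work through orphaned HijackThis entries by hand: an O2 BHO marked "(no file)" and an O23 service (ENXPSVC) whose executable is reported "(file missing)". As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for those two entry types that pulls out the CLSID or short service name and the file path, and flags entries whose target file HJT could not find, so a helper triaging a posted log can list the orphaned leftovers first. The sample log is constructed here, modelled on the lines quoted in this thread plus two healthy entries for contrast; the `Example` names and paths in it are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The first and third lines are the
# entries quoted in this thread; the "Example" lines are invented healthy entries.
SAMPLE_LOG = """\
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O23 - Service: ENUFF XP Service (ENXPSVC) - Unknown owner - C:\\WINDOWS\\system32\\CVSEXPSS.EXE (file missing)
O23 - Service: Example Updater (ExUpd) - Example Corp - C:\\Program Files\\Example\\updater.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# O23: "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)

@dataclass
class Entry:
    kind: str       # "O2" or "O23"
    name: str       # BHO name or service display name
    key: str        # CLSID for O2, short service name for O23 (what HJT deletes by)
    path: str       # reported file path with the status marker stripped ("" if none)
    orphaned: bool  # True when HJT reported the target file as absent

def parse_line(line):
    """Parse one O2 or O23 log line; return None for any other line type."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        orphaned = path == "(no file)"
        return Entry("O2", m.group("name"), m.group("clsid"),
                     "" if orphaned else path, orphaned)
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        orphaned = path.endswith("(file missing)")
        if orphaned:
            path = path[: -len("(file missing)")].rstrip()
        return Entry("O23", m.group("display"), m.group("short"), path, orphaned)
    return None

def parse_log(text):
    """Return all recognised O2/O23 entries in a log, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def orphaned_entries(text):
    """Entries whose backing file HJT reported missing: the leftovers to fix first."""
    return [e for e in parse_log(text) if e.orphaned]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f"{e.kind} {e.key}: {e.name} -> {e.path or '(no file)'}")
```

    An orphaned O23 entry like ENXPSVC is exactly the case where the GUI "Fix" can fail with "service is running" and the service has to be stopped and disabled in services.msc first, as the posts above describe; the parser only identifies such entries, it does not change anything on the machine.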
  10. Luckyneil

    Luckyneil Private First Class

    It wasn't there in HJT process manager.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It's gone and your log looks good. Make sure to reset your web settings.
     
  12. Luckyneil

    Luckyneil Private First Class

    What do you mean?
     
  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.

    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK. Then skip step 3.

    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all Offline content too, click OK. When it finishes click OK.
     
  14. Luckyneil

    Luckyneil Private First Class

    I use Firefox. I only use IE for Windows Updates.
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, cool, same here.
     
  16. Luckyneil

    Luckyneil Private First Class

    I think I'm still in trouble. I just ran Adaware and it found Reg values and Keys and a couple of files. Does Claria ring a bell? It came up in all the categories and had a TAC rating of 7. The Claria file is named fsg_4203.exe.
    I'm sure if I quarantine it and re-boot it'll be right back.
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, it is what used to be Gator, same thing different name. Have Ad-Aware clean what it finds, then run Spybot S&D, have it clean what it finds, then run a full system scan with Microsoft Anti-Spyware just to make sure.

    You can post a new HJT log as an attachment if you wish.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe Microsoft has a partnership with Claria and no longer considers it spyware. See http://www.eweek.com/article2/0%2C1895%2C1834607%2C00.asp So you will have to tell it to remove it instead of ignoring it. This was a bad thing that MS did.
     