Q: Spyware, deleting files in WINNT or System directories safely (No Answer, 7 Comments)
Question  
Subject: Spyware, deleting files in WINNT or System directories safely
Category: Computers
Asked by: jharsi-ga
List Price: $2.00
Posted: 22 Mar 2004 18:53 PST
Expires: 21 Apr 2004 19:53 PDT
Question ID: 319421
Windows 2000 OS - SP4 with all current upgrades and patches from Microsoft site.

My son uses my computer a lot, and I have had many problems with
spyware and viruses.  So I have now installed a firewall, and am
constantly running Adaware, Spybot and Track Eraser Delux to see what
all is on my computer. I have also installed HijackThis, but don't
have a good understanding of that application, so I haven't felt brave
enough to take full advantage of that one.
Many times, there are files in my C:\WINNT directory that I don't
think should be there because I believe them to be cookies, spyware,
etc., but I have a hard time just deleting these files because of the
fact that they are in my WINNT directory.  When they aren't in my
WINNT or System Directory, I don't have a problem deleting them.

I will give you a couple of examples:

My firewall caught this one:  ads.xbitches.com and gave the IP address
also.  I have no problem with blocking that, but it keeps appearing in
my firewall every time I log in.  Yet it does not give me the option to
block it "ALWAYS". So it seems that I never really get rid of it.

Another example, and one that worries me because it is in my WINNT
directory is: agekjdlo.exe.  I ran a search for it in Google but came
up empty handed.

I guess my real question is, how do I know which files to safely
delete that I suspect might be spyware, etc. when they are in a
Windows system directory, and is there any permanent fix for not
allowing certain files to never appear on my computer again.

But, I want to point out that I would hate to screw up my PC and have
to reinstall, or even worse, reformat, then reinstall Windows, and
lose everything else on my hard drive.

Your help would be greatly appreciated.

P.S.  I tried to select a subcategory below, but there were none to
select, as the drop down arrow had nothing, except "No Category".  Is
that important, or not with my query?

Much Thx

Clarification of Question by jharsi-ga on 22 Mar 2004 20:36 PST
I forgot to mention that my McAfee Firewall shows the
"ads.xbitches.com" in the Path C:\WINNT\explorer.exe

but there is no file under the WINNT directory with the name of
"explorer.exe".  And if there were, how would I find this "incoming
TCP/IP, to port 14459, from port 38870, domain name ads.xbitches.com,
IP address 66.36.230.214, within this "explorer.exe" file?

I just keep blocking it, but it continues to appear.

Clarification of Question by jharsi-ga on 22 Mar 2004 20:40 PST
However, I did go to "Advance Rule Editor" and was able to block all
incoming from that domain name, and that particular IP address.

Is this just going to be an ongoing thing for me, having to change and
add rules on a daily basis because my son accesses sites that place
cookies, or whatever on my computer?

Sorry to drag this out, but it seems as though I just keep finding
more information, and more cookies, spyware, etc.  I just wish there
were a way to stop all of the spam in my email, cookies, spyware, etc.
without having to edit all of my settings on a daily basis.  Is this
possible?
Answer  
There is no answer at this time.

Comments  
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: aht-ga on 22 Mar 2004 22:05 PST
 
jharsi-ga:

It's sad, isn't it, how the Internet has been such a boon to us, yet
is also such a bane.

The best tool available to you is HijackThis. However, as you quite
rightly indicated, it is not for the uninitiated or the faint of
heart.

Consider doing this: first, run HijackThis, and save a copy of the
results to a text file.

Next, go to the ComputerCops forum website at http://www.computercops.biz.

If you are so inclined, you can read the HijackThis tutorial there:

  http://computercops.biz/HijackThis.html

Register as a free user at ComputerCops, then go to the HijackThis forum:

  http://computercops.biz/forum67.html

Read the guidelines thread first:

  http://computercops.biz/postt911.html

Then, create a new thread to post your HijackThis log (from the saved
text file version), and ask for help in interpreting it.

After you get the appropriate feedback, implement the fixes that the
experts who frequent that forum recommend.

Good luck,

aht-ga
Google Answers Researcher
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: mrcybersex-ga on 23 Mar 2004 03:53 PST
 
You could download Ad-aware 6.0 (it's freeware) from Lavasoft in
Germany. This program will clean up all known spyware installed on
your computer.

Here is a direct link to the download page:
http://www.lavasoft.de/support/download/

Good luck & Best regards
webmaster@intercept.dk
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: misterbig-ga on 23 Mar 2004 07:38 PST
 
I have used Ad-aware on Windows 2000 when I was unable to manually
remove the entries; it works very well most of the time.
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: goo_gle_ga-ga on 23 Mar 2004 10:09 PST
 
regarding files with suspicious names:

From time to time, you may happen across a file that bears some kind
of weird name and you may well be tempted to get rid of it. Generally,
if the file is legitimate, then it will have been found on someone
else's system, and they might have been puzzled by it too.. So if a
search comes up with nothing, I would be inclined to treat it with
more suspicion, not less..
As a programmer I know it is very easy to write a program that will
create or rename a file to have a completely random name, so that no
web search will come up for it. This may be the case in your
agekjdlo.exe.
Case in point.. an email went round ages ago claiming that
SULFNBAK.EXE was a virus. It wasn't, it was merely a long file name
backup utility, but a quick web search revealed many references to it,
and the associated hoax.

There's no way to be certain that your agekjdlo is sinister, but check the following:

Submit it to kaspersky virus scanning (their system allows you to
upload a single file which they will then check and report for you)
http://www.kaspersky.com/scanforvirus.html

Check to see if it is running: press Ctrl + Alt + Del and choose Task
Manager, or press Ctrl + Shift + Esc, and in the PROCESSES tab, look
for the name. Try ending the process and see if it returns.

Look for strange behaviour of your system: spyware-killing programs
and virus scanners mysteriously quit, as do any web browsers pointing
to online virus scans; Task Manager quits and the registry editor
(regedit) also shuts down immediately after you start it.

Get a hex editor like the one from www.ultraedit.com and read the
contents of the suspicious exe using UltraEdit.. it should switch to
hex mode automatically, with text appearing on the right hand side.
Executable files usually start with text similar to "MZ! .... This
program cannot be run in DOS mode".
Page down the file repeatedly... at some point you should find a list
(in normal text) of what functions the program uses. An unknown person
recently emailed me a file with a .PIF extension.., I read the file
with UltraEdit and found out that among other things, it used the
Windows function GetInternetConnectedStateA
- An email attachment that was a program, that needed to know if the
internet was connected or not? It went straight in the recycler, I can
tell you...

If you suspect the file too much and want to delete it but cannot,
then take a look at:
http://www.diamondcs.com.au/index.php?page=dellater
It's a utility that allows you to specify files to be deleted before
Windows loads up fully.. the best time to delete viruses etc.

-

Regarding your banned sites list, I'm afraid that advert sites and porn
sites will always spring up faster than you can knock them out. There
is a project to add the bad sites to a huge list, which you might be
able to import into your firewall (you don't say what firewall). Check
the list out at:
http://remember.mine.nu/

There appear to be quite a few people working on hosts files to the same end:
http://www.smartin-designs.com/

-
Regarding HijackThis.. leave it.. it really is for power users, but
the latest version of Spybot should be all that you need.

As a preventative caution, you could follow my system setup (I have
never had a virus or trojan, nor have I ever had a firewall):
Install the Google toolbar; it does a great job of blocking popups and
that's where a lot of this junk comes from.
Install the latest version of Spybot (update it regularly) and make
sure that "Block all bad pages silently" is on, as well as
immunization against spyware.
Install the latest version of SpywareBlaster.. another immunize
program that offers a few extra immunizations that Spybot doesn't.
Most importantly, take great care to avoid problematic sites, and shut
popups immediately.
Do not open email attachments with the following extensions:
.exe .com .pif .vbs .js .scr .ppt .pps .xls .mdb .doc (yes, Office
documents) or anything else that is not safe.
The following are safe: .mp3 .txt .jpg .gif .mpg

beware of doubly extended files: anna_kornikova_naked.jpg.exe <- exe!

Don't open anything you're not expecting to receive, and treat with
caution anything you are expecting.. if a colleague says "I'll mail
you a document with those figures in tonight after work".. then check
carefully that the .doc file you got is likely to be those figures.
If you get a mail off your mate that says "hey, check this out" and
it's an attachment.. just don't.. even if it's from your mate, viruses
pose as people all the time to trick you into trusting the content.
Reply to him instead and ask him what it is. Most of the time you'll
get a "what is what?" response, because he never even realised that
the virus sent itself out..

Lastly.. do keep your computer as up to date as possible with Windows
Update (I can see you probably do :) )

matt
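As an added example (not code from this thread or from any tool it mentions), the script below does mechanically what the comment above describes doing by hand in a hex editor: it walks a Windows PE executable's import directory and lists which DLL functions the program calls, so an unknown file in C:\WINNT can be triaged by its imports rather than by its name. `build_sample_pe` is an assumption-free helper that constructs a tiny stand-in image so the check runs offline; the DLL and function names passed to it in the example are constructed sample values, not taken from any file in the thread (the real Wininet connectivity-check API is InternetGetConnectedState).

```python
import struct

def rva_to_offset(rva, sections):
    # Map a relative virtual address to a file offset using the section table
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_imports(data):
    """Return {dll_name: [imported function names]} from raw PE file bytes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else 0  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    plus = struct.unpack_from("<H", data, pe + 24)[0] == 0x20B        # PE32+ (64-bit image)
    imp_rva = struct.unpack_from("<I", data, pe + 24 + (112 if plus else 96) + 8)[0]  # dir[1]
    sections = [struct.unpack_from("<III", data, pe + 24 + opt_size + 40 * i + 12)
                for i in range(nsec)]     # (VirtualAddress, SizeOfRawData, PointerToRawData)
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
    result, desc = {}, (rva_to_offset(imp_rva, sections) if imp_rva else None)
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                             # zero descriptor ends table
            break
        names, thunk = [], rva_to_offset(oft or ft, sections)
        while entry := struct.unpack_from(fmt, data, thunk)[0]:
            names.append("ordinal#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else cstr(data, rva_to_offset(entry, sections) + 2))  # skip 2-byte hint
            thunk += width
        result[cstr(data, rva_to_offset(name_rva, sections))] = names
        desc += 20
    return result

def build_sample_pe(dll, funcs):
    # Constructed, non-runnable PE32 image whose only section is an import table
    # naming `funcs` from `dll`; stands in for a real .exe so the check runs offline
    sec_rva, sec_off, thunk_off = 0x1000, 0x200, 40        # descriptor + terminator = 40 bytes
    names, thunks = b"", b""
    for f in funcs:
        thunks += struct.pack("<I", sec_rva + thunk_off + 4 * (len(funcs) + 1) + len(names))
        names += b"\0\0" + f.encode() + b"\0"               # 2-byte hint, then the name
    dll_rva = sec_rva + thunk_off + 4 * (len(funcs) + 1) + len(names)
    desc = struct.pack("<IIIII", sec_rva + thunk_off, 0, 0, dll_rva, sec_rva + thunk_off)
    body = desc + b"\0" * 20 + thunks + b"\0" * 4 + names + dll.encode() + b"\0"
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)         # COFF: one section
           + struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<IIII", 0, 0, sec_rva, len(body)) + b"\0" * 112
           + b".idata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_off) + b"\0" * 16)
    return hdr + b"\0" * (sec_off - len(hdr)) + body
```

To inspect a real file, call `list_imports(open(path, "rb").read())`; an executable that pulls in WININET or WSOCK32 functions is one to look at more closely before deciding it belongs in C:\WINNT.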
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: jharsi-ga on 25 Mar 2004 18:10 PST
 
Thanks so much for all of your input.  Especially from goo_gle_ga-ga
and aht-ga.  I will follow through with all of your suggestions, and
see how it turns out.  I don't think that mrcybersex-ga read my post
very well, because as I explained, I am using, and have been using,
Adaware for quite some time now.

But thanks to all that replied to my call for help!
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: wingsy-ga on 29 Mar 2004 07:18 PST
 
Or, what you *could* do (and I'm just trying to be genuinely helpful
here) is to seriously investigate switching to a Mac. No viruses
(that's true - zero), no adware, no spyware, no pop-ups. The new Macs
are really a pleasure to use, and are stable as a rock. With rare
exceptions you can find any software for a Mac that you can for a PC,
and most of the common stuff is entirely cross-platform compatible. Go
to apple.com, click on the "Mac OS X" tab and look around. (Using a
Mac, the internet is still a boon to us, not a bane at all.)
Subject: Re: Spyware, deleting files in WINNT or System directories safely
From: hitek-ga on 29 Mar 2004 07:37 PST
 
Yeah, randomly named spyware files.  Gotta love them.  Spyware has
become somewhat intelligent.  What I would do is:
A. Go browse some game sites, and wait until you get one of those
INSTALL messages.  Show your son and tell him to NEVER, I MEAN NEVER
click yes, NO MATTER WHAT IT SAYS!

After that, hit ALT-CTRL-DEL on your PC and terminate any of those
random named processes, then go in the winnt folder and delete them.
There is no easy way.
