OK....
the trojan he had was connected to something called "Internet optimizer"
-----------
Description
Internet Optimizer is an error page hijacker.
Variants
InternetOptimizer/Iopti: unknown-server errors, page-missing errors, server errors and even password-required errors are redirected to Internet Optimizer's controlling server at
www.internet-optimizer.com.
InternetOptimizer/Nem: as Iopti, but searches are hijacked to yoogee.com (a search site run by the makers of InternetOptimizer).
InternetOptimizer/Wsem: a larger version of the software, whose purpose is unclear.
InternetOptimizer/Crmrest: an ActiveX downloader control for InternetOptimizer.
Also known as
DyFuCA.
Distribution
May be installed by MoneyTree/DyFuCA, or the Crmrest variant. The latter poses as a comedy or porn video from the site movies-etc.com, and when allowed to install may forward a mail to all contacts in your Outlook address book, promoting movies-etc in your name.
What it does
Advertising
Yes. The 'DyFuCA Active Alert' component can open pop-up 'alerts' when directed by its controlling server.
Privacy violation
Suspected. The EULA at Internet Optimizer's web site states the software may send all your browsing information back to its controllers. At the time of writing, however, this has not been seen to happen with the current version of the software.
Security issues
Yes. Can download and execute arbitrary unsigned code from its controlling server, as an update feature.
Stability problems
Unknown; some unclear user reports of it causing crashes.
Removal
Check the Control Panel's Add/Remove Programs feature for 'Active Alert' and 'Internet Optimizer'. If these entries are there, using both should result in InternetOptimizer's correct removal. Afterwards, ensure MoneyTree/DyFuCA is no longer loaded.
Manual removal
For the Crmrest installer variant, open the Downloaded Program Files folder (inside the Windows folder) and remove the 'Media Manager' entry.
For other variants, open the Windows folder. You should be able to see a file 'ioptiXXX.dll' (Iopti variant), 'nemXXX.dll' (Nem variant) or 'wsemXXX.dll' (Wsem variant). The XXX differs for different versions; common versions are 'iopti130.dll', 'nem207.dll' and 'wsem210.dll'.
Open the registry (click 'Start', choose 'Run' and enter 'regedit') and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the entries 'DyFuCA' and 'DyFuCA Active Alerts'.
Now open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for the Iopti variant):
cd "%WinDir%\System"
regsvr32 /u ..\iopti130.dll
Or, for the Nem variant:
cd "%WinDir%\System"
regsvr32 /u ..\nem207.dll
Or, for the Wsem variant:
cd "%WinDir%\System"
regsvr32 /u ..\wsem210.dll
Restart the computer and you should be able to delete the DLL from the Windows folder, and the 'DyFuCA', 'Internet Optimizer' or 'STWSI' folder you may have inside Program Files. You can also delete the subkey 'FCI' in HKEY_LOCAL_MACHINE\Software and HKEY_CURRENT_USER\Software to clean up if you like.
------------
also you can look here.
http://securityresponse.symantec.com/avcen...toptimizer.html
and finally...if your looking for more info search for this "DyFuCA" or "internet Optimizer"
hope this helps...and pest patrol supposedly takes care of this, but they charge you for it.
