Author Topic: My mom's computer is infected. Help please?  (Read 23039 times)


ahullsb

  • Guest
My mom's computer is infected. Help please?
« on: August 23, 2008, 01:49:07 AM »
She pulled a no no and clicked on spyware that appeared on her desktop....:( Now it has hijacked the desktop. Avast found a few viruses, one or two of which it could not move or delete, so I was forced to ignore them. Here is what I found from Kaspersky's scan. Can anyone advise me on what I should do? Thank you in advance. I can post a hijack this as well if it will help.

Friday, August 22, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, August 22, 2008 18:44:27
Records in database: 1124860
Scan settings
Scan using the following database    extended
Scan archives    yes
Scan mail databases    yes
Scan area    My Computer
C:\
D:\
E:\
Scan statistics
Files scanned    84642
Threat name    2
Infected objects    3
Suspicious objects    0
Duration of the scan    01:24:29

File name    Threat name    Threats count
C:\Program Files\AOL Toolbar\temp.000   Infected: not-a-virus:AdWare.Win32.SearchIt.t   1   
C:\Program Files\AOL Toolbar\~GLH0004.TMP   Infected: not-a-virus:AdWare.Win32.SearchIt.t   1   
C:\Program Files\Magentic\bin\magentic_install.exe   Infected: not-a-virus:Downloader.Win32.ImLoader.f   1   
The selected area was scanned.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: My mom's computer is infected. Help please?
« Reply #1 on: August 23, 2008, 01:57:36 AM »
Well as much as I dislike AOHell I would doubt that their toolbar would be considered adware, but it is unlikely that it had anything to do with the previous avast detection.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

What was the reason it couldn't be moved, e.g. what error message was displayed (commonly this file is in use) ?

If you have XP, Vista 32-bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #2 on: August 23, 2008, 02:19:41 AM »
Haha, I hate aol too. I can't convince her that it sucks. Should I try harder? I did run a boot scan when I initially installed it. It caught two things, two others it could not move or delete. I will see if I can find them now. All I see in the logs are the following: error log and warning log. The computer froze last night about 75 percent through. I am running the scan again.

Here is the error log

10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 4:18:33 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 8:18:36 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 
10/3/2006 12:18:39 PM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005. 

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #3 on: August 23, 2008, 02:21:58 AM »
Here is the warning log. I should have written them down I know, but by the time I realized it wasn't going to fix them I had hit ignore and the scan moved on...Any other programs I should try and download or run online?

10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  
10/3/2006 12:50:41 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.  
10/3/2006 12:50:41 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.  
10/3/2006 4:18:33 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.  

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #4 on: August 23, 2008, 02:22:44 AM »
(continued)

8/21/2008 9:03:21 PM   SYSTEM   1088   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\lphcp46j0ele5.exe" file. 
8/21/2008 10:33:36 PM   Vicki Hull   2596   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP151\A0027691.exe" file.

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #5 on: August 23, 2008, 03:02:19 AM »
Yes Our British friends may be in bed
If they are lurking they may chime in

first download and run Malware Bytes Anti Malware (free) and Rogue remover
post the logs

then let's fix your AV

- In windows\system32, or anywhere else, see if you have the file entapi.dll.  When you find it, right-click on it and click on Properties.  Review the information there. Is the file from or for McAfee?

If you ever have had McAfee on this machine remove with Add/Remove Programs then the McAfee removal tool
see here
http://www.pchell.com/virus/uninstallmcafee.shtml
then go to the bottom of the page and uninstall any other AV you have ever had
then go here
http://www.pchell.com/virus/uninstallantivir.shtml
start in the middle of the page
here
What if Windows Security Center Shows AntiVir or other multiple Antivirus products installed

One quirk with AV causes it to still show up in the Windows Security Center even when it's been uninstalled properly. If this is the case, please refer to this article to resolve it.

http://www.pchell.com/support/multiple_antivirus_in_security_center.shtml

THEN
run the Antivir registry cleaner
follow the instructions
when reinstalling avast schedule a boot time scan and report the results

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #6 on: August 23, 2008, 03:13:38 AM »
Besides these initial errors are very old dating to 2006 and really not worth chasing as there have been many updates since then.

Well the 00000005 (windows file system error 5) is access denied and this can be for legitimate reasons as well as malware being protected. So when you see those errors google the file name that the error is for, this should give you a good idea what application the file is associated with and if the access denied is reasonable.

Also when you get these errors you could schedule a boot-time scan (as mentioned previously) where it is less likely that access would be denied as windows won't be running, this should allow avast to scan the file.

The EntApi.dll file would appear to be a part of McAfee Virus Scan so a) it would be reasonable that it is protected, b) however this shows that there is another AV installed or remnants on your Mom's system and this can cause conflicts.

Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable. However, as I said these errors are dated 2006 so may no longer be an issue if McAfee has been removed as there have been no further errors relating to this since 2006.

So I don't know if this is the cause of many of these errors, certainly the 'Function setifaceUpdatePackages() has failed' errors.

Ensure that McAfee has been uninstalled and also run the uninstall tool, I have supplied more information as I have no idea what version she might have had.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

####
8/21/2008 9:03:21 PM   SYSTEM   1088   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\lphcp46j0ele5.exe" file.
8/21/2008 10:33:36 PM   Vicki Hull   2596   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP151\A0027691.exe" file.

These seem valid detections and the only recent ones 21/8/2008, but the main thing is what action did your Mom choose on the detection, Move to chest, Delete, etc. ?

Just about to go to bed ;D
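Added example, not part of any post in this thread: a small Python triage of an avast! log in the format pasted above, following the reasoning in Reply #6 (old entries versus recent ones, error 00000005 as access denied, and the "Sign of ... has been found" detections). The function names, the 30-day recency window and the restore-point flag are assumptions of this example; the sample lines are copied from the thread's log, with the user name replaced by a placeholder.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the log excerpts in this thread (user name replaced).
SAMPLE_LOG = r'''
10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\WINDOWS\system32\EntApi.dll failed, 00000005.
10/3/2006 12:18:26 AM   SYSTEM   1952   AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\WINDOWS\system32\EntApi.dll (C:\WINDOWS\system32\EntApi.dll) returning error, 00000005.
10/3/2006 12:50:41 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.
10/3/2006 12:50:41 AM   SYSTEM   1952   An error has occured while attempting to update. Please check the logs.
10/3/2006 4:56:44 AM   SYSTEM   1952   Function setifaceUpdatePackages() has failed. Return code is 0x0000A410, dwRes is 00000000.
8/21/2008 9:03:21 PM   SYSTEM   1088   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\SYSTEM32\lphcp46j0ele5.exe" file.
8/21/2008 10:33:36 PM   Local User   2596   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{3029B316-1FD5-455A-B12F-DF32771AB5DB}\RP151\A0027691.exe" file.
'''

FIELD_SEP = re.compile(r"\t+| {2,}")  # columns are separated by tabs or runs of spaces
DETECTION = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file')
SCAN_ERR = re.compile(
    r"(?:avfilesScanReal of |\[UNI\]: )(?P<path>[A-Za-z]:\\.+?)(?: \(.*?\))?"
    r"(?: failed| returning error), (?P<code>[0-9A-Fa-f]{8})")
WIN32_ERRORS = {5: "access denied"}  # the only error code discussed in the thread


def parse_line(line):
    """Split one log line into (timestamp, user, pid, message); None if malformed."""
    parts = FIELD_SEP.split(line.strip(), maxsplit=3)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    try:
        ts = datetime.strptime(parts[0], "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None
    return ts, parts[1], int(parts[2]), parts[3]


def triage(text, recent_days=30):
    """Collapse repeated messages, split stale from recent, pull out detections."""
    report = {"detections": [], "access_denied": [], "stale": {}, "recent": {}}
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    if not entries:
        return report
    # "Recent" is measured from the newest entry in the log, not from today.
    cutoff = max(e[0] for e in entries) - timedelta(days=recent_days)
    denied = set()
    for ts, user, pid, msg in entries:
        bucket = report["recent" if ts >= cutoff else "stale"]
        bucket[msg] = bucket.get(msg, 0) + 1
        m = DETECTION.search(msg)
        if m:
            report["detections"].append({
                "when": ts, "user": user, "signature": m["sig"], "path": m["path"],
                # XP System Restore keeps copies under _restore{GUID}\RPnnn
                "restore_point_copy": "\\_restore{" in m["path"],
            })
        m = SCAN_ERR.search(msg)
        if m and WIN32_ERRORS.get(int(m["code"], 16)) == "access denied":
            denied.add(m["path"].lower())
    report["access_denied"] = sorted(denied)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for d in r["detections"]:
        tag = " (restore-point copy)" if d["restore_point_copy"] else ""
        print(f'{d["when"]}  {d["signature"]}  {d["path"]}{tag}')
    print("access denied while scanning:", r["access_denied"])
    for name in ("recent", "stale"):
        for msg, n in r[name].items():
            print(f"{name:6} x{n}  {msg[:70]}")
```
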

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #7 on: August 23, 2008, 09:03:42 PM »
I am heading to her house now and will follow all the steps you two suggested. I know she had McAfee a long time ago, I didn't realize there was still stuff left over. I will post the logs as soon as I get them. To answer the last question, she and I have both followed Avast's suggestions to move the files to the vault. Two of them could not be moved or deleted in the boot scan and were forced to be ignored. She still has some fake windows security alert message that is locked on her desktop. I will post as soon as I get some logs.

On another note, my own computer runs Vista and I just came across a thread stating that to install and uninstall applications properly I would have to right click the .exe file and select "run as administrator?" Does anyone have more info about whether this really is necessary or not? I have never done that once in the year and a half that I've used Vista.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #8 on: August 23, 2008, 10:22:40 PM »
I'm running the anti malware right now. Rogue remover found nothing. Maybe I'm missing something but I don't see a log anywhere to post for rogue remover. Is there one?

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #9 on: August 23, 2008, 11:21:58 PM »
Here is my mom's mbam log. Should I remove selected or wait for further instruction?

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

2:21:01 PM 8/23/2008
mbam-log-08-23-2008 (14-20-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137109
Time elapsed: 59 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> No action taken.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> No action taken.
C:\WINDOWS\SYSTEM32\blphcp46j0ele5.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\SYSTEM32\phcp46j0ele5.bmp (Trojan.FakeAlert) -> No action taken.

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #10 on: August 23, 2008, 11:24:06 PM »
- In windows\system32, or anywhere else, see if you have the file entapi.dll.  When you find it, right-click on it and click on Properties.  Review the information there. Is the file from or for McAfee?

This file was nowhere to be found. I searched for it as well. I will use the removal tool as you suggested

wyrmrider

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #11 on: August 23, 2008, 11:44:25 PM »
Hi
yes REMOVE with MBAM it will create a backup/quarantine
That RR did not find anything is good
That old McAfee hit was somewhere in your error log or ???
anyway McAfee, even when old can cause major interference so do the whole 9 yards removal thing
If the Antivir reg tool finds anything the McAfee removal tool missed let me know

Do not worry about files in Chest or Quarantine
as you noticed Kaspersky does not remove anything but does tell where to look:)

Is that fake message still there?
if it's gone run CCleaner
Defrag
set a new restore point
If not gone
Or if you wish to double check run a different on line scan and Super Anti Spyware first


On your vista question- I'd post separately in the Avast 4 forum

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #12 on: August 24, 2008, 12:29:01 AM »
Well my mom had leftovers of all kinds of av's. Specifically, Norton, McAfee and AVG...Norton is the only one whose removal tool worked so far. McAfee's seemed to freeze. I restarted, and tried to run the program again, and it tells me it is still running. ??? I followed the steps for AVG, erased all of the program files etc. To be sure I followed the steps in the link to download the latest version of AVG, and that there would be an option to uninstall. I don't see that option anywhere. I felt like I had made it to the last step and was about to install it. Which I do not want to do. Any advice? I am about to uninstall Avast in the hopes that I will be ready for a clean install soon. Is there any sort of log I could post for someone to tell whether all the other AV's are still lurking somewhere?

ahullsb

  • Guest
Re: My mom's computer is infected. Help please?
« Reply #13 on: August 24, 2008, 12:34:50 AM »
Ya the McAfee cleanup tool is a POS. I've restarted the computer like three times. When I try and run it, I get: Clean up failed. Clean up is already running. It's been over an hour, I'm doubting it could take that long to run...

The good news is that malwarebytes got the hijack desktop stuff off successfully. Once I figure out the proper way to clean up her antivirus stuff I think she will be back in business!

Offline DavidR

Re: My mom's computer is infected. Help please?
« Reply #14 on: August 24, 2008, 12:43:44 AM »
Don't know which McAfee tool you used as I gave lots of options before:

The last one I gave previously (see below) might be more relevant if your Mom had the Internet Security Suite.

Also see - How do I uninstall SecurityCenter? http://ts.mcafeehelp.com/faq3.asp?docid=71525

For AVG Remover, download tool from here, http://www.grisoft.com/ww.download-tools there is a 32bit and 64 bit windows version, ensure you use the correct one.