
Yet another one!


  • This topic is locked

#16
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
OK.

Let's run through it a step at a time.

1. Already had smitfraud.reg file, but I dl it again from your link and followed the instructions.
2. The 5 progs you listed were not found in 'Add/Remove Programs'.
3. I dl Killbox (New one) and followed the steps accordingly.
4. When I rebooted in SAFE mode and manually searched for those folders, I only found C:\WINNT\System32\LogFiles and I deleted it.
5. Completed HJT task and re-booted in normal mode.
6. Restored original hosts.
7. Installed Deldomains.inf
8. Ran Cleanup

The only thing that remains is the Active Scan which I will do tomorrow because it got rather late and I had to get some sleep.

FYI, here is the HJT log I generated at the end...

Logfile of HijackThis v1.99.1
Scan saved at 2:12:57 AM, on 30/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\trojfix\HJT\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Once I complete the active scan I will post a report.
FYI, my desktop is back to normal and I have 6 tabs again on the dialog box for my display properties.

However, can I delete the files I installed on the desktop? (smitfraud, killbox etc)
Also, there are a couple of shortcuts on my desktop which were never there before I had this virus. They are 'Online Dating' & 'Remove Spyware'. Can I delete these?

Sorry for the delay, I will speak to you tomorrow...my time. ;)

Thank you for your help so far! :tazz:

BV
  • 0


#17
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

Let's run through it a step at a time.

1. Already had smitfraud.reg file, but I dl it again from your link and followed the instructions.
2. The 5 progs you listed were not found in 'Add/Remove Programs'.
3. I dl Killbox (New one) and followed the steps accordingly.
4. When I rebooted in SAFE mode and manually searched for those folders, I only found C:\WINNT\System32\LogFiles and I deleted it.
5. Completed HJT task and re-booted in normal mode.
6. Restored original hosts.
7. Installed Deldomains.inf
8. Ran Cleanup


Even though some of these steps may not apply to you (files found on your system) we have everyone follow the same instructions. Some of the files may exist and some may not. Yes, this is all very tedious, but it's the only way to get it done and clean up your computer. :tazz:
  • 0

#18
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I will organise the Active Scan in a few hours time when I get home and post the report when finished.

How about those 2 questions which I asked in the previous post?

Can I delete the files I installed on the desktop? (smitfraud, killbox etc)
Also, there are a couple of short cuts on my desktop which were never there before I had this virus. They are 'Online Dating' & 'Remove Spyware'. Can I delete these?

Cheers,

BV
  • 0

#19
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

However, can I delete the files I installed on the desktop? (smitfraud, killbox etc)


Oops, sorry about missing that. :tazz: We will delete them when you are all clean behind the ears. ;)
  • 0

#20
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Well, I don't know if this is normal or not, but after 6 hours of scanning via Active Scan, it finally finished. (This was done via dial-up connection).

It scanned 139357 files, 2778 messages and found 29 infected files.
I clicked on 'View Report' and the same window which gave me the amount of files scanned etc, now says, 'Checking your internet connection. This may take up to a minute'. Let me tell you that 30 minutes later I am still waiting for the report.

I don't know what is wrong, but it doesn't seem normal. It's taking far too long to do anything.

How much longer should I wait for the report?

Keep in mind that the icon of the 2 pc's in the system tray which show when the modem is communicating, has been steady on ever since I clicked on View Report, but I am yet to see a report. It seems that my pc is communicating with another pc but I don't know what is happening.

Another thing which may be of interest to you is that whilst the scan was in progress (6 hours) the pc was apparently infected by another 6 or so viruses, according to Norton which popped up the red warnings for each of them. I didn't note down their names, but I did notice that they were in the system32 folder. I think most of them were dll files, something along the lines of ....._disk.dll and the like.

I also constantly receive popups which state 'Message from SYSTEM to ALERT, you may be infected with spyware blah, blah, blah. Please visit this website for your windows update.' Or the latest I received...
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.
Windows has found CRITICAL SYSTEM ERRORS.
To fix these errors please do the following:
1. Download Registry Repair from repairreg.com
2. Install Registry Repair
3. Run Registry Repair
4. Reboot your pc
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!

I think these are more annoying than anything, so on all of them I just close them by clicking the little 'x' in the top right hand corner. How can I stop these annoying pop ups as well?

Anyway, I guess we should tackle 1 issue at a time.

I am still waiting for this report! It hasn't appeared yet. Any ideas?

BV
  • 0

#21
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Doesn't sound normal, but hard to tell. It's been so long since I've been on dial-up. Wait for the report and give me another hijack this log.
  • 0

#22
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Sorry, no go.

My internet connection failed just on an hour of waiting for the scan report. Looks like I will have to do it again.
I will not do it right now though because I don't have 6 hours to spare.
I'll do the scan later and hopefully give you a report this time tomorrow.

In the meantime, here's another HJT log for you to analyze.

Logfile of HijackThis v1.99.1
Scan saved at 3:07:33 PM, on 2/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUUPDATE.EXE
C:\WINNT\system32\221.exe
C:\trojfix\HJT\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\RunOnce: [UnRegCmd] C:\Program Files\Norton AntiVirus\UnRegCmd.exe -i
O4 - HKLM\..\RunOnce: [K2Patch] C:\WINNT\K2Setup.exe
O4 - HKLM\..\RunOnce: [LUSETUP-LT] C:\PROGRA~1\Symantec\LIVEUP~1\LUSETU~1.EXE -s -a -q -log
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D367D2A7-B1F3-475D-B77E-2EBCB0631B10}: NameServer = 192.189.54.17 203.8.183.1
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINNT\system32\221.exe

I don't know too much about what to look for in these logs, but from what we have covered so far, I think there is another virus or two on my pc.

What do you think?

BV
  • 0
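The two HijackThis logs posted so far can be compared mechanically to see what appeared between scans. The following is an added example, not code from the thread or from HijackThis; the function names (`parse_hjt`, `diff_logs`, `review_hints`) are hypothetical, the sample text is a trimmed excerpt of the two logs above, and the hints are this example's assumptions about what deserves a closer look, not verdicts.

```python
import re

# Constructed samples: a few lines excerpted from the two HijackThis logs
# posted in this thread (30/06/2005 and 2/07/2005), trimmed for brevity.
LOG_OLD = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.EXE
C:\trojfix\HJT\HijackThis.exe

O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
"""
LOG_NEW = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\221.exe
C:\trojfix\HJT\HijackThis.exe

O4 - HKLM\..\RunOnce: [K2Patch] C:\WINNT\K2Setup.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINNT\system32\221.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")  # e.g. "O23 - Service: ..."


def parse_hjt(text):
    """Split a HijackThis log into running processes and numbered entries."""
    processes, entries, in_procs = set(), [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.add(line.lower())  # the logs mix System32/system32
    return processes, entries


def diff_logs(old_text, new_text):
    """Report what appeared between two scans of the same machine."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    return {
        "new_processes": sorted(new_procs - old_procs),
        "new_entries": [e for e in new_entries if e not in old_entries],
    }


def review_hints(new_text, delta):
    """Heuristic review pointers (this example's assumptions, not verdicts)."""
    hints = []
    for section, body in parse_hjt(new_text)[1]:
        if body.endswith("(file missing)"):
            hints.append((section, "orphaned entry, target file not on disk"))
        if section == "O23" and " - Unknown owner - " in body:
            image = body.rsplit(" - ", 1)[1].lower()
            note = "HijackThis could not name an owner for the service image"
            if image in delta["new_processes"]:
                note += "; it is also a process that was not running before"
            hints.append((section, note))
    return hints


if __name__ == "__main__":
    delta = diff_logs(LOG_OLD, LOG_NEW)
    print(delta)
    print(review_hints(LOG_NEW, delta))
```

Entries that show up only in the later log are not necessarily hostile; installers and updaters also add RunOnce items, so each new line still needs a human decision.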

#23
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hey BV. Don't worry about the scan for now.

You did a great job. You are running an old version of Internet Explorer. It needs to be updated. May make a big difference in how your system runs.

Run hijack this and put a check mark next to this one.

O20 - Winlogon Notify: style2 - C:\WINNT\q556549255_disk.dll (file missing)

Run CleanUp! and use your computer and see how it works. :tazz:

Is this your ISP?

edited

Edited by coachwife6, 02 July 2005 - 08:44 AM.

  • 0

#24
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi again,

No need to give me credit, I am simply following your instructions & guidance.
But thank you anyway. By the time we finish with this problem I could be knowledgeable enough to help others with similar issues....oh wait! I forgot that I can't really decipher much in HJT logs. I better leave it to those who know. :tazz:

Now, I followed your steps and got rid of that file from HJT.
Then I ran Cleanup.
Now I am dl'ing IE6 + IE6 update for SP1.

Once that's done we'll see how it goes.
Luckily I don't have to leave the pc running overnight while it goes through another Active Scan.

My computer is not too bad at the moment, except for those annoying popups I mentioned in my previous post. Perhaps IE6 will fix that.

YES, that is my ISP!
How did you get that information? It's not listed in any of the logs!

I am curious to know...please!

Thank you.

BV ;)
  • 0

#25
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

YES, that is my ISP!
How did you get that information? It's not listed in any of the logs!


I am trying to check out if that is causing a problem. I have tools to run to find that out. Can you tell me what the popups are from?

I want you to run something else.

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.
  • 0


#26
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
OK.

Here is the log from Silent...

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"wextract_cleanup0" = "rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\q556549255_disk.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Default executables:
--------------------

.HTA: HKLM\SOFTWARE\Classes\htafile\shell\open\command\
INFECTION WARNING! "Default" = "C:\WINDOWS\system32\mshta.exe "" "


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Universal Plug and Play device driver, upnpdrv, "C:\WINNT\system32\221.exe" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 42 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 30 seconds.
---------- (total run time: 295 seconds)


With regards to the popups, they are not IE popups, but 'Messenger Service' popups. A grey box, blue title bar, info in the middle and an OK button at the bottom.
The info always varies, and I can only assume their origin is from the site they are trying to direct me to.

Here is a list of addresses from 5 popups I received within 10 minutes, not too long ago.

-http://swipespy.com
-http://e-regpatch.com
-www.wupdate.net
-http://www.winregrepair.com
-http://NeatReg.com

I have never willingly visited these sites. :tazz:

OK, let me know if you need anything else.

BV ;)
  • 0

#27
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts

I also constantly receive popups which state 'Message from SYSTEM to ALERT, you may be infected with spyware blah, blah, blah. Please visit this website for your windows update.


That means something is hidden in your system. Just tough to find it now. I'm still searching.
  • 0

#28
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Make a backup of your registry.

Go to Start>>Run>> and type in the word regedit

Navigate to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
{6AC3806F-8B39-4746-9C38-6B01CB7331FF}

Go on the right hand side and delete this:

{6AC3806F-8B39-4746-9C38-6B01CB7331FF}

Reboot and tell me how it's running.
  • 0

#29
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Hi there,
I did as u asked (except for the backing up of the registry-I just exported that key and value to my desktop as a reg file).

Now, I am not sure if u know, but the value data of what u asked me to delete was called 'Memory monitor'.

Although I deleted it, nothing much seems to have changed.
At one stage I thought u managed to get rid of those popups, but while writing this post, 2 appeared. ;)

Oops, now a 3rd.

Sorry.

What next?

BV :tazz:
  • 0

#30
BlackVinyl

BlackVinyl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Ooh! and something else which I may not have mentioned.
Every time I connect to the net (I have du connection), the modem does not stop RX & TX information. The 2 little pc icons in the system tray remain on without flashing until I disconnect.

Who knows what's being installed or what info is being gathered?

If we have no luck with this by week's end, I may just reformat and start from scratch.

Cheers,

BV
  • 0





