System infected and now wont switch off

[stewartm]

Hi, my son downloaded some mp3 from a new site yesterday and the system would not switch of afterwards.
I ran Adaware whcih found 53 critical viruses , and spy bot found zero, I also ran Regseeker whch cleaned up a few items, but the compuer still freezes after the windows screen has gone on shut down.
Here is my HJT log incase it helps.

Thanks for any help

Stewart

Logfile of HijackThis v1.98.2
Scan saved at 07:03:33, on 18/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I0F2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/northernireland
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: GIC - https://www.ib.albb.co.uk/ebs/ie/classes.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...a/LSSupCtl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab

[greyknight17]

Hi Stewart, I don't see anything wrong in this log. Please give us these two logs:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

[stewartm]

Thanks for having a look.

Here is the first log you requested.

StartDreck (build 2.1.7 public stable) - 2005-09-19 @ 21:00:32 (GMT +01:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as stewart maze at DELL DSFW70J

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
»RunOnce
»Default User
»Run
*ctfmon.exe=ctfmon.exe
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*UpdReg=C:\WINDOWS\Updreg.exe
*EPSON Stylus Photo R300 Series=C:\WINDOWS\SYSTEM\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300"
*DSLSTATEXE=C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
*DSLAGENTEXE=C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*REGSHAVE=C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
*Symantec Core LC=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
*Zone Labs Client=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*devldr16.exe=C:\WINDOWS\SYSTEM\devldr16.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
*SchedulingAgent=mstask.exe
*MDM7="C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
*ccEvtMgr="C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
*ccSetMgr="C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
*NPFMonitor=C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
*ScriptBlocking="C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Windows Setup - Applets/AppletsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - FAT32 Converter/PerUser_CVT_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf
+Windows Setup - Fonts/FontsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf
+Windows Setup - Home Networking Wizard/PerUser_HNW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf
+PerUser_ICW_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Windows Movie Maker/PerUser_moviemaker
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf
+MSN-Migration/>PerUser_MSN_Clean
*StubPath=C:\WINDOWS\msnmgsr1.exe
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
+Windows Setup - System Information/PerUser_Msinfo
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - System Information/PerUser_Msinfo2
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf
+Windows Setup - Multimedia/MotownMmsysPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownAvivideoPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Messaging/PerUser_Base
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf
+CDSAMPLE/SamplerPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf
+Windows Setup - Shell/ShellPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf
+Windows Setup - Color Schemes/Shell2PerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf
+Windows Setup - Start Menu/PerUser_winbase_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Start Menu/PerUser_winapps_Links
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf
+Windows Setup - Links Bar/PerUser_LinkBar_URLs
*StubPath=C:\WINDOWS\COMMAND\sulfnbk.exe /L
+Windows Setup - Telephony Support/TapiPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf
+Windows Setup - Wordpad/PerUser_MSWordPad_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf
+Windows Setup - More Applets/PerUserOldLinks
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf
+Windows Setup - Sound Schemes/MmoptRegisterPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - CD Player/PerUser_CDPlayer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf
+Windows Setup - Online Services/OlsPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - The Microsoft Network/OlsMsnPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsMsnPerUser 64 C:\WINDOWS\INF\ols.inf
+System Restore/PerUser_PCHealth
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Windows Setup - Paint/PerUser_Paint_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Calculator/PerUser_Calc_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf
+Windows Setup - Accessibility/PerUser_Enable_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf
+Windows Setup - Classic Games/PerUser_Wingames_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf
+Windows Setup - Internet Games/PerUser_ZoneGame_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf
+Windows Setup - Plus! Games/PerUser_PBGame_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf
+Windows Setup - Multimedia/MotownRecPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Volume Control/PerUser_Vol
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Multimedia/MotownMPlayPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf
+Windows Setup - Dial-Up Networking/PerUser_RNA_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf
+Windows Setup - Phone Dialer/PerUser_Dialer_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath=rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}
+Windows Setup - America Online/OlsAolPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - AT&T WorldNet Service/OlsAttPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Prodigy Internet/OlsProdigyPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUser 64 C:\WINDOWS\INF\ols.inf
+Windows Setup - Earthlink Internet/OlsEarthlinkPerUser
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUser 64 C:\WINDOWS\INF\ols.inf
+Web Publishing Wizard/{44BBA851-CC51-11CF-AAFA-00AA00B6015C}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer 6 SP1/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=C:\WINDOWS\SYSTEM\ie4uinit.exe
+Windows Setup - System Meter/PerUser_Sysmeter_Inis
*StubPath=rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Sysmeter_Inis 64 C:\WINDOWS\INF\appletpp.inf
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar2.dll
»Internet Explorer
»Current User
*Search Bar=http://www.google.com/ie
*Search Page=http://www.google.com
*Start Page=http://www.bbc.co.uk/northernireland
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
»Default User
*Search Bar=http://www.google.com/ie
*Search Page=http://www.google.com
*Start Page=http://www.bbc.co.uk/northernireland
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
* =+
*&=%26
*+=%2B
*#=%23
*?=%3F
*==%3D
»Local Machine
*Default_Page_URL=http://www.msn.com
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.google.com/ie
»ShellServiceObjectDelayLoad (LM)
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL
*AUHook={BCBCD383-3E06-11D3-91A9-00C04F68105C}
`InprocServer32=C:\WINDOWS\SYSTEM\AUHOOK.DLL
»Special NT Values
»Current User
*Load=
*Run=
*Programs=
*SHELL=
»Default User
*Load=
*Run=
*Programs=
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=
*Userinit=
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Adobe Gamma Loader.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`AutoScan=1
`WinVer=4.90.3000
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\config.sys
*C:\autoexec.bat
`SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
`SET PROMPT=$p$g
`SET TEMP=C:\WINDOWS\TEMP
`SET TMP=C:\WINDOWS\TEMP
`SET windir=C:\WINDOWS
`SET winbootdir=C:\WINDOWS
`SET COMSPEC=C:\WINDOWS\COMMAND.COM
`SET TVDUMPFLAGS=8
*C:\WINDOWS\wininit.bak
`[rename]
`NUL=NUL
`NUL=C:\MYDOWN~2
*C:\WINDOWS\winstart.bat
`@C:\WINDOWS\tmpcpyis.bat
*C:\WINDOWS\command\cmdinit.bat
`@echo off
`doskey /insert > nul
»Program Files
*C:\io.sys
*C:\WINDOWS\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\command.com
*C:\WINDOWS\COMMAND.PIF
*C:\WINDOWS\COMMAND.COM
+C:\UNWISE.EXE
*C:\WINDOWS\SYSTEM\UNWISE.EXE
»System/Drivers
»VMM32Files (LM)
*vdd.vxd=
*vflatd.vxd=
*biosxlat.vxd=
*combuff.vxd=
*configmg.vxd=
*dosmgr.vxd=
*dynapage.vxd=
*ebios.vxd=
*ifsmgr.vxd=
*int13.vxd=
*ios.vxd=
*mtrr.vxd=
*ntkern.vxd=
*pageswap.vxd=
*parity.vxd=
*perf.vxd=
*reboot.vxd=
*shell.vxd=
*spooler.vxd=
*udf.vxd=
*v86mmgr.vxd=
*vcache.vxd=
*vcd.vxd=
*vcdfsd.vxd=
*vcomm.vxd=
*vcond.vxd=
*vdef.vxd=
*vdmad.vxd=
*vfat.vxd=
*vfbackup.vxd=
*vkd.vxd=
*vmcpd.vxd=
*vmouse.vxd=
*vmpoll.vxd=
*vpd.vxd=
*vpicd.vxd=
*vpowerd.vxd=
*vsd.vxd=
*vtd.vxd=
*vtdapi.vxd=
*vwin32.vxd=
*vxdldr.vxd=
*vxdmon.vxd=
*enable.vxd=
»%System%\VMM32
*C:\WINDOWS\SYSTEM\VMM32\IFSMGR.VXD
*C:\WINDOWS\SYSTEM\VMM32\VMM.VXD
*C:\WINDOWS\SYSTEM\VMM32\windrvr.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpziop00.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpzion00.vxd
*C:\WINDOWS\SYSTEM\VMM32\hpziol00.vxd
*C:\WINDOWS\SYSTEM\VMM32\HPZIOU01.DLL
»%System%\IOSUBSYS
*C:\WINDOWS\SYSTEM\IoSubSys\BIGMEM.DRV
*C:\WINDOWS\SYSTEM\IoSubSys\ESDI_506.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\HSFLOP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\RMM.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SCSIPORT.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\APIX.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\ATAPCHNG.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDFS.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\CDVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKTSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DISKVSD.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\NECATAPI.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\SCSI1HLP.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\TORISAN3.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\VOLTRACK.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\Cdralvsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\cdr4vsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Acbhlpr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Cdudfrw.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\UdfReadr.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Cdudf.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\Cdrpwd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\USBMPHLP.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\Stlvsd.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\iomega.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\pfc.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\PPA3.MPD
*C:\WINDOWS\SYSTEM\IoSubSys\AFL.VXD
*C:\WINDOWS\SYSTEM\IoSubSys\DDTHINGS.vxd
*C:\WINDOWS\SYSTEM\IoSubSys\EPUSBVX2.PDR
*C:\WINDOWS\SYSTEM\IoSubSys\SMARTVSD.VXD
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

[stewartm]

Here is my log after the scan in safe mode.

To get to safe mode I had to use CTRL+ALT+DEL and close the following non responding programs to allow the system to shut down.
CCaap
Mdm
I dont know if this helps in any way.

Regards

Stewart


Object "ibis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ibis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ibis Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Push toolbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "bearshare Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "DeskAd.Service Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "istbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "favoriteman Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SpediaBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\BridgeX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cpcScan.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\DeskAdX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BB7DF450-F119-11CD-8465-00AA00425D90}" refers to invalid object "C:\Program Files\Microsoft Office\Office\". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{F57B25DE-1945-4BE1-8B3D-A1065F8B31A9}" refers to invalid object "D:\PLAYER\WMMP.EXE". Action Taken: No Action Taken.
File C:\WINDOWS\Videogames.exe infected by "Trojan.Win32.Dialer.q" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\in10b6s.dll tagged as "not-a-virus:AdWare.ToolBar.404Search.e". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SplWbr.dll tagged as "not-a-virus:AdWare.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0009781.CPY tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0009784.CPY tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0009786.CPY tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0009787.CPY tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0009788.CPY tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
File C:\_RESTORE\TEMP\A0005833.CPY tagged as "not-a-virus:AdWare.ToolBar.404Search.a". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS2039.CAB tagged as "not-a-virus:AdWare.SaveNow.bi". Action Taken: No Action Taken.
File C:\_RESTORE\ARCHIVE\FS2033.CAB tagged as "not-a-virus:AdWare.SaveNow.bo". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\in10b6s.dll tagged as "not-a-virus:AdWare.ToolBar.404Search.e". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SplWbr.dll tagged as "not-a-virus:AdWare.VirtualBouncer.j". Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\1015984.exe infected by "Trojan.Win32.Dialer.q" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\Videogames.exe infected by "Trojan.Win32.Dialer.q" Virus! Action Taken: No Action Taken.

[greyknight17]

So it will switch off if you end those two programs/processes?

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back to that tab and uncheck the box to enable system restore.

Go to C:\WINDOWS\ and open up wininit.bak in Notepad. Delete these lines:

`NUL=NUL
`NUL=C:\MYDOWN~2

Save the file and close it.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\SYSTEM\SplWbr.dll
C:\WINDOWS\SYSTEM\in10b6s.dll
C:\WINDOWS\Downloaded Program Files\1015984.exe
C:\WINDOWS\Videogames.exe

Restart your computer. An problmes now?

[stewartm]

Yes the system shuts down once I close these programs.
After running the disable /enable instructions when I went to wininit.bak there is no print only a blank page.
I have moved on and downloaded the kiibo.exe fileand will finish the process.

Thanks for your help and will post what happens.

Thanks


Stewart

[stewartm]

I have run Kill box and tried to shut the system down but again it freezes at CCap and Mdm

Regards


Stewart

[tetonbob]

You've spelled the offending process differently in each reply....we need to be certain.

"ccapp.exe" belongs to Norton AntiVirus, runs auto-protect and email checking. If that is the process, then the following applies:

Sounds like your Norton has some issues. You may want to uninstall and reinstall it, or for that matter,uninstall and use a less resource intensive AV product such as AVG or Avast!. Both of those are well respected, have a smaller footprint on your system, and are FREE.

You may want this link handy if you choose to uninstall Norton....it sometimes doesn't like to go quietly:

http://service1.symantec.com/SUPPORT...01092114452606

[stewartm]

Sorry, my mistake in typing.
It was the same Ccaap tht was causing the system to freeze.
After you letting me know it was a Norton related file I visited their website and found that there was a specific help relating to this problem, which was that the system was instructed to scan remob=vable drives on shut down.
After deselecting this option it now closes ok.
I will down load one of the recommecded AV programes instead of Norton.

Thanks for your help

Stewart

[tetonbob]

Good news, Stewart! Glad to have helped. Here's some good info, and a few more chores:

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.

Windows ME
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Now let's flush and reset your system Restore points, so that should the need arise in the future, you'll have a clean point to restore to.

To turn off System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Reboot your system.

To turn on System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then uncheck "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows. You will then need to manually create a restore point.

Click Start, point to Programs, point to Accessories, point to System Tools, and then click System Restore. Now create a new Restore Point.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

• Sygate Personal Firewall
• Kerio Personal Firewall
• ZoneAlarm

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[stewartm]

Thank you for the info
I do have Zonealarm pro installed so am a little confused as to how the spyware got aboard.
However I will read the tutorial items you have recommended.

Regards

Stewart