
Computer problem...Help..please

Printed From: Bavarian-Board.co.uk - BMW Owners Discussion Forum
Category: General Forums
Forum Name: General Off Topic Forum
Forum Description: Discuss off topic issues related to BMWs.
URL: http://www.bavarian-board.co.uk/forum_posts.asp?TID=25732
Printed Date: 05-May-2024 at 02:02


Topic: Computer problem...Help..please
Posted By: Peter Fenwick
Subject: Computer problem...Help..please
Date Posted: 07-January-2006 at 13:16

Had a bit of a virus/spyware problem over the last couple of days.

My AVG antivirus software picked up a virus yesterday which I deleted. Thought no more of it until I logged on today and it picked up another virus. Then loads of pop ups appeared along with a new icon on my desktop and one on my toolbar.

I got rid of the pop ups but I was left with this in my toolbar and try as I might I cannot get rid of it.

[screenshot of the toolbar not reproduced in this print view]

The system intrusion detected which shows up as 'virus alert' current items is the problem. It continually flips between the red circle with white diagonal cross and the Windows Update icon (a cunning use of a familiar safe icon!!) When I clicked on the message it brought up a web page which offered lots of anti spyware software all of which had a free scan function which downloads software onto the PC. The free scan picked up loads of stuff very quickly (in fact it was the quickest scan I've ever seen). However in order to remove the so called problems the site requires you to buy the full product online, in fact even hitting the help button takes you to the buy online page. I'm guessing that this is a scam to either relieve you of the 50$ (can't even get the dollar sign in the right place) for the product or simply get your card details. Now after my mate did lots of deleting he has stopped the system intrusion detected message opening this web page when it is clicked. He also managed to get rid of a page that came up when I opened Internet Explorer. Said page informed me that my PC was under the control of another PC and my personal documents were being looked at. It listed my IP address and other info about my PC and had more links to sites where I could buy software to fix my problem. This page however was not online since it came up when my internet connection was disconnected.

Oh, and pop ups have started appearing, from gambling sites and Adult Friend Finder!! WTF

After updating my Spybot software, installing ZoneAlarm and Ad-Aware SE Personal things have got a lot better but I can still not remove this virus alert from my toolbar. I can set it to always hide which stops the annoying message popping up but it is still there and I am worried there may also be other files on the PC not being detected. Virus alert doesn't show up when you do a 'ctrl alt del' and if you right click on it nothing happens (btw Microsoft AntiSpyware and Windows Firewall have both been useless, the pair of them being comprehensively bypassed by the virus/spyware).

Sorry for the long waffle but I would really appreciate some advice on this one. Has anyone had this before?

Oh, two more things: it doesn't appear on other accounts on the PC, just mine, although it still shows up in safe mode, and my mate tried doing a system restore from before the problems started but it fails (a symptom of the problem?)



-------------
Entering an age of Austerity and now driving a Focus Diesel.



Replies:
Posted By: spokey
Date Posted: 07-January-2006 at 13:42
I don't know why this guy's AV (http://download.drweb.com/win/) is better than others but it is very highly recommended (by me and others!)

If that doesn't work, try these guys (http://www.tomcoyote.org/hjt/).

Good luck!


-------------
Ciao,
Spokey



Posted By: micky_h
Date Posted: 07-January-2006 at 16:56
Have you checked to see if there's anything new in your Add/Remove Programs in the Control Panel?

Give Spybot a try and AVG if you haven't already got it.

Worst case scenario is you'll have to format the hard drive and re-install everything.


Posted By: kbannon
Date Posted: 07-January-2006 at 17:04
1. Is AVG up to date? It is black in the pic above. Right click on the bottom right AVG icon and choose 'Check for updates'. Perform a Virus Scan. Maybe do this in safe mode also.
2. Run an online virus check such as the free one from Panda (http://www.pandasoftware.com/products/activescan.htm). As ActiveX is used for these, you need to run it using Internet Explorer.
3. Use Firefox instead of Internet Explorer for everything except the following 3 things: Windows Update, the above online virus scan and the BMW CC tetris (http://www.bmwcarclubforum.co.uk/tetris/)!
4. Start up in safe mode and run your anti virus and spyware tools. Safe mode is run by pressing the F8 key when the PC is starting.
5. Make sure all your important stuff is backed up!



-------------
Current: 2009 E60 520d "Sport" tractor
Previous: 1989 E30 320i SE
1997 E39 523i
2003 E39 525i Sport Individual


Posted By: bmwcrazy
Date Posted: 07-January-2006 at 17:20
Try running anti spyware. Had the same prob, turned out to be a dropper virus. Is it AVG 7.1?
Also Service Pack 2 has a better firewall than ZoneAlarm.

Try www.tucows.com (all free software) or majorgeeks.com.

good luck dazz



Posted By: spokey
Date Posted: 07-January-2006 at 17:59
Peter, I had an infestation that was a LOT like you're describing, and Dr Web CureIT got rid of it in one go. 




Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 18:55

micky_h wrote:

Have you checked to see if there's anything new in your Add/Remove Programs in the Control Panel?

Give Spybot a try and AVG if you haven't already got it.

Worst case scenario is you'll have to format the hard drive and re-install everything.

Yes, there's nothing at all in Add/Remove Programs. Or anywhere else for that matter. My mate, who works with computers and maintains a network, has never seen a virus/spyware that is so hard to find/eliminate. Got Spybot and AVG. Spybot has removed most of the offending files that got dumped on my PC but there are obviously a few still there.

Reformatting the hard drive is the last option. Not something I'm looking forward to.





Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 18:57

kbannon wrote:

1. Is AVG up to date? It is black in the pic above. Right click on the bottom right AVG icon and choose 'Check for updates'. Perform a Virus Scan. Maybe do this in safe mode also.

AVG is up to date. It is greyed out because I haven't activated the email scanner since my email accounts are with btinternet and so emails are not actually stored on my computer. Have tried a scan in safe mode.



Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 18:59

Thanks for the responses guys.

A few things for me to try. What I don't get is how come it is only affecting my account. Does that mean that the files are somewhere in my documents?





Posted By: stephenperry
Date Posted: 07-January-2006 at 19:14

Download "HijackThis":

http://www.merijn.org/files/hijackthis.zip

Do a scan, save the logfile and paste it up here so we can have a look.



-------------

    2007 Ford Mondeo 2.0 TDCI Titanium X Auto

    1983 Ford Sierra XR4i
    2000 Alpina B10 3.3 #118
    1999 BMW 323Ci
    1995 BMW 318i SE
    1994 Vauxhall Omega 2.0 GLS
    1995 Ford Mondeo 1.8 LX
    1990 Honda Concerto 1.6 EX
    1986 Ford Orion 1.6 GL
    1989 Ford Fiesta 1.1 Firefly


Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 19:16

Ok stephen, here you go...

Logfile of HijackThis v1.99.1
Scan saved at 00:14:56, on 08/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\PETERF~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpA5B.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe





Posted By: stephenperry
Date Posted: 07-January-2006 at 19:21

Get rid of these....

C:\WINDOWS\system32\mssearchnet.exe

O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpA5B.tmp (file missing)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
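The triage stephenperry does by eye above (scan the "Running processes" list for a binary that does not belong in system32, look for an O2 BHO whose file is missing, look for an R1 ProxyOverride entry) can be written down as rules over the log. The script below is an added example, not part of the thread and not HijackThis' own code: it parses the HijackThis log format into sections, applies those three rules, and returns the matching lines. The sample log is a constructed excerpt of the log Peter posted, and the list of expected system32 process names is an assumption made here for illustration, not an authoritative allowlist.

```python
"""Triage a HijackThis v1.99 log with a few simple rules.

Added example (not from the forum thread, not HijackThis' own code).
SAMPLE_LOG is a constructed excerpt of the log posted in the thread;
EXPECTED_SYSTEM_PROCESSES is an assumed, illustrative allowlist.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the posted log; a raw string keeps the backslashes literal.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpA5B.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Assumed allowlist of Windows XP binaries one expects to see running from system32.
# Illustrative only; a real baseline would come from a known-clean machine of the same build.
EXPECTED_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}

# HijackThis entries look like "R1 - ...", "O2 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # "R0", "O2", "O23", ... or "PROC" for a running-process line
    text: str


def parse_hijackthis(log: str) -> list[Entry]:
    """Split a HijackThis log into process lines and sectioned entries."""
    entries: list[Entry] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_processes:
            entries.append(Entry("PROC", line))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Apply the three rules from the thread; return (reason, line) pairs."""
    findings: list[tuple[str, str]] = []
    for e in entries:
        if e.section == "PROC":
            path = e.text.lower()
            name = path.rsplit("\\", 1)[-1]
            if "\\windows\\system32\\" in path and name not in EXPECTED_SYSTEM_PROCESSES:
                findings.append(("unexpected process running from system32", e.text))
        elif e.section == "O2" and "(file missing)" in e.text:
            findings.append(("BHO registered but its file is missing", e.text))
        elif e.section == "R1" and "ProxyOverride" in e.text:
            findings.append(("ProxyOverride set in Internet Settings", e.text))
    return findings


if __name__ == "__main__":
    for reason, text in triage(parse_hijackthis(SAMPLE_LOG)):
        print(f"{reason}: {text}")
```

Run against the excerpt it reports exactly the three lines stephenperry picked out (mssearchnet.exe, the HomepageBHO entry and the ProxyOverride key) and stays quiet about smss.exe, winlogon.exe and the ZoneAlarm client. The allowlist rule is the weak one: a process name alone says nothing about whether the file on disk is genuine, so it is a prompt for a closer look, not a verdict.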


Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 19:44

Got rid of those files except

C:\WINDOWS\system32\mssearchnet.exe
which it wouldn't let me delete, because it was being used by another program......

That file does look like the one though. Its icon is a little yellow triangle with an exclamation mark in.





Posted By: stephenperry
Date Posted: 07-January-2006 at 19:48

Right, next, ctrl-alt-del and check the process list.

Do you see mssearchnet.exe? If so, end process.

Rescan with HijackThis and try removing mssearchnet.exe again.





Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 19:56

Not sure how relevant this is but when I run Spybot it gets a hit. It says that I have to reboot the computer in order to get rid of the problem which I do. Spybot then comes in during start up, clicks and whirrs, and then I click fix and hey presto problem sorted. However when I log off and on again and rescan the problem is back....

It says it has sorted them but I just did a rescan and it's back.......





Posted By: stephenperry
Date Posted: 07-January-2006 at 19:57

NewDotNet will be in Add/Remove Programs, remove it.

In fact, do a screengrab(s) of your Add/Remove Programs list too and paste them up please.





Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 19:57
Tried end process and it doesn't do anything, i.e. it doesn't go. It's a bit like a bad smell really....



Posted By: stephenperry
Date Posted: 07-January-2006 at 20:03

Does it not come up with the warning about ending a process, like this?





Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 20:05

NewDotNet isn't there but here's a screen dump. Sorry about the size..

[screenshots of the Add/Remove Programs list not reproduced in this print view]


Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 20:05
stephenperry wrote:

Does it not come up with the warning about ending a process, like this?

Yes, so I clicked yes anyway





Posted By: stephenperry
Date Posted: 07-January-2006 at 20:06

Another program to run is CoolWebShredder...

Do a scan with this and let me know the outcome.

http://download.softpedia.ro/software/ANTIVIRUS/cwshredder.exe





Posted By: kbannon
Date Posted: 07-January-2006 at 20:07
http://www.newdotnet.com/removal.html
http://www.pchell.com/support/savenow.shtml




Posted By: stephenperry
Date Posted: 07-January-2006 at 20:09

I wouldn't do that, these kinds of programs are notorious for giving you the runaround with their own uninstallers.





Posted By: kbannon
Date Posted: 07-January-2006 at 20:11
Install Firefox (http://www.getfirefox.com) ASAP also!!!!!!!!!!!!!!!!!!!!!




Posted By: stephenperry
Date Posted: 07-January-2006 at 20:11

Nothing untoward in your Add/Remove Programs list.

What does CWShredder say?





Posted By: stephenperry
Date Posted: 07-January-2006 at 20:12
Firefox... it has its own problems.



Posted By: kbannon
Date Posted: 07-January-2006 at 20:16
stephenperry wrote:

I wouldn't do that, these kinds of programs are notorious for giving you the runaround with their own uninstallers.

Which? Use their own uninstaller? I wouldn't either but I would try #1 (not an option here) and also #2 & #3.
I also see my 2nd link isn't any use. Try this (http://www.scanspyware.net/info/NewDotNet.htm) though.




Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 20:16

It says this.... 

**** Run Keys ****

RUN: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
RUN: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
RUN: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
RUN: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
RUN: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
RUN: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"


 **** Browser Helper Objects ****

 

 **** IE Toolbars ****

TOOLBAR: [&Google] c:\program files\google\googletoolbar1.dll


 **** IE Extensions ****

IEExt: [Create Mobile Favorite] 
IEExt: [Create Mobile Favorite] 
IEExt: [Real.com] 
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe


 **** Hosts File Entries ****

HOSTS: 127.0.0.1       localhost
HOSTS: 127.0.0.1       localhost


 **** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar: http://home.microsoft.com/search/lobby/search.asp
Search Page: http://www.google.com


 **** IE Context Menu (Right click) ****

IEContext: [&Google Search] res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IEContext: [&Translate English Word] res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IEContext: [Backward Links] res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IEContext: [Cached Snapshot of Page] res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
IEContext: [Similar Pages] res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IEContext: [Translate Page into English] res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html


 **** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E748D764-CF05-4928-BFCF-E239C5A18F46}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E748D764-CF05-4928-BFCF-E239C5A18F46}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9298CB3-0DE6-4A3F-A58D-8D7A77A5A4C7}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9298CB3-0DE6-4A3F-A58D-8D7A77A5A4C7}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{46FD9623-64AD-4705-98D1-B2635CFD31CC}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{46FD9623-64AD-4705-98D1-B2635CFD31CC}] DATAGRAM 4


 **** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


 **** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]


 **** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AOL ACS] C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Ati HotKey Poller] %SystemRoot%\system32\Ati2evxx.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[Avg7Alrt] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Avg7UpdSvc] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[C-DillaCdaC11BA] C:\WINDOWS\system32\drivers\CDAC11BA.EXE
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\system32\imapi.exe
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\system32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\system32\wdfmgr.exe
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[vsmon] C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service
[VSS] %SystemRoot%\System32\vssvc.exe
[w32time] %SystemRoot%\system32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


 **** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://www.google.com/ie
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


 **** Complete IE Options ****

IEOPT: [NoUpdateCheck] 
IEOPT: [NoJITSetup] 
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search] 
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.yahoo.co.uk/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.google.com
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [check_associations] 
IEOPT: [AddToFavoritesExpanded] 
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Save Directory] C:\Documents and Settings\Peter Fenwick\My Documents\
IEOPT: [Use Search Asst] no
IEOPT: [Search Bar] http://home.microsoft.com/search/lobby/search.asp
IEOPT: [Enable Browser Extensions] yes
IEOPT: [FormSuggest Passwords] yes
IEOPT: [FormSuggest PW Ask] yes
IEOPT: [HistoryViewType] 
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand] 
IEOPT: [DisableScriptDebuggerIE] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [NoWebJITSetup] 
IEOPT: [Page_Transitions] 
IEOPT: [FavIntelliMenus] no
IEOPT: [UseThemes] 
IEOPT: [Force Offscreen Composition] 
IEOPT: [AllowWindowReuse] 
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll] 
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders] 
IEOPT: [Print_Background] no
IEOPT: [AutoSearch] 
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk] 
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon] 
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width] 
IEOPT: [Placeholder_Height] 
IEOPT: [Start Page] http://www.yahoo.co.uk/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar] http://home.microsoft.com/search/lobby/search.asp





Posted By: kbannon
Date Posted: 07-January-2006 at 20:16
stephenperry wrote:

Firefox... it has its own problems.

Nothing compared to IE!




Posted By: stephenperry
Date Posted: 07-January-2006 at 20:20

kbannon wrote:

stephenperry wrote:

Firefox... it has its own problems.

Nothing compared to IE!

As the dominant force with almost 90% of the browser market it stands to reason that IE is going to attract more people looking for exploits.


Posted By: Peter Fenwick
Date Posted: 07-January-2006 at 20:22

kbannon wrote:

(http://www.scanspyware.net/info/NewDotNet.htm)

Found 5 problems but wants me to buy it before it will remove them... is it worth it?

Anyway I'm going to bed now, thanks for the help guys, much appreciated.





Posted By: stephenperry
Date Posted: 07-January-2006 at 20:26

http://www.softpedia.com/progDownload/CWShredder-Download-8114.html - http://www.softpedia.com/progDownload/CWShredder-Download-8114.html

Try that link for CoolWebShredder; it should look like this:





Posted By: stephenperry
Date Posted: 07-January-2006 at 20:30
Originally posted by Peter Fenwick Peter Fenwick wrote:

Originally posted by kbannon kbannon wrote:

( http://www.scanspyware.net/info/NewDotNet.htm - http://www.scanspyware.net/info/NewDotNet.htm )

Found 5 problems but wants me to buy it before it will remove them... is it worth it?

Anyway I'm going to bed now, thanks for the help guys, much appreciated.

Christ, that's just as bad as the crap you're trying to get rid of!!!

Listen up people:

STICK TO THE WELL KNOWN ANTISPYWARE AND ANTIVIRUS PRODUCTS (McAfee, Norton, AVG, Ad-Aware, Spybot, Spy Sweeper, CoolWebShredder)

In answer, no, it's not worth buying. Grokster, Kazaa and Media Gateway: NONE of those are malware.

Remove that program ASAP, you might have made it worse!





Posted By: stephenperry
Date Posted: 07-January-2006 at 20:33

Make a new system restore point and actually let that program install so you can get a clue as to what it's called (the one that you're asking about).

 





Posted By: Peter Fenwick
Date Posted: 08-January-2006 at 09:08
Originally posted by stephenperry stephenperry wrote:

Remove that program ASAP, you might have made it worse!

I already have. Did it as soon as I'd run the scan. The old 'you have all these bad files on your computer but you have to pay us before we will remove them' line feels a bit like extortion to me.





Posted By: Peter Fenwick
Date Posted: 08-January-2006 at 09:09
Originally posted by stephenperry stephenperry wrote:

Make a new system restore point and actually let that program install so you can get a clue as to what it's called (the one that you're asking about).

How do I do that?





Posted By: Peter Fenwick
Date Posted: 08-January-2006 at 09:38
Originally posted by stephenperry stephenperry wrote:

Try that link for CoolWebShredder; it should look like this:

Ran it and it found no problems. I then tried Trend Micro Anti-Spyware, which was a link from the CWS site, and it found 23 items in the registry which it has now removed. Most were remnants of a brush with eDonkey.

My little toolbar icon is still there and I still get the same ones picked up in Spybot... Vcodec.





Posted By: Peter Fenwick
Date Posted: 08-January-2006 at 09:43

Originally posted by spokey spokey wrote:

I don't know why http://download.drweb.com/win/ - this guy's AV is better than others, but it is very highly recommended (by me and others!)

If that doesn't work, try http://www.tomcoyote.org/hjt/ - these guys.

Good luck!

Tried Dr.Web and I just end up with 'This page cannot be displayed'.

 





Posted By: stephenperry
Date Posted: 08-January-2006 at 09:56

To create a new restore point:

Start... All Programs... Accessories... System Tools... System Restore... Create a restore point

Give it a name, like "before running spyware program".

When it's created successfully, double click on the annoying toolbar icon and let it install, then let us know what it does. This should help in identifying how to remove it once it's installed.




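The restore-point-then-observe procedure above, as an added example that is not from this thread: a Windows PowerShell 5.1 script (assumed to be run elevated, with System Restore enabled on C:) that takes the restore point, snapshots the usual autostart registry locations, waits while the suspect item installs, and prints only the entries that appeared afterwards, so the name it registers under can be read off the diff rather than guessed.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1,
# an elevated session, and System Restore enabled on the system drive.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-AutostartSnapshot {
    # Run/RunOnce keep their entries as values; BHOs are registered as CLSID subkeys.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Value = $item.GetValue($name) }
        }
        foreach ($sub in $item.GetSubKeyNames()) {
            [pscustomobject]@{ Location = $key; Name = $sub; Value = '(subkey)' }
        }
    }
}

# 1. Restore point first, as the post advises. Windows 8 and later refuse a
#    second checkpoint within 24 hours unless the registry frequency limit is changed.
Checkpoint-Computer -Description 'before running spyware program' -RestorePointType MODIFY_SETTINGS

# 2. Baseline snapshot, also saved to disk in case the session is lost.
$before = Get-AutostartSnapshot
$before | Export-Clixml "$env:TEMP\autostart-before.xml"

Read-Host 'Now let the toolbar item install, then press Enter'

# 3. Anything present only in the after snapshot is what the installer registered.
$after = Get-AutostartSnapshot
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Location, Name, Value |
    Where-Object SideIndicator -eq '=>' |
    Select-Object Location, Name, Value |
    Format-Table -AutoSize
```

The listed keys cover the classic Run/RunOnce and Browser Helper Object locations; services and scheduled tasks are not included and would need a separate snapshot.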

Posted By: Peter Fenwick
Date Posted: 08-January-2006 at 12:52

It's sorted. It turned out to be malware known as SpyAxe. Relatively new, I think, and designed to force you to buy it.

These two links got me sorted. The first explains what it is, but then links to a downloadable program that does a free scan, then asks you to subscribe before it will clean your PC. The second takes you through a free process. Time-consuming, but it worked.

http://www.spywaredb.com/remove-spyaxe/ - http://www.spywaredb.com/remove-spyaxe/

http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3 - http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

 

Thanks for all your help guys, especially you Stephen.





Posted By: stephenperry
Date Posted: 08-January-2006 at 13:01

No problem, I'm glad it's sorted. Thanks for the links, they'll be going into my toolkit.





