I have popups appear on what I believe is a timer, though I am unsure what the actual cause/driver is. Log file pasted below. Please let me know if you have any fix ideas. Thanks!
Logfile of HijackThis v1.96.0
Scan saved at 12:25:53 PM, on 8/10/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\EPOAgent\naimas32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\QCONSVC.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\MSO2000\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msmsgri32.exe
C:\Documents and Settings\chom\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Chom\Application Data\Mozilla\Profiles\default\4vktwm1t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chom\Application Data\Mozilla\Profiles\default\4vktwm1t.slt\prefs.js)
O1 - Hosts: 208.242.192.8 citrix.blackstone.com
O1 - Hosts: 208.242.192.3 tbgmsg.blackstone.com
O1 - Hosts: 206.181.211.200 www.private.primark.com # Disclosure
O1 - Hosts: 198.80.179.124 www.private.research.thomsonib.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
O4 - HKLM\..\Run: [mssyslanhelper] C:\WINNT\system32\msmsgri32.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\MSO2000\Office\OUTLOOK.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Startup: TBGmessaging.lnk = C:\Program Files\TBGMessaging\TBGmessaging.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\MSO2000\Office\OSA9.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/181ad8561cd88346ba00/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/en/IbmEgath.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37729.3084490741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://er0.deloitteonline.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Blackstone.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Blackstone.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Blackstone.com

Hi DrGiggles. Before we even attempt a cleanup, go here and run an online virus scan.
Copy the report and paste it in a reply. The following are virii:
Backdoor.IRC.Zcrew
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
W32.Randex.D
O4 - HKLM\..\Run: [mssyslanhelper] C:\WINNT\system32\msmsgri32.exe

oh geez...this doesn't look good:
Scan started at 8/10/2003 1:28:10 PM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\inf\scon.exe->(UPXW) - Tool:HideWindows -> Infected
C:\WINNT\system32\inst.exe->[wise.9] - Backdoor:Win32/Pitchfork.A -> Infected
C:\WINNT\system32\w32x586.exe->(PaquetBuilder)->infsrv.exe - Trojan:Win32/Delsha.C -> Infected
C:\WINNT\system32\w32x586.exe->(PaquetBuilder)->msnq32.exe->(ASPack 2.12) - Tool:HideWindows -> Infected
C:\WINNT\system32\w32x586.exe->(PaquetBuilder)->mtnm32.dll - IRC/Generic* -> Suspicious
C:\WINNT\system32\winupdate.exe - Win32/HLLW.SpyBot -> Infected
C:\WINNT\system32\ZXSTE1.exe.vir->[Instyler Ex-it!]->iiscache.dll - IRC/Generic* -> Suspicious
C:\WINNT\system32\ZXSTE1.exe.vir->[Instyler Ex-it!]->svchost.exe - Backdoor:Win32/Iroffer -> Infected
C:\WINNT\system32\ZXSTE1.exe.vir->[Instyler Ex-it!]->svchost32.exe->(UPXW) - Tool:HideWindows -> Infected
C:\WINNT\system32\ZXSTE1.exe.vir->[Instyler Ex-it!]->v32driver.bat - Backdoor:BAT/Zcrew* -> Infected
C:\WINNT\system32\dllcache\infsrv.exe - Trojan:Win32/Delsha.C -> Infected
C:\WINNT\system32\dllcache\msnq32.exe->(ASPack 2.12) - Tool:HideWindows -> Infected
C:\WINNT\system32\winupdate\infsrv.exe - Trojan:Win32/Delsha.C -> Infected
C:\WINNT\system32\winupdate\msnq32.exe->(ASPack 2.12) - Tool:HideWindows -> Infected
Scanned
============================
Objects: 25465
Directories: 2267
Archives: 1071
Size(Kb): -1877432
Infected files: 12
Found
============================
Viruses found: 6
Suspicious files: 2
Disinfected files: 0
Mail files: 50
thanks for your help

Run HT again and check the following items. Next, close all browser windows, and have HT fix all checked.
You NEED to restart your computer when you're done.
O1 - Hosts: 208.242.192.8 citrix.blackstone.com
O1 - Hosts: 208.242.192.3 tbgmsg.blackstone.com
O1 - Hosts: 206.181.211.200 www.private.primark.com # Disclosure
O1 - Hosts: 198.80.179.124 www.private.research.thomsonib.com
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
O4 - HKLM\..\Run: [mssyslanhelper] C:\WINNT\system32\msmsgri32.exe
After restarting delete the following:
c:\winnt\web\printers\images\explorer.exe
C:\WINNT\system32\msmsgri32.exe
C:\WINNT\inf\scon.exe
C:\WINNT\system32\inst.exe
C:\WINNT\system32\w32x586.exe
C:\WINNT\system32\winupdate.exe
C:\WINNT\system32\ZXSTE1.exe.vir
C:\WINNT\system32\dllcache\infsrv.exe
C:\WINNT\system32\dllcache\msnq32.exe
C:\WINNT\system32\winupdate\infsrv.exe
C:\WINNT\system32\winupdate\msnq32.exe
Afterwards, run another virus scan and post a fresh HT log.

Some of the files that have virii I could not find to delete (have already specified to show hidden files/directories). Unsure how to get to them.
Ran another virus scan; here is the output:
Scan started at 8/10/2003 10:57:52 PM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINNT\inf\scon.exe->(UPXW) - Tool:HideWindows -> Infected
C:\WINNT\system32\inst.exe->[wise.9] - Backdoor:Win32/Pitchfork.A -> Infected
C:\WINNT\system32\dllcache\infsrv.exe - Trojan:Win32/Delsha.C -> Infected
C:\WINNT\system32\dllcache\msnq32.exe->(ASPack 2.12) - Tool:HideWindows -> Infected
Scanned
============================
Objects: 25346
Directories: 2271
Archives: 1068
Size(Kb): -1960978
Infected files: 4
Found
============================
Viruses found: 3
Suspicious files: 0
Disinfected files: 0
Mail files: 52
Please let me know if you have any thoughts.
thanks

Figured out how to delete those files. Posting new hijack log:
Logfile of HijackThis v1.96.0
Scan saved at 1:10:06 AM, on 8/11/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\EPOAgent\naimas32.exe
C:\WINNT\System32\QCONSVC.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
C:\EPOAgent\naimag32.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\eRoom 6\ERClient.exe
C:\Program Files\MSO2000\Office\1033\msoffice.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Documents and Settings\chom\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F0 - system.ini: Shell=explorer.exe winupdate.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\Documents and Settings\Chom\Application Data\Mozilla\Profiles\default\4vktwm1t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Chom\Application Data\Mozilla\Profiles\default\4vktwm1t.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\EPOAgent\naimag32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: Launch Microsoft Outlook (2).lnk = C:\Program Files\MSO2000\Office\OUTLOOK.exe
O4 - Startup: Monitor My eRooms.lnk = C:\Program Files\eRoom 6\ERClient.exe
O4 - Startup: TBGmessaging.lnk = C:\Program Files\TBGMessaging\TBGmessaging.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\MSO2000\Office\OSA9.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/181ad8561cd88346ba00/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/en/IbmEgath.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37729.3084490741
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E876D003-BCDE-11D3-9131-000094B61529} (ERPageAddin Class) - https://er0.deloitteonline.com/eroomsetup/client.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Blackstone.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Blackstone.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Blackstone.com

It's being a sneaky little bugger:
F0 - system.ini: Shell=explorer.exe winupdate.exe
Boot into safe mode, run HT and fix the above entry. Then delete winupdate.exe.

Oooppss, missed a few, need sleep!
While in safe mode have HT fix these also:
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
And delete c:\winnt\web\printers\images\explorer.exe as well.
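The Shell= chaining and the misnamed Run entries picked out in the two replies above are the kind of pattern a log-triage script can catch automatically; the following Python is an added example, not part of this thread or of HijackThis, that parses the F0 and O4 lines copied from the logs above and flags a second executable on the Shell= line, a well-known binary name running from an unexpected directory, and a Run key whose target is also chained onto Shell=. The EXPECTED_DIRS allow-list and SAMPLE_LOG are assumptions constructed for the example; it deliberately does not catch entries such as mssyslanhelper, which in this thread needed a scanner signature rather than a path heuristic.

```python
import ntpath
import re

# Constructed sample: Run-key and Shell= entries copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe winupdate.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [windows update] c:\winnt\web\printers\images\explorer.exe
O4 - HKLM\..\Run: [mssyslanhelper] C:\WINNT\system32\msmsgri32.exe
"""
# Assumed allow-list: where the genuine copy of a well-known binary lives (Win2000 / WinXP).
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\winnt", r"c:\windows"},
}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F0_RE = re.compile(r"^F0 - system\.ini: Shell=(?P<shell>.+)$")

def first_token(cmd):
    """Return the executable part of a Run command, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                    # quoted path, possibly containing spaces
        return cmd[1:cmd.find('"', 1)]
    if cmd.lower().endswith(".exe"):           # unquoted path with spaces, no arguments
        return cmd
    return cmd.split()[0]                      # plain "name.exe /args"

def parse(log):
    """Return (executables on the Shell= line, [(entry name, executable)] for O4 Run keys)."""
    shell, runs = [], []
    for line in log.splitlines():
        if (m := F0_RE.match(line)):
            shell = m["shell"].split()
        elif (m := O4_RE.match(line)):
            runs.append((m["name"], first_token(m["cmd"])))
    return shell, runs

def triage(log):
    """Map each suspicious entry to the reasons it was flagged."""
    shell, runs = parse(log)
    findings = {}
    # Anything after explorer.exe on the Shell= line is a second program started with the shell.
    extras = {x.lower() for x in shell if x.lower() != "explorer.exe"}
    if extras:
        findings["F0 Shell"] = [f"extra shell executable: {x}" for x in sorted(extras)]
    for name, exe in runs:
        base = ntpath.basename(exe).lower()
        folder = ntpath.dirname(exe).lower()
        reasons = []
        if base in EXPECTED_DIRS and folder not in EXPECTED_DIRS[base]:
            reasons.append(f"{base} outside its expected directory ({folder or 'search path'})")
        if base in extras:
            reasons.append(f"{base} is also chained onto the system.ini Shell= line")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(f"{entry}: {'; '.join(reasons)}")
```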

I think that might have worked!
thanks so much! Will be back in case something pops up...no pun intended
