My HijackThis log... O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winlink\winlink.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.exe /q O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio2K\PROGRAM\CTMIX32.exe /t O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.exe O4 - Startup: Folding@home 3.24.lnk = D:\Folding@Home\winfah.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office\OSA9.exe O4 - Global Startup: MSupdater.exe O9 - Extra button: ATI TV (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: Microsoft WFC Forms Designer - file://G:\VJ98\wfcforms.cab O16 - DPF: Visual Studio 6 Extensibility Libraries - file://G:\VJ98\vstudio6.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37836.8787847222 O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/updater//MaxisSimCity4PatcherX.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Has anyone had any success in removing the winshow.dll and winlink.dll permanently? I've removed them both using HijackThis (and Winshow also using the uninstall program at 8ad.com) but they reappear upon system reboot, so I'm obviously missing a step. Any help is greatly appreciated! Thanks in advance.

Okay you have to go into your system registry in safe mode. When going into system registry find winshow.dll and winlink.dll and delete them.

Run HT again and check the following items. Next, close all browser Windows, and have HT 'fix checked'. You Must restart your computer when you're done. O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll O2 - BHO: winlink module - {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} - C:\Documents and Settings\Administrator\Application Data\winlink\winlink.dll O4 - Global Startup: MSupdater.exe

Thanks guys! I appreciate the help.

That fix is the bomb! Thanks. I spent like an hour fooling around in the registry and as mentioned above, the problem kept coming back. I used your safe mode fix with HT and it worked. Thanks again.

These fixes are fine, but they don't go far enough. First of all, HijackThis is a dangerous tool that shows all kinds of things that you shouldn't delete. Second, be careful what you delete re: winlink. Winlink is integral to Windows. It's a video-editing tool. Winlink.dll is scumware associated with Winshow. Third, to eliminate the Winshow pestilence, you need to edit the Registry. Like this: Navigate to and delete the keys: HKEY_CLASSES_ROOT\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} HKEY_CLASSES_ROOT\WinShow.ViewSource HKEY_CLASSES_ROOT\WinShow.ViewSource.1 HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} HKEY_LOCAL_MACHINE\Software\CLASSES\WinShow.ViewSource HKEY_LOCAL_MACHINE\Software\CLASSES\WinShow.ViewSource.1 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A} Next, search the Registry for Winshow and delete all. Then, search your system for Winshow and delete all, if still present. Finally, reboot. That should elminate the scum. --DK--

I'm a somewhat less sophisticated user, so rather than try to prevent winshow.dll and winlink.dll from reappearing, I found and deleted them but replaced them with dummy MS Word documents which I renamed in MS Dos to the same names (including the file extension). This seems to have helped somewhat, as the pop-ups that were crashing my IE browser are no longer doing so.