Hello,
I have unknowingly downloaded a trojan virus that seems to be installing spyware all over my laptop, and I can't get rid of it. I have already used: spybot search and destroy, adaware, spy sweeper, spystopper, etc. to remove all detected spyware. However, there are still programs trying to get access through my firewall client and I am still getting pop-up advertisements.
After some investigation here is what I have found. I have noticed suspicious processes running such as: Bdeu.exe, YdicV.exe, RjaZ.exe, and Roj12unt.exe. Every time I kill one of these processes it will regenerate with one of the above names. So, next I went to the Registry, HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and deleted the suspicious key value: "5Z9FK624L@JD8K", data: "C:\WINDOWS\System32\Xhf5Pw5.exe" (NOTE: I have checked c:\windows\system32 and I see no signs of "Xhf5Pw5.exe" so I cannot simply delete it.) After that, I went to the c:\windows\prefetch folder and deleted all entries that referenced the above suspicious .EXEs such as "BDEU.EXE-05B9253C.pf", "YDICV.EXE-2084E07E.pf", etc.
But, the virus does not die! When I shutdown/restart the computer it must be rewriting the reg keys because everything I deleted from the registry is regenerated. I need to find the root of this virus and where it lives so I can exterminate it. Does anyone have any ideas??
As another side note, I have noticed that the "wowexec" process is being used somehow. From my research on this process it emulates the Windows 3.1 16-bit environment for certain 16-bit applications (or viruses). Even when I try to delete this .exe from c:\windows\System32 it regenerates itself as well.

Hi Deven Hariyani, hi everyone,
You seem to mix up virus, trojan and spyware.
All the utilities you ran are antispyware... they are very good in their category but not enough for viruses or trojans.
Scan your disk with this antivirus:
-> Trend Micro online AV scan
Antivirus programs are usually able to detect and eradicate many trojans but some are tough!
Good antitrojans are not free... however try these:
-> HiJackThis
-> onLine scan anti-parasite
-> onLine scan anti-trojan
HTH
Good Luck Bill!
Have a good day,
Gérard from Paris, France

Hi Deven Hariyani, hi everyone,
>Good Luck Bill!
I'm sorry for having named you Bill! I confused you with the guy from my previous post! ;-)
I don't know XP well enough and don't dare give directions about the system or registry!
I suggest you ask your question on another forum of Computing.Net:
-> Windows XP
-> Security and Virus
Have a good day,
Gérard from Paris, France

Oh yes, I did try an anti-virus software, but it didn't find anything. I also recently tried the "Trend Micro online AV scan" that Gerard recommended, but that didn't find anything either. However, I downloaded the latest update from Adaware for their spyware removal software, and that seemed to solve the problem. I do not see the mysterious .exes appearing anymore. Thanks for the help everyone, it is much appreciated!
Cheers,
Deven

This is NOT spyware. You may have some running on your system, but this IS NOT IT:
wowexec - wowexec.exe - Process Information
Process File: wowexec or wowexec.exe
Process Name: Windows On Windows Execution Process
Description: Windows On Windows Execution Support Process provides support for 16-bit Windows applications together with ntvdm.exe
Common Errors: N/A
System Process: No
thx 2: http://www.liutilities.com/products/wintaskspro/processlibrary/wowexec/

Don't jump the gun 'gazassassin'. If the user has a wowexec.exe in the process list, it is a valid Windows component used to run 16-bit apps. BUT, if you have _wowexec.exe (prefixed with a space), then it is Adware.
Use 'Spybot Search and Destroy' (freeware) to remove this and other bollox on your system.
Laters
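
Added example, not part of any post in this thread: a small check for the distinction drawn above between the genuine `wowexec.exe` and a look-alike whose name is padded with a space. It goes one step beyond the thread by also flagging a correctly named system process that runs from outside System32; the expected-directory table and the sample process list are constructed assumptions.

```python
import ntpath

# Assumption: expected image directory for the system processes named in this thread.
EXPECTED_DIRS = {
    "wowexec.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
}

def classify(image_name, image_path=None):
    """Return 'ok', 'padded-name', 'unexpected-path' or 'unknown'."""
    normalized = image_name.strip().lower()
    if normalized not in EXPECTED_DIRS:
        return "unknown"          # not one of the names we are guarding
    if image_name != image_name.strip():
        return "padded-name"      # e.g. ' wowexec.exe' with a leading space
    if image_path is not None:
        # ntpath parses Windows paths on any platform.
        directory = ntpath.dirname(ntpath.normpath(image_path)).lower()
        if directory != EXPECTED_DIRS[normalized]:
            return "unexpected-path"
    return "ok"

def audit(processes):
    """Return (name, verdict) for every entry that imitates a guarded name."""
    findings = []
    for name, path in processes:
        verdict = classify(name, path)
        if verdict in ("padded-name", "unexpected-path"):
            findings.append((name, verdict))
    return findings

# Constructed sample process list (name, image path); not taken from a real system.
SAMPLE = [
    ("wowexec.exe", r"C:\WINDOWS\System32\wowexec.exe"),
    (" wowexec.exe", r"C:\WINDOWS\System32\ wowexec.exe"),
    ("csrss.exe", r"C:\Documents and Settings\user\Local Settings\Temp\csrss.exe"),
    ("example.exe", None),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE):
        # repr() makes the padding visible in the output.
        print(f"{name!r}: {verdict}")
```

Printing the name with `repr()` matters here, because a leading space is easy to miss in a plain process list.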

Short Version:
I updated & ran "Spybot - Search & Destroy" (http://www.safer-networking.org/) to get rid of a mouse skip/delay thought to be caused by csrss.exe or " wowexec.exe"? I haven't downloaded anything but BIOS & drivers with this system? Is the wowexec.exe activated/dl'd through ActiveX?
Info: Running spybot can and will render some adware/spyware programs "useless" (ie. Kazaa).
Long version:
I've just come across the same if not similar scenario? The pointer on my GF's computer was skipping around & myself being had a few times by a couple of viruses, brought up the task manager (ctrl + alt + delete) to see that csrss.exe was randomly grabbing CPU "time"? Being somewhat familiar with processes & having never noticed this process before I did a Google search which led me to Symantec (Norton's) http://www.symantec.com/avcenter/venc/data/w32.dalbug.worm.html; Reading through this link I also discovered that smss.exe was also running & suspected that this machine maybe infected with the W32.Dalbug.Worm viri? I then updated the anti virus definition & ran Norton's antivirus in safe mode (twice) only to come up blank (no viri)!? I then noticed " wowexec.exe" (offset with a space) & did a Google search which led me here. I then updated & ran "spywareblaster" (http://www.javacoolsoftware.com/spywareblaster.html) to find I was already protected? I then updated & ran "Spybot - Search & Destroy" (http://www.safer-networking.org/) to find that "alexa related:What's related link" was "activated"? I "immunized" it & rebooted to see that the mouse no longer had a skip/delay & the " wowexec.exe" was gone.
PS Thanks guys for pointing out wowexec.exe, I missed it in the task manager!?

Hi HossMonkey, Deven Hariyani, gazassassin, MiD, hi everyone,
HossMonkey, thank you for your post... very interesting!
Have a good day,
Gérard from Paris, France
