Hi, I was advised over on the Security forum to post a message in my OS forum.
A couple of us are having trouble with some malware called Registry Cleaner 2.5. This little red shield pops up down by the time on the start bar and a message appears that says "You're computer is infected! Windows has detected a spyware infection that has corrupted the registry. It is reccomended to load update to prevent data loss. Windows will now download and install the most up to date software for you. Click here to protect your computer."
When clicked, it automatically downloads registrycleanersetup.exe to your C:\Windows\system32 folder. You have to agree to a license thing before it installs, and I've never agreed to install it, but I seem to recall having had to remove something like this a few years ago.
This was the suggested course of action in the other forum.
"Download ATF Cleaner and Super AntiSpyware and install these programs
Boot into safe mode, (F8 while booting up) then,
Go to start /control panel /add&remove programs and delete/remove the Registry cleaner 2.5
Then run the ATF Cleaner, then the Super AntiSpyware and also your AntiVirus
Then reboot to normal mode."
I did all of it, and the Super AntiSpyware program removed a bunch of files, but when I rebooted to normal mode, the popup was still there.
I ran a search of my hard drive, looking for the word registry, and turned up a file in C:\Windows\Prefetch that's called REGISTRYCLEANERSETUP.EXE-1FE49650.pf which I'm pretty sure is the thing that's causing the problem, but I want to ask around before I actually try to just delete the file.
If it makes any difference, there's something screwy going on with my browser as well. I can't get to google (and a few other sites) with either IE 7 or Firefox 2.
Thanks for any help you can give (if you've read all that!)

Use HiJackThis to track down the infections. Read this link 1st, it has step by step.
http://www.wilderssecurity.com/show...
Important: Create a specific folder on your hard drive called HijackThis to keep its backups.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HijackThis. Download and unzip HijackThis.exe into this folder.
http://www.merijn.org/downloads.html Or, http://tomcoyote.com/hjt/
If possible, run HJT in Normal mode (not Safe) with all your normal startups working.
HijackThis Tutorial - How to Analyse your own log.
http://spywarewarrior.com/viewtopic...
http://hometown.aol.co.uk/jrmc137/h...
http://www.bleepingcomputer.com/tut...
http://www.malwarehelp.org/understa...
HijackThis log file analysis ( online )
http://hijackthis.de/index.php?lang...
Or,
http://startup.networktechs.com/pag...
http://hjt.iamnotageek.com
Malware Prevention: Prevent Re-infection
http://wiki.castlecops.com/Malware_...

Just linking to the other post, as always
great links Johnw.
http://computing.net/security/wwwbo...
Main problem file is
ctpmon.exe
http://www.castlecops.com/s13842-ct...
http://fileinfo.prevx.com/fileinfo....

I had the same. Start menu / Run / type msconfig.exe, then the last tab about the automatic programs which start with Windows, find ctpmon.exe and be sure it's not ticked, then press OK and start Windows again so you will be able to delete ctpmon.exe from the windows/system32 directory.
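
An added example, not posted by anyone in this thread: a short Python script that reads a saved HijackThis log and pulls out the two kinds of entries this thread is concerned with, O4 autoruns whose executable is one of the file names mentioned above, and O1 Hosts file entries, which are worth reviewing when sites stop loading. The sample log is constructed, and the names WATCHED, parse and review are hypothetical.

```python
import ntpath
import re

# File names mentioned in this thread. Matching is on the exact base name,
# so the legitimate Windows file ctfmon.exe is not confused with ctpmon.exe.
WATCHED = {"ctpmon.exe", "registrycleanersetup.exe"}

# Constructed sample in HijackThis log format (not a log from this thread).
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O1 - Hosts: 127.0.0.1 www.google.com
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [ctpmon] C:\WINDOWS\system32\ctpmon.exe
O4 - Global Startup: Example Tool.lnk = C:\Program Files\Example\tool.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)


def parse(log):
    """Yield (section, body) for each entry line such as 'O4 - ...'."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["sec"], m["body"]


def review(log):
    """Return Hosts file entries and autoruns that launch a watched file."""
    hosts, autoruns = [], []
    for sec, body in parse(log):
        if sec == "O1" and body.startswith("Hosts:"):
            hosts.append(body[len("Hosts:"):].strip())
        elif sec == "O4":
            m = EXE_RE.search(body)
            exe = ntpath.basename(m.group(0)).lower() if m else None
            if exe in WATCHED:
                autoruns.append(body)
    return {"hosts": hosts, "autoruns": autoruns}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for entry in result["autoruns"]:
        print("Autorun to review:", entry)
    for entry in result["hosts"]:
        print("Hosts entry to review:", entry)
```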

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.