This is a multi-part message in MIME format. ------=_NextPart_000_0040_01C450F1.8C022DF0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit > To update on my original post, the problem is still there despite > repeated anti-virus scans and running Ad-Aware and Spybot S&D, > and I'm about to give up and just wipe the HD clean and > re-install WinXP from scratch That seems like a great shame if it can be avoided. If you are down to the one intractable program now, how about giving us as much information as you can and seeing if we can't beat it together. 2. See manual removal instructions at end. 1, Consider the following If I was faced with this problem I'd try the following. You may have done all this. - Set system rollback point before starting :-) - Adaware & Spybot - Run regedit and look in startup and system.ini files. - Run "Startup Control panel" (as recommended here recently) and check the various registry locations. - Ctrl-Alt-Del and look at Applications and Processes to identify File names and locations of the miscreant. - Regedit & search for strings that related. - 45 Magnum. Below are manual remove instructions for adsvre from http://www.computercops.biz/postp175351.html I'd GUESS that just deleting the exe files while in safe mode would be a good start. Disabling System Restore would be necessary. Tell us if any of this helps. Once / If you get rid of it using the methods below you could consider using the new "Tea Timer" facility in Spybot to help protect against such things in future. Also the startup vetting system ? part of "Startup Control Panel" that asks for permission before new startup registry keys are added. Irrelevant observation: My SYSTEM32 subdir has over 5000 (presumably legitimate) files in it. What madness is this ? :-) Enjoy (hopefully) Russell McMahon ______________________ Fix these lines with HijackThis. R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe O4 - HKLM\..\Run: [5f] C:\windows\temp\5f.exe O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost34.exe O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1 O9 - Extra button: Real.com (HKLM) O9 - Extra button: WeatherBug (HKCU) ---------------------------------------------------------------------------- --------- Next step - reboot and start up in Fail-Safe mode - Just reboot your computer and keep pressing F8 untill you see a dialog prompting you what to do. When Windows has started, disable System Restore. This link tells you how to do so - http://service1.symantec.com/SUPPORT/ts...1912274039 Now, deleting the adware exe files can commence. Delete the folder - C:\Program Files\TV Media\Tvm.exe Delete the file - C:\windows\temp\5f.exe Delete the file - C:\WINDOWS\fash.exe Delete the file - C:\WINDOWS\System32\IEHost34.exe Hold on, there are some leftovers that need to be cleaned, getting the info. Read Uninstall procedure, and Manual removal on this page - http://www.kephyr.com/spywarescanner/li...ce=bassfaq Read Uninstall procedure on this page - http://www.kephyr.com/spywarescanner/li...ndex.phtml Remember to remove the files, which stated by that page, are left behind even though the program is uninstalled. Now, enable System Restore again - http://service1.symantec.com/SUPPORT/ts...1912274039 - , reboot your computer in normal mode, and post a new HijackThis log. Did this help? If you have any problems, or questions, post away! Russell McMahon -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details. ------=_NextPart_000_0040_01C450F1.8C022DF0 Content-Type: image/gif; name="icon_smile.gif" Content-Transfer-Encoding: base64 Content-Location: http://www.computercops.biz/modules/Forums/images/smiles/icon_smile.gif R0lGODlhDwAPALMOAP/qAEVFRQAAAP/OAP/JAP+0AP6dAP/+k//9E///////xzMzM///6//lAAAA AAAAACH5BAEAAA4ALAAAAAAPAA8AAARb0EkZap3YVabOGRcWcAgCnIMRTEEnCCfwpqt2mHEOagoO nz+CKnADxoKFyiHHBBCSAdOiCVg8KwPZa7sVrgJZQWI8FhB2msGgwTXTWGqCXP4WBQr4wjDDstQm EQA7 ------=_NextPart_000_0040_01C450F1.8C022DF0--