Errors in My XP Error Log.

John, is this machine directly connected to the Internet or do you have a hardware firewall protecting it? My first thought is some sort of attack is causing this. You can probably turn off the DCOM service without any problem to stop the first error you posted it is normally not used anyway. If you can't update and you can't restore, yes I would say it is serious. What error do you get when you try to update? When you try to restore?

I dont directly connect to the Internet on the machine, i connect using a wireless gateway. In terms of firewall i aint currently been using one (stupid i know). Was going to install Zone alarm, not a computer tech person myself.

I've been told by windows update there is 1 security update that i can download, i try and download it and all i get is an error on the page saying could not be installed.

I tried to do a system restore, it gets to the point where it reboots gets me back into XP and the window says restore unsuccessful and doesnt carry out the restore.

Only things i have done recently have been following the various guides and help to try and remove the About:Blank IE Hijacker.

The D-Com has been there for a while, never caused me any problems, however over the last two days i cant install the updates i download nor can i carry out the system restore.

I dunno if this helps but i created a system restore point and then an hour later i tried to revert back to it and it worked. It just wont restore points prior to today.

I looked at the folder where the updates download, which i believe is the wutemp folder on my c:\ drive, the update file was there but when i tried to run it and the error it came up with was:

c:\windows\system32\dlcache\nmcom.dll is open or in use by another application, close all applications then retry.

John,

I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to setup their dsl connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

If you have to use a software firewall, Zonealarm is ok but they are not nearly as good as a hardware firewall. I have proven in my lab that attackers can still cause windows machines to crash with softwalls running, even though they can't upload trojans. Still..way better than nothing.

I'm all but certain you are under attack.

You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

nmcom.dll is part of Netmeeting are you running netmeeting?

One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.

Try to run the online virus scan from TrendMicro and see if it finds anything.

Dcom is part of windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe

Then click on the Applications tab.

Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.

Note that it is probably only necessary to look at third-party programs here.

Microsoft programs designed to run on a non-networked, stand-a-lone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".

Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.

John,

I still don't have any idea if you are really directly connected to the Internet or not. Who controls the wireless gateway? Is it yours, or is it part of a campus network that you get access to the Internet through or what? Having a firewall is not optional today, it is absolutely required. I have had customers have their computers completely destroyed by Internet hackers while they were trying to setup their dsl connection! No kidding. The time delay between the time you connect an unprotected machine to the Internet and the time it is first discovered by a hacker these days is probably best figured in minutes not days.

Basically its a wireless adsl router in another room that i connect to via a wireless usb device. I can enable a firewall on the router i think. I have just enabled the firewall on my router i think.

John,
You might try going to a command prompt and enter "netstat -n -a > c:\netstat.txt" without the quotes. Post the content of that file here and let me see it. It will show all network connections and ports listening on your pc.

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1163 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 213.137.229.120:2206 ESTABLISHED
TCP 10.0.0.1:445 80.46.175.71:4404 ESTABLISHED
TCP 10.0.0.1:445 80.46.175.134:1310 ESTABLISHED
TCP 10.0.0.1:1025 61.163.12.56:3784 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1049 *:*
UDP 0.0.0.0:1052 *:*
UDP 10.0.0.1:123 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
UDP 10.0.0.1:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1035 *:*
UDP 127.0.0.1:1051 *:*
UDP 127.0.0.1:1166 *:*
UDP 127.0.0.1:1900 *:*

And this is the one after i enabled the firewall on the router:

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1050 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1163 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 10.0.0.1:139 0.0.0.0:0 LISTENING
TCP 10.0.0.1:1025 61.163.12.56:3784 ESTABLISHED
TCP 10.0.0.1:1669 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1670 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1672 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1674 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1675 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1677 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1678 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1680 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1681 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1682 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1683 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1684 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1686 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1687 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1688 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1689 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1690 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1691 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1692 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1693 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1694 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1695 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1696 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1697 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1698 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1699 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1700 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1705 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1706 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1707 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1708 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1709 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1710 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1712 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1713 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1715 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1716 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1717 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1718 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1719 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1720 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1722 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1725 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1726 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1727 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1730 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1734 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1735 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1737 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1738 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1739 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1740 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1741 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1742 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1743 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1744 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1745 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1746 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1747 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1748 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1749 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1750 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1751 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1752 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1753 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1754 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1755 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1756 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1757 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1759 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1760 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1761 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1762 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1763 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1764 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1765 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1766 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1767 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1769 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1770 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1771 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1772 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1778 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1779 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1780 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1781 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1782 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1783 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1784 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1785 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1786 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1787 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1788 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1789 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1790 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1791 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1792 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1793 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1794 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1795 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1796 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1798 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1799 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1800 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1801 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1802 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1803 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1804 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1805 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1806 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1807 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1808 67.18.73.107:80 TIME_WAIT
TCP 10.0.0.1:1809 67.18.73.107:80 TIME_WAIT
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1049 *:*
UDP 0.0.0.0:1052 *:*
UDP 10.0.0.1:123 *:*
UDP 10.0.0.1:137 *:*
UDP 10.0.0.1:138 *:*
UDP 10.0.0.1:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1035 *:*
UDP 127.0.0.1:1166 *:*
UDP 127.0.0.1:1665 *:*
UDP 127.0.0.1:1900 *:*

John,
nmcom.dll is part of Netmeeting are you running netmeeting?

I have it installed, i dont think it is running though, i bought my pc a couple months back it was probably installed by them.

John,
One of the most recent MS security updates addresses a security flaw in DCOM. I would disable it at least until you get this issue cleared up.

Try to run the online virus scan from TrendMicro and see if it finds anything.

Dcom is part of windows, but it is only used for very specialized network applications which there is almost no chance that you would be using on a lone PC. Follow these instructions to disable it. Ignore the instructions for testing apps right now, you can enable it later if you want.
Click on Start | Run | and enter: C:\WinNT\System32\Dcomcnfg.exe

Then click on the Applications tab.

Many programs "support" Distributed Communication (DCOM) but rarely ever use it. This includes such programs as Windows Media and Wordpad. When examining this option, look for third-party applications that might actually REQUIRE network support, as opposed to those that simply support it. To find out if these programs really require DCOM, you must disable it, run the programs, and see what happens.

Note that it is probably only necessary to look at third-party programs here.

Microsoft programs designed to run on a non-networked, stand-a-lone computer are usually written to support but do not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box labeled "Enable Distributed COM on this computer".

Reboot, and try running the third-party software noted as above. Odds are that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except "Connection-oriented TCP/IP". This doesn’t create any additional security but does reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop Windows from listening on Port 135.

I'm a bit lost on this sorry, i dont see an applications tab, when i run dcomcnfg.exe it opens the component services, if i click on event viewer i see an applications, security and systems error records.

Checked my error logs today and i dont have any dcom ones so far.

OK John,
Don't mean to scare you, but you are absolutely being hacked.

A little info if you look in your log at these

port 139
NetBIOS Session (TCP), Windows File and Printer Sharing
This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.
port 445 is a secondary netbios port

port 1025 is assigned to a port of the "Active Directory logon and directory replication interface"

you had active connections on port 139 to somewhere in Russia

2 connections on port 445 to Amsterdam

1 Connection on port 1025 to China

and a whole lotta dropped connections to Texas on random ports to web port 80 since you enabled the firewall.

All doing God knows what.

Your second log shows the one on port 1025 still connected so I would guess they have a trojon on your machine phoning home.

Did you run the Virus Scan from TrendMicro ?

Oh heheh the port 80 connection is to Daniweb guess we don't need to worry about that one. Should of mentioned, before doing the scan, close all the stuff you have open to web. Makes it easier to read. But I think we got what we needed in this case anyway.

I cant get the scan to work on their site, my Internet Explorer crashes, should i install firefox for example and try and run it from that?

Hello,

Seeing the damage that is done, I think it is best for you to re-format your drives and start over. You don't know what modifications were made to the system, and could spend the next few months of your life making things work again. Sometimes it is smart to just start over.

But when you do start over, plan how you are going to stop internet attacks from the start. I have seen machines get hacked into in as little as 10 minutes after being "completed" but before proper patches are installed. A firewall should be the FIRST thing installed after the OS boots up. Have the firewall ready on CD, so that you can boot and install it pronto.

Christian

Hello,

Seeing the damage that is done, I think it is best for you to re-format your drives and start over. You don't know what modifications were made to the system, and could spend the next few months of your life making things work again. Sometimes it is smart to just start over.

But when you do start over, plan how you are going to stop internet attacks from the start. I have seen machines get hacked into in as little as 10 minutes after being "completed" but before proper patches are installed. A firewall should be the FIRST thing installed after the OS boots up. Have the firewall ready on CD, so that you can boot and install it pronto.

Christian

I have been considering it, my pc is newish bought it from Mesh at the end of May, i dont want to reformat due to a possible breach in my warranty etc, i hope i can fix it somehow first, or maybe get them to look at it.

In terms of system stablity it runs fine, only probs i have are these suspected hacks and i cant install windows updates,i can download but not install due to a program using a .dll file. And i have the annoying about:blank hijacker which resets my homepage and gives me popups, shame cause a week ago my pc was working fine, though i've had the dcom error logs for ages.

Mesh did give me a recovery disk, which lets me either:

1. roll back to last good boot.
2. roll back to the original installation- state when delivered.
3. reinstall clean windows.
4 reformat drive-and install windows.

I agree with Christian. But sometimes people have things that are just about irreplaceable installed. If you're not in that category, then by all means, reformat drive and reinstall windows. AND get that firewall ready.

I agree with Christian. But sometimes people have things that are just about irreplaceable installed. If you're not in that category, then by all means, reformat drive and reinstall windows. AND get that firewall ready.

Concerning the firewall will the one i enabled on my router be suffcient? or should i install zone alarm for example?

And should a format/reinstall wipe the stuff clean from my hardrive, the hijacker etc?

A format and reinstall when booted from a bootable CD will destroy everything. Most any type of DSL router these days, that is set up to do NAT is sufficient for what you need. Sometimes people still use zonealarm so they can see what is trying to get out. Remember, if you're browsing the Internet and you download something like Malware, normally your firewall won't protect you from that. It's main purpose is to prevent hackers from ever even seeing your machine from the outside. They won't be able to "touch" any of your ports. But if you download something, and it "phones home", then you still have a problem. In that case something like ZoneAlarm will at least alert you that somethings trying to get out and you know something is going on. So although I never do it myself because I don't like these applications running on my machine, you probably should until you really know what's what. Hope that makes sense.

A format and reinstall when booted from a bootable CD will destroy everything. Most any type of DSL router these days, that is set up to do NAT is sufficient for what you need. Sometimes people still use zonealarm so they can see what is trying to get out. Remember, if you're browsing the Internet and you download something like Malware, normally your firewall won't protect you from that. It's main purpose is to prevent hackers from ever even seeing your machine from the outside. They won't be able to "touch" any of your ports. But if you download something, and it "phones home", then you still have a problem. In that case something like ZoneAlarm will at least alert you that somethings trying to get out and you know something is going on. So although I never do it myself because I don't like these applications running on my machine, you probably should until you really know what's what. Hope that makes sense.

Based on the two logs i posted earlier, when i turned the router firewall on did it restrict some of the activity and if so is it ok just to use that?

As bentkey alluded to- if you still see some of the activity, you still have active nasties in your system that need to go. The router may be able to be configured to block outgoing attempts to "phone home", but the programs responsible for the activity are still alive and festering on you machine.

Just posting to firstly say thankyou for the help that has been submitted in the thread.:)

In terms of my error report the dcom errors seem to have stopped a bit,
instead i get the ocasional

"The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt_qxp\com\com1x\src\events \tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error."

Secondly i am going to probably reformat and reinstall windows, first i am going to notify the company that i bought the pc from (mesh) and tell them i have probs, they will probably tell me to reformat, just doing this to make sure my ass is covered basically.

I'm hoping the reformat will fix the .dll errors i got and hopefully get rid of this browser hijacker, then making sure my router firewall is on and maybe put zonelarm on just to incrase the safety a bit more. Reason why i stupidly never used one before was i thought it would effect my gaming, in terms of ping etc, though now i see that it doesnt really. I might install a new browser instead of IE cause i read that its a security risk, firefox perhaps.

Once again thankyou for the information, i'll keep you informed or if i have any more queires after i reformat and reinstall.

So a move to the security section of this fourm and get some of the programs like ad-aware and spy-bot and hijackthis ,to help remove the Baddies from within is in order maybe!:)

So a move to the security section of this fourm and get some of the programs like ad-aware and spy-bot and hijackthis ,to help remove the Baddies from within is in orde maybe!:)

Yeah i've been in there before posted aout the about:blank hijacker, you might of seen my post. Basically i've tried loads of things, however it seems to come back 2 days later, tried that fix solution by phage but it came back also. Real pain in the arse :evil:

Ah! so you have ,someone just recomended you use a updated cwshredder to fix it

His machine has been so ravaged now, it only makes sense to format and start over. Personally I would love to have my hands on that machine for a while just to find and kill the things. Guess that's why I'm in the business. Of course, I'd still format it after I had fixed it just to be sure. :D John, I think you should go ahead and put ZoneAlarm on it, AdAware, Spybot, SpywareBlaster, Spyware Guard and some kind of up-to-date antivirus too. Do as much of it as you can with net cable unplugged too. Good Luck.