View Full Version : Adware.Virtumonde Spyware *Won't* Go Away


TheHans
Aug 28th, 2005, 11:42 PM
Hi,

I've been having a problem I've documented on these forums that I first thought was just associated with annoying full-sized popup browsers, then I thought was winfixer software. But now it appears the problem has to do with something called "Virtumonde" that I can't get rid of.

Basically, senior member Goofball kindly assisted by suggesting I run a scan via Hijackthis, which showed him nothing out of the ordinary. Then he suggested I download the ewido security suite and it came up with a spyware.virtumonde file under Windows:

windows\repair\antimsvc.dll

I got rid of it via the ewido software, or so I thought. I re-scanned with the ewido software to check for cookies, and discovered that the windows file was still there. I got rid of it again, in case I accidentally had neglected to delete it, then restarted the computer. I looked in the Windows Explorer and it was still there under windows/repair. I attempted to delete it, but it said it couldn't be deleted as it was being used by another program. I closed everything and tried again, but it said the same thing. I restarted in Safe Mode and tried again to delete it from the Explorer, but it still wouldn't go.

I couldn't even send the file to Symantec, as it won't allow itself to be added to the quarantine area of AntiVirus, which is the way these files are sent to Symantec, apparently.

Many sites, including Symantec, refer to this virtumonde as "Adware" and many offer methods to remove it, all of which (at least from what I could find) refer to specific registry entries where this thing is. And the registry entries specified are always the same, it appears. Like the ones mentioned here:

http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html#removalinstructions

The problem is, I don't appear to have these registry entries. I looked more than once and even searched the registry to possibly find the "WindowsUpd" or "SysUpd" on some other registry entry somehow. But neither is there.

I really don't know what to do to get rid of this. The symptoms described on this above Symantec page involving this Adware.virtumonde thing are definitely the symptoms I'm experiencing. I'm sure this is what I have, yet I have no idea how to get rid of it.

The ewido software only found the .dll file and other software I've tried didn't even find that! I guess I've tried five different spyware programs at this point. I think I need to dispose of some registry entry, but I have no idea where or what it is. Any help would be greatly appreciated.


The Hans

goofball
Aug 28th, 2005, 11:50 PM
http://www.spyany.com/program/article_adw_rm_VirtuMonde.html

have you cleared your temp files from your user profile as well?

TheHans
Aug 29th, 2005, 12:06 AM
Hi,


http://www.spyany.com/program/article_adw_rm_VirtuMonde.html

The problem is, I don't have any of the files this fix is talking about. I don't have any registry keys ending with "WindowsUpd" or "SysUpd" that I could find. Nor do I have the windowsupd2.exe nor cidrules.dll files. That's what doesn't make sense. But I know I have this Virtumonde thing.


have you cleared your temp files from your user profile as well?

Where do you mean exactly? The temp files I mean?

The Hans

Cyber6
Aug 29th, 2005, 12:11 AM
I know you don't want to hear this.. but how bad would it be to do a clean install??

Dealing with annoying spyware is a pain in the a**... editing registry entries is another pain in the a** and if you don't know what you are doing it can be bad.

There is a nifty little program called PC rescue.. which fixes any kind of registry problems. It has helped in the past.. but then I know enough to not depend completely on it. As a scanning tool for the registry, it is quite useful. It might shed some light on what is going on in your registry.

C.

goofball
Aug 29th, 2005, 12:24 AM
temp files located under user profiles

c:\documents and settings\$username$\local settings\temp

don't suppose you could do a system restore to a previous date?

TheHans
Aug 29th, 2005, 12:46 AM
temp files located under user profiles

c:\documents and settings\$username$\local settings\temp

don't suppose you could do a system restore to a previous date?

Hi,

Unfortunately, that isn't a possibility. On a couple of forums I read, people described having this problem and that the main file was sitting in System Restore. A person actually had success by disabling System Restore, then restarting and enabling it again. Unfortunately, it didn't help me. But now I also no longer have the earlier restore points.

The Hans

TheHans
Aug 29th, 2005, 12:48 AM
I know you don't want to hear this.. but how bad would it be to do a clean install??

Dealing with annoying spyware is a pain in the a**... editing registry entries is another pain in the a** and if you don't know what you are doing it can be bad.

There is a nifty little program called PC rescue.. which fixes any kind of registry problems. It has helped in the past.. but then I know enough to not depend completely on it. As a scanning tool for the registry, it is quite useful. It might shed some light on what is going on in your registry.

C.

A clean install would be a nightmare. I could do something with the registry, but I have no idea what to do, that's the problem. I don't have the key endings that the various sites speak of.

The Hans

Ziggy007
Aug 29th, 2005, 08:16 AM
Have you tried the Adaware and Spybot programs?

Past that you have a lot of registry work to do...

TheHans
Aug 29th, 2005, 11:42 AM
Hi,

I'm posting my log file again from Hijackthis, because I read through it and discovered this:

O20 - Winlogon Notify: antimsvc - C:\WINDOWS\repair\antimsvc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

One of these two is the offending file I spoke of in the first post, the one I cannot delete. The Hijackthis software indicates that these files are quite suspicious. Also, the software says that if I delete these files, they will most likely come back unless I "delete on reboot," but I don't know what that is exactly, I must admit.

If this means anything to anyone and someone could help, this might be the answer to my problem. Here's the whole log file. Any help would be appreciated, as I said.

The Hans

Logfile of HijackThis v1.99.1
Scan saved at 8:12:35 AM, on 29/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Temp\Programs\Hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\antimsvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Outlook (2).lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120699347000
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://encarta.msn.com/encnet/external/MSSurVid.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: antimsvc - C:\WINDOWS\repair\antimsvc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
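The two O20 lines above, read together with the O2 line for the same DLL, are the actual clue in this log: antimsvc.dll is loaded both as a browser helper object and as a Winlogon Notify package, so it is mapped before any user session starts and stays locked, while igfxsrvc.dll sits in SYSTEM32 and has a single load point. The script below is an added example (not from the thread or from HijackThis) that applies exactly that triage to a constructed subset of the log lines quoted above; the path rule and the "multiple load points" rule are assumptions of this example, not HijackThis's own scoring.

```python
"""Triage HijackThis-style O-lines for suspicious persistence entries.

Added example, not part of the forum thread. Two heuristics are applied:
  1. an O20 Winlogon Notify DLL that lives outside C:\\WINDOWS\\system32
  2. a DLL registered through more than one load point (e.g. O2 BHO + O20)
The second rule is noisy on its own (vendor toolbars legitimately register
a BHO and an O3 toolbar from one DLL); the combination of both is what
singled out antimsvc.dll in the log quoted above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O3/O20 lines quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\repair\antimsvc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O20 - Winlogon Notify: antimsvc - C:\WINDOWS\repair\antimsvc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# "O20 - Winlogon Notify: antimsvc - C:\..."  ->  code, kind, rest
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")

# Assumed trust boundary for Winlogon Notify packages (lower-cased prefix).
TRUSTED_NOTIFY_DIR = "c:\\windows\\system32\\"


def parse_entries(log_text):
    """Return a list of dicts {code, kind, name, path} for every O-line.

    The fields after the kind are ' - ' separated; the last one is always the
    file path, whatever sits in between (CLSID, vendor name, ...).
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, kind, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        if len(fields) < 2:
            continue
        entries.append({"code": code, "kind": kind,
                        "name": fields[0], "path": fields[-1]})
    return entries


def triage(log_text):
    """Map each flagged DLL path (lower-cased) to a sorted list of reasons."""
    entries = parse_entries(log_text)
    load_points = defaultdict(set)          # path -> set of O-codes using it
    for e in entries:
        load_points[e["path"].lower()].add(e["code"])

    findings = {}
    for e in entries:
        path = e["path"].lower()
        reasons = findings.setdefault(path, set())
        if e["code"] == "O20" and not path.startswith(TRUSTED_NOTIFY_DIR):
            reasons.add("winlogon-notify outside system32")
        if len(load_points[path]) > 1:
            reasons.add("multiple load points: " + ",".join(sorted(load_points[path])))
    return {p: sorted(r) for p, r in findings.items() if r}


def rank(findings):
    """Paths ordered by number of independent reasons, most suspicious first."""
    return sorted(findings, key=lambda p: (-len(findings[p]), p))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in rank(result):
        print(path)
        for reason in result[path]:
            print("    -", reason)
```

On the sample, antimsvc.dll is the only path that trips both rules; NavShExt.dll is reported only for its BHO+toolbar pair, and igfxsrvc.dll is not reported at all, matching the thread's eventual conclusion about the Intel graphics DLL.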

goofball
Aug 29th, 2005, 12:05 PM
I knew I had seen this problem before. It was a complete nightmare to get rid of.

Ok, here is what you will need to do

-boot into safe mode.
-disable system restore
-kill explorer.exe using task manager
-using task manager, do a File -> run

regsvr32 C:\WINDOWS\repair\antimsvc.dll /u
regsvr32 C:\WINDOWS\SYSTEM32\igfxsrvc.dll /u

-next, run regedit, find the folders (branches) that contain the same names (do an F3, search) and delete them
-restart explorer.exe from the File -> run.
-find those files and delete them
-reboot back into safe mode, rescan with Hijack This, see if the entries are still there.
-if clean, re-enable system restore and create a restore point asap.

TheHans
Aug 29th, 2005, 01:35 PM
I knew I had seen this problem before. It was a complete nightmare to get rid of.

Ok, here is what you will need to do

-boot into safe mode.
-disable system restore
-kill explorer.exe using task manager
-using task manager, do a File -> run

regsvr32 C:\WINDOWS\repair\antimsvc.dll /u
regsvr32 C:\WINDOWS\SYSTEM32\igfxsrvc.dll /u

-next, run regedit, find the folders (branches) that contain the same names (do an F3, search) and delete them
-restart explorer.exe from the File -> run.
-find those files and delete them
-reboot back into safe mode, rescan with Hijack This, see if the entries are still there.
-if clean, re-enable system restore and create a restore point asap.


Hi,

By "kill explorer.exe," are you referring to the iexplore.exe for the Internet Explorer from the processes area of the Task Manager?

The Hans

computer01
Aug 29th, 2005, 01:51 PM
Hi,

By "kill explorer.exe," are you referring to the iexplore.exe for the Internet Explorer from the processes area of the Task Manager?

The Hans

No, explorer.exe

iexplore.exe is Internet Explorer
explorer.exe is Windows Explorer, the shell that Windows uses.

Once booted into Windows, press Ctrl-Shift-Esc to bring up taskman. Find explorer.exe on the processes tab, click on it and click on end process.

CompuNurd
Aug 29th, 2005, 02:12 PM
Have you used the Free Scan Services of TrendMicro (http://housecall.trendmicro.com/)? I had the same problem with a client's computer and TrendMicro fixed it. Just make sure you de-activate System Restore and clear your cookie cache under your IE options before you prompt TrendMicro to remove VirtuMonde.

blainehamilton
Aug 29th, 2005, 02:54 PM
Thanks for the tips, guys. I have to go back to a customer's house to finish removing this item; I could not get it off after 3 hours of trying.

This is no simple removal, so a simple scan with adaware, spybot, spysweeper and whatnot some of you are suggesting will not work. The product will be there upon next reboot, along with the ads.


I'll post with the results.

TheHans
Aug 29th, 2005, 03:03 PM
Thanks for the tips, guys. I have to go back to a customer's house to finish removing this item; I could not get it off after 3 hours of trying.

This is no simple removal, so a simple scan with adaware, spybot, spysweeper and whatnot some of you are suggesting will not work. The product will be there upon next reboot, along with the ads.


I'll post with the results.

Hi,

Are you having the same problem as me? If you have success removing it, definitely let me know.

The Hans

TheHans
Aug 29th, 2005, 03:35 PM
No, explorer.exe

iexplore.exe is Internet Explorer
explorer.exe is Windows Explorer, the shell that Windows uses.

Once booted into Windows, press Ctrl-Shift-Esc to bring up taskman. Find explorer.exe on the processes tab, click on it and click on end process.

Hi,

Thanks for clarifying. I just wanted to make sure.

The Hans

TheHans
Aug 29th, 2005, 03:37 PM
Have you used the Free Scan Services of TrendMicro (http://housecall.trendmicro.com/)? I had the same problem with a client's computer and TrendMicro fixed it. Just make sure you de-activate System Restore and clear your cookie cache under your IE options before you prompt TrendMicro to remove VirtuMonde.

Hi,

I tried Trend Micro, actually. It didn't find it. Only the ewido security suite software (and their online scanner) found it. But the software couldn't get rid of it even though it said it had. Details in the initial post.

The Hans

Madcatmk2
Aug 29th, 2005, 05:03 PM
You could try kaspersky anti virus: http://www.kaspersky.com/
Or Spy sweeper (http://www.webroot.com/) trials.


Thanks for the tips, guys. I have to go back to a customer's house to finish removing this item; I could not get it off after 3 hours of trying.

This is no simple removal, so a simple scan with adaware, spybot, spysweeper and whatnot some of you are suggesting will not work. The product will be there upon next reboot, along with the ads.


I'll post with the results.

Can I have a sample, please?

TheHans
Aug 30th, 2005, 08:36 PM
I knew I had seen this problem before. It was a complete nightmare to get rid of.

Ok, here is what you will need to do

-boot into safe mode.
-disable system restore
-kill explorer.exe using task manager
-using task manager, do a File -> run

regsvr32 C:\WINDOWS\repair\antimsvc.dll /u
regsvr32 C:\WINDOWS\SYSTEM32\igfxsrvc.dll /u

-next, run regedit, find the folders (branches) that contain the same names (do an F3, search) and delete them
-restart explorer.exe from the File -> run.
-find those files and delete them
-reboot back into safe mode, rescan with Hijack This, see if the entries are still there.
-if clean, re-enable system restore and create a restore point asap.

Hi,

I haven't started this fix yet as I first wanted to ask about something. I'm under the impression that the igfxsrvc.dll file is something that I want. Not Adware or something. Because my husband and I have identical computers and he has that file, but no Adware problem. Plus it seems to be associated with Intel somehow.

Also, I found the antimsvc file in this area of the registry:

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5603

This is an area (the 5603) that my husband's computer doesn't have at all. Inside it are the following data items:

cidrules.dll
windowsupd2.exe
antimsvc
serviceintelligence
winfixer
update


I know antimsvc is no good. I know I've had a problem with winfixer popups, and winfixer is there. Also, I'm sure I read that windowsupd.exe is an Adware-related file. So I'm certainly suspicious of windowsupd2.exe. I'm not certain what update or cidrules.dll is for. And I know what serviceintelligence *is*, but I have no idea why it would be potentially associating itself with Adware. And it could go if necessary.

So, I guess what I'm asking is: Is it possible that there's a revised set of instructions for ending my problem? It just seems like there's one thing I shouldn't be getting rid of, but other things I *should* be getting rid of. Any ideas?

The Hans

goofball
Aug 31st, 2005, 06:04 AM
HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5603

This is an area (the 5603) that my husband's computer doesn't have at all. Inside it are the following data items:

cidrules.dll
windowsupd2.exe
antimsvc
serviceintelligence
winfixer
update



The Hans

that is where your winfixer problems are. it's also possible that it's under the hkey_current_user section as well.

do you have onboard video? If so, then don't do anything with igfxsrvc.dll.

really gotta start asking people to post their system specs.

TheHans
Aug 31st, 2005, 04:10 PM
that is where your winfixer problems are. it's also possible that it's under the hkey_current_user section as well.

do you have onboard video? If so, then don't do anything with igfxsrvc.dll.

really gotta start asking people to post their system specs.

Hi,

It's fine, not your fault or anything. We do have the on-board video, by the way. It's up to me to check out what you say before I do anything. You're dealing with limited information regarding my computer, after all.

I do have another question. And it might seem dumb to registry experts but...Regarding this registry key I already mentioned with the offending file:

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5603

That has inside the following items:

cidrules.dll
windowsupd2.exe
antimsvc
serviceintelligence
winfixer
update

Why can't I just get rid of this entire 5603 folder? I know this might sound like a dumb question, like I said. But it seems to me that all my problems are in this 5603 folder and, additionally, my husband's computer, which is the same as I said, doesn't have this folder *at all* and his seems to work just peachy without it. I guess the registry just doesn't work like that?

The Hans

goofball
Aug 31st, 2005, 05:17 PM
Hi,

It's fine, not your fault or anything. We do have the on-board video, by the way. It's up to me to check out what you say before I do anything. You're dealing with limited information regarding my computer, after all.

I do have another question. And it might seem dumb to registry experts but...Regarding this registry key I already mentioned with the offending file:

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5603

That has inside the following items:

cidrules.dll
windowsupd2.exe
antimsvc
serviceintelligence
winfixer
update

Why can't I just get rid of this entire 5603 folder? I know this might sound like a dumb question, like I said. But it seems to me that all my problems are in this 5603 folder and, additionally, my husband's computer, which is the same as I said, doesn't have this folder *at all* and his seems to work just peachy without it. I guess the registry just doesn't work like that?

The Hans

you can if you want. I don't see why you couldn't. have you tried just deleting the whole branch?

what you should be doing though, is noting where the file locations that it mentions are (there should be values that tell you where and which file it is loading), and delete the files as well, if you can find them.

TheHans
Aug 31st, 2005, 05:55 PM
you can if you want. I don't see why you couldn't. have you tried just deleting the whole branch?

what you should be doing though, is noting where the file locations that it mentions are (there should be values that tell you where and which file it is loading), and delete the files as well, if you can find them.

Hi,

We actually haven't deleted anything yet. We've also been in touch with ewido, as their software (as per your suggestion) originally found the antimsvc.dll file, but couldn't delete it. They've instructed us on what to do (it involves Killbox and some new registry entries), but it will (presumably) only get rid of the antimsvc problem. Also, their instructions *don't* involve purging and disabling System Restore in advance, which surprises me a bit.

Except for the antimsvc.dll file, *none* of the other registry entries appear as files, not that I can find at least. They only appear as the registry entries. What I did discover is this other key:

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5604

Which is the same as the other, except the end of the branch is "5604" instead of "5603." It also includes this:

cidrules
winfixer

Can you tell me, what could happen if we deleted both 5603 and 5604? We're backing up the registry before we do any of this. But I have to wonder...

When you talk about deleting the whole branch, you mean from what point exactly? You mean the entire

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5604

Thanks again for all your help, by the way.

The Hans

goofball
Aug 31st, 2005, 06:03 PM
Can you tell me, what could happen if we deleted both 5603 and 5604? We're backing up the registry before we do any of this. But I have to wonder...

When you talk about deleting the whole branch, you mean from what point exactly? You mean the entire

HKEY_USERS\S-1-5-21-1475890271-2665944409-2024770282-1006\Software\Microsoft\Search Assistant\ACMru\5604

Thanks again for all your help, by the way.

The Hans

delete it from the ACMru point.