weirdness

filmy wrote on 1/17/2005, 9:54 AM
Well - has anyone been having unexplained weirdness happening with Vegas? It has been running fine but all of a sudden today I open it and:

1> No capture/output device. Suddenly my firewire card is not reading my deck. Short story I just moved it over to the onboard firewire and it works fine.

2> in VidCap ShuttleXpress no longer works.

3> Opening Vegas returned an error for Adobe's Sound Manager. As Vegas opens I get a message, an Adobe pop up, about the fact I won't be able to capture any audio and that I need to check my settings in Vegas and check the Adobe Sound Manager settings. Now I dunno about anyone else but I have *NEVER* gotten any error like this before...on any program.

4> Using ShuttleXpress in Vegas causes it to lock up and crash.

Now before anyone asks - no I did not just install Premiere Pro or Audition or anything else. I did just update Acrobat however - but why that would change anything audio/video wise as it relates to Vegas I don't know. Likewise I also don't know why that would affect ShuttleXpress or my firewire card.

ADDON - I just found this weird menu in explorer that has XXX links and such - seems that yesterday a program called IESearchToolbar was installed on my system, unknown to me. I did an uninstall, rebooted...and it was there again. So I did a search and came up with this: http://www.scanspyware.net/info/IESearchToolbar.htm and did a manual uninstall. I don't know if this had anything to do with the weirdness or not and I don't know how this got downloaded and installed on my system between firewall and virus protection. Scary.

Comments

Spot|DSE wrote on 1/17/2005, 10:26 AM
Acrobat has audio drivers in it now, and the AWE drivers installed with it are known issues. I'm on a slow dialup, so you'll have to search Adobe's FAQs, but it's come up in a few forums already.
Photoshop now uses AWE drivers too, some folks have reported problems with apps.

filmy wrote on 1/17/2005, 11:15 AM
Thanks Spot - I will look into this. But I also have found all these new little things running that I have never seen before - see my post above for the "addon" for one of them - but since getting rid of this I also found all these running processes that I have no idea about, and mostly cannot find anything on -

sys5435.exe <<<== (Reg Setting under "MDS Search Booster")
sys5318.exe
sys543.exe
init32m..exe

(EDIT - HOLY ****!!! I am looking in my system - there are like 50 files, all dated today - that start with sys and end with a number - sys024.exe, sys025.exe, sys046.exe and so on. I find no info on these, I find no install info on these - I certainly did not install anything over the last few hours, and they start at 11am)

Any idea on this? Checking the firewall log I see that my system has tried to connect to (and attempted access from):
============
McAfee Visual Trace Version 3.27 Results
Target: 64.154.80.250
Date: 1/17/2005 (Monday), 2:09:03 PM
Nodes: 22


Node Data
Node Net Reg IP Address Location Node Name
22 1 - 64.154.80.250 San Diego


Packet Data
Node High Low Avg Tot Lost
22 95 95 95 1 0


================

And my system has also attempted to access:


===============
McAfee Visual Trace Version 3.27 Results
Target: 61.135.142.78
Date: 1/17/2005 (Monday), 2:11:34 PM
Nodes: 26


Node Data
Node Net Reg IP Address Location Node Name
26 1 - 61.135.142.78 BEIJING (PEKING)


Packet Data
Node High Low Avg Tot Lost
26 316 316 316 1 0



===============


Anyone have any ideas about all of this now? All of this since yesterday. Not installed anything new. (Well I did install the SP2 updates - not the update *to* SP2 but the updates *for* SP2 last week) I don't get any email on this system. Virus scan comes up clean. This all seems to be Java related - like all of this was installed via some website yesterday.

filmy wrote on 1/17/2005, 11:26 AM
>>>Acrobat has audio drivers in it now, and the AWE drivers installed with it are known issues. I'm on a slow dialup, so you'll have to search Adobe's FAQs, but it's come up in a few forums already.<<<

I am searching right now - so far nothing comes up by searching for "AWE" under Acrobat. Searching for "Vegas" returns one thread but there is no mention of Vegas in the thread, so I am not sure why it even comes back as a hit.

Searching the knowledge base for various items returns:
Your search - AWE "Acrobat" - did not match any documents.

Your search - Sony Vegas "Acrobat" - did not match any documents.

Searching for "audio" returns items but not anything that relates to Vegas or AWE.

So where did you find the info? Or what did you search for?

mcgeedo wrote on 1/17/2005, 12:26 PM
You have a serious infestation of adware/spyware. Download and use Ad-Aware and SpyBot. Make sure that you get Ad-Aware, not adware. I also recommend HiJackThis and CWShredder. I also recommend using Firefox instead of Internet Explorer.

I keep my edit machine off the internet for just these reasons.

Good luck,
-Don

filmy wrote on 1/17/2005, 12:42 PM
Thanks - already ran Ad-Aware and it isn't found. HijackThis returns lots of bogus info, none on the mentioned files. I think this is something brand new, namely because of the dates on the files. See my other thread on this for more info.

busterkeaton wrote on 1/17/2005, 1:42 PM
Remember, Ad-Aware and Spybot Search and Destroy should be run in Windows Safe Mode.

Also I believe they recommend turning off System Restore, until you are sure that the Spyware is gone.

The files that you talk about may be the symptoms and not the disease. Some spyware has a hidden file that launches other files. I have had a problem where my firewall catches a file called "abcd.bat" and if you go and delete that file, the next day a file like "efgh.bat" is created and launched. It makes it very hard to find the original cause.

If you find that Ad-Aware or Spybot cannot delete a file they find because it is protected, there is a program called killbox that will delete files on the next relaunch before they load themselves at startup.

filmy wrote on 1/17/2005, 1:57 PM
I ran it from a rescue disk (made with BartPE) so all hard drives are running free, so to speak. The OS is on the CD so any files being scanned on the C drive are not being used.
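
Added example (not posted by anyone in this thread): a small triage script for the pattern described above, where dozens of `sys<number>.exe` files appear within hours and deleting one does not stop new ones from being dropped. It groups files by name stem and flags any stem with a burst of numbered files inside a time window. The regex, thresholds, function names and sample timestamps are assumptions made for illustration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed naming pattern: short alphabetic stem + digits, e.g. sys5435.exe
NAME_RE = re.compile(r"^([a-z]{2,8})(\d{2,6})\.(exe|bat|dll)$", re.I)

def scan_dir(path):
    """Return (filename, mtime) pairs for regular files in one directory."""
    with os.scandir(path) as it:
        return [(e.name, datetime.fromtimestamp(e.stat().st_mtime))
                for e in it if e.is_file()]

def find_dropper_bursts(entries, window=timedelta(hours=24), min_files=5):
    """Flag stems with >= min_files numbered siblings written within `window`."""
    by_stem = defaultdict(list)
    for name, mtime in entries:
        m = NAME_RE.match(name)
        if m:
            by_stem[(m.group(1).lower(), m.group(3).lower())].append((mtime, name))
    findings = []
    for (stem, ext), files in by_stem.items():
        files.sort()
        start, best = 0, (0, 0)
        for end in range(len(files)):  # sliding window over sorted mtimes
            while files[end][0] - files[start][0] > window:
                start += 1
            if end - start + 1 > best[1] - best[0]:
                best = (start, end + 1)
        burst = files[best[0]:best[1]]
        if len(burst) >= min_files:
            findings.append({"stem": stem, "ext": ext, "count": len(burst),
                             "first": burst[0][0], "last": burst[-1][0],
                             "names": [n for _, n in burst]})
    return findings

# Constructed sample listing: names follow the thread, timestamps are invented.
T0 = datetime(2005, 1, 17, 11, 0)
SAMPLE = [("notepad.exe", datetime(2004, 8, 4, 12, 0)),
          ("sysedit.exe", datetime(2004, 8, 4, 12, 0)),
          ("sys001.exe", datetime(2003, 3, 1, 9, 0))]  # old file, outside burst
SAMPLE += [(f"sys{n:03d}.exe", T0 + timedelta(minutes=i))
           for i, n in enumerate([24, 25, 46, 318, 435, 543])]

if __name__ == "__main__":
    for f in find_dropper_bursts(SAMPLE):
        print(f"{f['stem']}*.{f['ext']}: {f['count']} files, "
              f"{f['first']} .. {f['last']}")
```

On a real system, pass `scan_dir(...)` output for the directory of interest; the earliest timestamp in a burst is the point from which to look for whatever launched the drops, since modification times on the dropped files themselves can be altered.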