Transition for a recently discovered worm-virus?

Hi,

For a month I was certain that there was some type of cyclic syndrome taking place on my computer. It seemed that a number of files were being replaced on a weekly basis related to Windows IE6Sp1. As I suspected that this was taking place I decided to completely re-install my IE6Sp1 & Directx9b files every Sunday afternoon, for that was when the cycle seemed to be repeating. Confirmation of this syndrome was reported recently on some security sites.

Today I discovered 2 new items. One was that my pop3 server information had been replaced by a new domain in the 207 area, and my pop3 address had been given an additional extended suffix address simular to the original actual pop3 address. Of course I corrected that. It suggested to me that someone was possibly preparing my Outlook Express pop3 account to be used as some type of access point to my computer or at the least my pop3 mail account.

In addition to this, by deleting settings in my Sygate Firewall and watching very carefully the requests to connect to the web, I have today become aware of a situation in which dual connection points from my IE6sp1 setup program, Outlook Express and other programs in Windows have been requested. One connection would be a legitimate domain (Microsoft.ctrl.com ?: <I may have that figure wrong, this is from memory> ) and another would also be requested for the same device to a 600 domain address. Being as all of these devices were legitimate devices being used at the moment to perform an action on my computer, I had previously let them go, but no more! I'm certain that others in their haste would likely also let the illegitimate connection take place as well.

I am seeing this in my mind as a transition hyjack attempt which could be an extension of the weekly problem which I mentioned earlier in this comment. It is as if the discovery of the original method to hyjack Windows systems had brought about what you might call "hyjack scenario 2". I would be interested in whether anyone might have further insight on this scenario (perhaps better informed than my own) or simular experiences. From my point of view (which may simply be ignorant to information previously published) I am tracking a ongoing worm-virus phenomenom.

Anyone?