My parents complained to me that their computer (running NOD32 3.0.621 or .642 (can't remember which, I've since upgraded them to .669)) was giving weird popups. When I took a look there was something that kind of looked like Norton Antivirus claiming it found a bunch of viruses. Really, this was something called "AV2009" which looks like some kind of trojan pretending to be an antivirus program. It managed to put some convincing Windows Security Center icons in the system tray (which gave different results to the real Security Center launched from the control panel). It also seemed to remove the NOD32 icon from the tray, although NOD32 appeared to be loaded based on a process in the task manager.

When I looked at the NOD32 log, it appeared to catch a file created by av2009.exe. Here's the log entry:

"21/07/08 7:37:14 AM Real-time file system protection file C:\WINDOWS\system32\scui.cpl Win32/Adware.XPAntivirus application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Antivirus 2009\av2009.exe."

I did save a copy of the av2009.exe file I found. I then proceeded to restore their system from a backup to get rid of the infection.

As usual, I'm concerned that NOD32 seems to have detected the virus, yet failed to allow the virus to run. It's also concerning that if I do an on-demand scan of av2009.exe, NOD32 does not identify it as a virus. In fact, when I submitted it to virustotal, only 1 scanner identified it as a fake antivirus tool. So it seems like NOD32 detects at least one file created by av2009.exe, yet not av2009 itself. What's the deal with that?

I'm also concerned about how this got on their system at all. I've trained them not to open random e-mail attachments. They are using an old e-mail client (Eudora Mail - the last version before it was abandoned by Qualcomm). Is there any way this could launch automatically using some known exploit allowed by Eudora? Is it time I force them to switch their client?

Thanks.