TIBS? Start.chm? Access.exe? Hey all, Something isn't right here. I've been hit with that mkstore problem that auto-executes rubbish on your system. Except this one just won't go away. You know the problem I'm talking about, so let me get right to it. First, I think creating a write protected 0 byte start.chm file prevents the thing from "infecting" your machine, but not running access.exe - killing the access.exe task prevents it from coming back. Second, I've seen a new variant of this which runs a cmd.exe that takes 100% cpu - killing that solves the problem. In brief. I've run ad-aware, spybot and hijack this. I know what I'm doing and the hijack this output shows nothing unusual. I tried to procdump the exe and disassemble it, but all I got was a load of garbage. I haven't tried softice on it yet. Does anyone know exactly how to confirm whether this thing is still on my machines, or whether it's just coming back when I'm browsing sites? If I know it's not there then I can at least start from a "known good" point when hacking it apart. An observation... It seems to return shortly after I go to EBay, which is somewhat interesting. Also if you boot up, use the system normally but don't run IE, the spyware doesn't start which leads me to believe it's either some cleverly hidden browser hook (which I really doubt), it's a hidden task that waits for iexplore.exe to load (which is possible, if the footprint is small enough the process won't show up), or it's coming back when browsing to a website. Any help on confirming it's not on my system is appreciated. Then I'll attack this little POS with my trusty copy of wdasm... Rule #1 for whatever idiot wrote this, never annoy a coder.