This is bugging the hell out of me, I've cleaned a PC twice now, gone into the registry totally removed OpaServ and all it's variances through the following; 1. Disconnected computer from the Internet and LAN. 2. Booted to safe mode 3. Ran both of the NOD32 Opaserv cleaners from http://www.nod32.com.au 4. Checked win.ini for any unusual references after run= 5. Check registry and delete the values: ScrSvr %windir%\ScrSvr.exe and ScrSvrOld <original worm name> from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6. Manually search for and delete the files ..... scrsvr.* brasil.* marco*.* put.ini alevir.* This time around I put on Sygate as the firewall, rescaned with Nod32, it came up all clean. My Question to the Eset Team: Why is Nod32 allowing reinfection and changes to the registry to occur. Nod32 deletes the inffection upon detection, but still allows the registry to be altered, thus upon reboot heaps of messages appear: missing brasil... missing put.ini...etc, etc. I have told this person to stop using webmail and use a pop3 account that I have set up. Your help would be appreciated, I simply do not understand why Nod32 is allowing part of the virus to get past... Cheers.