Annoying Pop up problem


TigaSefi
18-06-2004, 10:17
I have a popup problem: whenever I have IE open at work, a pop-up opens every 30 secs and it's so annoying. The advert says "You have been awarded a polyphonic ring tone" and it's in garish yellow. I tried Ad-Aware and emptying all of the internet temp files. Anywhere else I should look? The Google toolbar pop-up stopper doesn't even see it.

danielf
18-06-2004, 10:48
Try Spybot Search & Destroy. It seems to complement Adaware.

If the problem persists, you could try HijackThis, and post the log file here. Someone will probably be able to tell you what to get rid of on the basis of that log.

TigaSefi
18-06-2004, 11:14
Ran Spybot 1.3 and it still appears. Also I got this file flagged as infected and removed by the workstation virus scanner: C:\WINNT\polall1t.exe => polall1t.exe. There was also another one as Onspzzz.exe ?? The spelling may not be entirely correct.

Edit: According to the log, it is onpzzs.exe

danielf
18-06-2004, 11:21
I'm afraid I can't be much help there, but, like I said earlier, try HijackThis (http://www.spychecker.com/program/hijackthis.html) and post the log here. I'm sure somebody will be able to give advice.

TigaSefi
18-06-2004, 11:24
I found out that they are all part of a trojan. So I am just following some guidance from other sites. Thanks

TigaSefi
18-06-2004, 11:42
Here are the logs with a few edits.

Logfile of HijackThis v1.97.7
Scan saved at 11:49:09, on 18/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\NWTRAY.EXE
C:\WINNT\system32\automove.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINNT\system32\MAPISP32.EXE
C:\WINNT\system32\ntvdm.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\SCtemp1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arena.xxxxxxxxx.org.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.arena.xxxxxxxxxx.org.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = xxx.xxx.x.x:80
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINNT\system32\IEEnhancer.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http:\\www.arena.xxxxxxxxx.org.uk
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38063.3061689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxxxxx.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{62FB587F-9903-412B-B2BF-BAE317CF1019}: NameServer = xxx.xxx.x.x,xxx.x.x.x
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxxxxxx.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxxxxxxx.local

danielf
18-06-2004, 12:04
It's best to wait for someone who knows what he/she is talking about, but I think this entry looks dodgy:

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
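
As an added example (not code from this thread or from HijackThis), here is a small Python script that does the triage danielf is doing by eye: it parses the O2 (BHO) and O4 (Run key / startup folder) lines of a HijackThis log and reports every entry that is not in a baseline taken from a known-clean workstation of the same build, noting when the flagged file lives in system32. The sample log lines are copied from the log posted above; the BASELINE set and the system32 heuristic are assumptions for the example, not anything the thread establishes.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINNT\system32\IEEnhancer.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\system32\SWin32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\system32\automove.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
"""

# ASSUMED baseline: the (section, identifier) pairs a clean workstation of the same
# build is expected to show. In practice this is exported from a known-clean machine,
# not typed by hand; it is constructed here only so the example runs offline.
BASELINE = {
    ("O2", "{AA58ED58-01DD-4D91-8333-CF10577473F7}"),   # Google Toolbar BHO
    ("O4", "HKLM\\..\\Run\\Synchronization Manager"),
    ("O4", "HKLM\\..\\Run\\IgfxTray"),
    ("O4", "HKLM\\..\\Run\\HotKeysCmds"),
    ("O4", "HKLM\\..\\Run\\NWTRAY"),
    ("O4", "HKCU\\..\\Run\\MsnMsgr"),
    ("O4", "Global Startup\\Microsoft Find Fast.lnk"),
}


@dataclass(frozen=True)
class Entry:
    kind: str    # HijackThis section: "O2" (BHO) or "O4" (autostart)
    ident: str   # stable identifier compared against the baseline
    target: str  # file the entry loads or runs
    raw: str     # original log line, kept for reporting


BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\[A-Za-z]+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<lnk>.+?) = (?P<path>.+)$")


def executable(cmd):
    """Return the program part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def parse(log_text):
    """Extract BHO and autostart entries; every other HijackThis line is ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            # CLSIDs are compared case-insensitively, so normalise to upper case.
            entries.append(Entry("O2", "{" + m["clsid"].upper() + "}", m["path"], line))
        elif m := RUN_RE.match(line):
            entries.append(Entry("O4", m["key"] + "\\" + m["value"], executable(m["cmd"]), line))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("O4", m["folder"] + "\\" + m["lnk"], m["path"], line))
    return entries


def triage(log_text, baseline):
    """Return [(entry, reasons)] for every entry that is not in the baseline."""
    findings = []
    for e in parse(log_text):
        if (e.kind, e.ident) in baseline:
            continue
        reasons = ["not in baseline"]
        if e.kind == "O2" and "(no name)" in e.raw:
            reasons.append("BHO registered without a name")
        # Heuristic (assumption): adware of this era often dropped loaders straight
        # into the Windows system directory, as automove.exe was in the thread.
        if "\\system32\\" in e.target.lower():
            reasons.append("file lives in system32")
        findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG, BASELINE):
        print(f"{entry.raw}\n    -> {', '.join(reasons)}")
```

Run against the sample it reports the two unnamed BHOs loading from system32 and the [Adstartup] Run value for automove.exe, and stays quiet about the Google Toolbar and the other autostarts that the baseline covers. The useful part is the baseline diff: a HijackThis log from a managed workstation should differ from the clean image by very little, and anything that differs is what to look up.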

TigaSefi
18-06-2004, 12:10
Indeed it does :D.... I had a look in google, time to remove it :D

http://www.computercops.biz/check49666previous.html

Doesn't seem to be removed that easily. So far I removed it from startup in the registry and everywhere else I could find, and I removed it from the C:/winnt/system32 folder along with other related stuff, and it still appears.

EDIT: 1pm, finally it's all gone.... hehe.... damn hard thing to get rid of.