HijackThis log from May 28 2006
-
Re: HijackThis log from May 28 2006
Neal
OK. I did not want to install another AV program. I have Kaspersky AV. I searched for other rootkit detectors.
I ran F-Secure BlackLight (nothing found), and I ran IceSword but am not sure how to use it yet.
I ran Rootkit Revealer and it found these entries in the Registry.
HKLM\SOFTWARE\KasperskyLab\AVP6\profiles\Anti_Hacker\profiles\fw\settings\KnownNetworks\0000\IP 6/19/2006 6:08 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates\034C4A4A23F736BD40410D0737BE55BEBB376461\Blob 6/19/2006 7:04 PM 1.23 KB Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 5/5/2006 3:50 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\PdmHist\d24.3BDE778601C693F5.history\00000000.bak 6/19/2006 7:10 PM 3.67 MB Hidden from Windows API.
-
Well, I'm at a loss, but I did come up with this. Try it and see if it stops that.
Click Start
Click Run
Type in services.msc
Click OK
Locate and click the Messenger service.
Right-Click on it and choose Properties.
Change the Startup type to DISABLED.
Click STOP
Click OK
If that doesn't work, for giggles and grins do this:
Download the Registry Search Tool from here:
http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip
Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)
In the dialog that opens enter the following:
rclean.com
Press 'OK'
The search will run for a while then alert you when it is finished.
Press 'OK' and copy the contents of the WordPad window and post in this thread.
-
Neal
I already had the Messenger service disabled a long time ago.
The Registry Search Tool did not find anything.
I guess it doesn't matter that the Messenger service is disabled; I'm still getting those messages from
the KL Dump tool on port 1026, even after all I have done. Nothing I have found will block it.
Thank you for your help.
Rick