"Wot a World" <WWW@invalid.invalid> wrote in message
news:<ku3j51pfhrmarq01m1c48513t8ih0cinpj@4ax.com>. ..


** CLIP **

> Try using Autoruns from www.sysinternals.com to see what's really
> happening.
>
> Windows closes applications by sending them a WM_CLOSE message. It's
> trivial for a program to respond to this message with "ok, closing"
> and then spawn a new copy of itself with a new executable name. This
> is clearly malware.

Thanks! Think I solved my problem with your help.. they had buried another
application under the currentversion\winlogon\shell reg key that the
Autoruns program revealed. That program would startup the bad exe. That was
their failsafe to me disabling all rights on the currentversion\run reg
folder.

I do have to say that was one hell of a hack they came up with.. enough to
burn most of my afternoon :-)