Upon viewing CWShredder, two CWS files, CWS.alfasearch and CWS affiliate: Winshow, constantly reappear, even after reboot. I would like help to fix my comp, here is my HijackThis log: Logfile of HijackThis v1.97.7 Scan saved at 1:34:01 AM, on 1/19/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.exe C:\WINNT\system32\conime.exe C:\PROGRA~1\PESTPA~1\ppmemcheck.exe C:\Program Files\PestPatrol\PPControl.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\WINNT\system32\internat.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Documents and Settings\Ramza\¹ÙÅÁ È­¸é\HijackThis.exe O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKCU\..\Run: [Internat.exe] internat.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - Startup: NTUSER.DAT O4 - Startup: ntuser.dat.LOG O4 - Startup: ntuser.ini O4 - Startup: ShareReactor - View topic - Korean Movie Collection (8-09-03).htm O4 - Global Startup: ntuser.pol O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM (HKLM) O9 - Extra button: FlashGet (HKLM) O9 - Extra 'Tools' menuitem: &FlashGet (HKLM) O15 - Trusted Zone: http://free.aol.com O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {103322A9-198F-4CAA-9EAD-2213170F3314} (GTLaunch Class) - http://www.gameting.com/download/GTLauncher.CAB O16 - DPF: {13F5D028-B4B6-4FA0-ACE6-0549DDC9056E} (GTLaunch Control) - http://www.gameting.com/server/GTLaunch.cab O16 - DPF: {14399F4E-7698-468C-B988-66486085A306} (HgbLauncher Class) - http://down.hangame.com/iservice/messenger/inst/ver1011/launcher.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} - http://www.adultoweb.com/dialershtml/dialerweb.cab O16 - DPF: {3283DF90-1733-4A79-B1F5-2D05A8E4D448} (HanGamePlugin15 Class) - http://down.hangame.com/dist/activex/HanGamePlugin15.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB O16 - DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} (MaxisMakinMagicTeleX Control) - http://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab O16 - DPF: {4BC4C3E9-2BBB-4F28-A449-D25CD323109B} (HGAgentClient Control) - http://bar.hangame.naver.com/bar/HGAgentClient.cab O16 - DPF: {72ED8878-6E16-4EA1-BDD6-3B21EF676E45} (CVTrace Control) - http://www.seevideo.co.kr/pub/cvideox/trace/cvtrace.cab O16 - DPF: {956C9F5B-0EEB-41B5-9D7B-FAD968AF9469} (HanGamePlugin13 Class) - http://down.hangame.com/dist/activex/HanGamePlugin13.cab O16 - DPF: {9699ACAA-934A-4156-A73E-76D004A55B8E} (InlivePlayer Control) - http://cmnt.inlive.co.kr/inlive_player/InlivePlayer.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37731.917650463 O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab O16 - DPF: {BF22698D-3BED-4CB0-BA3A-64534FBC32B1} (SVWebPlayer Control) - http://www.seevideo.co.kr/pub/seevideo2002/SVWebPlayer.cab O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {ED1EEBEE-F0AA-474B-9829-61C482E72644} (PDBox25 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox25.cab O16 - DPF: {F256FF53-8057-4F7E-996B-963E27CE5EA1} (PdBox2 Control) - http://www.pdbox.co.kr/filebox/ctrl_down/PDBox2.cab Please help if possible, thanks

I'd get rid of this one. O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - Do you know what these are? If so leave them alone. If you get rid of them, they'll be in the hjt backup file to restore. O4 - Startup: NTUSER.DAT O4 - Startup: ntuser.dat.LOG O4 - Startup: ntuser.ini O4 - Global Startup: ntuser.pol Did you put and does this belong in trusted zone? it may be ok O15 - Trusted Zone: http://free.aol.com Not familiar with aol. Frank

http://forums.spywareinfo.com/index.php?showtopic=28460&hl= Fix these and reboot O4 - HKCU\..\Run: [Internat.exe] internat.exe O15 - Trusted Zone: http://free.aol.com O16 - DPF: {2C1651EF-8827-11D6-91A2-00E02964E8E3} - http://www.adultoweb.com/dialershtml/dialerweb.cab O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplugin5094_hd3ptdmgainads.cab Delete internat.exe

Make sure you have the right one. Internat.exe is also used in startup for bilingual machines. The blue small square in the system tray where you can change the language you type in email messages, couldn't be displayed without enabling internat.exe. This applies to bilingual Windows only. And, to quote from the Symantec web site: " Please note that there is a legitimate Windows application called %windir%\%system%\Internat.exe. The Trojan file (also known as internat.exe) is 82.5 KB in length and uses a zip file icon. The "real" Internat.exe is generally about 20 KB in length with a "?" icon. Have a nice day. :) Trpm

Thanks for adding that Tprm, your time is welcome here.