I cannot get rid of cws.alfasearch/find4u hijacker. I have run ad-aware 6.181, spybot, cwshredder, regseeker, and hijackthis. Hijackthis log is below. Can someone please help me? Appreciate it.
(and I have deleted the find4u lines in HJT several times already).

Logfile of HijackThis v1.97.7
Scan saved at 3:29:54 PM, on 12/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Matthew Kirby\My Documents\Downloaded Applications\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Matthew Kirby\Desktop\Clean\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Matthew Kirby\My Documents\Downloaded Applications\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://mf.hud.gov:63001/CFIDE/classes/CFJava.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab

Have only hijackthis running while offline and check the following to fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.find4u.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find4u.net/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - (no file)
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - Global Startup: winlogon.exe
The following 2 files may be hidden; go to folder options in control panel and check "show hidden files and folders"
click apply
Click ok
Reboot to safe mode and delete the svchost.exe from: C:\windows\svchost.exe <-this file
If it still exists also delete the winlogon file from: C:\documents and settings\all users\start menu\programs\startup\winlogon.exe <-this file
Reboot to normal mode and post new log
There might be more...but that will start you off pretty good

have ht fix 04 below, along with your
http://www.find4u.net/sp.htm entries
O4 - Global Startup: winlogon.exe
then start up in safemode and delete this version of winlogon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
(and only delete that winlogon.exe, the other one is a valid windows file)
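
Both replies above turn on the same check: a core Windows file name (svchost.exe, winlogon.exe) loading from a folder where the real file does not live. The following is an added example, not part of the original thread, that applies the check to HijackThis process-list and O4 lines. The `EXPECTED_DIR` table assumes a default Windows XP install on `C:\WINDOWS`, and the sample lines are taken from the first log in this thread.

```python
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"

# Assumption: default Windows XP layout. Core binaries and the one
# directory each is expected to run from (compared in lower case).
EXPECTED_DIR = {
    "smss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "ctfmon.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}

# First full path ending in .exe on a line (arguments after it are ignored).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)
# "O4 - Global Startup: winlogon.exe": a bare executable dropped into a
# Startup folder rather than a .lnk shortcut pointing somewhere else.
STARTUP_BARE = re.compile(
    r'^O4 - (?:Global )?Startup: ([^\\=]+\.exe)\s*$', re.IGNORECASE)


def find_masquerades(log_text):
    """Return (file name, folder) pairs where a core Windows binary name
    is launched from somewhere other than its expected directory."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        bare = STARTUP_BARE.match(line)
        if bare:
            name, folder = bare.group(1).lower(), "<startup folder>"
        else:
            # Only process-list lines and O4 autostart entries carry a path.
            is_process = re.match(r"[A-Za-z]:\\", line) is not None
            if not (is_process or line.startswith("O4 ")):
                continue
            found = EXE_PATH.search(line)
            if not found:
                continue
            path = found.group(0).lower()
            name, folder = ntpath.basename(path), ntpath.dirname(path)
        expected = EXPECTED_DIR.get(name)
        if expected is not None and folder != expected:
            if (name, folder) not in findings:
                findings.append((name, folder))
    return findings


# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\WINDOWS\SVCHOST.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: winlogon.exe
"""

if __name__ == "__main__":
    for name, folder in find_masquerades(SAMPLE_LOG):
        print(f"{name} loads from {folder}")
```

The copies in `C:\WINDOWS\system32` pass the check, which matches the second reply's point that only the Startup-folder winlogon.exe should be deleted.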

I have been trying to recover from this find4u hijack myself, and this string has been very helpful. I have followed much of your advice and have deleted the bogus winlogon along with lines hijackthis found pointing to find4u, and I finally got find4u to stop popping up. I still see some things in my log that I am not sure of, like khooker.exe or AGRSMMSG.exe. Here is both my latest hijackthis log and my recent spybot log. Could you please tell me if anything still looks buggy? Thanks in advance, Robert

Logfile of HijackThis v1.97.7
Scan saved at 11:19:18 PM, on 12/14/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.exe
C:\Program Files\sony\giga pocket\usbsircs.exe
C:\Program Files\Sony\giga pocket\ReserveModule.exe
C:\Program Files\SSC\NSCTOP.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\sony\giga pocket\gps.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\PROGRA~1\Sony\GIGAPO~1\Sgpcom.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Robert Silva\Desktop\AntiSpyware\new hijack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://clinic.mcafee.com/clinic/vso/en-us/vso4/setexp.asp?register=yes&oemid=1794-656
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [VAIOSURVEY] C:\Program Files\Sony\VAIO Survey\SurveySA.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Giga Pocket Remocon Driver.lnk = ?
O4 - Global Startup: Timer Recording Manager.lnk = C:\Program Files\Sony\giga pocket\ReserveModule.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,71/mcinsctl.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37966.4526041667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

thanks www and blender...your advice worked.
hopefully that's the end of that debacle.
happy holidays!

mtk

Glad all worked well...now to help protect yourself from more of these problems.
2 small programs both free
Spyware blaster..needs regular updates and is designed to help protect your pc from that junk from installing in the first place by installing a "killbit" in the registry for known baddies.
Spyware guard...also periodically updated helps to monitor your start/home search pages in IE and will alert you if something attempts to change it...gives you the option to allow or block the change
spywareblaster
http://www.javacoolsoftware.com/spywareblaster.html
spyware guard
http://www.wilderssecurity.net/spywareguard.html
Click on the full set-up link at bottom of page
And for more info to help prevent future infections...
http://www.boards.cexx.org/viewtopic.php?t=957
Good luck and Happy Holidays.
