
Help needed with Peper Trojan


Name: boo-03
Date: January 25, 2004 at 12:53:42 Pacific
OS: Win2000
CPU/Ram: p3 512k
Comment:

I've gone to the "peperpage" and begun following the steps there.

I've completed the following.....

With regedit
I have removed the 14 character folder in the HKEY_LOCAL_MACHINES\Software
I have removed the line with 14 characters in the
HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run
I opened/refreshed regedit to make sure it was gone. (This took a couple tries but is now gone.)

Below is my HJT log

I found the run line but can't identify which file(s) in the top section need to be included when I run the drpeper script.

O4 - HKLM\..\Run: [2XNNA2A4XHTJ8Y] C:\WINNT\system32\Ryf9m24V.exe

I suspect it is either C:\WINNT\system32\BkdmI.exe or C:\WINNT\system32\Cmjy.exe, but would like confirmation and specific direction.

The other question I have is if I run HJT "Fix It", will that correct the problem or do I still have to run the drpeper script?

I do recognize there are other things I must get rid of based on the log but thought I'd tackle one at a time.

Any help would be much appreciated.


==========================
Logfile of HijackThis v1.97.7
Scan saved at 1:03:28 PM, on 1/23/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\system32\k9nt.exe
C:\WINNT\System32\NALNTSRV.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\dtmonx.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
C:\Program Files\Creative\SBLive2k\Program\CTAvTray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\MS Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive2k\Launcher\TaskGuide\updtray.exe
C:\Hpdesk\hppddir.exe
C:\HP 9100C\Link\hpnsjtr.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Palm\hotsync.exe
C:\WINNT\system32\BkdmI.exe
C:\WINNT\system32\Cmjy.exe
C:\Program Files\AproposClient\Apropos.exe
C:\SpywareCleanup\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive2k\Program\CTAvTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [qnwscript.exe] C:\WINNT\system32\qnwscript.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [2XNNA2A4XHTJ8Y] C:\WINNT\system32\Ryf9m24V.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [qnwscript.exe] C:\WINNT\system32\qnwscript.exe
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive2k\Program\CTAvStub.exe EAX.AVI
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: HP Digital Sender Link.lnk = C:\HP 9100C\Link\hpnsjtr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: PlaceWare Console: PWS-CC2K-3-2-6-h6a2t1 - http://www31.placeware.com/etc/pws/krm/lib/cc-full.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7879.2875462963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ec-evalssl.webex.com/client/v_eurek...ent/ieatgpc.cab
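As an added example (not part of the thread or of HijackThis), the following script applies the two checks the poster is doing by hand to a HijackThis v1.97-style log: it flags O4 Run values whose name is the 14-character random string the poster describes, and it lists processes running from system32 that have no O4 startup entry and are not in an assumed allowlist of core Win2000 processes. The log excerpt, the allowlist and the "random 14-character name" rule are constructed assumptions; a hit only narrows down what to look at, it does not prove a file is malicious.

```python
import re

# Constructed excerpt in the HijackThis v1.97 log layout from the post (not the full log).
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\svchost.exe
C:\\WINNT\\system32\\atiptaxx.exe
C:\\WINNT\\system32\\BkdmI.exe
C:\\WINNT\\system32\\Cmjy.exe

O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [2XNNA2A4XHTJ8Y] C:\\WINNT\\system32\\Ryf9m24V.exe
O4 - HKCU\\..\\Run: [qnwscript.exe] C:\\WINNT\\system32\\qnwscript.exe
"""

# Assumed allowlist: core Win2000 processes that legitimately run from system32 without a Run entry.
CORE_NT = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "regsvc.exe", "mstask.exe", "winmgmt.exe"}

O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RANDOM14_RE = re.compile(r'^[A-Z0-9]{14}$')  # the "14 character" Run value name the post describes

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def exe_from_cmd(cmd):
    """Executable basename from an O4 command line, handling quoted paths and trailing switches."""
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return basename(path)

def triage(log_text):
    """Return (suspicious Run values, system32 processes with no Run entry that are not core NT)."""
    procs, started_by_o4, suspicious, in_procs = [], set(), [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and line.strip():
            procs.append(line.strip())
        elif in_procs:
            in_procs = False          # blank line ends the process list
        elif (m := O4_RE.match(line)):
            started_by_o4.add(exe_from_cmd(m.group("cmd")))
            if RANDOM14_RE.match(m.group("name")):
                suspicious.append((m.group("name"), m.group("cmd")))
    orphans = [p for p in procs if "\\system32\\" in p.lower()
               and basename(p) not in CORE_NT and basename(p) not in started_by_o4]
    return suspicious, orphans
```

On the constructed excerpt, `triage(SAMPLE_LOG)` reports the 2XNNA2A4XHTJ8Y Run value and lists BkdmI.exe and Cmjy.exe as the system32 processes that nothing in the startup list accounts for, which is the correlation the poster is asking about.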




Response Number 1
Name: sxshep
Date: January 25, 2004 at 15:12:29 Pacific
Reply:

boo,


Open HijackThis, place a check beside the entries listed below. Make sure ALL Browsers and Explorer Windows are closed (most important). Then click on the "Fixed checked" button.

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\AproposClient\AproposPlugin.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [qnwscript.exe] C:\WINNT\system32\qnwscript.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.exe
O4 - HKCU\..\Run: [qnwscript.exe] C:\WINNT\system32\qnwscript.exe

Reboot into safe mode (tap F8 key) and find/search for and delete:

C:\Program Files\AproposClient ---folder
C:\WINNT\Belt.exe ----file
C:\Program Files\Common files\updater\wupdater.exe ---file
C:\Program Files\Common files\updater --folder
C:\PROGRA~1\AUTOUP~1\AUTOUP~1.exe ----file
C:\WINNT\system32\qnwscript.exe -

Reboot once more.....

Make sure you are connected to the net, firewall disabled for this only and:

Download and run the following program:

Memory Watcher Uninstaller

Post a new log when through, see if we got it all


Shep




Response Number 2
Name: boo-03
Date: January 25, 2004 at 16:45:43 Pacific
Reply:

Thank you for your reply.

I was able to decipher most of the HJT log with the tutorial and was able to clean up most of it. I do have a couple of questions, though....

What is qnwscript.exe, and why should I remove it?

When deleting in safe mode, should I also delete the belt.ini file?

Why do I want the Memory Watcher Uninstaller, and what will it do?



Response Number 3
Name: Dog
Date: January 26, 2004 at 02:25:38 Pacific
Reply:

This will help your Peper problem:

Peper Removal

D4



Response Number 4
Name: sxshep
Date: January 26, 2004 at 05:21:29 Pacific
Reply:

boo,

The qnwscript.exe lines should go if you don't know what they are. No returns on Google or in any other program for that startup item. Usually not a good sign.

Memory Watcher Uninstaller is a one step process for removing peper, aka Sandboxer. The latest method for the removal of this pest.

Yes to the belt ini.


Shep


