Here is my Hijack...can someone please help...thanks
Logfile of HijackThis v1.96.1
Scan saved at 3:28:25 PM, on 08/21/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\ICONFIG.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\CLEARSEARCH\LOADER.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\ISTSVC\ISTSVC.exe
C:\WINDOWS\SYSTEM\WIN32US.exe
C:\PROGRAM FILES\ADELPHIA ESUPPORT ASSISTANT\SMARTBRIDGE\MOTIVESB.exe
C:\PROGRAM FILES\MCAFEE\QUICKCLEAN\PLGUNI.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\ADELPHIA ESUPPORT ASSISTANT\BIN\MPBTN.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\MOTIVE\COMMON\MOTIVEDIRECTORY.exe
C:\PROGRAM FILES\ADELPHIA ESUPPORT ASSISTANT\BIN\MAD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
F1 - win.ini: run=hpfsched
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.exe "Software\Shuttle Technology\epssfd9x\SSFDC"
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ADELPH~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe 1
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: Adelphia eSupport Assistant.lnk = C:\Program Files\Adelphia eSupport Assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: DigiChat Applet - http://host3.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

Hi Dave,
Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://sharempeg.com/find/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
ClearSearch, IGetNet variant - See http://www.doxdesk.com/parasite/IGetNet.html
****O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
Backdoor.Jeem is a Trojan horse that allows a hacker to remotely control an infected computer. – See http://www.symantec.com.mx/avcenter/venc/data/backdoor.jeem.html
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
Clearsearch variant of IGetNet – See http://217.115.153.73/parasite/IGetNet.html
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
All-In-One-Telcom (adult content dialler) variant
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
ISTBar foistware – See http://www.doxdesk.com/parasite/ISTbar.html
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: DigiChat Applet - http://host3.digichat.com/DigiChat/DigiClasses/Client_IE.cab
After reboot then delete the following:
The folder ClearSearch at C:\Program Files\ClearSearch
The file MSREXE.exe at C:\WINDOWS\SYSTEM\MSREXE.exe
The file win32us.exe at c:\windows\system\win32us.exe
The folder ISTsvc at C:\Program Files\ISTsvc
You have/had at least one active Trojan (Identified by ****). HijackThis will have rendered it inactive when you did the above. And by removing the file MSREXE.exe it will not be able to execute anymore. You can also use the removal instructions provided with the link to remove any other traces. You may still have other Viruses/Trojans. Even though McAfee is a very good Anti-Virus program (with various Trojan detections) they are not in the Anti-Trojan business. I recommend either Trojanhunter or TDS-3 (both have thirty day trials).
In addition you could also try an online AV scanner such as
- Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp
- Trend Micro Housecall http://housecall.antivirus.com/
Recommend Panda ActiveScan first, Trend HouseCall second, as the two best online scans, in that order. They may detect and remove other Viruses/Trojans also. No one program finds everything.
--------------
For a virtually “spyware” free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware.
Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.
Good Luck!

Thanks so much for your help, I really appreciate it.
Did everything except I can't delete ISTSVC. I suppose I have to stop the process first by ctrl+alt+delete. Just seeing if that is the process cause I am at work and will do it when I get home. Thanks

DavoD007,
Hmm, strange. Spybot S&D does target ISTBar so it should have removed the start-up entry. Yes, ctrl+alt+delete is one way of ending the process.
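
Added example, not part of any post in this thread: a small Python parser for the HijackThis entry lines shown above, used to check which lines from a fix list a later scan still reports (the situation with the IST Service start-up entry). The function names are this example's own and the RESCAN text is constructed for the demonstration.

```python
import re
# Section codes seen in the log above and what HijackThis uses them for.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "F1": "win.ini/system.ini autostart", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart (Run keys, Startup folder)",
    "O6": "IE options locked by policy", "O8": "IE context-menu item",
    "O9": "IE extra button/Tools item", "O16": "ActiveX (Downloaded Program Files)",
}
ENTRY = re.compile(r"^([RFO]\d{1,2}) - (.+)$")
RUN_KEY = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def parse_log(text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process path or free text
        code, body = m.groups()
        rec = {"code": code, "kind": SECTIONS.get(code, "unknown"), "body": body}
        run = RUN_KEY.match(body) if code == "O4" else None
        if run:  # registry autostart: hive, key, value name, command line
            rec.update(hive=run[1], key=run[2], name=run[3], command=run[4])
        entries.append(rec)
    return entries

def norm(rec):  # comparison key; the log mixes upper- and lower-case paths
    return (rec["code"], " ".join(rec["body"].split()).casefold())

def still_present(fix_list, rescan):
    """Entries from the fix list that a later scan still reports."""
    after = {norm(r) for r in parse_log(rescan)}
    return [r for r in parse_log(fix_list) if norm(r) in after]

# Fix-list lines quoted from the thread; RESCAN is constructed for this demo.
FIX_LIST = r"""
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
"""
RESCAN = r"""
C:\PROGRAM FILES\ISTSVC\ISTSVC.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [IST Service] C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
"""

if __name__ == "__main__":
    print([r["body"] for r in still_present(FIX_LIST, RESCAN)])
```

Comparison is case-insensitive because the same path appears in different case between the running-process list and the registry entries in the log above.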
