
mark2a -- fresh log


Name: AWS
Date: January 30, 2004 at 15:30:32 Pacific
OS: Windows XP 2002
CPU/Ram: Intel Celeron 1.7 / 256 R
Comment:

Mark-
Thank you so much for your help so far. I checked the items you told me to and went to delete the files/folders as well. I found a file named "bridge" in c:\windows\system32\drivers and deleted it, but it came back in about 5 seconds. I was unable to find a winfavorites folder, but did find two winfavorites.exe files in a search, which I deleted. The slycfqqu.exe and a.exe files were found and deleted. Here is my new log...

Logfile of HijackThis v1.97.7
Scan saved at 6:23:36 PM, on 1/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Documents and Settings\Adam W. Smith\Application Data\DownloadPlus.exe
C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.lib.muohio.edu:3128
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Adam W. Smith\Application Data\Mozilla\Profiles\default\fiq1l3dk.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Adam W. Smith\Application Data\Mozilla\Profiles\default\fiq1l3dk.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Adam W. Smith\Application Data\DownloadPlus.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2515AC8B-7277-4EDA-813C-B3679DC5AE86}: Domain = muohio.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{2515AC8B-7277-4EDA-813C-B3679DC5AE86}: NameServer = 134.53.253.1,134.53.253.5
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = muohio.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{2515AC8B-7277-4EDA-813C-B3679DC5AE86}: Domain = muohio.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{2515AC8B-7277-4EDA-813C-B3679DC5AE86}: NameServer = 134.53.253.1,134.53.253.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = muohio.edu





Response Number 1
Name: iceblue
Date: January 30, 2004 at 21:58:29 Pacific
Reply:

Have Hjt fix checked this item:
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab

* Get the Google toolbar to stop pop ups.

** Get the system updated at Windows Updates. [ESSENTIAL]
hth,
Ice



Response Number 2
Name: Abnormal
Date: January 31, 2004 at 09:40:54 Pacific
Reply:

O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Adam W. Smith\Application Data\DownloadPlus.exe

Click Start and open the Programs menu. Open the Startup submenu, right-click 'Download Plus' and choose 'Delete'.

Restart the computer and you should be able to delete DownloadPlus.exe which can be found in the Application Data folder. (On Windows 95/98/Me, the Application Data folder can be found inside the Windows folder; on Windows NT it is inside your user 'Profiles' folder in the Windows folder; on Windows 2000 and XP it is inside your user Documents and Settings folder.)

http://www.doxdesk.com/parasite/DownloadPlus.html

You need to stay with original post,
it gets confusing and knocks others
down the page faster.

Mark may still be waiting on this page;

http://www.computing.net/security/wwwboard/forum/9304.html
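The two entries the replies single out (the O16 DPF download and the O4 Startup shortcut into Application Data) can be picked out of a HijackThis log mechanically. The Python below is an added example, not part of the thread or of HijackThis; the function names and the two heuristics (a DPF entry with no friendly name, a startup target sitting directly in Application Data) are assumptions made for illustration, and the sample lines are copied from the log posted above.

```python
import re
from urllib.parse import urlparse

# Sample input: header, one process line and seven entries copied from the log above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\Explorer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Adam W. Smith\Application Data\DownloadPlus.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingstone.com/cab/2000XP/bridge.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = muohio.edu
"""

# "<section code> - <body>", e.g. "O16 - DPF: ..."
ENTRY = re.compile(r"^(?P<code>[RNO]\d{1,2}) - (?P<body>.+)$")
# O16 body: CLSID, optional "(friendly name)", then the download URL
DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                 r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
# O4 body for Startup-folder shortcuts: "<name>.lnk = <target path>"
STARTUP = re.compile(r"^(?:Global )?Startup: (?P<lnk>.+?\.lnk) = (?P<target>.+)$")
# Assumed heuristic: an .exe sitting directly in a profile's Application Data folder
PROFILE_EXE = re.compile(r"\\Application Data\\[^\\]+\.exe$", re.IGNORECASE)

def parse(log):
    """Yield (code, body) for each entry line; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]

def triage(log):
    """Return (code, reason, detail) for entries matching the two assumed heuristics."""
    findings = []
    for code, body in parse(log):
        if code == "O16":
            m = DPF.match(body)
            if m and not m["name"]:  # no friendly name registered for the control
                findings.append((code, "unnamed ActiveX download",
                                 urlparse(m["url"]).hostname))
        elif code == "O4":
            m = STARTUP.match(body)
            if m and PROFILE_EXE.search(m["target"]):
                findings.append((code, "startup exe in Application Data",
                                 m["target"].rsplit("\\", 1)[1]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A flagged line is a candidate for review, not a verdict; the named Flash control and the Program Files startup items pass both heuristics only because of how the rules are written.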


