Okay I've run PC-cillin 2002 twice and even though it ran a full scan both times and cleaned or quarantined all files, it keeps finding more. I ran hijackthis and this is what it came up with: Logfile of HijackThis v1.97.6 Scan saved at 2:00:50 PM, on 11/13/2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\PackethSvc.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.exe C:\WINDOWS\System32\cisvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\CTHELPER.exe C:\WINDOWS\System32\devldr32.exe C:\WINDOWS\GWMDMMSG.exe C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe C:\Program Files\Saitek\Software\Profiler.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe C:\Program Files\MSN\MSNCoreFiles\MSN6.exe C:\Program Files\Internet Explorer\IEXPLORE.exe C:\Program Files\Trend Micro\PC-cillin 2002\pccmain.exe C:\WINDOWS\System32\taskmgr.exe C:\WINDOWS\System32\cidaemon.exe C:\Documents and Settings\Mom\Desktop\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\MSDXM.OCX O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.exe /AUDIT O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.exe O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe O4 - HKLM\..\Run: [RDLL] RunDll16.exe O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe" O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe" O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe" O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\BestBuy\HelpExpress\Client\HELPEXP.exe O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Run DAP (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B0A84A-B23F-4C6B-BF46-9F8F685C4B69}: NameServer = 170.147.17.82 170.147.45.209 THIS IS DRIVING ME NUTS

First go download CWSchredder and run it, it should remove some stuff. You also might have the W32.Spybot.Worm and I suggest you visit House Calls and do a free online scan. I could tell you to remove some stuff from the log but start with that. Then repost a log file after you have taken those steps or you can wait for someone else to come along that can confirm what virus(es) you are infected with. KTTD

O4 - HKLM\..\Run: [RDLL] RunDll16.exe http://www.symantec.com/avcenter/venc/data/backdoor.sdbot.f.html

smithdk, I knew he was infected but I was not sure with what and as always, thanks for the assist. KTTD

Also, PE_PIRATE will not show in a Hijack log. Download and run the removal tool from here: http://www.pandasoftware.com/download/utilities/

Thank you! Hope this is the only other virus we have...