Hello,
I got some great help from this site about 2 weeks ago so I've been trying to return the favor by replying to posts when I have free time. I keep seeing recurring references to Adaware, Spybot, HijackThis and CWShredder so I decided to run them all myself.
I hadn't noticed any problems with my system, this was just a preventive measure in running them, but Spybot was unable to remove a few things it found and asked if it could restart on reboot, so I said yes, but then my system wouldn't come back on until about the 10th reboot (just a mild heart attack! <lol>)
Adaware found 12 things and I let it remove them and Spybot found about 20 (mostly cookies) and I let it remove them. I ran HijackThis and got the following log file:
===========================================================================
Logfile of HijackThis v1.97.7
Scan saved at 6:18:08 PM, on 09/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Programs\System\OmniPage\opware32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Internet\Netscape\Netscp.exe
C:\Programs\Grafx\Thumbs32\Thumbs.exe
C:\Programs\Internet\HTMLed32\HTMLED32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office\WINWORD.exe
C:\Programs\Internet\Spybot\SpybotSD.exe
C:\Programs\Internet\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Pat\Local Settings\Temp\Temporary Directory 1 for HijackThis 1.97-Dec03.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/~Data/HTML/~index.html
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///c:/~Data/HTML/~index.html"); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\hgl7f6ew.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPrograms%5CInternet%5CNetscape%5Csearchplugins%5CNetscape_Canada.src"); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\hgl7f6ew.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\programs\internet\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Programs\System\OmniPage\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0893398c46a5cd8a2822/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.0601388889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D7CA8F8-04B9-4F9B-AF2B-7F3EC4841E97}: NameServer = 192.168.254.2,192.168.253.2
=============================================================================
I'm a little concerned about rebooting again so if anyone can offer any advice I'd appreciate it. Also I don't see HijackThis under Programs even though I obviously installed it to get this log file?
I also went to the link provided in a post concerning CWShredder but it only describes the different variants of CoolWebSearch but there's no program to download, so if someone could give me the link to the program I'd appreciate it? The link I was given would probably come in real handy after running the program if I found out I did have one of the variants described there.
Any advice on any of this would be greatly appreciated as well as any opinions on what I should look into before rebooting again as I'd hate to get locked out of my OS.
thanks in advance,
wired

Jack,
That solves getting the program fine and good news, I came up clean with that one! ;o)
thanx much,
wired

You will not find HijackThis under add/rem prog because when you run the program...you don't actually install it....it's just an exe that runs when you double-click it. If you want to remove it...just delete the HijackThis.exe file.
I don't see anything serious in your log file...but did you add this?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/~Data/HTML/~index.html
I'm not sure what that is all about...someone else here likely has a better idea...unless you set up your IE to start there...I mean you may have set up IE to start on an HTML file you made?
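
Added example, not part of the thread or any poster's words: a small Python triage helper that pulls the browser start-page settings out of a HijackThis log and checks whether they point at a local file and agree across browsers, which is the question raised about the R0 entry. The function names are hypothetical and the sample is three entries copied from the log in the first post.

```python
import re
from urllib.parse import urlsplit

# Sample input: three entries copied from the log posted in this thread.
SAMPLE_LOG = r'''R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/~Data/HTML/~index.html
N3 - Netscape 7: user_pref("browser.startup.homepage", "file:///c:/~Data/HTML/~index.html"); (C:\Documents and Settings\Pat\Application Data\Mozilla\Profiles\default\hgl7f6ew.slt\prefs.js)
O4 - HKLM\..\Run: [Omnipage] C:\Programs\System\OmniPage\opware32.exe
'''

ENTRY = re.compile(r'^([A-Z]\d{1,2}) - (.*)$')      # e.g. "R0 - ...", "O16 - ..."
IE_START = re.compile(r',Start Page\s*=\s*(\S+)')
NS_HOME = re.compile(r'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)')

def parse_entries(text):
    """Split a HijackThis log into (section code, detail) pairs."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def browser_pages(entries):
    """Return {label: url} for the IE start page and the Netscape homepage."""
    pages = {}
    for code, detail in entries:
        if code in ("R0", "R1"):
            m = IE_START.search(detail)
            if m:
                pages["IE Start Page"] = m.group(1)
        elif code.startswith("N"):
            m = NS_HOME.search(detail)
            if m:
                pages["Netscape homepage"] = m.group(1)
    return pages

def classify(url):
    """'local-file' for file: URLs with no remote host, else 'remote:<host>'."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "file" and parts.netloc in ("", "localhost"):
        return "local-file"
    return "remote:" + (parts.hostname or "?")

def triage(text):
    """Classify each start page and report whether all browsers agree."""
    pages = browser_pages(parse_entries(text))
    kinds = {label: classify(url) for label, url in pages.items()}
    # Windows paths are case-insensitive, so compare lower-cased URLs.
    same = len({u.lower() for u in pages.values()}) == 1
    return kinds, same

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the entries from this log, both browsers resolve to the same local file, which fits a start page the user configured rather than one redirected to a remote site.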
