
wowex32 problems


Name: llr
Date: December 12, 2003 at 16:41:49 Pacific
OS: windows 98
CPU/Ram: AMD-K6 152 RAM
Comment:

Hi,
I have wowex32 on my machine (and who knows what else). I've run Spybot and Adaware and cleaned up my pop-up and search toolbar problems but my machine is still slow and balky. I've looked at the other threads about wowex32 but am not experienced enough to know if the solutions given apply to my machine. Any help you can give is appreciated.
Here is my Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:03:21 PM, on 12/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSDTCW.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\CMMPU.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.exe
C:\WINDOWS\SYSTEM\BTCPOWER.exe
C:\WINDOWS\SYSTEM\PWSTRAY.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.exe
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.exe
C:\WINDOWS\SYSTEM\PRINTRAY.exe
C:\PROGRAM FILES\LEXMARKX83\ACMONITOR_X83.exe
C:\PROGRAM FILES\LEXMARKX83\ACBTNMGR_X83.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\STSJCILI.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.exe
C:\WINDOWS\SYSTEM\VHD6.exe
C:\WINDOWS\DESKTOP\LAURA'S STUFF\HIJACKTHIS\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.washingtonpost.com/
F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1ED91040-1FA0-11D8-A919-00606E33D1E7} - C:\WINDOWS\SYSTEM\MFECUIW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {75247C40-21CC-11D8-A91A-00606E33D1E7} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.exe"
O4 - HKLM\..\Run: [PowerKB] c:\windows\SYSTEM\btcpower.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.exe 1
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [388LXAS2WM94RG] C:\WINDOWS\SYSTEM\Dwy14U.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37812.665775463
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
O19 - User stylesheet: (file missing)





Response Number 1
Name: iceblue
Date: December 13, 2003 at 04:03:16 Pacific
Reply:

Just removing the wowex32 only first,

Close all browser windows and
Have HjT fix this:
O4 - HKLM\..\Run: [388LXAS2WM94RG] C:\WINDOWS\SYSTEM\Dwy14U.exe

Disable system restore and
Reboot into safe mode and delete:
C:\WINDOWS\SYSTEM\STSJCILI.exe

Reboot and run an online AV scan, and quarantine/delete all files found.
RAV http://www.ravantivirus.com/scan/indexie.php
House Call
http://housecall.trendmicro.com/housecall/start_corp.asp

Rescan with HjT and repost the new log here, when ready to remove the next batch.



Response Number 2
Name: iceblue
Date: December 13, 2003 at 05:34:47 Pacific
Reply:

correction and update for Response #1
[bleary eyed and misread the notes]
wowex32 Removal:

1. Use the uninstall tool - download from: http://home01.wxs.nl/~kleyn080/uninst.exe. Double click on uninst.exe, let it run and terminate.

2. To delete all the associated files with drpeper, download from http://www.mjc1.com/files/mo/drpeper.html then go offline and close all browser windows.
Double click drpepertobackup, it will self extract to C:. With the text in the box highlighted and the 'overwrite' existing files checked, click start.

3. Go to the file C:\drpeper\Find backup and Delete Peper files.vbs and double click this file.

4. A box will appear, copy and paste: STSJCILI.exe
and hit ok.

5. A second box will appear, copy and paste: Dwy14U.exe
and hit ok.

*Note: Sometimes you will get a VBS script error during this process. If that happens, INVERT the order of the files, i.e. the first one second and the second one first, in the event of the VBS script error.

6. It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted. Make sure it is saved.

Reboot.
Make sure all browsers are closed.
Then rescan with HJT, post a new HJT log and the contents of the Peper.txt file - the next stage will be to remove the rest of the bad stuff.

If by any chance you have already followed Response #1, reply and repost a new HjT log; and we will repeat the process with the updated filenames.



Response Number 3
Name: llr
Date: December 13, 2003 at 11:51:03 Pacific
Reply:

Thanks for your help iceblue. I've done all the steps of response 2. Here are my HjT log and Peper file:

Logfile of HijackThis v1.97.7
Scan saved at 2:43:36 PM, on 12/13/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\MSDTCW.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\CMMPU.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.exe
C:\WINDOWS\SYSTEM\BTCPOWER.exe
C:\WINDOWS\SYSTEM\PWSTRAY.exe
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.exe
C:\WINDOWS\SYSTEM\PRINTRAY.exe
C:\PROGRAM FILES\LEXMARKX83\ACMONITOR_X83.exe
C:\PROGRAM FILES\LEXMARKX83\ACBTNMGR_X83.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.exe
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.exe
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.exe
C:\WINDOWS\DESKTOP\LAURA'S STUFF\HIJACKTHIS\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.washingtonpost.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.washingtonpost.com/
F1 - win.ini: run=c:\windows\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1ED91040-1FA0-11D8-A919-00606E33D1E7} - C:\WINDOWS\SYSTEM\MFECUIW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {75247C40-21CC-11D8-A91A-00606E33D1E7} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.exe"
O4 - HKLM\..\Run: [PowerKB] c:\windows\SYSTEM\btcpower.exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37812.665775463
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,74/mcinsctl.cab
O19 - User stylesheet: (file missing)

12/13/03 2:36:10 PM
C:\WINDOWS\SYSTEM\Lpu5ipZ.exe
C:\WINDOWS\SYSTEM\StsJCILI.exe
C:\WINDOWS\SYSTEM\KsoyX.exe
C:\WINDOWS\SYSTEM\Rydo82.exe
C:\WINDOWS\SYSTEM\Csbjci7.exe
C:\WINDOWS\SYSTEM\Vhd6.exe
12/13/03 2:37:12 PM
C:\WINDOWS\SYSTEM\Cxe0n.exe
C:\WINDOWS\SYSTEM\Dwy14U.exe
C:\WINDOWS\SYSTEM\WilQj.exe



Response Number 4
Name: iceblue
Date: December 15, 2003 at 10:37:23 Pacific
Reply:

Close all browser windows and have HjT fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.washingtonpost.com/
O3 - Toolbar: (no name) - {75247C40-21CC-11D8-A91A-00606E33D1E7} - (no file)
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFullSInst.cab
O19 - User stylesheet: (file missing)

Check up on your Windows updates....
and may I suggest running SpywareBlaster and SpywareGuard on your system.

Feel free to rescan with HjT and repost;
there is one entry that I'm still looking up:
O2 - BHO: (no name) - {1ED91040-1FA0-11D8-A919-00606E33D1E7} - C:\WINDOWS\SYSTEM\MFECUIW32.DLL
[It's familiar, but can't pin it down yet.]


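One way to check a cleanup like the one in Responses 2 and 3: diff the HijackThis log taken before against the one taken after, and mark which vanished processes and entries are accounted for by the Peper.txt deletion list. This is an added example, not part of the thread or of HijackThis; the function names are hypothetical and the sample data is a short excerpt of the logs and Peper.txt posted above.

```python
import re
from ntpath import basename

# Short excerpts of the two HijackThis logs and the Peper.txt list from this thread.
BEFORE = r"""Running processes:
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.exe
C:\WINDOWS\SYSTEM\STSJCILI.exe
C:\WINDOWS\SYSTEM\VHD6.exe

O4 - HKLM\..\Run: [Tray Temperature] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHERBUG.exe 1
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [388LXAS2WM94RG] C:\WINDOWS\SYSTEM\Dwy14U.exe
"""
AFTER = r"""Running processes:

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
"""
PEPER = [r"C:\WINDOWS\SYSTEM\StsJCILI.exe", r"C:\WINDOWS\SYSTEM\Vhd6.exe",
         r"C:\WINDOWS\SYSTEM\Dwy14U.exe"]

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # e.g. "O4 - HKLM\..\Run: ..."
FILE = re.compile(r'[^\\\s\[\]"]+\.(?:exe|dll|ocx)', re.I)  # file name inside a line

def parse_hjt(text):
    """Return (running process paths, coded entries) from a HijackThis log."""
    procs, entries, in_procs = set(), set(), False
    for line in map(str.strip, text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif ENTRY.match(line):
            entries.add(line)
        elif in_procs and line:
            procs.add(line)
        in_procs = in_procs and bool(line)   # a blank line ends the process list
    return procs, entries

def explain_changes(before, after, deleted_paths):
    """True for each vanished item whose file is in the deletion list, else False."""
    deleted = {basename(p).lower() for p in deleted_paths}
    (bp, be), (ap, ae) = parse_hjt(before), parse_hjt(after)
    report = {}
    for item in (bp - ap) | (be - ae):
        names = FILE.findall(item)
        report[item] = bool(names) and names[-1].lower() in deleted
    return report

if __name__ == "__main__":
    for item, ok in sorted(explain_changes(BEFORE, AFTER, PEPER).items()):
        print("deleted by tool" if ok else "UNEXPLAINED    ", "|", item)
```

Items reported as unexplained (here the WeatherBug process and its Run entry) changed between scans for some reason other than the deletion list and are worth confirming with the user.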
