Hello - I have tried the manual method of getting rid of Fin4U, I have tried the HijackThis method and to no avail. There must be some files that I am not erasing which are being persistant. Please help - Thank you very much, Yona. Logfile of HijackThis v1.97.7 Scan saved at 11:01:04 AM, on 2/3/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Personal Firewall\NISUM.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINNT\system32\stisvc.exe C:\Program Files\Norton Personal Firewall\SymProxySvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\Norton Personal Firewall\NISSERV.exe C:\WINNT\Explorer.exe C:\Program Files\Common Files\Symantec Shared\SymTray.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe C:\Program Files\Norton Personal Firewall\IAMAPP.exe C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\WINNT\System32\qttask.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.exe C:\Program Files\Logitech\ImageStudio\LogiTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\Yahoo!\Messenger\ypager.exe C:\Documents and Settings\Yona\Application Data\uluu.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\WinZip\WZQKPICK.exe C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe C:\Program Files\SBC\Connection Manager\CManager.exe C:\Program Files\Logitech\ImageStudio\LowLight.exe C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe C:\WINNT\system32\svchost.exe C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe C:\WINNT\System32\rsvp.exe C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPClient.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Microsoft Office\Office\WINWORD.exe C:\Program Files\Microsoft Works\MSWorks.exe C:\Documents and Settings\Yona\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/spc.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/indexc.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/indexc.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://qprexz.t.muxa.cc/s.php?aid=420 (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qprexz.t.muxa.cc/h.php?aid=420 (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qprexz.t.muxa.cc/s.php?aid=420 (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://qprexz.t.muxa.cc/s.php?aid=420 (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/spc.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/indexc.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://qprexz.t.muxa.cc/h.php?aid=420 (obfuscated) R3 - URLSearchHook: SearchHookObject Class - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\Documents and Settings\Yona\Application Data\iefeatsl\msiesh.dll R3 - URLSearchHook: MailTo Class - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\pubplace.dll O1 - Hosts: 205.177.124.66 auto.search.msn.com O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\Yona\Application Data\iefeatsl\iefeatsl.dll O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_3_0.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe O4 - HKLM\..\Run: [CrazyTalk Serve] rundll32.exe C:\WINNT\System32\crazytalk.dll,DllServeMediaFile O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.exe O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Services] C:\WINNT\system32\dllcache\svchost.exe O4 - HKLM\..\Run: [sys] regedit -s sys.reg O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [Sebr] C:\Documents and Settings\Yona\Application Data\uluu.exe O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.exe" O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe O4 - Startup: Resume Windows Update Installation.lnk = C:\WINNT\Windows Update Setup Files\ie6setup.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: winlogon.exe O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: {1CC506A7-1B8D-11D4-BDD5-0060977007E0} (CrazyTalk Player) - http://plug-in.reallusion.com/CrazyTalk.cab O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav021210.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_3_0.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O19 - User stylesheet: C:\Program Files\Internet Explorer\readme.txt O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

Try this link. Download and Install Spybot - Search and Destroy and then run the update feature using the mirror closest to your physical location. Next run Search and Destroy to remove spyware. Also run the immunize feature. Take your time and look at what this software reveals. This might well resolve your issue and it is free, though if it does solve your issue you might want to think about donating to this guy. http://www.safer-networking.org/index.php?page=download Good Luck.

Also run cwshredder, click fix to clean. cwshredder.exe Restart computer, and post a new log file if you still have problems. abnormal

One more thing to try, other then you posting back with your results. Start your computer in safe mode navigate to C:\Documents and Settings\All Users\Start Menu\Programs\Startup, and delete winlogon.exe. Get all critical window updates also. Tips to avoid this under my name.