Tom's Guide | Tom's Hardware | Tom's Games
Here is a copy of my HijackThis log. Can anyone tell me if there is anything to worry about here? Ad-Aware finds a registry key that it can't delete. Something about IBIS toolbar?
Logfile of HijackThis v1.97.7
Scan saved at 5:16:57 PM, on 12/4/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Visual IP InSight\TDS\ARUpld32.exe
C:\Program Files\Norton Internet Security\NISUM.exe
C:\Program Files\Visual IP InSight\TDS\ARMon32a.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\Program Files\quickenw\QAGENT.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\Program Files\Norton Internet Security\IAMAPP.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.exe
C:\WINDOWS\System32\mrtMngr.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\System32\HrbjNP18.exe
C:\WINDOWS\System32\DxqO.exe
C:\Documents and Settings\sherrie olson\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TDS.NET
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://start.tds.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: qxfiwoaumss - {88e879d8-9803-4a79-82e7-ccdcc95a5e0e} - C:\DOCUME~1\MELISS~1\APPLIC~1\psheikngr.dll (file missing)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\quickenw\QAGENT.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\SYSTEM32\USJ1V6P.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MP3.com Radio (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://www.britney-spears-hot-pics.com/021795.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4226E9B7-D637-40E8-893A-13298AB41477} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_5.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = v597.tdmy.com
O17 - HKLM\Software\..\Telephony: DomainName = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: Domain = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: NameServer = 148.78.255.200,148.78.255.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E3AB4CF-2797-45A0-8481-CDA6A42CDDA2}: Domain = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3137941-3B96-48E0-9529-0F5546A8B7B8}: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: NameServer

Why is this program so popular if no one can figure out how to use it??
There must be two or three posts a day with these inane logs on them.
Jimi_l

Let's give it a shot,
These files are indicative of the Peper virus:
C:\WINDOWS\System32\HrbjNP18.exe
C:\WINDOWS\System32\DxqO.ex
Have to deal with these first, the following:
Download and run this file to fix Peper Trojan:
http://home01.wxs.nl/~kleyn080/uninst.exe
Double-click on 'uninst.exe', let it run and terminate.
To delete all the associated files, download the following tool:
http://www.mjc1.com/files/mo/drpeper.html
It will self-extract to C:\.
Find the file C:\drpeper\Find backup and Delete Peper files.vbs and double-click it.
At the first prompt, copy and paste: HrbjNP18.exe
and hit OK.
You will get a confirmation; proceed.
At the second prompt, paste: DxqO.ex
and hit OK.
It will find all the files, delete them, and make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Make sure it is saved; if need be you can post this file later along with a new HJT log.
Close all windows and your browser and have HJT fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://start.tds.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: qxfiwoaumss - {88e879d8-9803-4a79-82e7-ccdcc95a5e0e} - C:\DOCUME~1\MELISS~1\APPLIC~1\psheikngr.dll (file missing)
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.tds.net/
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://www.britney-spears-hot-pics.com/021795.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = v597.tdmy.com
O17 - HKLM\Software\..\Telephony: DomainName = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: Domain = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: NameServer = 148.78.255.200,148.78.255.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{8E3AB4CF-2797-45A0-8481-CDA6A42CDDA2}: Domain = v597.tdmy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3137941-3B96-48E0-9529-0F5546A8B7B8}: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: Domain = v597.tdmy.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0F72EADE-5B5F-4390-9090-7421668BB880}: NameServer
Get these programs, update and use them:
Lavasoft Adaware
AVG AntiVirus
Spybot Search & Destroy
Spyware Blaster
These might help keep this from happening again.
hth
shep
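A way to mechanise the triage shep does by eye above, as an added example (this is not code from the thread, from HijackThis, or from the drpeper script). It parses a constructed subset of the posted log in HijackThis v1.97 format and applies the same rules the reply applies: random-looking executables sitting directly in System32 (in the process list and in O4 Run entries), search settings blanked to about:blank, a missing URLSearchHook, orphaned toolbars, a DPF entry that pulls an .exe, and O17 Domain/NameServer overrides. It then backs up and deletes the flagged binaries the way the "Find backup and Delete Peper files" script does, against a temporary directory standing in for C:\ so nothing real is touched. The System32 allow-list and the "random-looking name" rule are assumptions for this demo, not published signatures.

```python
"""Triage a HijackThis v1.9x log, then back up and delete the flagged binaries.
Added example, not code from the thread or from HijackThis: SAMPLE_LOG is a
constructed subset of the log posted above, and the System32 allow-list and the
'random-looking name' rule are assumptions for this demo."""
import re
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HrbjNP18.exe
C:\WINDOWS\System32\DxqO.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\SYSTEM32\USJ1V6P.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://www.britney-spears-hot-pics.com/021795.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = v597.tdmy.com
"""
# Assumed allow-list: System32 executables an XP SP1 box like this one is expected to show.
SYSTEM32_BASELINE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "qttask.exe"}
EXE_IN_LINE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.I)   # first .exe path in a line

def looks_random(filename):      # a digit, a capital after a lowercase letter, or no vowel at all
    stem = filename.rsplit(".", 1)[0]
    return bool(re.search(r"\d|[a-z][A-Z]", stem) or not re.search(r"[aeiou]", stem, re.I))

def rogue_system32(win_path):
    """Unexpected, random-looking executable sitting directly in WINDOWS\\System32."""
    p = PureWindowsPath(win_path)
    in_sys32 = p.parent.name.lower() == "system32" and p.parent.parent.name.lower() == "windows"
    return in_sys32 and p.name.lower() not in SYSTEM32_BASELINE and looks_random(p.name)

def triage(log_text):
    """(severity, tag, line) per hit: 'fix' = let HJT fix it, 'review' = confirm it first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if re.match(r"^[A-Za-z]:\\", line):                  # 'Running processes' section
            if rogue_system32(line):
                findings.append(("fix", "rogue-process", line))
            continue
        kind, _, body = line.partition(" - ")                # e.g. 'O16', 'DPF: {...} - http://...'
        if kind in ("R0", "R1") and re.search(r",(Search Bar|SearchAssistant|CustomizeSearch) *= *(about:blank)?$", body):
            findings.append(("fix", "search-hijack", line))  # search settings blanked out
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(("fix", "search-hook-missing", line))
        elif kind in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append(("fix", "orphan-toolbar", line)) # dead entry, safe to remove
        elif kind == "O2" and "(no name)" in body:
            findings.append(("review", "unnamed-bho", line))
        elif kind == "O4" and (exe := EXE_IN_LINE.search(body)) and rogue_system32(exe.group(1)):
            findings.append(("fix", "rogue-autorun", line))
        elif kind == "O16" and re.search(r"https?://\S+\.exe$", body, re.I):
            findings.append(("fix", "dpf-downloads-exe", line))
        elif kind == "O17":
            findings.append(("review", "dns-domain-override", line))  # may be the ISP's own
    return findings

def flagged_binaries(findings):
    """Windows paths of the executables to quarantine (process lines and O4 Run values)."""
    return [EXE_IN_LINE.search(line).group(1)
            for _sev, tag, line in findings if tag in ("rogue-process", "rogue-autorun")]

def sandbox_path(win_path, root):   # map a C: drive path onto a directory standing in for that drive
    p = PureWindowsPath(win_path)
    return Path(root).joinpath(*p.relative_to(p.anchor).parts)

def quarantine(win_paths, root, backup_dir):
    """Copy each file into backup_dir, delete the original, list it in Peper.txt (as the drpeper script does)."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    deleted = []
    for wp in win_paths:
        target = sandbox_path(wp, root)
        if target.is_file():
            shutil.copy2(target, backup_dir / target.name)
            target.unlink()
            deleted.append(wp)
    (backup_dir / "Peper.txt").write_text("\n".join(deleted) + "\n")
    return deleted

def demo():
    findings = triage(SAMPLE_LOG)
    root = Path(tempfile.mkdtemp())                 # stands in for the C: drive
    targets = flagged_binaries(findings)
    for wp in targets:                              # constructed stand-ins for the flagged files
        f = sandbox_path(wp, root)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ placeholder")
    deleted = quarantine(targets, root, root / "drpeper")
    print(*findings, "backed up and deleted:", deleted, sep="\n")
    return findings, deleted

if __name__ == "__main__":
    demo()
```

Entries tagged review are not a verdict: an O17 Domain suffix or NameServer can be exactly what the ISP hands out, and a BHO with no display name can be legitimate, so confirm those before letting HJT fix them. The file-missing toolbars are different: the entry is dead whatever its origin, so removing it costs nothing. Run the script directly to see the findings and the Peper.txt manifest it writes next to the backups.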

Hi sxshep, been there done that!
http://www.computing.net/windowsxp/wwwboard/forum/86354.html
Guess he missed the prevention part.
Abnormal
