dearandrewlee

Virus causes my computer to increase network traffic
Hi,

I believe I have a virus that causes my computer to increase network traffic. When I look at the PPPoE connection status, I can see that even when I'm not surfing the internet or using email (basically all applications are closed), the computer is still sending about 10,000 bytes/second and receiving 200 bytes/second. And it keeps doing that as long as I'm connected.

At first, I thought it was the W32.Welchia.Worm virus, so I made sure I had installed every critical update for Windows XP, updated my Norton Anti-Virus virus definitions, went into Safe Mode, and ran Norton Anti-Virus. At the same time, I ran the FixWelch.exe program from Symantec. Neither Norton Anti-Virus nor the Symantec tool detected anything.

Please help,
Andrew


Lobo042399

Hi Andrew,

It does sound like a trojan.

Just to eliminate the possibility that NAV has been compromised, I'd try doing some online scanning. Below are links to the most popular online scanners:

Symantec:
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro:
http://housecall.antivirus.com/housecall/start_corp.asp

Panda ActiveScan:
http://www.pandasoftware.com/activescan/

PC PitStop:
http://www.pcpitstop.com/antivirus/default.asp

Good Vibes!

Lobo

jvuz

Also check with stinger:

http://vil.nai.com/vil/stinger/

I recommend Avast Anti-Virus; it's free and good, and it is also customizable to your needs (www.avast.com). I use it and so far no problems; the anti-virus is very, very stable.


SOLUTION
Wakeup

dearandrewlee (ASKER)

Thanks guys for the suggestions.

I just finished an online scan with Symantec and there's no virus or trojan detected.

Maybe it's spyware, will try that.

Any other possibilities?

Wakeup

Find HijackThis in the link above and post your log file, and we'll see what you've got running.

Hi Wakeup, please see the log file below and advise:

Logfile of HijackThis v1.98.0
Scan saved at 11:32:30 PM, on 30/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\sbnet\ShowBehind.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\SSCFBTN.EXE
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iHateSpam4.0\siService.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\iHateSpam4.0\siSpamFilterEngine.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\winini.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\MS Office 2000\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iHateSpam4.0\siMain.exe
C:\WINDOWS\System32\MSCStat2.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=135343
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=135343
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=135343
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: IPInsigtObj Class - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: IEHlprObj Class - {19075736-64F1-4BD4-95B0-EE218D6C8FDB} - C:\WINDOWS\system32\m030106shop.dll
O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\POPUPB~1\IEHelper.dll
O2 - BHO: Xbrowse Class - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - C:\Documents and Settings\All Users\Application Data\X0FF\X0FF0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: Xbrowse Class - {D319662B-D5BF-4538-ADF3-8D3E36362608} - C:\Documents and Settings\All Users\Application Data\x0ff\x0ff.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: (no name) - {856D6A8E-A24C-498A-A55A-2B25C606A6B4} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x83d8e5\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\sbnet\ShowBehind.exe
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [RAS2000] C:\WINDOWS\System32\Ras2000.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSCFBTN.EXE] SSCFBTN.EXE
O4 - HKLM\..\Run: [Power Scan] C:\Documents and Settings\Andrew\Local Settings\Temp\powerscan.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\iHateSpam4.0\siService.exe"
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKLM\..\RunOnce: [mscrp] C:\WINDOWS\System32\\winbpupd.exe /s C:\WINDOWS\System32\\mbho2.dll C:\WINDOWS\System32\\mbho.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MS Office 2000\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOFFI~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {9EBC1900-098C-40D1-9AA0-66CF60B8268C} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.imgfarm.com/images/nocache/funwebproducts/CursorManiaInitialSetup1.0.0.6.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {359F7E49-1EA0-4671-92E9-61E32FE25C5E} - http://69.0.137.190/version3/Netster.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSEWC.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC25245A-CC4C-470E-B821-B4D76DF49BE5}: NameServer = 165.21.83.88 165.21.100.88


By the way, I'm getting the high network volume even if I don't open the Internet Explorer. So is Hijack This supposed to solve this problem?

rossfingal

Hi!
You have a number of things on your computer - among them are:
Gator/Gain
Istbar
WildTangent
Kontiki
just to mention a few.
Going through your log right now.
Regards...
RF

SOLUTION
Wakeup

Wakeup

Just so you know, I am a computer tech, and when I clean people's computers, I usually use about 10 different tools to remove spyware and viruses. Most of the tools will only pick up certain ones, and not other forms of spyware etc. That is why I suggested that list.

Bullet Proof Spyware is my all-time favorite though (trial only unless you purchase). It comes with a pop-up blocker, spyware remover, spyware watcher, and a form of HijackThis (which actually catches some things HijackThis won't). But most people use HijackThis, and it is easy to use.

Anyway let us know how it goes.


rossfingal

Hi!
Do not have HijackThis "fix" Twain-tec:
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
Twaintec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis.
This is because of the remaining registry entries and files which can be dangerous.
RF


Below is the logfile after removing those items according to Wakeup, and I still have high network activity, and as mentioned, I will receive high network activity even if I don't run IE.

Logfile of HijackThis v1.98.0
Scan saved at 10:39:32 AM, on 31/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\SSCFBTN.EXE
C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
C:\Program Files\iHateSpam4.0\siService.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\WINDOWS\System32\winini.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iHateSpam4.0\siSpamFilterEngine.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MSCStat2.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://sg.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x83d8e5\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\iHateSpam4.0\siService.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MS Office 2000\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOFFI~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {9EBC1900-098C-40D1-9AA0-66CF60B8268C} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab

Andrew, you could try LavaSoft's Adaware. It's good and able to remove a lot of spyware. It's commercial software, but it's free for evaluation and individual use. Try it and remove any possible spyware on your PC. It shall do you good.

After using HijackThis, I just tried Adaware and removed ALL remaining items. However, there is still network traffic going on, but now less: 500 bytes/second instead of 10,000 bytes/second.


Oh no, actually, it's still high at 5000 bytes/second on the sending side. Please help.

Take a look at the running Processes?

Wakeup

C:\WINDOWS\System32\SSCFBTN.EXE
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\iHateSpam4.0\siService.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\WINDOWS\System32\winini.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\iHateSpam4.0\siSpamFilterEngine.exe
C:\WINDOWS\System32\MSCStat2.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
C:\PROGRA~1\POPUPB~1\PopupBeGone.exe
Your running processes here look like some might be spam, i.e. cashback.exe, nls.exe, popupbegone.exe (run twice), SSCFBTN.EXE.

O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\iHateSpam4.0\siService.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winini.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
All the rest of these things too; some are the same as what's in your process list, so removing them or using HijackThis to remove these from startup will help (if HijackThis can do that). Some spyware will just reinstall or put itself back right after you stop it.

I would suggest using Bullet Proof Spyware (BPS) remover. Again, that is my all-time favorite. For example, Adaware, Spybot Search and Destroy and X-Cleaner may catch 400 or 500 instances of spyware, whereas the end result with BPS may be several thousand detections after you've used all the other ones. However, as I stated earlier, I use MULTIPLE tools, not just one. Try CWShredder as well, and get Spybot Search and Destroy; it's free. I suggest picking up the X-Cleaner free version as well. These will all pick up different ones that one or the other may not be able to find or remove. Also try running these programs in Safe Mode. Part of the problem may be that some of these are running in memory and the removal programs may not be able to touch them.

Also, if you get BPS, try using their hijack scanner and post its log here as well; it may pick up stuff that HijackThis may not.


OK, let me try a few of the applications you mentioned, but it will probably take a day to complete...

By the way, I am still not clear whether spyware/adware remover applications will help my case, because, as I mentioned, the network traffic continues even if I don't open IE. I mean, does spyware/adware only work when I open IE? Or does it work as long as I turn on the internet?

Thanks again.

SOLUTION

Lobo, below is after running Process Explorer, any comments?

Process      PID      CPU      Description      Company Name
System Idle Process      0      77            
 DPCs      n/a      1      Hardware Interrupts      
 DPCs      n/a      3      Deferred Procedure Calls      
 System      4                  
  smss.exe      608            Windows NT Session Manager      Microsoft Corporation
   csrss.exe      664            Client Server Runtime Process      Microsoft Corporation
   winlogon.exe      688            Windows NT Logon Application      Microsoft Corporation
    services.exe      732      3      Services and Controller app      Microsoft Corporation
     svchost.exe      1016            Generic Host Process for Win32 Services      Microsoft Corporation
      siSpamFilterEngine.exe      528                  GIANT Company Software
     svchost.exe      1116            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1388            Generic Host Process for Win32 Services      Microsoft Corporation
     svchost.exe      1432            Generic Host Process for Win32 Services      Microsoft Corporation
     spoolsv.exe      1728            Spooler SubSystem App      Microsoft Corporation
     alg.exe      1856            Application Layer Gateway Service      Microsoft Corporation
     CCEVTMGR.EXE      1888            Event Manager Service      Symantec Corporation
     compaq-rba.exe      1900            RBA      NeoPlanet
     NAVAPSVC.EXE      1596            Norton AntiVirus Auto-Protect Service      Symantec Corporation
     NPROTECT.EXE      180            Norton Protection Status      Symantec Corporation
     NOPDB.EXE      784            NOPDB      Symantec Corporation
     svchost.exe      1396            Generic Host Process for Win32 Services      Microsoft Corporation
    lsass.exe      744            LSA Shell (Export Version)      Microsoft Corporation
explorer.exe      1664            Windows Explorer      Microsoft Corporation
 atiptaxx.exe      2016            ATI Desktop Control Panel      ATI Technologies, Inc.
 SynTPLpr.exe      2024            TouchPad Driver Helper Application      Synaptics, Inc.
 SynTPEnh.exe      2032            Synaptics TouchPad Enhancements      Synaptics, Inc.
 eabservr.exe      2040            eabsrvr      Compaq
 ccApp.exe      168            Common Client CC App      Symantec Corporation
 Portctrl.exe      216            Fax printer driver control program for SmarThru      Samsung Electronics Co., Ltd., Samsung Software Center.
 Ikeymain.exe      232                  
 Amoumain.exe      220                  
 siService.exe      264      1            GIANT Company Software, inc.
 winini.exe      328      3            
 cashback.exe      336            CashBack Module      eXact Advertising
 nls.exe      348            NLS Module      eXact Advertising
 msmsgs.exe      388            Messenger      Microsoft Corporation
 ctfmon.exe      416            CTF Loader      Microsoft Corporation
 iexplore.exe      2788      1      Internet Explorer      Microsoft Corporation
 procexp.exe      3136      11      Sysinternals Process Explorer      Sysinternals

Process: System Idle Process Pid: 0

Type      Name


ASKER CERTIFIED SOLUTION
rossfingal

Hi RF,

Just by going to Task Manager, and ending the process winini.exe, it seems to stop the internet traffic!!!

But isn't that for automatic Windows update?

You mentioned to run services.msc, but I can't find winini.exe, where can I find it in services.msc?

Thanks,
Andrew

Avatar of rossfingalrossfingal🇺🇸

Hi! dearandrewlee

Winini.exe may not show up in services.msc.
A good clue concerning this comes from your Process Explorer log -
you'll notice that there is no description or company name for winini.exe - that's a "Red Flag"!
Look at C:\WINDOWS\System32\winini.exe - right click on winini.exe and look at the properties -
what does it show - manufacturer - version?
Also, just because you see a "supposedly" valid name listed in your HijackThis log -
"O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe" -
does not necessarily mean that it's a valid file - we see this quite often in HJT logs.
It's one of the ways that these "malware" writers have of trying to hide these things.

Make sure "System Restore" is disabled.
Turn on "Show all Files and Folders", including hidden and system.
Use Task Manager and Kill winini.exe.
Search your ENTIRE computer for any instances of winini.exe - particularly
the "Prefetch", "dllcache" and "System32" folders and all temp folders.
Delete any that you find.
Clean out all your temp files:
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
# Empty your "Recycle Bin".
Reboot your computer and post a new HijackThis log here.

Good luck!
RF

Hi Andrew,

Ross is right. However, there's something else you can do with Process Explorer. When you run it, you can double-click on the entry for winini.exe. It'll give you more information on what is running and where, and even an IP address of where it's connecting to if available. You can post that info here.

Good Vibes!

Lobo



Avatar of rossfingalrossfingal🇺🇸

Thanks Lobo!

RF

No prob, Ross. We're here to help, after all.

Good Vibes!

Lobo

Avatar of WakeupWakeup🇺🇸

Some of those things, like winini.exe, are not from Windows.  Some things are NAMED REAL CLOSE to the originals....and are actually spyware and viruses.  Most of the things that have DUPLICATE entries in your startup or HijackThis or anything similar to that are usually bad. (not all...but most)



Hi Andrew,

By the way, Ikeymain.exe is an Internet Keyboard driver, and Amoumain.exe is a driver for an A4 mouse. Both are safe.

Good Vibes!

Lobo

Dear all,

I think we're very close to identifying the problem!!! Thanks guys.

Regarding the winini.exe in C:\windows\system32, it doesn't have any info on manufacturer or version, but it was created on July 23, 2004, which I believe is exactly the date I started to face this problem! So this is likely the file that causes the internet traffic. By the way, this winini.exe is a hidden system file.

When searching my harddisk for winini.exe, I found two instances as follows:
c:\windows\prefetch\WININI.EXE-079632A0.pf
c:\windows\system32\winini.exe

I've deleted the c:\windows\system32\winini.exe as suggested. Should I delete the .pf file as well?

Before I deleted the winini.exe, I ran Process Explorer and double-clicked it, and there seemed to be a lot of activity going on, with green and red highlights turning on and off, many IP addresses, etc. It's so much that I don't think I can post it here. But winini.exe seems like the culprit, you agree?

After deleting my temp files, emptying the recycle bin and rebooting, I ran HijackThis again, and the log is as below:

Logfile of HijackThis v1.98.0
Scan saved at 12:02:55 PM, on 2/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
C:\Program Files\iHateSpam4.0\siService.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iHateSpam4.0\siSpamFilterEngine.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\lexmarklexmark_x83d8e5\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\WIRELE~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\WIRELE~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\iHateSpam4.0\siService.exe"
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MS Office 2000\Office10\OSA.EXE
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOFFI~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Advisor - {9EBC1900-098C-40D1-9AA0-66CF60B8268C} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC25245A-CC4C-470E-B821-B4D76DF49BE5}: NameServer = 165.21.83.88 165.21.100.88

Thanks,
Andrew

Avatar of WakeupWakeup🇺🇸

I believe it to be the culprit as well....
but some bad things still exist:
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC25245A-CC4C-470E-B821-B4D76DF49BE5}: NameServer = 165.21.83.88 165.21.100.88

Try removing those.

I also see in your running process STILL:
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe

What other programs have you used to remove or scan or check for viruses and spyware?


Again, the ones I listed earlier you should continue to use or try.
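A defender-side triage script that encodes the heuristics from rossfingal's and Wakeup's posts above (a process row with no description or company name, a startup value whose trustworthy-looking name proves nothing, and the same file registered in several autorun locations), as an added example that is not code from the thread, from HijackThis or from Sysinternals. It runs over constructed sample lines modelled on the logs Andrew posted; the regular expressions and the column handling are assumptions about those two text formats, not the tools' own parsers.

```python
import re
from collections import defaultdict

# Added example, not code from the thread, HijackThis or Sysinternals.
# Matches e.g.  O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O4_RE = re.compile(r'^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Executable path of a startup command, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?(?:\s.*)?$', re.I)


def image_path(cmd):
    """Path portion of a startup command (quotes and arguments removed)."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def suspicious_o4(lines):
    """Map image name -> reasons: same file in several autorun locations (Wakeup),
    or no path given, so only the copy Windows resolves can be vetted (rossfingal)."""
    seen = defaultdict(set)   # image name -> autorun locations registering it
    bare = set()              # image names registered without any directory
    for m in filter(None, (O4_RE.match(l.strip()) for l in lines)):
        path = image_path(m.group('cmd'))
        image = path.rsplit('\\', 1)[-1].lower()
        seen[image].add(m.group('loc'))
        if '\\' not in path:
            bare.add(image)
    findings = {}
    for image, locs in seen.items():
        reasons = ['registered in %d autorun locations' % len(locs)] if len(locs) > 1 else []
        if image in bare:
            reasons.append('no path given: inspect the System32 copy for version info')
        if reasons:
            findings[image] = reasons
    return findings


def unlabeled_processes(procexp_lines):
    """rossfingal's red flag: Process Explorer rows (name, PID, [CPU],
    description, company) carrying neither a description nor a company."""
    flagged = []
    for line in procexp_lines:
        fields = re.split(r'\s{2,}|\t+', line.strip())
        if len(fields) >= 2 and all(f.isdigit() for f in fields[1:]):
            flagged.append(fields[0].lower())
    return flagged


# Constructed sample modelled on the logs posted in the thread.
SAMPLE_O4 = [r'O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe',
             r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
             r'O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe',
             r'O4 - HKLM\..\RunServices: [Microsoft Update Machine] winini.exe',
             r'O4 - HKCU\..\Run: [Microsoft Update Machine] winini.exe']
SAMPLE_PROCEXP = ['ccApp.exe      168            Common Client CC App      Symantec Corporation',
                  'winini.exe      328      3            ',
                  'siService.exe      264      1            GIANT Company Software, inc.']
```

On the sample, `suspicious_o4` reports winini.exe for both reasons and atiptaxx.exe only for the missing path (a weaker signal, which is why the properties check matters), and `unlabeled_processes` flags only winini.exe.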




You're right, Wakeup, even though I've deleted the winini.exe file, it is still appearing in HijackThis as O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe. I'm not sure whether it's appearing as a registry entry or as a file. But I don't think it's a file because I've searched my hard disk for all instances of this file.

Using HiJack This, after checking that item, and fixing it, the winini.exe still appears after rescanning. No matter how many times I do, it still reappears. Why? What should I do?

I'm leaving cashback.exe because I know what it is. I've deleted the O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html

I've used Norton Anti-virus, Ad-aware 6.0, Hijack This, Spyware Remover, Process Explorer so far.

However, my network traffic has stopped since I deleted the winini.exe file.

Avatar of WakeupWakeup🇺🇸

Ya, most likely something is still hijacking your system.  That is why you get these:
O4 - HKLM\..\Run: [Microsoft Update Machine] winini.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC25245A-CC4C-470E-B821-B4D76DF49BE5}: NameServer = 165.21.83.88 165.21.100.88

Try CWShredder, and Spybot Search and Destroy.
I would also suggest using a different Anti virus software just to see.
Get Trendmicro's Syscleaner.  It too will also scan for both viruses and some spyware.

Most likely your traffic has stopped due to removal of the winini.exe file, and you may not have any probs anymore with it.  What you can do....if you feel like you know how....is go into the registry (regedit) and remove winini.exe from any run commands in the registry...but only do it if you feel comfortable.  You can always make a backup and then go from there.


Hi Andrew,

Run Process Explorer again and see if winini.exe is still reported. If so, double click on it to get a detailed report on its activity; it may be working in association with a DLL that, if that's the case, will have to be removed as well.

Good Vibes!

Lobo



Dear people,

Thank you very much for solving my problem. While it seems I still have a bit of spyware lying around, the main problem of high network traffic is solved and I do not want to bother you again. I will try other spyware remover applications when I have the time and settle it on my own.

I've also run the Process Explorer and don't see winini.exe.

Thank you once again, and you guys are just amazing!
Andrew

Thanks Andrew, I'm glad we could help.

Good Vibes!

Lobo

Avatar of rossfingalrossfingal🇺🇸

Hi!

You're not bothering us - as Lobo said above:
"we're here to help"
Thanks - best regards - let us know if you have further problems.

Cheers and good luck!
RF

P.S. - also good to see that you spread the points around - acknowledge the efforts! :)



Hi there!

I have this problem too, and now I know what to do, thanks very much.
I have an "msjarun.exe" that is like winini.exe. Do you have any info on this program?

Hi jfrich,

We may, but you'll need to start a new Question in order to get the full advantages of Experts Exchange's system.

Good Vibes!

Lobo