Second Request on same question Spyware Toolbar

I have been looking for answers to this question for months -  How do I remove this Spyware toolbar It only appears when I  connect to the Internet in Explorer It does not appear when I connect in Mozilla Firefox

I  think I have fixed some of the problems in my ie browser with hyjack this but I am still getting a spyware toolbar that wont go away It looks like this:


   Make money   Music   Casino
 
  Investing   Travel   Mortgage
   Dating - Singles - Personals - Escorts - Chat Rooms  Travel - Airline Tickets - Hotels - Cruises - Vacations  Careers - Job Listings - Education - Work At Home - Part Time
 Credit - Credit Cards - Cash Advance - Mortgage - Car Loans  Computers - DVD - Games - Digital Camera - Ink Cartridge  Insurance - Car Insurance - Health Ins. - Life Ins. - Renters Ins

Its properties when I right click on it look like this:

Search Now!

HyperText Transfer Protocol
   
HTM File

Not Encrypted

http://search200.com/passthrough/newpass2.html

size is 7320 bytes -

It only appears when I am connected to the internet and it goes away when I click on its close box but it always comes back when i use explorer

My Hyjack this log file now looks like this

Logfile of HijackThis v1.97.7
Scan saved at 5:10:31 AM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\O2Micro\SuperDJ\Monitor.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\winnt\180solutions\saap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\ctfmon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Stealther\stealth26.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\Working Docs\White Papers\Computer Docs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://epihtbmqskudwyzibhl.com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.MyCopper.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Copper.net Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:14000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [O2PLEmonitor] C:\Program Files\O2Micro\SuperDJ\Monitor.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - Startup: Stealther Startup.lnk = C:\Program Files\Stealther\stealth26.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.MyCopper.net
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.2661921296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D99612C-19B8-48F7-8629-EE97FA51D2DC}: NameServer = 65.247.64.21 209.41.196.13

Any suggestions???
MonroeDowlingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KerryGCommented:
Get the latest version of HiJackThis!
Run the results through http://www.hijackthis.de/index.php?langselect=english

Get AdAware, Spybot 1,3 and AVG Antivirus
Update all three but only run AVG

reboot into safe mode and then run AdAware and Spybot.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
adamdrayerCommented:
many people at EE have lately come out against posting HJT logs in questions.  They prefer that you use HJT only as a last resort, and you self-diagnose it by running the online analyzer here:
http://ww.hijackthis.de/ 
and come here to post only about unknowns. That being said, you do have some viruses and adware on your computer.

I believe these to be bad and would fix them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:// epihtbmqskudwyzibhl . com/AkYYb78TXyT5wHnaHCHKu4jcLLtskEhD1op16XH7d3PsEaE77JpBz/kkHC9cFZxH.html
O4 - HKLM\..\Run: [lcl] C:\WINNT\lcl.exe
O4 - HKCU\..\Run: [Dale Bend] C:\DOCUME~1\Owner\APPLIC~1\TONSNE~1\long 2.exe
O4 - HKLM\..\Run: [Datawebbinchic] C:\Documents and Settings\All Users\Application Data\Skip Bags Data Web\Proc Name.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

But before you fix them using HJT, you should run a few virus scans and spyware scans.  HJT is a last resort.  You seem to also be running the 180Solutions program.  It's here: C:\winnt\180solutions\saap.exe.  Kill the process immediately and delete the file.  This particular program is notoriously hard to get rid of.


***
Standard HJT Disclaimer-

The above items I say are bad because of any combination of the following:
-I am familiar with them as bad programs
-I cannot find anything on the web about them.
-Naming convention for executable seems to be random letters/numbers
-Naming convention for executable contains spaces (not common among professional programs)
-Registry Value is non-descript or simply the name of the executable

I encourage you to do any research on the above programs and concluding that they are unwanted before fixing them as entries.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.