Can't get rid of this spyware!!

I have some spyware on my laptop that I have not been able to get rid of using Ad-Aware or Spybot.  The processes that I see running that I know are bad are CxtPls.exe, AutoUpdate.exe, and SED.exe.  Here is my HijackThis log.  Can someone please help me?!?!

Logfile of HijackThis v1.97.7
Scan saved at 12:01:22 PM, on 12/1/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Softex\Winroute\winroute.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\WINNT\System32\WLANSTA.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\kmw_run.exe
C:\Program Files\SED\SED.exe
C:\WINNT\System32\KMW_SHOW.EXE
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINNT\System32\lab2cenu.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\cfmmem07.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\System32\omwipe32.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.appsitehosting.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall.corp.sprint.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://secure.us.dell;http://inside.us.dell;http://securedev.us.dell;http://insidedev.us.dell;<local>
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.dellhost.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.dellhost.com"); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
O1 - Hosts: 209.235.107.68 app1.dellhost.com
O1 - Hosts: 209.235.107.69 app2.dellhost.com
O1 - Hosts: 209.196.6.141 tapp.dellhost.com
O1 - Hosts: 216.205.79.114 ATLDHPDC01
O1 - Hosts: 216.205.79.115 ATLDHSQL01
O1 - Hosts: 216.205.79.116 ATLDHAPP01
O1 - Hosts: 216.205.79.117 ATLDHAPP02
O1 - Hosts: 216.205.79.118 ATLDHSVC01
O1 - Hosts: 216.205.79.119 ATLDHWEB01
O1 - Hosts: 216.205.79.120 ATLDHWEB02
O1 - Hosts: 216.205.79.121 ATLDHTAP01
O1 - Hosts: 209.235.17.230 www.billy-bob.net
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [winroute] C:\Program Files\Softex\Winroute\winroute.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [clcxnw] C:\WINNT\System32\quszbwq.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [ekggdy] C:\WINNT\System32\ytmcln\ekggdy.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [v77W37P] lab2cenu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ewo6RXjFV] cfmmem07.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O16 - DPF: {024A73C6-2766-11D3-821F-00105A272719} (ESMART_DTPicker.ESMARTDTPicker) - http://app2.appsitehosting.com/dhsmart/client_code/ESMART_DTPicker.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5A4BFFB1-2D6E-11D3-A7CD-00C04F8F83CD} (GetHTTP APPLET) - http://inside.us.dell.com/finance/home/getHTTPApplet.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37869.5781134259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
ag99carrie Asked:

SheharyaarSaahil Commented:
Hello ag99carrie =)

You are using an old version of HijackThis, so Download HijackThis v1.98.2 from here, run it and Save the LOG file:
http://tools.radiosplace.com/HijackThis.exe

Then Post that log at this site >> http://www.hijackthis.de/index.php?langselect=english
and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

HJT Log Tutorial >> http://aumha.org/a/hjttutor.php

CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
0
SheharyaarSaahil Commented:
Then use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
After that Download these tools and install and update Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
LSPFix ==> http://www.spychecker.com/program/lspfix.html
Stinger ==> http://vil.nai.com/vil/stinger
========================================================

Turn off your System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml
Boot your system in safe mode, use LSPFix to remove those aklsp.dll & calsp.dll files
Then Run all the rest four tools one by one and delete everything they detect.
Delete the offending exe files manually from the hard drive if they are present on the hard drive
Then delete the temporary internet files and history of IE
and run Disk Cleanup on your hard drive to delete those temp and junk files.
Restart back in Normal Mode to check for the problems now ?? :)
0
caza13 Commented:
Advice: Remove. This is a very high risk threat and should be removed immediately so as to prevent harm to your computer or your privacy.

Author: PeopleOnPage, Inc.
Author URL: http://www.peopleonpage.com
Author description: "PeopleOnPage (POP) is software that allows you to see everybody who's either been to or is currently on the same Web page as you, wherever you go on the Web. You can then chat with them using POP's instant messaging client, send an e-mail, or leave graffiti messages on the Web page for others to see. Use POP in World mode with your friends, or strike up a conversation with someone on your favorite Web site whose picture or tagline intrigues you. Dating mode helps you find someone who not only fits your dating criteria but also visits the sites that matter to you. Then just click their Chat or E-mail button to make contact. POP safeguards your privacy, so it couldn't be simpler or safer to meet people online."

"POP! is a US-incorporated business with its headquarters in Seattle, Washington. The company is the first to develop the technology necessary to make one-on-one chatting possible on any website on the world wide web - not just on specialist chat sites or on sites with added chat features. So for the first time ever, instead of having to visit a particular community or dating website to chat, you can TAKE chat to any website."

Distribution details: PeopleOnPage was bundled with Grokster around June 2003, and it is installed by pop-up ActiveX drive-by download.

Security details: PeopleOnPage includes an updater component which can silently download and execute arbitrary code from its controlling server.

PeopleOnPage Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity.

http://www.spynet.com/spyware/spyware-PeopleOnPage.aspx
0
ag99carrie (Author) Commented:
Thanks SheharyaarSaahil!!  That did the trick!!
0
SheharyaarSaahil Commented:
^_^
0
ncmcn Commented:
I deal with spyware removal daily, below is a brief overview of the process I usually follow when removing some of these nasty programs.  I tried to simplify it a bit..

1. Boot in safe mode, and disable all the items in startup using msconfig.  If you are using Windows XP, it may be a good idea to turn off system restore temporarily as well.

2. Search the registry for keys containing 'run', this will show you the various folders used to start applications with the system.  You may also want to search for 'startup' keys.  I usually search the registry for the known spyware apps listed in msconfig as well

3. Run some spyware scanning utilities.  I have a lot of success using hijackthis, spybot, ad-aware, and spysweeper, sometimes Bazooka...

4. Empty all temp folders, and check the Program Files folder for signs of spyware remains... Folders like 'Toolbar' and 'Myway' are bad.

5. I usually also go through the Windows and /system or /system32 folders, and arrange the files by date.  This is useful in spotting files all installed at the same time/date.  You can right-click the files, and select properties.  If the file displays information about its creator under the version tab, such as Company: Microsoft Corporation, then it is more than likely legitimate.  If there is a file that you are wary about, and it displays no information in these fields, try looking it up on google to see what the exe or dll may be before deleting it.

6. You can start to enable the startup items in msconfig.  If you recognize all the items in startup, then it is safe to enable all the items.

7. It's not a bad idea to run scans again to ensure the applications haven't been reinstalled, may also want to try www.trendmicro.com 's free online scan.  It does a good job finding some of the trojans associated with certain spyware applications.

8. Don't forget to re-enable system restore when you're finished, and if at this point you are still having issues.. well..
0
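An added example, not part of any poster's reply and not HijackThis's own code: a small Python triage pass over the log format shown in the question. It pulls out the O4 registry Run entries that launch one of the three processes the asker named, and the distinct O10 Winsock LSP files that the thread removes with LSPFix. The function names, the watchlist and the assumption that lines follow the v1.97.7 layout above are mine.

```python
import re
# Excerpt of lines from the HijackThis log posted in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
"""
# Assumption: watchlist = the process names the asker called bad, matched by file name.
WATCHLIST = {"cxtpls.exe", "autoupdate.exe", "sed.exe"}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")
IMAGE_RE = re.compile(r'"?(.*?\.(?:exe|dll))\b', re.I)

def parse_entries(text):
    """Return (section_code, body) for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY_RE.match, text.splitlines()) if m]

def image_name(command):
    """Lower-cased file name of the program a Run value launches, or None."""
    m = IMAGE_RE.match(command)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else None

def autoruns(entries):
    """O4 registry Run entries as dicts: hive, key, value name, command, image."""
    out = []
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            hive, key, name, cmd = m.groups()
            out.append({"hive": hive, "key": key, "name": name,
                        "command": cmd, "image": image_name(cmd)})
    return out

def watchlisted(runs, watchlist=WATCHLIST):
    """Run entries whose launched file name is on the watchlist."""
    return [r for r in runs if r["image"] in watchlist]

def lsp_files(entries):
    """Unique O10 Winsock LSP files, in first-seen order."""
    paths = (b.split(": ", 1)[-1].lower() for c, b in entries if c == "O10")
    return list(dict.fromkeys(paths))

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("autoruns to review:", [r["name"] for r in watchlisted(autoruns(entries))])
    print("LSP files to look up:", lsp_files(entries))
```

The output is a review list only; as the replies above say, look each item up before fixing it in HijackThis or removing it.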