Can't get rid of this spyware!!

Posted on 2004-12-01
Last Modified: 2013-12-04
I have some spyware on my laptop that I have not been able to get rid of using Ad-Aware or Spybot.  The processes that I see running that I know are bad are CxtPls.exe, AutoUpdate.exe, and SED.exe.  Here is my HijackThis log.  Can someone please help me?!?!

Logfile of HijackThis v1.97.7
Scan saved at 12:01:22 PM, on 12/1/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\WS_FTP Pro\ftpsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Softex\Winroute\winroute.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\SED\SED.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =;;;;<local>
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
N2 - Netscape 6: user_pref("", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Carrie_Cardon\Application Data\Mozilla\Profiles\default\9l2ie1ie.slt\prefs.js)
O1 - Hosts:
O1 - Hosts:
O1 - Hosts:
O1 - Hosts: ATLDHPDC01
O1 - Hosts: ATLDHSQL01
O1 - Hosts: ATLDHAPP01
O1 - Hosts: ATLDHAPP02
O1 - Hosts: ATLDHSVC01
O1 - Hosts: ATLDHWEB01
O1 - Hosts: ATLDHWEB02
O1 - Hosts: ATLDHTAP01
O1 - Hosts:
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [winroute] C:\Program Files\Softex\Winroute\winroute.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [clcxnw] C:\WINNT\System32\quszbwq.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [ekggdy] C:\WINNT\System32\ytmcln\ekggdy.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [v77W37P] lab2cenu.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ewo6RXjFV] cfmmem07.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Configuration Utility.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O16 - DPF: {024A73C6-2766-11D3-821F-00105A272719} (ESMART_DTPicker.ESMARTDTPicker) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {5A4BFFB1-2D6E-11D3-A7CD-00C04F8F83CD} (GetHTTP APPLET) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
Question by:ag99carrie
    LVL 65

    Accepted Solution

    Hello ag99carrie =)

    You are using an old version of HijackThis, so download HijackThis v1.98.2 from here, run it and save the LOG file:

    Then Post that log at this site >>
    and it will automatically analyse it for u,,, Fix the entries which it labels as Nasty :)
    To Fix, check the lines in Hijackthis scan and click on Fix Checked !!

    HJT Log Tutorial >>

    CAUTION: Before fixing the entries in hijackthis, make sure that they are really Nasty and can be deleted, better u first research for it on Google and then when u will confirm that they shud be deleted, Fix them. And whenever u run Hijackthis, run it from a New folder on ur desktop, so that in case of any problem, u can take advantages of its created backups of fixed items. And in case if u still face problems in dealing with it, just analyse ur log at the above site, and then scroll down where u will see a Save Analyse button, hit it and it will save ur Log Analysation, then copy the link of that page and paste it here, and we will check it for u :)
    LVL 65

    Expert Comment

    Then use msconfig to untick unwanted programs as described here >>
    After that Download these tools and install and update Adaware and Spybot:
    AdAware ==>
    SpyBot  ==>
    CoolWebShredder ==>
    LSPFix ==>
    Stinger ==>

    Turn off your System Restore before cleaning the system if it's WinME\XP >>
    Boot your system in safemode, use LSPFix to remove those aklsp.dll & calsp.dll files
    Then Run all the rest four tools one by one and delete everything they detect.
    Delete the offending exe files manually from the hard drive if they are present on the hard drive
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on your hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ?? :)
    LVL 6

    Expert Comment

    Advice: Remove. This is a very high risk threat and should be removed immediately as to prevent harm to your computer or your privacy.

    Author: PeopleOnPage, Inc.
    Author URL:
    Author description: "PeopleOnPage (POP) is software that allows you to see everybody who's either been to or is currently on the same Web page as you, wherever you go on the Web. You can then chat with them using POP's instant messaging client, send an e-mail, or leave graffiti messages on the Web page for others to see. Use POP in World mode with your friends, or strike up a conversation with someone on your favorite Web site whose picture or tagline intrigues you. Dating mode helps you find someone who not only fits your dating criteria but also visits the sites that matter to you. Then just click their Chat or E-mail button to make contact. POP safeguards your privacy, so it couldn't be simpler or safer to meet people online."

    "POP! is a US-incorporated business with its headquarters in Seattle, Washington. The company is the first to develop the technology necessary to make one-on-one chatting possible on any website on the world wide web - not just on specialist chat sites or on sites with added chat features. So for the first time ever, instead of having to visit a particular community or dating website to chat, you can TAKE chat to any website."

    Distribution details: PeopleOnPage was bundled with Grokster around June 2003, and it installed by pop-up ActiveX drive-by download.

    Security details: PeopleOnPage includes an updater component which can silently download and execute arbitrary code from its controlling server.

    PeopleOnPage Signature Details: The following information includes some of the standard signatures* associated with this spyware threat. Please do not attempt to manually remove these items from your computer; Removing these items incorrectly or partially can cause your computer to experience critical errors, prevent your computer from restarting or cause loss of Internet connectivity.

    Author Comment

    Thanks SheharyaarSaahil!!  That did the trick!!
    Expert Comment

    I deal with spyware removal daily, below is a brief overview of the process I usually follow when removing some of these nasty programs.  I tried to simplify it a bit..

    1. Boot in safe mode, and disable all the items in startup using msconfig.  If you are using Windows XP, it may be a good idea to turn off system restore temporarily as well.

    2. Search the registry for keys containing 'run', this will show you the various folders used to start applications with the system.  You may also want to search for 'startup' keys.  I usually search the registry for the known spyware apps listed in msconfig as well

    3. Run some spyware scanning utilities.  I have a lot of success using hijackthis, spybot, ad-aware, and spysweeper, sometimes Bazooka...

    4. Empty all temp folders, and check the Program Files folder for signs of spyware remains... Folders like 'Toolbar' and 'Myway' are bad.

    5. I usually also go through the Windows and /system or /system32 folders, and arrange the files by date.  This is useful in spotting files all installed at the same time/date.  You can right-click the files, and select properties.  If the file displays information about its creator under the version tab, such as Company: Microsoft Corporation, then it is more than likely legitimate.  If there is a file that you are wary about, and it displays no information in these fields, try looking it up on Google to see what the exe or dll may be before deleting it.

    6. You can start to enable the startup items in msconfig.  If you recognize all the items in startup, then it is safe to enable all the items.

    7. It's not a bad idea to run scans again to ensure the applications haven't been reinstalled, may also want to try 's free online scan.  It does a good job finding some of the trojans associated with certain spyware applications.

    8. Don't forget to re-enable system restore when you're finished, and if at this point you are still having issues.. well..
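
Added example, not part of the thread and not code from HijackThis: a small Python triage pass over a HijackThis log that turns the advice above (research entries before fixing, look at the Run keys, remove the unknown LSP files) into a list of items to look up. The sample lines are copied from the log in the question; the two heuristics (a process the asker named, or a Run entry with no path) are assumptions for illustration and mark entries for research, not for deletion.

```python
import re

# Constructed sample: lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [ewo6RXjFV] cfmmem07.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
NAMED_IN_QUESTION = {"cxtpls.exe", "autoupdate.exe", "sed.exe"}  # processes the asker listed

def parse(log):
    """Group log lines by section code (O4, O10, ...), dropping exact repeats."""
    sections = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group(2) not in sections.setdefault(m.group(1), []):
            sections[m.group(1)].append(m.group(2))
    return sections

def exe_name(command):
    """Lower-cased file name of the program in a Run-key command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)\b", cmd, re.I)
        path = m.group(1) if m else (cmd.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].lower()

def review_list(log):
    """(section, detail, reason) tuples to research before fixing anything."""
    out, secs = [], parse(log)
    for item in secs.get("O4", []):
        m = RUN_RE.match(item)
        if not m:
            continue  # Startup-folder entries are not Run keys
        hive, value, command = m.groups()
        name = exe_name(command)
        if name in NAMED_IN_QUESTION:
            out.append(("O4", f"{hive} [{value}] {name}", "process named in the question"))
        elif "\\" not in command:
            out.append(("O4", f"{hive} [{value}] {name}", "no path; find the file and check its version info"))
    for item in secs.get("O10", []):
        out.append(("O10", item.rsplit("\\", 1)[-1], "unknown Winsock LSP file"))
    return out

if __name__ == "__main__":
    for row in review_list(SAMPLE_LOG):
        print(*row, sep=" | ")
```

A legitimate Windows entry such as mobsync.exe also lands on the list because it has no path, which is why the output is a research queue rather than a removal list.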
