Help needed to remove add software

Help with operating systems, apps, and software-related issues.
sirus
Registered User
Posts: 3
Joined: October 7th, 2005, 9:12 pm

Help needed to remove add software

Post by sirus »

I get a frequent popup saying my computer has critical errors. The message goes: "Messenger Service" Message from system to alert on ....... Windows has encountered an internal error, your registry is corrupted, we recommend a complete system scan, visit http://Fixregnow.com to repair now.

I know this is a hoax. Neither Norton, Ad-Aware, Spybot can put a finger on it. Here is my HijackThis log. Can you identify the key? Thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:15:30 PM, on 10/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4.exe
E:\Program Files\HP\hpcoretech\hpcmpmgr.exe
E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\System.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\Program Files\APC PowerChute Personal Edition\apcsystray.exe
E:\Program Files\APC PowerChute Personal Edition\mainserv.exe
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Norton Internet Security\ISSVC.exe
E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Raxco\PerfectDisk\PDSched.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Windows Media Player\wmplayer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Sirus\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58FC0047-2F99-4124-BBD0-58A939FD0BFB} - E:\WINDOWS\System32\kelfk.dll (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray
O4 - HKLM\..\Run: [HP Component Manager] "E:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] E:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft DLL Verifier] file.exe
O4 - HKLM\..\Run: [Service] System.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] file.exe
O4 - HKLM\..\RunServices: [Service] System.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hp psc 2000 Series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: officejet 6100.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/c ... dot8_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt3_x.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/defaul ... Loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0586782937
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZI ... b32651.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/defaul ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/defaul ... der_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D5453B1-F091-4E9D-98AB-D5E7D0075615}: NameServer = 206.47.244.17 206.47.244.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D5453B1-F091-4E9D-98AB-D5E7D0075615}: NameServer = 206.47.244.17 206.47.244.51
O20 - Winlogon Notify: WB - E:\PROGRA~1\WINDOW~4\fastload.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - E:\Program Files\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - E:\Program Files\Catia\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - E:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - E:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
PartieHonteuse
Registered User
Posts: 7
Joined: August 22nd, 2005, 9:34 am

Post by PartieHonteuse »

First, maybe think of upgrading to XP SP2? Maybe you have hardware that's not yet compatible or whatever, just thought I'd offer the suggestion.

To disable the Messenger service (not to be confused with Windows nor MSN Messenger), click Start Menu > Run > type "services.msc" (no quotes). Once you enter the Services window, find the "Messenger" service and double click it to open its properties. Set the "startup" type to "Disabled" and then click the "stop" button. Click "apply" then "ok". Shouldn't be receiving that message anymore.

Partie™
richh0323
Registered User
Posts: 512
Joined: December 14th, 2004, 8:47 pm
Location: Buffalo, New York

Post by richh0323 »

I would fix the following entries then run HJ again and let me know how everything is running.

E:\WINDOWS\System32\System.exe - Nasty running process. (System.exe) Added as result of a Troj/Bdoor-S worm infection

O2 - BHO: (no name) - {58FC0047-2F99-4124-BBD0-58A939FD0BFB} - E:\WINDOWS\System32\kelfk.dll (file missing) - Unknown

Check the IP address; if you don't know it, you should repair the following:

O17 - HKLM\System\CCS\Services\Tcpip\..\{4D5453B1-F091-4E9D-98AB-D5E7D0075615}: NameServer = 206.47.244.17 206.47.244.51 - Possibly nasty
O17 - HKLM\System\CS1\Services\Tcpip\..\{4D5453B1-F091-4E9D-98AB-D5E7D0075615}: NameServer = 206.47.244.17 206.47.244.51 - Possibly nasty

Search results for: 206.47.244.51

Bell Canada WORLDLINX03 (NET-206-47-0-0-1) 206.47.0.0 - 206.47.255.255
Bell SRF0121-CA (NET-206-47-244-0-1) 206.47.244.0 - 206.47.244.255

# ARIN WHOIS database, last updated 2005-10-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Look familiar?
If I could remember all I have forgotten, I would be a smart man.
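The manual review in the post above (autorun entries, a BHO whose file is missing, DNS servers to look up in WHOIS) can be expressed as a small triage script. This is an added example, not part of the original thread and not HijackThis's own logic: the function name `triage`, the finding labels and the three heuristics are assumptions chosen for illustration, and `SAMPLE_LOG` is an excerpt of the log posted in this thread.

```python
import re

# Excerpt of the HijackThis log posted earlier in this thread (sample input).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {58FC0047-2F99-4124-BBD0-58A939FD0BFB} - E:\WINDOWS\System32\kelfk.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft DLL Verifier] file.exe
O4 - HKLM\..\Run: [Service] System.exe
O4 - HKLM\..\RunServices: [Service] System.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D5453B1-F091-4E9D-98AB-D5E7D0075615}: NameServer = 206.47.244.17 206.47.244.51
"""

# O4 registry autoruns look like: O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")
NS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")

def triage(log_text):
    """Return (label, detail) pairs for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            # Executable is the quoted string, or the first token if unquoted.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
            # Assumed heuristic: an autorun given as a bare file name (no
            # directory) hides where the binary lives, e.g. "System.exe".
            if "\\" not in exe:
                findings.append(("autorun-no-path", f"{key} [{name}] {exe}"))
        elif line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            # Leftover registration: report the CLSID so it can be looked up.
            findings.append(("bho-file-missing", line.split(" - ")[2]))
        elif (m := NS_RE.match(line)):
            # DNS servers are not judged here, only listed for a WHOIS check
            # against the user's own ISP.
            for ip in m.group(1).split():
                findings.append(("dns-verify-owner", ip))
    return findings

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_LOG):
        print(f"{label:18} {detail}")
```

The findings are leads for a person to check, not verdicts: a flagged name server may simply belong to the user's ISP, as the WHOIS lookup in the post above suggests.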
sirus
Registered User
Posts: 3
Joined: October 7th, 2005, 9:12 pm

Help needed to remove add software

Post by sirus »

Thanks guys for the quick input. system.exe ended up being a keylogger; on top of that there were 3 worms in my system and Norton just watched. Had to get a fresh install of Windows to wipe out these bugs.
richh0323
Registered User
Posts: 512
Joined: December 14th, 2004, 8:47 pm
Location: Buffalo, New York

Post by richh0323 »

You're welcome. Glad you got it fixed. I just completed a new install on mine. I got a new trojan a few weeks ago, battled it for a few. Got rid of it but the damage was done. Had to save what I could and a new install for the rest. Had all the protection in place, but it got thru. :x
If I could remember all I have forgotten, I would be a smart man.