
Removal of spyware/adware programs (HJT log included)

Discussion in 'Malware and Virus Removal Archive' started by what, 2005/10/24.

  1. 2005/10/24
    what

    what Inactive Thread Starter

    Joined:
    2005/10/24
    Messages:
    6
    Likes Received:
    0
    can someone please help me remove any unnecessary spyware/adware programs shown in the log below.. I cleaned whatever I could out, but i think there are several more programs in there that messed my computer up last night.. especially on the hotmail front page and yahoo.. i know for a fact that's not how the front page should look.. this is an image of what it looks like..
    http://www.geocities.com/johnple3/hotmail.jpg

    thanks in advance!
    another thing is i tried removing all the O10s with LSPfix and they keep on coming back! :mad:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:11:05 PM, on 10/24/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\Ati2evxx.exe
    F:\WINNT\system32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINNT\system32\spoolsv.exe
    F:\WINNT\System32\svchost.exe
    F:\WINNT\system32\gearsec.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINNT\system32\regsvc.exe
    F:\WINNT\system32\MSTask.exe
    F:\WINNT\system32\stisvc.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\Ati2evxx.exe
    F:\WINNT\Explorer.EXE
    F:\WINNT\soundman.exe
    F:\WINNT\system32\pctspk.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\WINNT\system32\P2P Networking\P2P Networking.exe
    F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    F:\WINNT\system32\internat.exe
    H:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    H:\Program Files\Yahoo\Messenger\ymsgr_tray.exe
    F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    f:\winnt\system32\mrkscr.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Internet Explorer\IEXPLORE.EXE
    H:\Program Files\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AtiPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\RunServices: [Detect] H:\Program Files\iNTERNET Turbo\iDetect.exe /auto
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] H:\Program Files\Yahoo\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Image Transfer.lnk = H:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - H:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - H:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: AbsolutePoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com (HKLM)
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124752691312
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37806.5108101852
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65897CF4-41A7-490C-91FE-643BF9BA4E70}: NameServer = 64.40.40.53 66.54.140.10
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A831C50-33C5-4A14-8457-95F253E65C38}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
    Last edited: 2005/10/24
    what,
    #1
  2. 2005/10/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You have at least two critters on your PC that should have been removed by any good spyware removal app. Get (see quicklinks in my signature) Ad-aware and Spybot Search & Destroy and after updating each, run it and let it clean.

    Get the latest version of HijackThis. Run a scan and remove all the O16 entries (they will be reloaded as needed from later versions on the internet).

    Create a blank html page and name it safe-page.htm then save/store it on your PC. Change your home page to that page until we get things cleaned.

    Post another HJT log after you've done the above.
     
    Newt,
    #2


  4. 2005/10/24
    what

    what Inactive Thread Starter

    Joined:
    2005/10/24
    Messages:
    6
    Likes Received:
    0
    done all of the above..
    and here's the new log.. i still have problems with hotmail and yahoo frontpage.. :)


    Logfile of HijackThis v1.99.1
    Scan saved at 8:38:55 PM, on 10/24/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\Ati2evxx.exe
    F:\WINNT\system32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINNT\system32\spoolsv.exe
    F:\WINNT\System32\svchost.exe
    F:\WINNT\system32\gearsec.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    F:\WINNT\system32\regsvc.exe
    F:\WINNT\system32\MSTask.exe
    F:\WINNT\system32\stisvc.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\System32\svchost.exe
    F:\WINNT\system32\Ati2evxx.exe
    F:\WINNT\Explorer.EXE
    F:\WINNT\soundman.exe
    F:\WINNT\system32\pctspk.exe
    F:\Program Files\Common Files\Real\Update_OB\realsched.exe
    F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    F:\WINNT\system32\internat.exe
    H:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    H:\Program Files\Yahoo\Messenger\ymsgr_tray.exe
    F:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    H:\Downloads\hijackthis\HijackThis.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\WINNT\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///F:/Documents%20and%20Settings/Administrator/Desktop/safe-page.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AtiPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ccApp] F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] F:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [ViewMgr] F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\RunServices: [Detect] H:\Program Files\iNTERNET Turbo\iDetect.exe /auto
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] H:\Program Files\Yahoo\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Image Transfer.lnk = H:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = F:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Download with &DAP - H:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - H:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - F:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - H:\Program Files\Yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - H:\Program Files\Yahoo\Messenger\yhexbmes0411.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\Aim\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - F:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - F:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65897CF4-41A7-490C-91FE-643BF9BA4E70}: NameServer = 64.136.20.121 64.136.28.121
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINNT\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINNT\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
    O23 - Service: GEARSecurity - GEAR Software - F:\WINNT\system32\gearsec.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    what,
    #3
  5. 2005/10/25
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    These are legit but are just sludge. They don't do anything good for you and do slow your system down a little by running at every startup. I'd suggest using HJT and getting rid of them.
    O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime


    This is adware/spyware and needs to go.
    O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    Removal instructions Here

    This one is a little tricky. Internat.exe if located in \winnt\system32 and if a check of properties indicates it is from Microsoft then it is legit and needs to run. Otherwise, it is probably part of a trojan and needs to be removed. You basically need to locate the file on your PC (or files if there are multiple copies) and if you find any other than the legit version, you need to remove the trojan.
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    PWSteal.Netsnake Symantec ( http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.netsnake.html ) and
    Win32.HLLW.Ghotex.A [KAV] Symantec ( http://securityresponse.symantec.com/avcenter/venc/data/w32.ghotex.a.html ) both drop a file by that name as part of their infection.

    I'm not really sure about these but they smell bad to me. However, they would only be an indicator of a problem so you need to wait for some expert advice before messing with them. Note that they may be perfectly legit but since I can't match 65897CF4-41A7-490C-91FE-643BF9BA4E70 to anything after some searching, I'm betting on it being a random CLSID that a critter has put in your registry.
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65897CF4-41A7-490C-91FE-643BF9BA4E70}: NameServer = 64.136.20.121 64.136.28.121
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
     
    Newt,
    #4
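The two HijackThis logs posted above can be compared mechanically rather than by eye. The following is an added example, not part of the original thread: it parses excerpts copied from both logs and reports what changed between scans, normalising the entry formats that differ between v1.97.7 and v1.99.1 and listing sections that exist only in the newer log separately. The function names and result keys are this example's own.

```python
import re
# Excerpts copied from the two logs in this thread (v1.97.7, then v1.99.1).
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
F:\WINNT\system32\P2P Networking\P2P Networking.exe
F:\WINNT\system32\internat.exe
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: AIM (HKLM)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\mkls.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{65897CF4-41A7-490C-91FE-643BF9BA4E70}: NameServer = 64.40.40.53 66.54.140.10
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
F:\WINNT\system32\internat.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [P2P Networking] F:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - H:\Program Files\Aim\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{65897CF4-41A7-490C-91FE-643BF9BA4E70}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: GEARSecurity - GEAR Software - F:\WINNT\system32\gearsec.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def entry_key(section, body):
    """Normalise an entry so the v1.97.7 and v1.99.1 renderings compare equal."""
    clsid = CLSID.search(body)
    if section in ("O2", "O3") and clsid:
        return clsid.group(0).upper()  # display name differs by version
    if section == "O9":
        return re.split(r" - | \(HK", body)[0].lower()  # keep the label only
    return " ".join(body.lower().split())

def parse(log):
    """Return (running process paths, {section: set of normalised entries})."""
    procs, entries, in_procs = set(), {}, False
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.setdefault(m.group(1), set()).add(entry_key(*m.groups()))
        elif in_procs and line:
            procs.add(line.lower())
    return procs, entries

def diff_logs(before, after):
    (p0, e0), (p1, e1) = parse(before), parse(after)
    gone = sorted(p0 - p1)
    return {
        "procs_gone": gone,
        "removed": {s: sorted(v - e1.get(s, set())) for s, v in e0.items() if v - e1.get(s, set())},
        "added": {s: sorted(v - e0[s]) for s, v in e1.items() if s in e0 and v - e0[s]},
        "sections_only_after": sorted(set(e1) - set(e0)),  # may be scanner-version drift
        # autoruns still registered for a process that is no longer running
        "lingering_autoruns": sorted(k for k in e1.get("O4", ()) if any(p in k for p in gone)),
    }
```

On these excerpts, `diff_logs(LOG_BEFORE, LOG_AFTER)` reports the mkls.dll LSP and O16 entries as removed, the NameServer value as changed, and the P2P Networking Run entry as still registered although its process is no longer running.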
  6. 2005/10/25
    what

    what Inactive Thread Starter

    Joined:
    2005/10/24
    Messages:
    6
    Likes Received:
    0
    ok.. thank you very much.. everything seemed to be in order..
    however, i still have problems with my browser.. i can't seem to find the bug that's causing this! if you could click on the picture below.. you may get an idea of what i am talking about.. they are in the red boxes, and that advertisement is what pops up after i hover over the front page.. it just happened a couple of days ago.. :(
    http://www.geocities.com/johnple3/buggy.jpg

    i tried scanning with adware, Spybot S&D, and norton antivirus, but they don't seem to remove that little bug.. are there any indications in the HJT log that can tell what's causing it?
     
    what,
    #5
  7. 2005/10/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Those popups are quite normal for registered members and non-members. They will go away if you become a contributing member. Keywords are highlighted here and a popup with info on those keywords is the result of moving your mouse over them.

    The O17 entries appear to be related to Juno. If using it, they are quite alright. If you were but are not now, you can safely fix those entries.
     
  8. 2005/10/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Thanks for the O17 info Dave. Whew!!!
     
    Newt,
    #7
  9. 2005/10/26
    what

    what Inactive Thread Starter

    Joined:
    2005/10/24
    Messages:
    6
    Likes Received:
    0
    TY, i do use Juno sometimes so those O17 are a keeper
     
    what,
    #8
