
help needed.. don't know what to do.. egroup/instant access..

Discussion in 'Malware and Virus Removal Archive' started by suaimhneas, 2005/03/25.

Thread Status:
Not open for further replies.
  1. 2005/03/25
    suaimhneas

    suaimhneas Inactive Thread Starter

    Joined:
    2005/03/25
    Messages:
    5
    Likes Received:
    0
    Hey guys,

    Great site you have here. Fair play!

    I am having the same problem as many others, it seems.. with zipzappromos/instant access/egroup. I've tried loads of things to get rid of it, using old posts from here, but no matter what I do, it keeps re-appearing. I guess everyone's case is probably different, so thought I'd better post here if I have any chance of ever getting rid of it.

    I've downloaded ms antispyware, hijackthis, ad-aware, amongst others. Still no joy. It doesn't seem to be dialling any numbers - possibly because I'm in Ireland? - but, it is really annoying, and keeps shutting down IE and stuff like that. Dying to be rid!

    Okay, so here is my HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 14:49:23, on 25/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\RTE\RTEGPRS.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\wicklowbayhostel\Desktop\Diagnosis Tools\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A68DBE8C-68D2-47CC-9025-E53C0909BF22}: NameServer = 194.145.128.1 194.125.2.206
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    I don't know which entries are bad and which not.. would really, really appreciate help, if anyone has the time..

    thanks a million, karen.
     
  2. 2005/03/25
    suaimhneas

    suaimhneas Inactive Thread Starter

    Joined:
    2005/03/25
    Messages:
    5
    Likes Received:
    0
    and here are the installed programs...

    INSTALLED SOFTWARE (69) - 25/03/2005 15:00:24

    Ad-Aware SE Personal
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Reader 6.0 Ver: 6.0 Installed: 19/09/2003
    ArcSoft Funhouse 1.0
    ArcSoft PhotoImpression 4
    Broadcom Management Programs Ver: 4.01.0000 Installed: 10/09/2003
    Broadcom Management Programs Ver: 4.01.0000 Installed: 10/09/2003
    CM 03-04 Ver: 4.1.0 Installed: 16/08/2004
    CM 03-04 Ver: 4.1.0 Installed: 16/08/2004
    Conexant SmartHSFi V92 56K DF PCI Modem
    Dell Solution Center Ver: 1.00.0000 Installed: 10/09/2003
    Digital Line Detect Ver: 1.06.2
    DVD Decrypter (Remove Only)
    FinePixViewer Ver.4.2
    FUJIFILM USB Driver
    Help and Support Customization Ver: 1.00.0000 Installed: 10/09/2003
    HijackThis 1.99.0 Ver: 1.99.0
    ImageMixer VCD2 for FinePix
    Intel(R) Extreme Graphics Driver
    kuhofzpy
    Lexmark Supplies Monitor
    Lexmark Z55
    LiveReg (Symantec Corporation) Ver: 2.2.5.1678
    LiveUpdate 2.5 (Symantec Corporation) Ver: 2.5.55.0
    Microsoft Age of Empires Gold
    Microsoft AntiSpyware Ver: 1.0 Installed: 02/02/2005
    Microsoft Data Access Components KB870669
    Microsoft Office 2000 Premium Ver: 9.00.2720 Installed: 25/11/2004
    Microsoft PowerPoint Viewer 97
    Microsoft Works 7.0 Ver: 07.02.0620 Installed: 10/09/2003
    MicroStaff WINASPI
    Modem Helper
    MSN Gaming Zone
    MyDsc2 Ver: 1.00.000
    NetWaiting Ver: 2.5.4
    Norton AntiVirus 2003 Ver: 9.01.0 Installed: 10/09/2003
    Norton WMI Update Ver: 2005.1.2.20 Installed: 18/11/2004
    Pacific Poker
    Paint Shop Pro 7 Ver: 7.06.0000 Installed: 10/09/2003
    Pop-Up Stopper Free Edition Ver: 3.1
    QualifaX 3.01
    RAW FILE CONVERTER LE
    RealPlayer
    Shockwave Flash
    SimCity 3000
    Spybot - Search & Destroy 1.3 Ver: 1.3
    Ulead Photo Express 3.0 SE
    WebFldrs XP Ver: 9.50.6513 Installed: 03/09/2002
    WellPhone
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB887742 Ver: 20041103.095002
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    Windows XP Service Pack 2 Ver: 20040803.231319
    WinDriversBackup
    WinMX


    ~ k.
     


  4. 2005/03/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS suaimhneas (Karen) :)

    Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in kuhofzpy then click OK. When wordpad opens, copy that back here please.

    Would you also download HijackThis.exe from here, overwriting the one you currently have, then post a new log. It's an updated version and may show us more. ;)

    Also, do you intentionally have SearchAnt chosen for a search engine?
     
  5. 2005/03/26
    suaimhneas

    suaimhneas Inactive Thread Starter

    Joined:
    2005/03/25
    Messages:
    5
    Likes Received:
    0
    hey noahdfear :)

    thanks so much for your reply.

    results of registry search:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "kuhofzpy" 26/03/2005 14:39:48

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kuhofzpy"="c:\\windows\\system32\\kuhofzpy.exe -start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kuhofzpy]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kuhofzpy]
    "UninstallString"="c:\\windows\\system32\\kuhofzpy.exe -uninstall"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kuhofzpy]
    "DisplayName"="kuhofzpy"

    [HKEY_USERS\S-1-5-21-1439552318-2363524333-3162854727-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\windows\\system32\\kuhofzpy.exe"="kuhofzpy"

    ---


    new hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 14:42:01, on 26/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\RTE\RTEGPRS.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\wicklowbayhostel\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A68DBE8C-68D2-47CC-9025-E53C0909BF22}: NameServer = 194.145.128.1 194.125.2.206
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    ---

    no, i don't intentionally have searchant as my search engine.. i'm guessing i should change that somehow so ;)

    thanks again...

    karen
     
  6. 2005/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download the RemInstAcc.zip file attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to RemInstAcc.zip. You may need to enable viewing extensions for known file types to see the zip and bat extensions. To do that, open My Computer and click Tools on the menu, then folder options. Click the view tab of the window that opens and uncheck the box to Hide extensions...... and click OK. Now right click the zip and extract the RemInstAcc.bat file to your desktop.

    Note to others..... the attachment was written specifically for this machine. Please do not use if you have zipzap popups too. Start your own thread and someone will gladly assist you.

    Right click the desktop and choose new>folder. Name it HJT. Cut and paste HijackThis.exe to that folder.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Double click the RemInstAcc.bat file.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess


    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK.

    Run another HijackThis scan and post the log. Let us know if the popups stop.
     
  7. 2005/03/26
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Attached Files
    RemInstAcc.zip (343 Bytes, 0 views)

    Linky no worky.
     
  8. 2005/03/26
    suaimhneas

    suaimhneas Inactive Thread Starter

    Joined:
    2005/03/25
    Messages:
    5
    Likes Received:
    0
    hey dave

    thanks so much for that. it's looking okay so far. no popups. maybe too early to say though? but so far so good! here is the hjt log, hopefully now minus instant access.

    you are a lifesaver!

    karen

    Logfile of HijackThis v1.99.1
    Scan saved at 17:42:25, on 26/03/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\UAService7.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Common Files\RTE\RTEGPRS.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\wicklowbayhostel\Desktop\hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ireland.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [RTEGPRS] "C:\Program Files\Common Files\RTE\RTEGPRS.exe" tray
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
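
A way to check a fix like the one in this thread mechanically, added here as an example and not part of any post: the Python below parses HijackThis entry lines and compares the log taken before the fix with the one taken after it. The entry lines are excerpts copied from the posts above; the function names and the dictionary keys are assumptions of this example.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.+?)\s*$")

# Excerpts copied from the logs posted in this thread (not the full logs).
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\rundll32.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A68DBE8C-68D2-47CC-9025-E53C0909BF22}: NameServer = 194.145.128.1 194.125.2.206
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
AFTER = r"""
Running processes:
C:\WINDOWS\system32\UAService7.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O17 - HKLM\Software\..\Telephony: DomainName = addressisp.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""
# The two entries the helper asked to have fixed.
FLAGGED = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.searchant.com/r=6&s=%s
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
"""

def parse_entries(log_text):
    """Return (section, detail) pairs; header and process lines have no
    section code and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def _key(entry):
    # Compare case-insensitively with runs of whitespace collapsed, so that
    # copy/paste differences between forum posts do not show up as changes.
    section, detail = entry
    return (section, " ".join(detail.lower().split()))

def diff_logs(before_text, after_text):
    """Entries that disappeared and entries that are new, in log order."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    removed = [e for e in before if _key(e) not in after_keys]
    added = [e for e in after if _key(e) not in before_keys]
    return removed, added

def review_fix(before_text, after_text, flagged_text):
    """Check that flagged entries are gone and list every other change."""
    flagged = {_key(e) for e in parse_entries(flagged_text)}
    after_keys = {_key(e) for e in parse_entries(after_text)}
    removed, added = diff_logs(before_text, after_text)
    return {
        "still_present": sorted(k for k in flagged if k in after_keys),
        "removed_unflagged": [e for e in removed if _key(e) not in flagged],
        "added": added,
    }

if __name__ == "__main__":
    for name, items in review_fix(BEFORE, AFTER, FLAGGED).items():
        print(name)
        for section, detail in items:
            print("   ", section, "-", detail)
```

On these excerpts both flagged entries are gone, the O17 NameServer entry has also disappeared without being flagged, and the O23 SecuROM service is new. Compare logs from the same HijackThis version: v1.99.1 prints the service short name on O23 lines, so every O23 line would differ from a v1.99.0 log.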
     
  9. 2005/03/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :) Re-enable System Restore and create a manual restore point. If you haven't already done so, I also recommend you open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly and watch for any protection being disabled. Then, still in Spybot, click tools button, then IE tweaks and at least lock the HOSTS file.
    Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.

    Happy to help. :)
     
  10. 2005/03/27
    suaimhneas

    suaimhneas Inactive Thread Starter

    Joined:
    2005/03/25
    Messages:
    5
    Likes Received:
    0
    fantastic, much much much much appreciated!!

    karen
     