
HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run



cflannagan
2006-09-17, 12:10
Ran both Ad-Aware SE and Spybot S&D.. fully updated, fully immunized.. ran Spybot S&D in safe mode as well. Thought all was well until I came back online and a browser window popped up advertising some kind of cell phone.

Here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 2:45:32 AM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}\Update.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/VideoSignSetup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\kt0ql7d51.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

Rawe
2006-09-17, 12:15
Welcome aboard :)

Please download Combofix (http://download.bleepingcomputer.com/sUBs/combofix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

cflannagan
2006-09-17, 12:32
Here you go - I think the popups might have stopped..

Shall I post a new HJT as well? Thanks by the way!



Craig Flannagan - 06-09-17 3:26:21.00 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Craig Flannagan\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\jt6407jqe.dll
C:\WINDOWS\system32\kt0ql7d51.dll
C:\WINDOWS\system32\wgnsta.dll
C:\WINDOWS\system32\guard.tmp


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Craig Flannagan\Application Data\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))


2006-09-17 03:17 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-09-17 00:08 240,000 -r-hs---- C:\WINDOWS\eenyseaA.exe
2006-09-17 00:07 1,147,824 -r-hs---- C:\WINDOWS\eenysea.exe
2006-08-31 00:40 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-08-29 21:41 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-17 03:26 -------- d-------- C:\Program Files\Common Files
2006-09-17 02:01 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-17 01:43 -------- d-------- C:\Program Files\Lavasoft
2006-09-17 01:43 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Lavasoft
2006-09-17 00:10 -------- d-------- C:\Program Files\PartyPoker
2006-09-17 00:07 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-17 00:07 -------- d-------- C:\Program Files\NetMeeting
2006-09-17 00:07 -------- d-------- C:\Program Files\Internet Explorer
2006-09-16 22:37 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-08 22:17 -------- d-------- C:\Program Files\Lumigent
2006-09-07 07:31 -------- d-------- C:\Program Files\Symantec
2006-09-05 19:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-05 19:21 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Symantec
2006-09-03 21:07 -------- d---s---- C:\Documents and Settings\Craig Flannagan\Application Data\Microsoft
2006-09-01 20:02 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Azureus
2006-09-01 17:21 -------- d-------- C:\Program Files\Azureus
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-30 23:28 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\AdobeUM
2006-08-29 21:41 -------- d-------- C:\Program Files\Railroad Tycoon 3
2006-08-29 21:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-29 21:33 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc2FF.dll
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc299.dll
2006-08-08 23:17 -------- d-------- C:\Program Files\VoxCode
2006-08-08 23:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-08 22:58 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-08-08 22:48 -------- d-------- C:\Program Files\SQLXML 4.0
2006-08-08 22:38 -------- d-------- C:\Program Files\Microsoft Analysis Services
2006-08-08 22:23 -------- d-------- C:\Program Files\IGN
2006-08-08 22:12 -------- d-------- C:\Program Files\Crimson Editor
2006-08-08 22:11 -------- d-------- C:\Program Files\Macromedia
2006-08-08 22:11 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Macromedia
2006-08-08 21:46 -------- d-------- C:\Program Files\MSDN
2006-08-08 21:42 -------- d-------- C:\Program Files\Microsoft.NET
2006-08-08 21:41 -------- d-------- C:\Program Files\Microsoft Device Emulator
2006-08-08 21:40 -------- d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2006-08-08 21:33 -------- d-------- C:\Program Files\MSBuild
2006-08-08 21:33 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-08-08 21:33 -------- d-------- C:\Program Files\HTML Help Workshop
2006-08-08 21:32 -------- d-------- C:\Program Files\Common Files\Merge Modules
2006-08-08 21:26 -------- d-------- C:\Program Files\Common Files\Business Objects
2006-08-08 21:24 -------- d-------- C:\Program Files\CE Remote Tools
2006-08-08 21:22 -------- d-------- C:\Program Files\Microsoft Office
2006-08-07 08:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 18:46 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Mozilla
2006-07-25 00:39 -------- d-------- C:\Program Files\Messenger
2006-07-25 00:38 -------- d-------- C:\Program Files\Windows Media Player
2006-07-25 00:35 -------- d-------- C:\Program Files\Outlook Express
2006-07-25 00:35 -------- d-------- C:\Program Files\Common Files\System
2006-07-24 22:41 -------- d-------- C:\Program Files\D-Link
2006-07-24 22:41 -------- d-------- C:\Program Files\ANI
2006-07-24 22:21 -------- d-------- C:\Program Files\Movie Maker
2006-07-24 22:16 -------- d-------- C:\Program Files\Windows NT
2006-07-24 22:07 -------- d-------- C:\Program Files\Google
2006-07-24 21:44 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\POPFile
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 00:19 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll
2006-06-19 13:39 139264 --a------ C:\WINDOWS\876056.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"D-Link RangeBooster G WDA-2320"="C:\\Program Files\\D-Link\\RangeBooster G WDA-2320\\AirPlusCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"nwiz"="nwiz.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\NetMeeting\\podoci.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Internet Explorer\\mebezane.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 1000 series.lnk"
"backup"="C:\\WINDOWS\\pss\\hp psc 1000 series.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpohmr08.exe "
"item"="hp psc 1000 series"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpotdd01.exe "
"item"="hpoddt01.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^odduo.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
"backup"="C:\\WINDOWS\\pss\\odduo.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
"item"="odduo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run POPFile.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run POPFile.lnk"
"backup"="C:\\WINDOWS\\pss\\Run POPFile.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\POPFile\\RUNPOP~1.EXE /startup"
"item"="Run POPFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e5"
"hkey"="HKLM"
"command"="c:\\\\dfndrff_e5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eenyseaA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eenyseaA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\eenyseaA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e5"
"hkey"="HKLM"
"command"="c:\\\\kybrdff_e5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="topaff"
"hkey"="HKLM"
"command"="c:\\topaff.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_e5"
"hkey"="HKLM"
"command"="c:\\\\nwnmff_e5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMCTRAY"
"hkey"="HKCU"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSCloner"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="c:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MirarSetup_876057"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\MirarSetup_876057.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Windows Overlay Components"=dword:00000002
"cmdService"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1091233308.job

Completion time: Sun 09/17/2006 3:28:34.67
ComboFix.txt

Rawe
2006-09-17, 12:41
Please print these instructions out, or write them down, as you can't read them during the fix.

Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip).

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select Delete on Reboot, then click the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\eenyseaA.exe
C:\WINDOWS\eenysea.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\nsc2FF.dll
C:\WINDOWS\system32\nsc299.dll
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\876056.exe


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

-------

Once that is done.....

Please download MWav (http://www.spywareinfo.dk/download/mwav.exe):

Unzip it to its predetermined directory (C:\Kaspersky)
Locate kavupd.exe in the new folder and double-click to Update.
If your firewall gives any messages about this program accessing the internet, allow it.
If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
When you see Updates Downloaded Successfully, hit Enter to continue.
Restart onto Safe Mode (http://www.pchell.com/support/safemode.shtml) and locate the Kaspersky folder.
Locate mwavscan.com and double-click on it to launch the MWAV Scanner. Now let's do the settings:
Leave the Default Settings checked.
Add a check to Drives
This will light up All Drives
Add a check to Scan all Files
Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
Please be sure it has finished before proceeding.
Once the scan has finished, all entries identified as Infected will be displayed in the lower panel.
Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g. MWav Results). Reboot into normal Windows and post the results here along with a fresh HijackThis log.

cflannagan
2006-09-17, 13:06
Thanks again -

Followup report:

Killbox process has been completed. No "PendingFileRenameOperations prompt" came up.

Upon reboot, two popups came up.

Now running mwavscan.com as per your instructions - will follow up with a new HJT when it's done. (28 viruses found so far, 19 deleted)

(posting from my other computer :) )

cflannagan
2006-09-17, 23:58
Went to sleep at 4am, woke 3 hours later.. looked at the scan, thought it was done and realized I stopped it while it was still in progress.. so I ran mwavscan a 2nd time (both done in safe mode as per your instructions).

Attached are the 1st and 2nd session logs.

File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos1.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos5.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos7.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00840000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0004.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00002.VBN infected by "Trojan-Clicker.Win32.VB.is" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40002.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40003.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40004.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40005.VBN infected by "Trojan-Dropper.Win32.Mudrop.bq" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40006.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40008.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07CC0001.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00000.VBN infected by "Trojan-Downloader.Win32.VB.afa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40001.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07F00000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Local Settings\Temporary Internet Files\Content.IE5\1MLBUOEN\popup[1].htm infected by "Trojan-Clicker.HTML.Agent.a" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.

2nd session:

File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.
File C:\Program Files\NetMeeting\podoci.html infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037194.exe infected by "Trojan-Downloader.Win32.Small.ajc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037197.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037211.exe infected by "Trojan-Downloader.Win32.Qoologic.at" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037217.exe infected by "Trojan-Downloader.Win32.Agent.aqx" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037220.exe infected by "Trojan-PSW.Win32.LdPinch.arr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037300.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037302.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037303.dll infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037317.exe tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037327.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037328.dll infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037329.ocx tagged as not-a-virus:AdWare.Win32.MediaMotor.m. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037330.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037331.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037332.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037333.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037334.exe tagged as not-a-virus:Monitor.Win32.NetMon.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037335.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037336.exe infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037337.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037339.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037340.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037341.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037342.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037343.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037344.dll tagged as not-a-virus:AdWare.Win32.Ucmore.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037345.exe tagged as not-a-virus:AdWare.Win32.MediaMotor.o. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037346.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037347.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037348.dll tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037349.exe tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037353.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037358.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037363.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037364.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037365.dll infected by "Trojan-Downloader.Win32.Agent.agw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037366.exe tagged as not-a-virus:AdWare.Win32.Agent.ag. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037367.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037368.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037369.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037404.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037405.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037406.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037457.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\WINDOWS\pss\odduo.exeCommon Startup infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Deleted.

cflannagan
2006-09-18, 00:00
And my latest HJT after the mwscans. I'm still getting popups.. one that asks me to install DriverCleaner (from DriverCleaner, Inc.. a .cab file with "Install/Don't Install" option) and later 3 more popups.. just regular ads.

Logfile of HijackThis v1.99.1
Scan saved at 2:48:24 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/VideoSignSetup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

cflannagan
2006-09-18, 01:14
Let me know if I'm missing anything else in terms of logs

cflannagan
2006-09-18, 08:50
Just a follow up while I'm awaiting reply..

I know that helpers here would probably frown if I take things into my own hands, but I figured this action was easy and relatively straightforward (low risk potential)

When I noticed this line:

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

I went to IE and removed the ActiveX object from the list.

Popups have stopped.. I haven't seen any in the last few hours..

Newest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:52 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/VideoSignSetup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
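
The poster spotted the culprit by eye: an O16 (downloaded ActiveX control) line with no friendly class name pointing at a download host nobody recognised, and it vanished from the next log once removed. The following triage helper, added here as an example and not code from this thread or from HijackThis, automates that reading of the logs: it parses the `Oxx - ...` entries, reports O16 entries whose .cab host is not on an analyst-supplied allowlist (noting when the friendly name is also missing), lists O23 services whose binary HijackThis marked `(file missing)`, and diffs two successive logs so the helper can see exactly which entries disappeared. The allowlist, the regular expressions and the trimmed log excerpts are constructed for this example; the excerpts are cut down from the logs above, and the "after" log is simply the "before" log with the elitemediagroup line taken out.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the section entries of an HJT log, flags O16 ActiveX downloads from
hosts that are not allowlisted, lists O23 services with a missing binary,
and reports which entries disappeared between two successive logs.
"""
import re
from urllib.parse import urlparse

# Every HJT finding looks like "<section> - <description>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
# O16 descriptions: "DPF: {CLSID} (Friendly Name) - http://host/file.cab";
# the "(Friendly Name)" part is optional, which is exactly the case worth noticing.
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")

# Constructed allowlist of .cab download hosts the analyst has already vetted.
ALLOWED_CAB_HOSTS = ["msn.com", "snapfish.com", "hovrs.com"]

# Constructed excerpt of the earlier log posted above (header and process list kept
# to show they are skipped; a few representative entries only).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:48:24 PM, on 9/17/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/VideoSignSetup/setup.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
"""

# Constructed "after" log: the same excerpt with the entry the poster removed taken out.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "elitemediagroup" not in l)


def parse_entries(log_text):
    """Return (section, description) pairs, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_o16(entries, allowed_hosts):
    """O16 entries whose download host is not allowlisted (suffix match on domain).

    Returns (clsid, reason) pairs; the reason notes a missing friendly name too.
    """
    findings = []
    for section, desc in entries:
        if section != "O16":
            continue
        m = O16_RE.match(desc)
        if not m:
            findings.append((desc, "unparsable O16 line"))
            continue
        clsid, name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in allowed_hosts):
            continue
        reason = "download host not on allowlist: " + host
        if not name:
            reason += "; no friendly name"
        findings.append((clsid, reason))
    return findings


def flag_missing_services(entries):
    """O23 service entries whose binary HijackThis could not find on disk."""
    return [desc for sec, desc in entries
            if sec == "O23" and desc.endswith("(file missing)")]


def removed_between(old_entries, new_entries):
    """Entries present in the earlier log but absent from the later one."""
    new_set = set(new_entries)
    return [e for e in old_entries if e not in new_set]


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    for clsid, reason in flag_o16(before, ALLOWED_CAB_HOSTS):
        print("review O16", clsid, "-", reason)
    for desc in flag_missing_services(before):
        print("verify O23", desc)
    for sec, desc in removed_between(before, after):
        print("removed since last log:", sec, "-", desc)
```

The allowlist is a suffix match on the registered domain, so `zone.msn.com` and `fdl.msn.com` both pass under `msn.com`; an unnamed control from an allowlisted host (the popcaploader line) is therefore not reported, while the elitemediagroup entry is, with the missing name called out. The `(file missing)` report is deliberately neutral: on this machine those are SQL Server services whose paths HijackThis could not resolve, which is something to verify rather than evidence of infection.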

Rawe
2006-09-18, 10:55
It was indeed a bad entry :)

Delete the following folder:

C:\Documents and Settings\Craig Flannagan\Desktop\infectded

Empty recycle bin...

----

Updating Java and Clearing Cache
Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
Search in the list for all previously installed versions of Java. (J2RE Runtime Environment.... )
It should have this icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.

Now please install the Java Runtime Environment (JRE) 5.0 Update 8 manually..
Note: reboot the computer after updating.

http://java.sun.com/javase/downloads/index.jsp

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

---

How's the system running? :)

cflannagan
2006-09-18, 16:56
I guess I spoke too soon! As I was downloading the new JRE, a popup came up.. I just ignored it (didn't click anything).. installed JRE, then deleted the temporary Internet files. I closed the popup.. this time when I closed the popup, additional popups didn't come.

Logfile of HijackThis v1.99.1
Scan saved at 7:53:36 AM, on 9/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/VideoSignSetup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

Rawe
2006-09-18, 17:06
Go ahead and delete KillBox & MWaV. :)

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

----

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)

Note: This scanner is for Internet Explorer only!
Follow the instructions here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy & paste the entire report in your next reply.

cflannagan
2006-09-18, 17:31
Followup:

I also deleted two suspicious looking entries in Display Properties -> Desktop Tab -> Customize Desktop.. -> Web tab

The following lines were deleted:

C:\\Program Files\\NetMeeting\\podoci.html

C:\\Program Files\\Internet Explorer\\mebezane.html


podoci.html was previously identified as a bad entry in this thread; it's the first time I saw mebezane.. it didn't show up in any logs? Both of those lines were checked.

Should I remove the 3rd entry that says "My Current Home Page"?

I checked REGEDIT and can confirm they're gone from the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\

cflannagan
2006-09-18, 17:32
Sorry, was typing my post as you sent yours.. Will do your instructions now

Many thanks for continued scrutiny in removing the malware from my PC :)

Rawe
2006-09-18, 17:50
No need to uncheck My current homepage..

cflannagan
2006-09-18, 18:44
Fprot Online scan report

Scanning Report
Monday, September 18, 2006 08:43:22 - 09:43:14
Computer name: OVERCLOCKER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 33798
System: 4643
Not scanned: 3
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-18
F-Secure Libra: 2.4.1, 2006-09-16
F-Secure Orion: 1.2.37, 2006-09-18
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------


Rawe
2006-09-18, 18:55
It's clean.

Let's run a rootkit scan...

Download GMER (http://www.gmer.net/gmer.zip):
Unzip it and double-click GMER.exe
Click the rootkit-tab and click scan.
Once done, click Copy.
This will copy the results to clipboard.
Paste the results in your next reply. :)

cflannagan
2006-09-18, 19:10
GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-18 10:09:42
Windows 5.1.2600 Service Pack 2


---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----

cflannagan
2006-09-18, 19:53
Here's the same log, with "Show All" checked:

GMER 1.0.11.11349 - http://www.gmer.net
Rootkit 2006-09-18 10:53:19
Windows 5.1.2600 Service Pack 2


---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db:encryptable
ADS C:\Documents and Settings\All Users\Documents\SmitfraudFix.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\ATF-Cleaner.exe:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\combofix.exe:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\gmer.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\Hammer.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\HAMMER_WEBSITE.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\hijackthis.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\jre-1_5_0_08-windows-i586-p.exe:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\MGADiag.exe:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\Old HDD\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\Desktop\ResHack.zip:Zone.Identifier
ADS C:\Documents and Settings\Craig Flannagan\Desktop\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004-06 (Jun)\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004-09 (Sep)\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.05.31 pixs\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.07.01 pixs\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\2004.07.19 pixs\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Anita's Graduate Pixs\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\Deafworkspcsm.com\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\images\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\BMS workspace\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\digital camera\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Microsoft Clip Organizer\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\My Slideshow\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Pictures\Zephan's 2nd bday party photos\Thumbs.db:encryptable
ADS C:\Documents and Settings\Craig Flannagan\My Documents\My Webs\Flannagan\images\Thumbs.db:encryptable
ADS C:\Look2Me-Destroyer.exe:Zone.Identifier
ADS C:\Projects\GLOBALPARTNERS_WEBSITE\_img\hc\Thumbs.db:encryptable
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP241\A0023909.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP253\A0031999.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037200.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037416.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037417.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037422.exe:Zone.Identifier
ADS C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP273\A0037952.exe:Zone.Identifier

---- EOF - GMER 1.0.11 ----

Rawe
2006-09-19, 18:10
Looking good :)

How's the system running now? Popups? Problems?

If you get warnings from your Anti-virus app, then please let me know and also let me know the filepaths if it gives you any.

cflannagan
2006-09-19, 19:39
Well, after running HJT and a few other "scanners" I've used in this thread, the computer runs very slowly, i.e. it takes 2 seconds to write to the drive when I change a value in a table in MS SQL 2005.

But rebooting fixed this problem - the computer's at normal speed now. No popup whatsoever other than the strange "Make sure your language is set in IE" popups (about 5 of them) or something to that effect, but I think that is because I left an IE window open at gmail.com while disabling wireless networking overnight and the Gmail page was trying to "call home" or something like that. The dialog popups do not look suspicious to me.

I will go home lunchtime to see if there are any further popups.. I disabled wireless networking again but this time no IE windows are open.. so I'll see if I'm still getting those strange dialog windows that I saw before, but I'm confident that everything's running ok now.

cflannagan
2006-09-20, 02:59
Good news, I can confirm that there are no further popups.. so those earlier popups I saw today are probably from IE with Gmail page open but offline from the networking.

Many thanks for your help in getting me out of this mess.. one of many ;)

Rawe
2006-09-20, 13:14
You're welcome :)

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware;

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use one at a time)
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). (Note: only use one at a time)
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice;
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html)

cflannagan
2006-09-20, 17:37
Sure - I'll be happy to give my story about my experience w/malware -

Do you know what I've been attacked with?

My Norton AV shows the following:
Trojan.Cmapp
Trojan.Popper
Downloader
Trojan Dropper
Trojan.Adclicker
Trojan.Elitebar
Bloodhound Morphine

Anything else I can add to this list before I give my story? :)

Rawe
2006-09-20, 18:35
Sure - I'll be happy to give my story about my experience w/malware -

Do you know what I've been attacked with?

My Norton AV shows the following:
Trojan.Cmapp
Trojan.Popper
Downloader
Trojan Dropper
Trojan.Adclicker
Trojan.Elitebar
Bloodhound Morphine

Anything else I can add to this list before I give my story? :)
You also had Adware Look2Me, PurityScan as well as SurfSideKick. It's a safe bet to go with them; the others are a bit more random and not so clearly recognized :)

cflannagan
2006-09-21, 06:29
One more thing I need to ask you (no, no new attack here thank god! :) )

How do I remove a number of those bad entries from the "Startup" tab in MSCONFIG - files that no longer exist? (see attached image)

http://i26.photobucket.com/albums/c110/cflannagan/entries.jpg

Thanks again

Rawe
2006-09-21, 10:55
I need to see the entire thing to make you a regfix.. :)

Post more screenshots, the others from the Location part (it got cut off) + all the startup items.

cflannagan
2006-09-21, 15:03
here you go

http://i26.photobucket.com/albums/c110/cflannagan/entries-1.jpg

http://i26.photobucket.com/albums/c110/cflannagan/entries2.jpg

http://i26.photobucket.com/albums/c110/cflannagan/entries3.jpg

The 2nd part of the list (the unchecked entries).. the location is not cut off - I sized it as small as possible so you can still see the first 2 columns.

Rawe
2006-09-22, 13:18
Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eenyseaA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^odduo.exe]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Reboot.

Msconfig still listing stuff? :)
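The .reg fix above works because MSCONFIG keeps its own bookkeeping for items you untick on the Startup tab: a subkey per disabled Run-key item under HKLM\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg and a subkey per disabled Startup-folder item under ...\MSCONFIG\Startupfolder, and these stay behind after the malware files themselves are gone. The following PowerShell script is an added example, not something posted in this thread, that does the triage the helper did from screenshots: it lists those leftover entries, checks whether the file each one points at still exists, and prints a REGEDIT4 fragment in the same shape as the fix above for the orphaned ones. It deletes nothing. It assumes the Windows XP/Vista/7 layout of that key (the value names `command`, `hkey`, `key` under Startupreg and `backup`, `command` under Startupfolder are from that layout and are an assumption here; Windows 8 and later no longer store disabled items under MSCONFIG).

```powershell
# Added example (not from the thread): audit MSCONFIG's "disabled startup" bookkeeping
# for entries whose target file no longer exists, and print the REGEDIT4 lines that
# would remove them. Nothing is deleted; review the output before merging anything.
# Assumed layout: Windows XP/Vista/7 (HKLM\SOFTWARE\Microsoft\Shared Tools\MSCONFIG).

$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSCONFIG'

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINDOWS\odduo.exe -x
function Get-ExePath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: take everything up to the first executable extension
    $m = [regex]::Match($c, '^(.*?\.(exe|com|bat|cmd|scr|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-TargetExists {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return [bool](Test-Path -LiteralPath $expanded)
}

$orphans = @()

# Registry-based entries: one subkey per disabled Run/RunOnce item.
# Value names (command/hkey/key) are assumed from the XP-era layout.
$regPath = Join-Path $base 'startupreg'
if (Test-Path $regPath) {
    $regItems = Get-ChildItem $regPath | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Kind    = 'Startupreg'
            Name    = $_.PSChildName
            Command = $p.command
            Hive    = $p.hkey
            Key     = $p.key
            Exists  = Test-TargetExists (Get-ExePath $p.command)
        }
    }
    $regItems | Format-Table -AutoSize
    $orphans += $regItems | Where-Object { -not $_.Exists }
}

# Startup-folder entries: the subkey name is the original shortcut path with '\'
# replaced by '^'. When MSCONFIG disables such an item it moves the file aside
# (assumed: the 'backup' value records where), so check that copy, then the command.
$folderPath = Join-Path $base 'startupfolder'
if (Test-Path $folderPath) {
    $folderItems = Get-ChildItem $folderPath | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $target = if ($p.backup) { $p.backup } else { $p.command }
        [pscustomobject]@{
            Kind    = 'Startupfolder'
            Name    = $_.PSChildName
            Command = ($_.PSChildName -replace '\^', '\')
            Hive    = ''
            Key     = ''
            Exists  = Test-TargetExists $target
        }
    }
    $folderItems | Format-Table -AutoSize
    $orphans += $folderItems | Where-Object { -not $_.Exists }
}

# Emit a REGEDIT4 fragment in the same shape as the fix posted in the thread
if ($orphans.Count -gt 0) {
    "REGEDIT4`r`n"
    foreach ($o in $orphans) {
        "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\$($o.Kind)\$($o.Name)]`r`n"
    }
} else {
    'No orphaned MSCONFIG entries found.'
}
```

Run it from an elevated PowerShell prompt. Only the entries whose `Exists` column is False make it into the REGEDIT4 output; an entry whose file still exists is a program that was merely disabled, not a leftover, so it is deliberately left alone. Because REGEDIT4 files are ANSI text, save the printed fragment with `Set-Content -Encoding Ascii Fixit.reg` rather than plain redirection, and read through it before merging.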

cflannagan
2006-09-25, 17:24
Not anymore, that did the trick.

Computer's still running perfectly.

Once again, thanks ;)

Rawe
2006-09-26, 10:52
As the problem appears to be resolved this Topic has been archived.

If you need it re-opened please send me or another moderator a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad I could help :)