Bagle and other viruses have trashed my system!

PJJames

Hi,

I'm posting here as a last resort really. I've tried everything I could find and it seems nothing can remove this virus. I believe it is a bagle worm but there might be others!

1) Virus disabled McAfee Security Suite and trashed the anti-virus scanner. I removed and tried to reinstall but the installation fails.

2) I've tried to install AVG Anti-virus but the installation fails

3) I've run Windows Defender, AVG Spyware removal, Avast Cleaner, BagleGUI and FxBagle (Symantec) with no positives. Installation of Spybot S&D completes but the exe reports missing.

4) Virus keeps trying to load iexplore.exe and connect to a website. It also spawns files in the temp folder (eg. ~05.exe)

5) The system will no longer boot in safe mode - all I get is the blue screen

6) Will no longer connect to internet, simply because I cannot get access to the list of available wireless networks in order to select the correct one. For some reason the View Wireless Network has become unavailable (locked by another program?).

I completed a Kaspersky scan before the connection went down and it reported several viruses in the restore files, plus Win32.Bagle.hw and Win32.Bagle.hx in the files:

C:\WINDOWS\exefld\1051375.exe
C:\WINDOWS\exefld\1116953.exe
C:\WINDOWS\exefld\1119312.exe etc. etc. - 12 in total

I have HijackThis on the machine but at the moment have no way of posting the log (My laptop has a floppy drive and my desktop has a cd!).

Is there anyone able to help me sort this mess out!

Many thanks, Paul
 
I have HijackThis on the machine but at the moment have no way of posting the log (My laptop has a floppy drive and my desktop has a cd!).

I'm sorry but I do not understand...Is the problem on another machine or your laptop? You could always use a diskette or a flash drive to move the HijackThis log to another pc if you need to..
 
Sorry.

The problem is my desktop pc. I'm using my laptop to post to the forum as the desktop has lost connectivity. I will try and use some other method to get a Hijackthis log on here.
 
Here is the Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 14:25:13, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
 
Hi,

*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (its icon looks like a detonator with some dynamite). Then drag and drop that file into the new folder you created.


*Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". As of 2006 this may change; read Viewpoint to Plunge Into Adware.

If you decide to remove Viewpoint:

Please download Viewpoint Killer

  • Save it to your Desktop
  • Create a new folder in your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
  • Unzip the contents of the zip file to the newly created folder.
  • Open the Viewpoint Killer folder then run ViewpointKiller, and select File > Do All Killings.
  • Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
  • A logfile will be created in the folder you unzipped ViewpointKiller to, please copy and paste the contents of the logfile here.

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________________________

*Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer..
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
*Using Windows Explorer, find and delete these folders

C:\WINDOWS\exefld

Empty your Recycle bin.
________________________

*Download ATF Cleaner by Atribune

Important: Make sure all your browsers are closed before running ATF Cleaner.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

*First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Antispyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system.

*Download ComboScan to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

On your next reply, please include a fresh HijackThis log, AVG Antispyware log and the comboscan log.
 
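The instructions above pick entries out of the HijackThis log by hand. As an added illustration (not part of the thread, and not code from HijackThis or any of the tools named above), the script below applies a few triage heuristics to HijackThis lines mechanically. The sample lines are copied from the log posted earlier in this thread; the heuristics themselves (an autostart whose target lives in a user Temp directory, a target named like a core Windows binary but located outside system32, a bare filename that is resolved through the PATH search order, and entries HijackThis already marks "(file missing)" or "(no file)") are this example's own assumptions about what a reviewer looks for, not a feature of HijackThis.

```python
"""Triage a HijackThis 1.99 log for autostart entries that deserve a closer look.

Added example; the heuristics below are assumptions of this script,
not anything HijackThis itself reports.
"""
import re
from typing import Dict, List

# Core Windows binaries whose names malware commonly borrows (assumption).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "explorer.exe"}

# Path fragments that indicate a user-writable Temp location (assumption).
USER_WRITABLE_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\temp\\")

# O4 lines look like: O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample: lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first .exe/.dll/.cmd/.bat token,
    # which copes with unquoted paths that contain spaces.
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line is worth a second look (empty = none)."""
    reasons: List[str] = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: target file missing")
    m = O4_RE.match(line)
    if not m:
        return reasons
    path = extract_path(m.group("cmd"))
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("autostart target in a user-writable Temp directory")
    if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in low:
        reasons.append(f"{base} outside system32 (name impersonates a core binary)")
    if "\\" not in path:
        reasons.append("bare filename: resolved via PATH search order at logon")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in why:
            print("    ->", r)
```

Run against the sample, the script singles out the svchost.exe copy launched from the Temp directory, the bare RemoveCpl.exe entry, and the two orphaned Alexa/"no file" entries, while leaving the Intel and QuickTime autostarts alone. A hit is a reason to look, not a verdict: confirm the file's location and signer before removing anything.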
Thank you so much for your help.

Here is the Viewpoint Killer log

############################################

Viewpoint Killer:

----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Fri Feb 16 09:29:44 2007

ViewpointKiller determined that "aim.exe" was not running.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller was not able to close "ViewpointService.exe"!
Trying again, ViewpointKiller was not able to close "ViewpointService.exe"!


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".

ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Media Player" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Media Player" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Experience Technology" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Experience Technology".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\All Users\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\MetaStream" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\MetaStream".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Common" does exist.
ViewpointKiller was unable to delete a file in the folder "C:\Program Files\Viewpoint\Common". The error was ACCESS_DENIED.

Finished reporting.
----------------------------------

----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MANAGER...
The removal process was started at Fri Feb 16 09:30:36 2007

ViewpointKiller was not able to close "ViewMgr.exe"!
Call to ShellExecute("msconfig.exe") returned 42.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".

ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Manager" does exist.
ViewpointKiller was unable to delete a file in the folder "C:\Program Files\Viewpoint\Viewpoint Manager". The error was ACCESS_DENIED.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".

Finished reporting.
----------------------------------

----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT TOOLBAR...
The removal process was started at Fri Feb 16 09:33:13 2007

ViewpointKiller determined that "FotomatDeviceConnect.exe" was not running.
ViewpointKiller determined that "iexplore.exe" was not running.
Call to ShellExecute("msconfig.exe") returned 42.


Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES varible was set to "C:\Program Files".

Attempting to rename "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll" to "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\KillMe.dll". The error returned was 1026.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar V35" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Toolbar V35".
ViewpointKiller determined that the path "C:\Documents and Settings\Paul\Local Settings\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\Paul\Local Settings\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Toolbar" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Common Files\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Common Files\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".

Finished reporting.
----------------------------------
 
Here is the AVG Log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:37:13 16/02/2007

+ Scan result:



HKU\S-1-5-21-590106497-879705582-844896293-1006_Classes\Interface\{8148A489-F54E-4D74-B6F3-81901D0AA54A}\TypeLib\\Version -> Adware.ActivityMonitor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Alexa Internet\Hosts -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-590106497-879705582-844896293-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-590106497-879705582-844896293-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP811\A0104085.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP812\A0104963.dll -> Dialer.BT.c : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.63:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.66:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.67:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.68:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.69:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.70:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.71:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.26:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.27:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.79:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.80:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.81:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.82:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.83:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.88:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.92:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\george@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.90:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.91:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.


::Report end
 
Here is the ComboScan supplementary log:

############################################

ComboScan v20070212.14 run by Paul on 2007-02-16 at 10:39:30
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.50GHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 254 MiB / 41.22 MiB
Pagefile Memory (total/avail): 624.93 MiB / 407.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1994.71 MiB

C: is Fixed (NTFS) - 37.2 GiB total, 15.81 GiB free.
D: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.



-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Paul\Application Data
CLIENTNAME=Console
COLLECTIONID=wuclient
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FISHER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Paul
ITEMID=wuclienten
LANG=2057
LOGONSERVER=\\FISHER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPP
Path=C:\Program Files\Mozilla Firefox\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONID=1092867070440wuws04-l189c036:fe878bcabd:-38a5
SESSIONNAME=Console
SWUTVER=1.0.22.20030804
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\Paul\LOCALS~1\Temp\rad25345.tmp
USERDOMAIN=FISHER
USERNAME=Paul
USERPROFILE=C:\Documents and Settings\Paul
VERSION=2.0.35
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Paul (admin)
George (admin)
Paul_2 (admin)
Administrator (admin)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Belkin Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80CD64AA-7406-4508-BFDF-2DFE7F1F8EF0}\setup.exe" -l0x9
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Crimson Editor (remove only) --> C:\Program Files\Crimson Editor\uninstall.exe
CuteFTP 6 Professional --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
CutePDF Writer 2.2 --> C:\WINDOWS\System32\uninscpw.exe C:\Program Files\
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Documents To Go --> MsiExec.exe /X{4E7E8E6A-15F1-4E26-9352-26AD235131E9}
eMedia Codec 4.0 --> C:\Program Files\eMedia Codec\uninst.exe
eMule --> "C:\Program Files\emule\Uninstall.exe"
FUJIFILM DS SERIAL TWAIN --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Paul\Desktop\HijackThis.exe /uninstall
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\CDUninst.isu
Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.1_04 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACD27BF3-7CDC-11D7-9D4D-00010240CE95}\Setup.exe" Anytext
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
MaxBulk Mailer 4.3 --> "C:\Program Files\MaxBulk Mailer\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Project Professional 2002 --> MsiExec.exe /I{913B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (1.5.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.9 (en-GB)"
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySQL-Front 3.2 --> "C:\Program Files\MySQL-Front\unins000.exe"
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm Desktop --> MsiExec.exe /X{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}
Palm VersaMail(tm) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B0ADD54-01D9-45E7-964A-B4A334F12034} /l1033
PocketMirror 3.1.7 (Professional XT Edition) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Chapura\PocketMirror XT\DeIsL1.isu" -cC:\PROGRA~1\Chapura\POCKET~1\UninXTEx.dll
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sage Accounts V10.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CD442089-F88D-4F46-8E3C-E4B2964B2415}
Sage Instant Accounting 6.0 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\insacc\UNINST.ISU"
Sage MIS 3.01 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Informer50\Uninst.isu"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Sky Broadband --> C:\Program Files\Sky Broadband\Bin\uninstall.exe
Web CEO 6.0 --> "C:\Program Files\Web CEO\Uninstall\unins000.exe"
Web Savings from Ebates --> javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" ls: deletefeature ld: feature=ebateswebsavings0.xml
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- End of ComboScan: finished at 2007-02-16 at 10:41:01 -------------------------
 
And finally, the fresh HijackThis log

############################################


Logfile of HijackThis v1.99.1
Scan saved at 10:44:10, on 16/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
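The O4 (Run key) entries in the log above are the kind of lines a helper reads by eye: a well-known Windows binary name starting from a user's Temp folder, or a bare filename with no path, stands out immediately. The following is an added example, not part of the original thread and not code from HijackThis or ComboScan, that applies those same triage heuristics to a handful of O4 lines. The sample lines are constructed here, modelled on the log; the list of system binary names, the Temp-directory marker and the flagging rules are this example's own assumptions, not a published signature set.

```python
"""Triage heuristics for HijackThis-style O4 (Run key) entries.

Added example: flags autostart entries that (a) run from a Temp directory,
(b) reuse a core Windows binary name outside %SystemRoot%, or (c) give a
bare filename, so the executable is resolved by PATH search at logon.
The rules and the name list below are assumptions for illustration.
"""
import re
from typing import List, NamedTuple, Sequence, Tuple

# Core Windows binaries that legitimately live only under %SystemRoot% (assumed list).
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}

# Path prefixes accepted as the Windows directory for the rule above.
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")

# Any autostart whose executable sits under a directory named Temp is suspect.
TEMP_MARKER = "\\temp\\"

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Constructed sample lines, modelled on the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()


class Finding(NamedTuple):
    name: str
    cmd: str
    reasons: Tuple[str, ...]


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first ".exe" token followed by whitespace or end of line.
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_o4(lines: Sequence[str]) -> List[Finding]:
    """Apply the three heuristics to every O4 line; non-O4 lines are ignored."""
    findings: List[Finding] = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        exe = exe_path(cmd).lower()
        reasons = []
        if TEMP_MARKER in exe:
            reasons.append("autostart runs from a Temp directory")
        base = exe.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARIES and not exe.startswith(SYSTEM_DIR_PREFIXES):
            reasons.append(f"system binary name '{base}' outside %SystemRoot%")
        if "\\" not in exe:
            reasons.append("bare filename resolved via PATH search; target cannot be verified from the log")
        if reasons:
            findings.append(Finding(name, cmd, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"[{f.name}] {f.cmd}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample, the only two entries reported are `removecpl` (bare filename) and `WindowsServicesStartup` (Temp directory plus the `svchost.exe` name outside the Windows directory); the Intel, QuickTime and ctfmon entries pass. The rules are deliberately narrow: they do not claim an entry is malicious, only that a reviewer should look at the file behind it.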
 
Hi, the ComboScan log you posted was incomplete... You only posted Supplementary.txt... Try to search your machine for ComboScan.txt, then copy and paste all the contents of that text file into your next post.
 
Sorry, here it is. I will have to split it into two separate posts as it exceeds the maximum limit:

ComboScan v20070212.14 run by Paul on 2007-02-16 at 14:21:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as Paul.com) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 14:22:16, on 16/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\emule\emule.exe
C:\Documents and Settings\Paul\Desktop\comboscan.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\~eqqzfxm.tmp\Paul.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://uk.mcafee.com
O15 - Trusted Zone: http://www.thepaulfisherblog.com
O15 - Trusted Zone: http://www.webcamnow.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


-- HijackThis Fixed Entries (C:\Documents and Settings\Paul\Desktop\backups\) ---

backup-20070212-195815-495 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070212-195815-569 O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\vnmispoisn_downloader.exe
backup-20070212-195815-789 O4 - HKLM\..\Run: [searchbar] C:\WINDOWS\System32\vnmispoisn_downloader.exe
backup-20070212-195815-934 O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
backup-20070213-104724-284 O4 - HKLM\..\Run: [AutoConnect] "C:\Documents and Settings\Paul\Local Settings\Temp\{33DF18DE-8DC7-4FEE-8FD8-E97000244912}\{80CD64AA-7406-4508-BFDF-2DFE7F1F8EF0}\AutoConnect.exe" BCMALL
backup-20070216-093831-120 O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
backup-20070216-093831-225 O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
backup-20070216-093831-399 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070216-093831-709 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070216-093831-844 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
 
and the second part...

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - system32\DRIVERS\AegisP.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 b57w2k (Broadcom NetXtreme Gigabit Ethernet) - System32\DRIVERS\b57xp32.sys
3 bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - System32\DRIVERS\bcm4sbxp.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
3 CCDECODE (Closed Caption Decoder) - System32\DRIVERS\CCDECODE.sys
3 CD-Lock - \??\D:\cdm.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - System32\Drivers\SQcaptur.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - System32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - System32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - System32\DRIVERS\HPZius12.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
3 ialm - System32\DRIVERS\ialmnt5.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
3 IntelC51 - System32\DRIVERS\IntelC51.sys
3 IntelC52 - System32\DRIVERS\IntelC52.sys
3 IntelC53 - System32\DRIVERS\IntelC53.sys
1 intelppm (Intel Processor Driver) - System32\DRIVERS\intelppm.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
3 mohfilt - System32\DRIVERS\mohfilt.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys
4 m_hook (Empty) - \??\C:\Documents and Settings\Paul\Application Data\hidires\m_hook.sys
3 NABTSFEC (NABTS/FEC VBI Codec) - System32\DRIVERS\NABTSFEC.sys
3 NdisIP (Microsoft TV/Video Connection) - System32\DRIVERS\NdisIP.sys
3 nv - System32\DRIVERS\nv4_mini.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
1 P3 (Intel PentiumIII Processor Driver) - System32\DRIVERS\p3.sys
3 PalmUSBD - system32\drivers\PalmUSBD.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 RT2500 (Belkin RT2500 Wireless Driver) - system32\DRIVERS\RT2500.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 SLIP (BDA Slip De-Framer) - System32\DRIVERS\SLIP.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
3 streamip (BDA IPSink) - System32\DRIVERS\StreamIP.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
4 vsdatant -
3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - system32\DRIVERS\w810bus.sys
3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - system32\DRIVERS\w810obex.sys
3 WpdUsb - System32\Drivers\wpdusb.sys
4 WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - \SystemRoot\System32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - System32\DRIVERS\WSTCODEC.SYS
0 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys
3 {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - system32\drivers\ialmsbw.sys
3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - system32\drivers\ialmkchw.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2 Fax - %systemroot%\system32\fxssvc.exe
2 IISADMIN (IIS Admin) - C:\WINDOWS\System32\inetsrv\inetinfo.exe
2 LexBceS (LexBce Server) - C:\WINDOWS\system32\LEXBCES.EXE
3 Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
2 MDM (Machine Debug Manager) - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
3 Pml Driver HPZ12 - C:\WINDOWS\System32\HPZipm12.exe
2 SMTPSVC (Simple Mail Transfer Protocol (SMTP)) - C:\WINDOWS\System32\inetsrv\inetinfo.exe
2 W3SVC (World Wide Web Publishing) - %SystemRoot%\System32\inetsrv\inetinfo.exe
2 WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"
2 wltrysvc (Broadcom Wireless LAN Tray Service) - %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
2 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup


-- Scheduled Tasks --------------------------------------------------------------

2007-02-16 10:59:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>


-- Files created between 2007-01-16 and 2007-02-16 ------------------------------

2007-02-16 10:57:10 0 d-------- C:\WINDOWS\exefld
2007-02-16 09:30:46 0 d-------- C:\WINDOWS\pss
2007-02-14 14:20:19 6176 -ra------ C:\WINDOWS\system32\drivers\w810cmnt.sys<Signed: MCCI>
2007-02-14 14:20:19 6176 -ra------ C:\WINDOWS\system32\drivers\w810cm.sys<Signed: MCCI>
2007-02-14 14:20:18 83344 -ra------ C:\WINDOWS\system32\drivers\w810obex.sys<Signed: MCCI>
2007-02-14 14:17:26 5808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys<Signed: MCCI>
2007-02-14 14:17:26 5808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys<Signed: MCCI>
2007-02-14 14:17:25 58288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys<Signed: MCCI>
2007-02-13 12:51:02 0 d-------- C:\Documents and Settings\Paul\Application Data\Uniblue
2007-02-12 20:18:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-02-12 19:48:58 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-02-12 19:28:00 385024 --a------ C:\WINDOWS\system32\IKAutoUp.exe<Unsigned: Ikarus Software Wien>
2007-02-12 19:28:00 57748 --a------ C:\WINDOWS\system32\GuardRights.exe<GUARDR~1.EXE><Unsigned: n/a>
2007-02-12 19:27:57 385024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-02-12 17:20:33 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-12 10:07:42 0 d--hs---- C:\WINDOWS\CSC
2007-02-09 12:21:27 0 d-------- C:\Documents and Settings\Paul\Application Data\Intuit
2007-02-09 12:18:57 1933312 --a------ C:\WINDOWS\system32\cdintf251.dll<CDINTF~1.DLL><Signed: Amyuni Technologies>
2007-02-09 12:05:58 0 d-------- C:\Program Files\Common Files\Intuit
2007-02-09 12:05:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-02-09 11:59:06 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES<COMMON~1>
2007-02-09 11:56:56 0 d-------- C:\Program Files\Common Files\SWF Studio<SWFSTU~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-16 14:21:13 0 d-------- C:\Program Files\emule
2007-02-16 13:36:36 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-16 09:43:12 0 d-------- C:\Program Files\Grisoft
2007-02-16 09:33:38 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-02-16 09:10:54 0 d-------- C:\Program Files\Google
2007-02-14 09:02:59 0 d-------- C:\Program Files\Alexa Toolbar<ALEXAT~1>
2007-02-13 14:51:48 0 d-------- C:\Program Files\Paint Shop Pro 7<PAINTS~1>
2007-02-12 15:42:11 0 d-------- C:\Program Files\McAfee.com
2007-02-12 11:42:06 0 d-------- C:\Documents and Settings\Paul\Application Data\McAfee.com Personal Firewall<MCAFEE~1.COM>
2007-01-12 09:20:59 0 d-------- C:\Program Files\e-Campaign<E-CAMP~1>
2007-01-11 13:04:26 0 d-------- C:\Documents and Settings\Paul\Application Data\AdobeUM
2007-01-10 23:47:27 0 d-------- C:\Program Files\MaxBulk Mailer<MAXBUL~1>
2007-01-10 22:50:10 37 --ah----- C:\Documents and Settings\Paul\Application Data\MaxBulk registration.ini<MAXBUL~1.INI>
2007-01-10 22:49:40 0 d-------- C:\Documents and Settings\Paul\Application Data\Maxprog
2007-01-10 14:58:36 0 d-------- C:\Program Files\Java
2007-01-10 14:58:34 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-10 14:57:34 0 d-------- C:\Program Files\Email-Business<EMAIL-~1>
2007-01-10 14:13:15 0 d-------- C:\Program Files\WorldCast<WORLDC~1>
2007-01-10 14:11:21 0 d-------- C:\Program Files\Atomic Mail Sender<ATOMIC~1>
2007-01-02 22:38:10 5224 --a------ C:\WINDOWS\mozver.dat
2007-01-02 20:28:08 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-02 09:20:58 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2006-12-17 21:15:45 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys<Unsigned: Meetinghouse Data Communications>
2006-12-17 21:14:57 0 d-------- C:\Program Files\Belkin
2006-12-17 14:35:49 0 d-------- C:\Program Files\McAfee
2006-12-17 14:29:01 0 d-------- C:\Program Files\Sky Broadband<SKYBRO~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"XPRepairBusiness"="C:\\Program Files\\XP Repair Pro\\xprepairpro.exe /s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Error Nuker"="C:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe autostart"
"removecpl"="RemoveCpl.exe"
"wltray.exe"="C:\\WINDOWS\\system32\\wltray.exe"
"WindowsServicesStartup"="C:\\DOCUME~1\\Paul\\LOCALS~1\\Temp\\svchost.exe 1"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_M_HOOK


-- End of ComboScan: finished at 2007-02-16 at 14:23:09 -------------------------
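As an added example (not part of the thread or of ComboScan), here is a small Python triage script that reads .reg-style Run-key entries like the ones in the dump above and flags the classic Bagle persistence pattern: an autorun whose executable lives in a Temp folder or borrows a system binary name (svchost.exe) outside System32. The excerpt it parses is a constructed sample modelled on this log; the SYSTEM_BINARIES and TEMP_DIRS lists are heuristic assumptions, and a bare filename with no path (as with "removecpl") is only reported as worth a look, not as malicious.

```python
import ntpath

# Heuristic lists (assumptions, not an authoritative set).
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
TEMP_DIRS = {"temp", "tmp", "locals~1"}

# Constructed excerpt modelled on the ComboScan registry dump in this thread.
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"removecpl"="RemoveCpl.exe"
"WindowsServicesStartup"="C:\\DOCUME~1\\Paul\\LOCALS~1\\Temp\\svchost.exe 1"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
'''


def reg_unescape(value):
    """Undo .reg escaping: a backslash quotes the following character."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def extract_exe(command):
    """Pull the executable path out of an autorun command line."""
    if command.startswith('"'):                     # quoted path, args after it
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")              # unquoted: cut after .exe
    return command[:idx + 4] if idx >= 0 else command.split(" ", 1)[0]


def suspicious_reasons(path):
    """Return the list of heuristic reasons an autorun path looks wrong."""
    reasons, (directory, base) = [], ntpath.split(path)
    if ":\\" not in path:
        reasons.append("no absolute path (resolved through PATH search order)")
    if {p.lower() for p in directory.split("\\")} & TEMP_DIRS:
        reasons.append("launches from a temporary/user-profile directory")
    if base.lower() in SYSTEM_BINARIES and not directory.lower().endswith("\\system32"):
        reasons.append("system binary name outside System32 (likely masquerading)")
    return reasons


def find_suspicious_autoruns(dump):
    """Yield (section, value name, exe path, reasons) for flagged Run entries."""
    findings, section = [], ""
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]"); continue
        if not line.startswith('"') or '"="' not in line:
            continue
        name, raw = line.split('"="', 1)
        exe = extract_exe(reg_unescape(raw[:-1] if raw.endswith('"') else raw))
        reasons = suspicious_reasons(exe)
        if reasons and section.lower().endswith("\\run"):
            findings.append((section, name[1:], exe, reasons))
    return findings
```

Run as a script it prints nothing on its own; call find_suspicious_autoruns(SAMPLE_DUMP) to see the Temp\svchost.exe entry reported with two reasons.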
 
Before we continue, I want you to run one more scan..

Download Gmer
  • Disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning....
  • Click "Rootkit" tab and click "Scan"
  • Once done, click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread please.
 
Hi, I apologize for the delay...The GMER log you uploaded has expired and I didn't have a copy here on my machine..Can you please upload the whole log again and we'll have something for you soon :)
 
Hi, I'm sorry but the log you uploaded was the ComboScan log..What I need is the GMER log which I asked you to run in post #13..
 
*Download avz4en.zip here
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the file tab and then click on System recovery
Put a checkmark next to Restore SafeBoot registry keys
Click on Execute selected operations

*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load > This will bring up a Menu > Use your keyboard to scroll to Safe Mode > Hit enter.
_____________________

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type gmer.bat in the File name and save it to your desktop.

Code:
gmer.exe -del service m_hook
gmer.exe -del file "C:\Documents and Settings\Paul\Application Data\hidires\m_hook.sys"
gmer.exe -del file "C:\WINDOWS\SYSTEM32\wintems.exe"
gmer.exe -del file "C:\WINDOWS\SYSTEM32\hldrrr.exe"
gmer.exe -del file "C:\Documents and Settings\Paul\Application Data\hidires\hidr.exe"
gmer.exe -del file "C:\Documents and Settings\Paul\Local Settings\temp\svchost.exe"

Locate gmer.bat on your Desktop and double-click on it.


*Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer..
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
*Using Windows Explorer, find and delete these folders

C:\WINDOWS\exefld
C:\Documents and Settings\Paul\Application Data\hidires

Empty your Recycle bin.

Reboot to normal mode.
_______________________

I would like you to scan a few files for me.

Please go HERE. Click browse then, navigate to this file:

C:\WINDOWS\system32\drivers\w810cmnt.sys

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.

After all those, I want you to try and see if the antivirus programs will install or work..If they work, please uninstall all other antivirus programs except for one.

We still have a lot to do after this..I just want to make sure that the rootkit is gone so that nothing will interfere with the other fixes..

Please post back with a new HijackThis log, GMER log, jotti scan results and a description on how your machine is running.
 