Another HijackThis log...and more


Bern Oulli
10th Mar 2005, 07:14
Knowledgeable guys & gals. I have been asked to look at a friend's computer which has "started running rather slowly". 'Puter is an Intel 2.8 Mhz chip running Windows XP & SP2. 38Gb hard drive of which 24Gb are used. No partitions.
When it started taking so long to boot up (approx 1 hour!) he took to leaving it on and connected to the net all the time and has been for about 3 weeks. During that time, something disabled his anti-virus. The firewall is Win XP. I have:
Installed Adaware, CrapCleaner, Spybot, SpywareBlaster and AVG anti-virus.
What happened:
AVG tries to do a computer scan and locks up after scanning 9 objects in the registry.
Spybot refused to scan.
Adaware took all the previous night apparently and identified 90,450 objects!!! Is this a record? Was still quarantining them when I left last night.
CrapCleaner removed 1.5Gb of crap.
Ran HijackThis and the log sheet is in the next post (otherwise this post is "too long"). If one of you geniuses could cast an eye over this and tell me what needs removing, I shall have a go at stage 2. Thanks in advance.

Logfile of HijackThis v1.99.0
Scan saved at 20:22:26, on 09/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\System32\\Ati2evxx.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\System32\\CTsvcCDA.EXE
C:\\WINDOWS\\System32\\NMSSvc.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Mixer.exe
C:\\Program Files\\Ahead\\InCD\\InCD.exe
C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
C:\\WINDOWS\\kdx\\KHost.exe
C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe
C:\\WINDOWS\\specialoffers4.exe
C:\\WINDOWS\\system32\\rundll32.exe
C:\\PROGRA~1\\soupqt\\vorouq.exe
C:\\WINDOWS\\system32\\wuauclt.exe
C:\\Program Files\\Bopfs\\Pzzfapg.exe
C:\\Program Files\\1xl709n9\\1xl709n9.exe
C:\\Program Files\\Messenger\\msmsgs.exe
C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe
C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\winnet.exe
C:\\PROGRA~1\\soupqt\\quorov.exe
C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\comwiz.exe
C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe
C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe
F:\\ForIan\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\\Program Files\\TV Media\\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\System32\\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\cnbabe.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\\WINDOWS\\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\nem220.dll (file missing)
O2 - BHO: MSViewObj Class - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\\WINDOWS\\MSView.DLL
O2 - BHO: F1 Organizer Class - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\\WINDOWS\\System32\\mpz300.dll
O2 - BHO: (no name) - {03AA0371-5280-4801-8D1A-E6505CA3107B} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: C:\\WINDOWS\\lbbho.dll - {03E630FC-D1AB-40A8-9364-3573DA0D2127} - C:\\WINDOWS\\lbbho.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\\Program Files\\MyWay\\myBar\\1.bin\\MYBAR.DLL
O2 - BHO: (no name) - {1677048F-F0EA-40D8-95B2-5D6A2463936E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\\WINDOWS\\system32\\hiauygd.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Setup\\Setup.dll (file missing)
O2 - BHO: (no name) - {32E9E1B1-6EF9-4EFD-9897-55D428C19850} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {3C63C272-F2CB-44B0-9B79-9CEC4BBB8126} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {415BB6C1-5278-480C-A69C-81B9DFCFBE09} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\\Program Files\\NewDotNet\\newdotnet6_38.dll
O2 - BHO: (no name) - {534B130C-6231-4B97-840A-4A95CED800AB} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {56E2394F-9891-4F2A-9012-279E53B2CCA6} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: NetPal Class - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\\WINDOWS\\System32\\NetPal.dll (file missing)
O2 - BHO: (no name) - {636FE0EF-8FC1-44AE-9B56-8CFBAFCFC335} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {676A9CA2-C24D-4A74-814F-02F31668D9BA} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {6B18FC3C-8E0B-4723-97C9-AC84B2B2AF5F} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {8C3AB9C0-1A8C-4B9A-AE26-ECCF2AA4E9FB} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {8EF56E90-0CA0-474D-B19B-1050C7D2283D} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\\WINDOWS\\wsem303.dll (file missing)
O2 - BHO: (no name) - {975245C9-E6CF-4D56-A240-4EE7F735FB1A} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {AB036FC0-DB98-4DF5-8249-9A992C1B165D} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {BC02E26E-7845-4913-AF07-2AC45F262D1E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {C489AEB7-09ED-4E2C-9AFA-B40E22ADBE24} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {CE4D5004-2FC3-4D4A-94B1-B4DE56B17F02} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D3107C32-2409-4427-A742-89FBC005D6C3} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {D53CA81D-0D5F-43BC-B6AB-5C1356DE987E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D8A9BC96-9B76-4C0B-BAFE-A7EFF1909509} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D9576E3D-0817-4F93-89E5-DCE4FFA3FCCB} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {DE450EDD-75FB-4824-B93F-7CA65C4B5369} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {E062922F-AC3D-4670-8B59-AD305324C55B} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\nem218.dll (file missing)
O2 - BHO: SDWin32 Class - {FD899702-326F-4B46-9906-6BC5D4FADC0F} - C:\\WINDOWS\\system32\\vyosj.dll
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\\Program Files\\Lycos\\sst.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\\Program Files\\MyWay\\myBar\\1.bin\\MYBAR.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\\Program Files\\MBKWBar\\IEToolBar.dll
O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\Updreg.exe
O4 - HKLM\\..\\Run: [CTStartup] C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run
O4 - HKLM\\..\\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\\..\\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\\..\\Run: [winnet] C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\Winnet.exe
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [InCD] C:\\Program Files\\Ahead\\InCD\\InCD.exe
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [SiSUSBRG] C:\\WINDOWS\\SiSUSBrg.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\Run: [TV Media] C:\\Program Files\\TV Media\\Tvm.exe
O4 - HKCU\\..\\Run: [TaskTray] C:\\Program Files\\Creative\\TaskBar\\CTLTray.exe
O4 - HKCU\\..\\Run: [TaskBar] C:\\Program Files\\Creative\\TaskBar\\CTLTask.exe
O4 - HKCU\\..\\Run: [ContextUninstall] C:\\WINDOWS\\STUninstall.exe
O4 - HKCU\\..\\Run: [AVG7_Run] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE
O4 - Startup: Microsoft Find Fast.lnk = C:\\Program Files\\Microsoft Office\\Office\\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Add A Page Note - C:\\Program Files\\CommonName\\AddressBar\\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\\Program Files\\CommonName\\AddressBar\\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\\Program Files\\CommonName\\AddressBar\\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\\Program Files\\CommonName\\AddressBar\\navigate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .qt: C:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll
O12 - Plugin for .spop: C:\\Program Files\\Internet Explorer\\Plugins\\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O23 - Service: Ati HotKey Poller - Unknown - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\\WINDOWS\\System32\\CTsvcCDA.EXE
O23 - Service: Intel(R) NMS - Intel Corporation - C:\\WINDOWS\\System32\\NMSSvc.exe

Binoculars
10th Mar 2005, 07:33
Wow! I'd love to have seen the HJT log BEFORE the 90,000 objects were removed!

Help will be along shortly I'm sure. I'll be watching to see if my instant dummy's diagnosis is remotely correct. I'd feel fairly confident removing every R3, O2, O3, and O10 entry, and probably the O8's as well. But that is NOT advice!

Avtrician
10th Mar 2005, 09:51
Binos,
I agree with your diagnosis, that is one loaded log, can't wait for part 2.

You are getting good at this.

I would take out the O18 line as well, it looks a bit sus. (protocol hijack???)

Bern Oulli
10th Mar 2005, 13:02
Binos, if I had done a log before the Adaware scan it would have fallen off the bottom of the Forum Board. I have spotted some likely candidates for removal as well but I will wait for the professionals to stop laughing first! It's a MESS.

SoftTop
10th Mar 2005, 21:14
As we say North of Watford "Help ma Boab!"

I've had a look through the list over the last hour and I don't envy your task.

I've saved a useful link that e-liam (I think) posted here a while back and it gives a good overview of what to look for in the log. Have a look at this tutorial (http://www.pchell.com/support/hijackthistutorial.shtml) and see what you think.

Then, when you're ready to identify the dodgy stuff, try using the tools here (http://computercops.biz/CLSID.html) to identify the main Browser Helper Objects (BHOs) that are listed under the O2 items. The ones that worry me, because I can't find any reference to them anywhere, are the ones containing the path C:\\Program Files\\1xl709n9\\1xl709n9.dll. (what's with the double backslashes?)

That looks seriously dodgy, unless, of course, you know what it is.

There are others like VTrebootagent.exe that don't look good either. Judging by some of the entries the PC has been used for gaming and that's probably where a lot of the suspect stuff has come from. I find that my lads get a load of cr@p trying to pop up or offering to download itself when they visit gaming sites like fileplanet.

It all looks fixable, but it will take a bit of patience and effort.

When I get some more time I'll see if I can start doing a "liam" and be a bit more specific as to which lines need to be fixed, unless someone else beats me to it (please!)

Final question, and please don't take it the wrong way, but, would it be a disaster if the whole disk was wiped and the OS plus apps re-installed?

Good luck

ST

Bern Oulli
11th Mar 2005, 06:49
Soft Top.
Many thanks for your time and the references. Been there and very useful they are. I agree that "C:\\Program Files\\1xl709n9\\1xl709n9.dll." looks exceedingly sus - no-one has any idea what it is. So on that basis I have identified loads of stuff to go and highlighted the definites in red and the probables in a tasteful pink.
In answer to your final question, no, it would not be a disaster - my friend was going to do it anyway and my initial innocent thought was to save him the hassle! Give it to me instead. Doh!

The double slashes do NOT appear in the original log. Pprune seems to be doubling them every time I copy and paste (and forget to disable smilies).

Edited 'cos my initial plan didn't work

Well, that didn't work. Said the edited post was too long (true!). So, here we are with the highlights.
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\System32\\Ati2evxx.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\System32\\CTsvcCDA.EXE
C:\\WINDOWS\\System32\\NMSSvc.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\Mixer.exe
C:\\Program Files\\Ahead\\InCD\\InCD.exe
C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
C:\\WINDOWS\\kdx\\KHost.exe
C:\\Program Files\\Java\\j2re1.4.2_04\\bin\\jusched.exe
C:\\WINDOWS\\specialoffers4.exe
C:\\WINDOWS\\system32\\rundll32.exe
C:\\PROGRA~1\\soupqt\\vorouq.exe
C:\\WINDOWS\\system32\\wuauclt.exe
C:\\Program Files\\Bopfs\\Pzzfapg.exe
C:\\Program Files\\1xl709n9\\1xl709n9.exe
C:\\Program Files\\Messenger\\msmsgs.exe
C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
C:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe
C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\winnet.exe
C:\\PROGRA~1\\soupqt\\quorov.exe
C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\comwiz.exe
C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe
C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe
F:\\ForIan\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ntlworld.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = Tiscali 10.0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\\Program Files\\TV Media\\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\System32\\Userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\cnbabe.dll
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\\WINDOWS\\BTGrab.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\nem220.dll (file missing)
O2 - BHO: MSViewObj Class - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\\WINDOWS\\MSView.DLL
O2 - BHO: F1 Organizer Class - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\\WINDOWS\\System32\\mpz300.dll
O2 - BHO: (no name) - {03AA0371-5280-4801-8D1A-E6505CA3107B} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: C:\\WINDOWS\\lbbho.dll - {03E630FC-D1AB-40A8-9364-3573DA0D2127} - C:\\WINDOWS\\lbbho.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\\Program Files\\MyWay\\myBar\\1.bin\\MYBAR.DLL
O2 - BHO: (no name) - {1677048F-F0EA-40D8-95B2-5D6A2463936E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\\WINDOWS\\system32\\hiauygd.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Setup\\Setup.dll (file missing)
O2 - BHO: (no name) - {32E9E1B1-6EF9-4EFD-9897-55D428C19850} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {3C63C272-F2CB-44B0-9B79-9CEC4BBB8126} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {415BB6C1-5278-480C-A69C-81B9DFCFBE09} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\\Program Files\\NewDotNet\\newdotnet6_38.dll
O2 - BHO: (no name) - {534B130C-6231-4B97-840A-4A95CED800AB} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {56E2394F-9891-4F2A-9012-279E53B2CCA6} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: NetPal Class - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\\WINDOWS\\System32\\NetPal.dll (file missing)
O2 - BHO: (no name) - {636FE0EF-8FC1-44AE-9B56-8CFBAFCFC335} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {676A9CA2-C24D-4A74-814F-02F31668D9BA} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {6B18FC3C-8E0B-4723-97C9-AC84B2B2AF5F} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {8C3AB9C0-1A8C-4B9A-AE26-ECCF2AA4E9FB} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {8EF56E90-0CA0-474D-B19B-1050C7D2283D} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\\WINDOWS\\wsem303.dll (file missing)
O2 - BHO: (no name) - {975245C9-E6CF-4D56-A240-4EE7F735FB1A} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {AB036FC0-DB98-4DF5-8249-9A992C1B165D} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {BC02E26E-7845-4913-AF07-2AC45F262D1E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {C489AEB7-09ED-4E2C-9AFA-B40E22ADBE24} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {CE4D5004-2FC3-4D4A-94B1-B4DE56B17F02} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D3107C32-2409-4427-A742-89FBC005D6C3} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {D53CA81D-0D5F-43BC-B6AB-5C1356DE987E} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D8A9BC96-9B76-4C0B-BAFE-A7EFF1909509} - C:\\Program Files\\1xl709n9\\1xl709n9.dll
O2 - BHO: (no name) - {D9576E3D-0817-4F93-89E5-DCE4FFA3FCCB} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {DE450EDD-75FB-4824-B93F-7CA65C4B5369} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: (no name) - {E062922F-AC3D-4670-8B59-AD305324C55B} - C:\\Program Files\\CSBB\\CSBB.dll (file missing)
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\nem218.dll (file missing)
O2 - BHO: SDWin32 Class - {FD899702-326F-4B46-9906-6BC5D4FADC0F} - C:\\WINDOWS\\system32\\vyosj.dll
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\\Program Files\\Lycos\\sst.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\\Program Files\\MyWay\\myBar\\1.bin\\MYBAR.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\\Program Files\\MBKWBar\\IEToolBar.dll
O4 - HKLM\\..\\Run: [UpdReg] C:\\WINDOWS\\Updreg.exe
O4 - HKLM\\..\\Run: [CTStartup] C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run
O4 - HKLM\\..\\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\\..\\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\\..\\Run: [winnet] C:\\PROGRA~1\\COMMON~2\\ADDRES~1\\Winnet.exe
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [InCD] C:\\Program Files\\Ahead\\InCD\\InCD.exe
O4 - HKLM\\..\\Run: [ATIPTA] C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe
O4 - HKLM\\..\\Run: [SiSUSBRG] C:\\WINDOWS\\SiSUSBrg.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\Run: [TV Media] C:\\Program Files\\TV Media\\Tvm.exe
O4 - HKCU\\..\\Run: [TaskTray] C:\\Program Files\\Creative\\TaskBar\\CTLTray.exe
O4 - HKCU\\..\\Run: [TaskBar] C:\\Program Files\\Creative\\TaskBar\\CTLTask.exe
O4 - HKCU\\..\\Run: [ContextUninstall] C:\\WINDOWS\\STUninstall.exe
O4 - HKCU\\..\\Run: [AVG7_Run] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE
O4 - Startup: Microsoft Find Fast.lnk = C:\\Program Files\\Microsoft Office\\Office\\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe
O4 - Global Startup: VTAgentReboot.exe
O8 - Extra context menu item: Add A Page Note - C:\\Program Files\\CommonName\\AddressBar\\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\\Program Files\\CommonName\\AddressBar\\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\\Program Files\\CommonName\\AddressBar\\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\\Program Files\\CommonName\\AddressBar\\navigate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\\WINDOWS\\System32\\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .qt: C:\\Program Files\\Internet Explorer\\PLUGINS\\npqtplugin.dll
O12 - Plugin for .spop: C:\\Program Files\\Internet Explorer\\Plugins\\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_37.cab
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - http://www.turntool.com/ViewerInstall.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://cm4all04.1and1.co.uk/app/static/activex/msxml4.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} (TestingCtl Control) - http://esb.alcena.com/ESBAdultInstaller.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O23 - Service: Ati HotKey Poller - Unknown - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\\WINDOWS\\System32\\CTsvcCDA.EXE
O23 - Service: Intel(R) NMS - Intel Corporation - C:\\WINDOWS\\System32\\NMSSvc.exe

Avtrician
11th Mar 2005, 10:47
Bern Oulli,
I agree with your chosen selections, plus if I were doing the cleaning I would add these as well,

O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\\WINDOWS\\system32\\hiauygd.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\Setup\\Setup.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\\WINDOWS\\wsem303.dll (file missing)
O2 - BHO: BHObj Class - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\\WINDOWS\\nem218.dll (file missing)
O2 - BHO: SDWin32 Class - {FD899702-326F-4B46-9906-6BC5D4FADC0F} - C:\\WINDOWS\\system32\\vyosj.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Anything with no file or file missing can't hurt, and I have a big distrust for any file names that don't spell anything or look like a shorthand for something.

You are a brave man for tackling something this bad. Good luck.

The worst that could happen is that you end up having to do a complete rebuild. I hope the pay is good, or at least the beer is to your liking.
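Avtrician's rules of thumb here (anything marked "(no file)" or "(file missing)" can go; distrust names that don't spell anything) and SoftTop's earlier advice to look up the O2 CLSIDs can be turned into a small triage script. The following is an added example written for this page, not a tool from the thread or from HijackThis itself. It parses a re-typed excerpt of the thread's log (single backslashes, as HijackThis actually writes them), extracts each entry's CLSID and target file, and flags entries by those heuristics plus one more that is visible in the log: the same DLL (1xl709n9.dll) registered under many different CLSIDs. The regexes, the `looks_random` rule and the three-CLSID threshold are my own choices, not anything HijackThis does.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Re-typed excerpt of the thread's log, with single backslashes as HijackThis writes them.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {03AA0371-5280-4801-8D1A-E6505CA3107B} - C:\Program Files\1xl709n9\1xl709n9.dll
O2 - BHO: (no name) - {1677048F-F0EA-40D8-95B2-5D6A2463936E} - C:\Program Files\1xl709n9\1xl709n9.dll
O2 - BHO: (no name) - {32E9E1B1-6EF9-4EFD-9897-55D428C19850} - C:\Program Files\1xl709n9\1xl709n9.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
O10 - Hijacked Internet access by New.Net
O18 - Protocol hijack: cn - {9346A6BB-1ED0-4174-AFB4-13CD4EC0AA40}
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<target>.+)$")
# Sections that always deserve a look, whatever file they name (my labels, not HijackThis's).
HIJACK_SECTIONS = {"O10": "Winsock/LSP hijack (New.Net style)", "O18": "protocol handler hijack"}
VOWELS = set("aeiou")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    target: Optional[str]          # file the entry points at, if any
    file_missing: bool             # "(no file)" or "(file missing)"
    reasons: List[str] = field(default_factory=list)


def _target_of(section: str, body: str) -> Tuple[Optional[str], bool]:
    """Pull the file an entry points at out of its free-text body."""
    if section == "O4":
        m = RUN_RE.match(body)
        if not m:
            return None, False
        # Drop arguments such as "/background" and any surrounding quotes.
        return m.group("target").split(" /")[0].strip('"'), False
    last = body.rsplit(" - ", 1)[-1].strip()
    if last == "(no file)":
        return None, True
    if last.endswith("(file missing)"):
        return last[: -len("(file missing)")].strip(), True
    # Only accept a drive path, so "Hijacked Internet access by New.Net" is not taken for a file.
    return (last, False) if re.match(r"^[A-Za-z]:\\", last) else (None, False)


def parse_entries(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid = CLSID_RE.search(body)
        target, missing = _target_of(section, body)
        entries.append(Entry(section, body, clsid.group(0) if clsid else None, target, missing))
    return entries


def looks_random(path: str) -> bool:
    """Avtrician's 'doesn't spell anything' heuristic, made concrete (my rule):
    digits interleaved among letters (1xl709n9) or four-plus letters with no vowel.
    It is a prompt to look the name up, not a verdict."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    runs = re.findall(r"[a-z]+|[0-9]+", stem)
    letters = "".join(r for r in runs if r.isalpha())
    interleaved = len(runs) >= 3
    no_vowels = len(letters) >= 4 and not (set(letters) & VOWELS)
    return interleaved or no_vowels


def triage(text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, with the reasons attached."""
    entries = parse_entries(text)
    clsids_by_target = defaultdict(set)      # one DLL under many CLSIDs is a loud warning sign
    for e in entries:
        if e.clsid and e.target:
            clsids_by_target[e.target.lower()].add(e.clsid)
    for e in entries:
        if e.file_missing:
            e.reasons.append("points at a file that no longer exists: safe to fix")
        if e.section in HIJACK_SECTIONS:
            e.reasons.append(HIJACK_SECTIONS[e.section])
        if e.target and looks_random(e.target):
            e.reasons.append("file name looks random; look it up before trusting it")
        if e.target and len(clsids_by_target[e.target.lower()]) >= 3:
            e.reasons.append(f"same DLL registered under {len(clsids_by_target[e.target.lower()])} CLSIDs")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:>4}  {e.body[:72]}")
        for r in e.reasons:
            print(f"      -> {r}")
```

Note what the heuristics miss: Winnet.exe reads like a plausible name and is not flagged, which is why the CLSID and file-name lookups SoftTop linked still matter. In the other direction, wuauclt.exe (queried later in the thread) passes the random-name test, but a list of known Windows file names is the safer check than any spelling rule.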

Binoculars
11th Mar 2005, 11:12
Bern, I'd also be careful about deleting C:\\WINDOWS\\system32\\wuauclt.exe

It looks like gibberish but I remember checking out something very much like that and finding it to be a perfectly legitimate system file.

Avtrician
11th Mar 2005, 11:17
Binos,

We seem to agree, we are either getting good at this, or just make the same mistakes.

An update,

google found this.

wuauclt - wuauclt.exe - Process Information

Process File: wuauclt or wuauclt.exe
Process Name: AutoUpdate for WindowsME

Description:
Wuauclt.exe is a process managing automatic updates for Windows. This process continuously checks for the latest updates by going online. This process should not be removed if you want to get informed about new updates.

so don't delete it.

Bern Oulli
11th Mar 2005, 13:33
Thanks for all that feedback guys. Now I take a deep breath and do the deed. I'll let you all know what happened.
Binos & Avtrician Re:wuauclt.exe. Curious that it is a WindowsME file - this puter is an XP jobber. Unless the same file is used in both OS's. I'll leave it alone for now.
Here goes...... I may be some time.

Binoculars
11th Mar 2005, 14:12
No, wait Oates! OATES!!!! COME BACK!!!

Oh no, if only he'd waited. Somebody who knew what they were talking about would have come along eventually. *sob* ... he was a good man, but he fell in with bad company and trusted too easily... :{ :{

Avtrician
11th Mar 2005, 22:44
Bern Oulli,
I think if you turn off auto updates it will not be running. The file is on my system but it doesn't seem to be used.

The Voice
11th Mar 2005, 23:19
I have absolutely no idea when it comes to things technical and computers .. but I am thoroughly enjoying this good/bad HJT stuff - even more now thanks to Softy's post with the links .. idled away a small 3.5 hours yesterday trouble shooting the desktop .. can't wait to do the lappy!!!


Thanks Softy ..

SoftTop
12th Mar 2005, 08:02
Thanks for that vote of confidence TV.

Remind me to start adding disclaimers to any future posts - just in case :uhoh:

Hey, if it works, triffic. If it doesn't - where did I put that passport ..... :}

Bern Oulli
17th Mar 2005, 16:45
Well, I suppose you are all dying to know what happened. First, the good bit.

All this done in safe mode with the Set Restore Point stuff disabled. Ran HJT again and got it to do its stuff on all the entries previously highlighted. Restart and ran HJT again. New HJT log (which I can reproduce here if you really want to see it) was really the old log with all the naughty bits missing. Great. Restart not in Safe Mode. Computer started and nothing was not working. Bonus.

Now the bad bits. Ran AVG anti virus. Locked up again on the 9th registry entry. Bugga! Ran Spybot. Locked up as before. Double Bugga! Ran Adaware SE. It fairly buzzed through the early part of the scan and I thought "Yes!". Wrong. It then started clocking up a huge number of objects. Left it doing so and the following day it had 92,000 thingies quarantined. Deleted the quarantined file and ran it again. Same result.

At this point my friend said words to the effect of "Sod it - I wanted a new hard drive anyway". So there I have left it. I'd still love to know WTF was going on though.

SoftTop
17th Mar 2005, 20:29
92k's worth of cr@p - what can I say? It looks like there's been a backup of some sort done that isn't being deleted. That's an AWFUL lot of stuff to just reappear spontaneously after reboot.

Is the hard disk a single partition - i.e. just the C: drive? Or, has it been split into a couple of drive letters? Just fishing here.

If it's just a single drive, I agree, bugga! If it's partitioned into a couple of drives, that might be where the problem lies. The scanning s/w might not be set to look into all the drives.

Your mate's got a good healthy attitude. A new drive seems like a way out. Please don't be tempted to leave the old drive in the PC when you install a new drive though!

ST

Avtrician
18th Mar 2005, 00:34
By all means, leave the old drive in as a slave, but format it to return it to a usable drive.

Computers do some strange things sometimes.

SoftTop
18th Mar 2005, 05:53
Yeah, sorry. Should have been a bit more explicit with the "don't leave it in" advice. I was thinking about the possibility of it being left in as a slave but with the old data still on it. :(

If you want additional storage, just make sure that it's been reformatted before sticking it back in. :ok:

Bern Oulli
18th Mar 2005, 07:05
Thanks guys. Just to clarify, it is (was) a 40Gig drive with no partitions ie just a C: drive.
Ho hum. You win some - you lose some. Such is life.