
Trojans and Spyware....Hijack this log

Discussion in 'Malware and Virus Removal Archive' started by jbh, 2006/08/20.

Thread Status:
Not open for further replies.
  1. 2006/08/21
    TeMerc

    Ok, looks like there is fair amount to deal with here. I'll be back later in the day with my fix.

    And no I don't think a reformat will be necessary.
     
  2. 2006/08/21
    TeMerc

    Ok, we're going to do some registry modifying, so let's first back up your registry.

    Then please download the Killbox.
    Save it to the desktop, but do not run it yet, we will shortly.

    Next click the Windows 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggf

    We want to highlight and select:
    hgggf

    Then right-click it, and select 'delete'

    Then move on to this next key, which should be visible also:
    wincsg32

    1) Now go back to Killbox and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\fgggh.bak2
    C:\WINDOWS\system32\fgggh.bak1
    C:\WINDOWS\system32\hgggf.dll
    C:\WINDOWS\system32\wincsg32.dll



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot your system and search for and delete the following if found:
    C:\Documents and Settings\Mom\Application Data\WhenU<<<<---this folder

    Then please give me another ComboFix log and a new HJT log file as well.
     


  4. 2006/08/21
    jbh

    Sorry this has been such a PIA......I really do appreciate your help....

    New reports....

    Mom - 06-08-21 19:50:14.35
    ComboFix 06.08.18 - Running from: C:\Documents and Settings\Mom\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1
    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1\??crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


    2006-08-20 11:17 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-20 11:17 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-20 11:17 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-20 11:17 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-15 06:53 499,712 C:\WINDOWS\system32\msvcp71.dll
    2006-08-15 06:53 348,160 C:\WINDOWS\system32\msvcr71.dll
    2006-08-14 20:00 573,492 C:\WINDOWS\system32\hgggf.dll
    2006-07-28 11:39 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-28 11:30 22,752 C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-21 19:27 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-21 19:23 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-21 06:20 -------- d-a------ C:\Program Files\Common Files
    2006-08-21 03:57 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-20 20:43 -------- d-------- C:\Program Files\Index.dat Suite
    2006-08-20 01:19 -------- d-------- C:\Program Files\mIRC
    2006-08-20 01:16 -------- d-------- C:\Program Files\UOGateway
    2006-08-19 00:24 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-19 00:23 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-08-16 00:43 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-15 06:53 -------- d-------- C:\Documents and Settings\Mom\Application Data\PC Tools
    2006-08-14 20:02 573492 ---hs---- C:\WINDOWS\system32\hgggf.dll
    2006-08-14 19:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-14 19:12 -------- d-------- C:\Program Files\Dreamcatcher
    2006-08-10 16:51 -------- d-------- C:\Program Files\D-Tools
    2006-08-07 10:58 -------- d-------- C:\Program Files\Razor
    2006-08-04 15:39 -------- d-------- C:\Program Files\Super DVD Ripper
    2006-08-02 17:12 -------- d-------- C:\Program Files\Messenger
    2006-08-02 17:04 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-02 17:01 -------- d-------- C:\Program Files\Outlook Express
    2006-08-02 17:01 -------- d-------- C:\Program Files\Common Files\System
    2006-08-01 01:29 -------- d-------- C:\Program Files\Colorful Movie Editor Trial
    2006-08-01 00:54 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-01 00:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd1357.sys
    2006-08-01 00:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
    2006-07-28 18:40 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-07-28 12:13 -------- d---s---- C:\Documents and Settings\Mom\Application Data\Microsoft
    2006-07-28 11:38 -------- d-------- C:\Program Files\Movie Maker
    2006-07-28 11:34 -------- d-------- C:\Program Files\Windows NT
    2006-07-28 11:34 -------- d-------- C:\Program Files\NetMeeting
    2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 18:55 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-07-22 18:55 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-07-22 18:55 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-07-21 18:24 -------- d-------- C:\Documents and Settings\Mom\Application Data\Symantec
    2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-17 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
    2006-07-17 19:31 -------- d-------- C:\Program Files\InterVideo
    2006-07-17 19:01 -------- d-------- C:\Program Files\Yahoo SiteBuilder
    2006-07-17 18:50 -------- d-------- C:\Program Files\EA Games
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Talkback
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Mozilla
    2006-07-10 16:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2006-07-10 16:38 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2006-07-05 13:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2006-07-04 17:07 -------- d-------- C:\Documents and Settings\Mom\Application Data\Apple Computer
    2006-07-04 17:02 -------- d-------- C:\Program Files\QuickTime
    2006-07-04 17:01 -------- d-------- C:\Program Files\iTunes
    2006-07-04 17:01 -------- d-------- C:\Program Files\iPod
    2006-07-02 20:33 -------- d-------- C:\Program Files\Common Files\SWF Studio
    2006-06-27 12:46 -------- d-------- C:\Documents and Settings\Mom\Application Data\G-Force
    2006-06-27 12:45 -------- d-------- C:\Program Files\SoundSpectrum
    2006-06-26 13:21 -------- d-------- C:\Documents and Settings\Mom\Application Data\Yahoo!
    2006-06-26 01:49 -------- d-------- C:\Program Files\Yahoo!
    2006-06-24 17:21 -------- d-------- C:\Program Files\PySol-4.20
    2006-06-24 17:02 -------- d-------- C:\Program Files\MahJongg Solitaire 3D
    2006-06-24 00:02 -------- d-------- C:\Program Files\LimeWire
    2006-06-23 20:18 -------- d-------- C:\Program Files\Common Files\Scanner
    2006-06-21 14:28 -------- d-------- C:\Program Files\PySolitaire
    2006-06-18 03:22 88 --a------ C:\Program Files\INSTALL.LOG
    2006-06-14 15:30 0 -rahs---- C:\MSDOS.SYS
    2006-06-14 15:30 0 -rahs---- C:\IO.SYS
    2006-06-14 15:30 0 --a------ C:\CONFIG.SYS
    2006-06-14 15:30 0 --a------ C:\AUTOEXEC.BAT
    2006-06-14 10:19 62 --ahs---- C:\Documents and Settings\Mom\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup "
    "nwiz "= "nwiz.exe /install "
    "NvMediaCenter "= "RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit "
    "ccApp "= "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "
    "ccRegVfy "= "C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe "
    "GhostStartTrayApp "= "C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe "
    "SoundMan "= "SOUNDMAN.EXE "
    "SunJavaUpdateSched "= "C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe "
    "NeroCheck "= "C:\\WINDOWS\\System32\\\\NeroCheck.exe "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "!ewido "= "\ "C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "Yahoo! Pager "= "\ "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor "= "\ "C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q "

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "ewido anti-spyware 4.0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    "path "= "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk "
    "backup "= "C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
    "item "= "InterVideo WinCinema Manager "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\AudioDeck]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "ADeck "
    "hkey "= "HKLM "
    "command "= "C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "daemon "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033 "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools-1033]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "daemon "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "iTunesHelper "
    "hkey "= "HKLM "
    "command "= "\ "C:\\Program Files\\iTunes\\iTunesHelper.exe\" "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "msmsgs "
    "hkey "= "HKCU "
    "command "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "inimapping "= "0 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggf
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Mon 08/21/2006 19:52:56.22
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
    *********************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 7:47:02 PM, on 8/21/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mom\Desktop\hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .htm: C:\Program Files\\Netscape\\Netscape Browser\PLUGINS\npTrident.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150324656506
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDCB3439-230C-4D16-BAB0-1311C8161FE9}: NameServer = 205.188.146.145
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
     
    jbh,
    #23
  5. 2006/08/21
    TeMerc

    Ok, there are just a couple of items remaining. For the registry entries I may need to consult someone, but let's try to get rid of the one file.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\hgggf.dll

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot your system, and give me yet another :confused: combofix log to see that we got it. Hopefully by then, I'll have more definitive instructions about the registry. My knowledge in that area is not what I'd like it to be.
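A defender-side cross-check for the Winlogon\Notify persistence that the regedit and Killbox steps in this post and in post 2 deal with, written here as an added example (not code from the thread, from TeMerc, or from ComboFix). It parses ComboFix-style "Files Created", "Find3M" and bare Winlogon\Notify key lines, skips the Notify subkeys Windows XP ships by default (an assumed allowlist), and reports every other subkey together with the attributes of the matching system32 DLL; the sample log is constructed from the entries quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default Winlogon\Notify subkeys shipped with Windows XP. This allowlist is an
# assumption made for the example; anything not in it deserves a second look.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# ComboFix "Files Created" lines carry date, time, size and path; "Find3M"
# lines add a 9-character attribute field (d/r/a/h/s/t flags) before the path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+(?P<size>\S+)"
    r"(?:\s+(?P<attrs>[-a-zA-Z]{9}))?\s+(?P<path>[A-Za-z]:\\.+?)\s*$"
)
# Under "Reg Loading Points" ComboFix prints each Winlogon\Notify subkey as a bare key path.
NOTIFY_LINE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\\\s]+)\s*$",
    re.IGNORECASE,
)


@dataclass
class FileEntry:
    date: str
    size: str
    attrs: Optional[str]   # None for "Files Created" lines, which omit attributes
    path: str

    @property
    def hidden_system(self) -> bool:
        # 'h' = hidden, 's' = system; hgggf.dll shows up as "---hs----" in the thread's log.
        return self.attrs is not None and "h" in self.attrs and "s" in self.attrs


@dataclass
class Finding:
    key: str                  # Winlogon\Notify subkey name
    dll: Optional[FileEntry]  # matching system32\<key>.dll entry, if the log lists one
    reason: str


def parse_log(text: str) -> Tuple[Dict[str, FileEntry], List[str]]:
    """Collect file entries (keyed by lower-cased path) and Notify subkey names."""
    files: Dict[str, FileEntry] = {}
    notify: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            entry = FileEntry(m["date"], m["size"], m["attrs"], m["path"])
            key = entry.path.lower()
            # Prefer the Find3M line (has attributes) over the Files Created line.
            if entry.attrs is not None or key not in files:
                files[key] = entry
            continue
        m = NOTIFY_LINE.match(line)
        if m:
            notify.append(m["name"])
    return files, notify


def audit_notify(text: str, system32: str = r"C:\WINDOWS\system32") -> List[Finding]:
    """Flag non-default Notify subkeys and cross-reference their DLL in the file listing."""
    files, notify = parse_log(text)
    findings: List[Finding] = []
    for name in notify:
        if name.lower() in XP_DEFAULT_NOTIFY:
            continue
        dll = files.get(f"{system32}\\{name}.dll".lower())
        if dll is None:
            reason = "non-default Notify key; no matching DLL in the file listing"
        elif dll.hidden_system:
            reason = f"non-default Notify key; DLL is hidden+system ({dll.attrs}), dated {dll.date}"
        else:
            reason = f"non-default Notify key; DLL attrs {dll.attrs}, dated {dll.date}"
        findings.append(Finding(name, dll, reason))
    return findings


# Constructed sample in the shape of the ComboFix logs quoted in this thread.
SAMPLE_LOG = r"""
2006-08-14 20:00 573,492 C:\WINDOWS\system32\hgggf.dll
2006-08-14 20:02 573492 ---hs---- C:\WINDOWS\system32\hgggf.dll
2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
"""

if __name__ == "__main__":
    for f in audit_notify(SAMPLE_LOG):
        print(f"{f.key}: {f.reason}")
```

Run it against a full ComboFix log and each non-default Notify subkey is listed once, with the matching DLL's attributes and creation date when the log carries them.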
     
  6. 2006/08/22
    jbh

    I think we (you) have fixed this thing.....

    Haven't had a Norton popup about trojans all day......

    I'm one happy camper....Thank you!!!!

    Mom - 06-08-22 21:22:22.24
    ComboFix 06.08.18 - Running from: C:\Documents and Settings\Mom\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1
    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1\??crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 ))))))))))))))))))))))))))))))))))


    2006-08-20 11:17 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-20 11:17 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-20 11:17 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-20 11:17 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-15 06:53 499,712 C:\WINDOWS\system32\msvcp71.dll
    2006-08-15 06:53 348,160 C:\WINDOWS\system32\msvcr71.dll
    2006-08-14 20:00 573,492 C:\WINDOWS\system32\hgggf.dll
    2006-07-28 11:39 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-28 11:30 22,752 C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-22 21:21 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-22 21:19 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-22 08:24 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-21 06:20 -------- d-a------ C:\Program Files\Common Files
    2006-08-20 20:43 -------- d-------- C:\Program Files\Index.dat Suite
    2006-08-20 01:19 -------- d-------- C:\Program Files\mIRC
    2006-08-20 01:16 -------- d-------- C:\Program Files\UOGateway
    2006-08-19 00:24 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-19 00:23 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-08-16 00:43 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-15 06:53 -------- d-------- C:\Documents and Settings\Mom\Application Data\PC Tools
    2006-08-14 20:02 573492 --------- C:\WINDOWS\system32\hgggf.dll
    2006-08-14 19:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-14 19:12 -------- d-------- C:\Program Files\Dreamcatcher
    2006-08-10 16:51 -------- d-------- C:\Program Files\D-Tools
    2006-08-07 10:58 -------- d-------- C:\Program Files\Razor
    2006-08-04 15:39 -------- d-------- C:\Program Files\Super DVD Ripper
    2006-08-02 17:12 -------- d-------- C:\Program Files\Messenger
    2006-08-02 17:04 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-02 17:01 -------- d-------- C:\Program Files\Outlook Express
    2006-08-02 17:01 -------- d-------- C:\Program Files\Common Files\System
    2006-08-01 01:29 -------- d-------- C:\Program Files\Colorful Movie Editor Trial
    2006-08-01 00:54 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-01 00:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd1357.sys
    2006-08-01 00:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
    2006-07-28 18:40 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-07-28 12:13 -------- d---s---- C:\Documents and Settings\Mom\Application Data\Microsoft
    2006-07-28 11:38 -------- d-------- C:\Program Files\Movie Maker
    2006-07-28 11:34 -------- d-------- C:\Program Files\Windows NT
    2006-07-28 11:34 -------- d-------- C:\Program Files\NetMeeting
    2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 18:55 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-07-22 18:55 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-07-22 18:55 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-07-21 18:24 -------- d-------- C:\Documents and Settings\Mom\Application Data\Symantec
    2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-17 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
    2006-07-17 19:31 -------- d-------- C:\Program Files\InterVideo
    2006-07-17 19:01 -------- d-------- C:\Program Files\Yahoo SiteBuilder
    2006-07-17 18:50 -------- d-------- C:\Program Files\EA Games
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Talkback
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Mozilla
    2006-07-10 16:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2006-07-10 16:38 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2006-07-05 13:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2006-07-04 17:07 -------- d-------- C:\Documents and Settings\Mom\Application Data\Apple Computer
    2006-07-04 17:02 -------- d-------- C:\Program Files\QuickTime
    2006-07-04 17:01 -------- d-------- C:\Program Files\iTunes
    2006-07-04 17:01 -------- d-------- C:\Program Files\iPod
    2006-07-02 20:33 -------- d-------- C:\Program Files\Common Files\SWF Studio
    2006-06-27 12:46 -------- d-------- C:\Documents and Settings\Mom\Application Data\G-Force
    2006-06-27 12:45 -------- d-------- C:\Program Files\SoundSpectrum
    2006-06-26 13:21 -------- d-------- C:\Documents and Settings\Mom\Application Data\Yahoo!
    2006-06-26 01:49 -------- d-------- C:\Program Files\Yahoo!
    2006-06-24 17:21 -------- d-------- C:\Program Files\PySol-4.20
    2006-06-24 17:02 -------- d-------- C:\Program Files\MahJongg Solitaire 3D
    2006-06-24 00:02 -------- d-------- C:\Program Files\LimeWire
    2006-06-23 20:18 -------- d-------- C:\Program Files\Common Files\Scanner
    2006-06-18 03:22 88 --a------ C:\Program Files\INSTALL.LOG
    2006-06-14 15:30 0 -rahs---- C:\MSDOS.SYS
    2006-06-14 15:30 0 -rahs---- C:\IO.SYS
    2006-06-14 15:30 0 --a------ C:\CONFIG.SYS
    2006-06-14 15:30 0 --a------ C:\AUTOEXEC.BAT
    2006-06-14 10:19 62 --ahs---- C:\Documents and Settings\Mom\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
    "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE"
    "item"="InterVideo WinCinema Manager"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\AudioDeck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ADeck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggf
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Tue 08/22/2006 21:26:06.80
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
    jbh,
    #25
  7. 2006/08/22
    TeMerc (Inactive Alumni)
    Ok, almost got 'em all, but there seems to be one straggler, holding on for dear life.

    Let's try a safe mode Killbox delete.

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Go into Killbox once again and run it, same as before, selecting 'Delete on reboot' and copying and pasting in the following file:
    C:\WINDOWS\system32\hgggf.dll

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot and let's see another ComboFix log. I think this will get it, and then all we'll have left is a couple of registry entries, which should be easy to remove and will have no consequence once the file is gone.
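The "Delete on Reboot" step above leans on a standard Windows mechanism, and it helps to see it directly rather than through a tool. The script below is an added example written for this thread; it is not code from the original post and not how Killbox is implemented internally. It first lists which processes have the DLL mapped (a Winlogon notification package lives inside winlogon.exe, which is why a live delete fails even in Safe Mode, where winlogon still runs), then queues the file for deletion at the next boot through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, and finally reads back the PendingFileRenameOperations queue that the Session Manager processes before any logon package can load. Assumptions: Windows PowerShell 5.1 (for Add-Type) on an elevated prompt; `$Target` is a placeholder path taken from the thread's logs. One caveat the thread itself illustrates: the later Vundo log lists a reversed-name companion, fgggh.ini, beside hgggf.dll, and a companion that re-creates the DLL is the usual reason a file-only delete does not stick.

```powershell
# Added example for this thread, not code from the original post or from Killbox.
# Queues a locked DLL for deletion at next boot via the Windows delayed-move API,
# and shows the queue entry it creates. Assumes Windows PowerShell 5.1, elevated.
# $Target is a placeholder path from the thread's logs; substitute the file you mean.

$Target = 'C:\WINDOWS\system32\hgggf.dll'

$Kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Get-ModuleHolder {
    # Lists processes that currently have the DLL mapped. A Winlogon notification
    # package shows up inside winlogon.exe, which is why a normal delete fails.
    param([string]$Path)
    $name = [System.IO.Path]::GetFileName($Path)
    foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules | Where-Object { $_.ModuleName -ieq $name }) {
                [pscustomobject]@{ ProcessId = $proc.Id; Process = $proc.ProcessName }
            }
        } catch {
            # Module lists of protected or cross-bitness processes are not readable; skip.
        }
    }
}

function Register-DeleteOnReboot {
    # A null destination plus MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot".
    # Writing the queue needs administrator rights.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found; nothing queued"
        return $false
    }
    $ok = $Kernel32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed with Win32 error $code (not elevated?)"
    }
    return $ok
}

function Get-PendingFileRename {
    # Reads the queue back: a REG_MULTI_SZ of source/destination pairs where an
    # empty destination means delete. Sources carry the \??\ NT path prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dest = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        $action = if ([string]::IsNullOrEmpty($dest)) { 'delete' } else { "rename to $dest" }
        [pscustomobject]@{ Source = $ops[$i]; Action = $action }
    }
}

Write-Host "Processes holding $Target open:"
Get-ModuleHolder -Path $Target | Format-Table -AutoSize
if (Register-DeleteOnReboot -Path $Target) {
    Write-Host 'Operations queued for next boot:'
    Get-PendingFileRename | Format-Table -AutoSize
}
```

If the queue shows the entry but the file is back after the reboot, something re-created it, and the fix has to target the companion files and the Winlogon\Notify key together, which is what the ComboFix Vundo switch later in the thread does.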
     
  8. 2006/08/23
    jbh (Inactive, Thread Starter)
    I did what you said and checked and that sucker (file) is still there.....

    Mom - 06-08-23 13:18:56.63
    ComboFix 06.08.18 - Running from: C:\Documents and Settings\Mom\Desktop\spyware cleaners and stuff

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1
    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1\??crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-23 to 2006-08-23 ))))))))))))))))))))))))))))))))))


    2006-08-20 11:17 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-20 11:17 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-20 11:17 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-20 11:17 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-15 06:53 499,712 C:\WINDOWS\system32\msvcp71.dll
    2006-08-15 06:53 348,160 C:\WINDOWS\system32\msvcr71.dll
    2006-08-14 20:00 573,492 C:\WINDOWS\system32\hgggf.dll
    2006-07-28 11:39 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-28 11:30 22,752 C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-23 13:17 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-23 12:43 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-23 11:02 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-23 07:11 -------- d-------- C:\Program Files\SpywareBlaster
    2006-08-21 06:20 -------- d-a------ C:\Program Files\Common Files
    2006-08-20 20:43 -------- d-------- C:\Program Files\Index.dat Suite
    2006-08-20 01:19 -------- d-------- C:\Program Files\mIRC
    2006-08-20 01:16 -------- d-------- C:\Program Files\UOGateway
    2006-08-19 00:24 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-19 00:23 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-08-16 00:43 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-15 06:53 -------- d-------- C:\Documents and Settings\Mom\Application Data\PC Tools
    2006-08-14 20:02 573492 --------- C:\WINDOWS\system32\hgggf.dll
    2006-08-14 19:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-14 19:12 -------- d-------- C:\Program Files\Dreamcatcher
    2006-08-10 16:51 -------- d-------- C:\Program Files\D-Tools
    2006-08-07 10:58 -------- d-------- C:\Program Files\Razor
    2006-08-04 15:39 -------- d-------- C:\Program Files\Super DVD Ripper
    2006-08-02 17:12 -------- d-------- C:\Program Files\Messenger
    2006-08-02 17:04 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-02 17:01 -------- d-------- C:\Program Files\Outlook Express
    2006-08-02 17:01 -------- d-------- C:\Program Files\Common Files\System
    2006-08-01 01:29 -------- d-------- C:\Program Files\Colorful Movie Editor Trial
    2006-08-01 00:54 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-01 00:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd1357.sys
    2006-08-01 00:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
    2006-07-28 18:40 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-07-28 12:13 -------- d---s---- C:\Documents and Settings\Mom\Application Data\Microsoft
    2006-07-28 11:38 -------- d-------- C:\Program Files\Movie Maker
    2006-07-28 11:34 -------- d-------- C:\Program Files\Windows NT
    2006-07-28 11:34 -------- d-------- C:\Program Files\NetMeeting
    2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 18:55 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-07-22 18:55 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-07-22 18:55 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-07-21 18:24 -------- d-------- C:\Documents and Settings\Mom\Application Data\Symantec
    2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-17 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
    2006-07-17 19:31 -------- d-------- C:\Program Files\InterVideo
    2006-07-17 19:01 -------- d-------- C:\Program Files\Yahoo SiteBuilder
    2006-07-17 18:50 -------- d-------- C:\Program Files\EA Games
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Talkback
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Mozilla
    2006-07-10 16:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2006-07-10 16:38 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2006-07-05 13:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2006-07-04 17:07 -------- d-------- C:\Documents and Settings\Mom\Application Data\Apple Computer
    2006-07-04 17:02 -------- d-------- C:\Program Files\QuickTime
    2006-07-04 17:01 -------- d-------- C:\Program Files\iTunes
    2006-07-04 17:01 -------- d-------- C:\Program Files\iPod
    2006-07-02 20:33 -------- d-------- C:\Program Files\Common Files\SWF Studio
    2006-06-27 12:46 -------- d-------- C:\Documents and Settings\Mom\Application Data\G-Force
    2006-06-27 12:45 -------- d-------- C:\Program Files\SoundSpectrum
    2006-06-26 13:21 -------- d-------- C:\Documents and Settings\Mom\Application Data\Yahoo!
    2006-06-26 01:49 -------- d-------- C:\Program Files\Yahoo!
    2006-06-24 17:21 -------- d-------- C:\Program Files\PySol-4.20
    2006-06-24 17:02 -------- d-------- C:\Program Files\MahJongg Solitaire 3D
    2006-06-24 00:02 -------- d-------- C:\Program Files\LimeWire
    2006-06-23 20:18 -------- d-------- C:\Program Files\Common Files\Scanner
    2006-06-18 03:22 88 --a------ C:\Program Files\INSTALL.LOG
    2006-06-14 15:30 0 -rahs---- C:\MSDOS.SYS
    2006-06-14 15:30 0 -rahs---- C:\IO.SYS
    2006-06-14 15:30 0 --a------ C:\CONFIG.SYS
    2006-06-14 15:30 0 --a------ C:\AUTOEXEC.BAT
    2006-06-14 10:19 62 --ahs---- C:\Documents and Settings\Mom\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
    "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE"
    "item"="InterVideo WinCinema Manager"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\AudioDeck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ADeck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgggf
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Wed 08/23/2006 13:22:18.13
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
    jbh,
    #27
  9. 2006/08/23
    TeMerc (Inactive Alumni)
    OK, I'm looking into some other methods of getting that file. I'll be back later in the day.

    We'll get it.
     
  10. 2006/08/23
    TeMerc (Inactive Alumni)
    OK, I have this figured out I hope. >fingers crossed< :p

    Extract ComboFix and place it on the desktop. Then run the tool from Start > Run: enter the following and hit Enter

    "%userprofile%\desktop\combofix.exe" /v hgggf

    Reboot, post a new ComboFix log. That better work, darn it!! LOL
     
  11. 2006/08/24
    jbh (Inactive, Thread Starter)
    I think we (you) got it this time!.....:) :) :)


    Mom - 06-08-24 7:23:18.41
    ComboFix 06.08.18 - Running from: C:\Documents and Settings\Mom\desktop

    (((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\hgggf.dll
    C:\WINDOWS\system32\fgggh.ini


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1
    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1\??crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-24 to 2006-08-24 ))))))))))))))))))))))))))))))))))


    2006-08-20 11:17 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-20 11:17 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-20 11:17 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-20 11:17 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-15 06:53 499,712 C:\WINDOWS\system32\msvcp71.dll
    2006-08-15 06:53 348,160 C:\WINDOWS\system32\msvcr71.dll
    2006-07-28 11:39 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-28 11:30 22,752 C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-24 07:15 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-24 06:38 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-23 18:08 -------- d-------- C:\Program Files\mIRC
    2006-08-23 11:02 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-23 07:11 -------- d-------- C:\Program Files\SpywareBlaster
    2006-08-21 06:20 -------- d-a------ C:\Program Files\Common Files
    2006-08-20 20:43 -------- d-------- C:\Program Files\Index.dat Suite
    2006-08-20 01:16 -------- d-------- C:\Program Files\UOGateway
    2006-08-19 00:24 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-19 00:23 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-08-16 00:43 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-15 06:53 -------- d-------- C:\Documents and Settings\Mom\Application Data\PC Tools
    2006-08-14 19:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-14 19:12 -------- d-------- C:\Program Files\Dreamcatcher
    2006-08-10 16:51 -------- d-------- C:\Program Files\D-Tools
    2006-08-07 10:58 -------- d-------- C:\Program Files\Razor
    2006-08-04 15:39 -------- d-------- C:\Program Files\Super DVD Ripper
    2006-08-02 17:12 -------- d-------- C:\Program Files\Messenger
    2006-08-02 17:04 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-02 17:01 -------- d-------- C:\Program Files\Outlook Express
    2006-08-02 17:01 -------- d-------- C:\Program Files\Common Files\System
    2006-08-01 01:29 -------- d-------- C:\Program Files\Colorful Movie Editor Trial
    2006-08-01 00:54 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-01 00:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd1357.sys
    2006-08-01 00:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
    2006-07-28 18:40 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-07-28 12:13 -------- d---s---- C:\Documents and Settings\Mom\Application Data\Microsoft
    2006-07-28 11:38 -------- d-------- C:\Program Files\Movie Maker
    2006-07-28 11:34 -------- d-------- C:\Program Files\Windows NT
    2006-07-28 11:34 -------- d-------- C:\Program Files\NetMeeting
    2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 18:55 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-07-22 18:55 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-07-22 18:55 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-07-21 18:24 -------- d-------- C:\Documents and Settings\Mom\Application Data\Symantec
    2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-17 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
    2006-07-17 19:31 -------- d-------- C:\Program Files\InterVideo
    2006-07-17 19:01 -------- d-------- C:\Program Files\Yahoo SiteBuilder
    2006-07-17 18:50 -------- d-------- C:\Program Files\EA Games
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Talkback
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Mozilla
    2006-07-10 16:38 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
    2006-07-10 16:38 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
    2006-07-05 13:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2006-07-04 17:07 -------- d-------- C:\Documents and Settings\Mom\Application Data\Apple Computer
    2006-07-04 17:02 -------- d-------- C:\Program Files\QuickTime
    2006-07-04 17:01 -------- d-------- C:\Program Files\iTunes
    2006-07-04 17:01 -------- d-------- C:\Program Files\iPod
    2006-07-02 20:33 -------- d-------- C:\Program Files\Common Files\SWF Studio
    2006-06-27 12:46 -------- d-------- C:\Documents and Settings\Mom\Application Data\G-Force
    2006-06-27 12:45 -------- d-------- C:\Program Files\SoundSpectrum
    2006-06-26 13:21 -------- d-------- C:\Documents and Settings\Mom\Application Data\Yahoo!
    2006-06-26 01:49 -------- d-------- C:\Program Files\Yahoo!
    2006-06-24 17:21 -------- d-------- C:\Program Files\PySol-4.20
    2006-06-24 17:02 -------- d-------- C:\Program Files\MahJongg Solitaire 3D
    2006-06-24 00:02 -------- d-------- C:\Program Files\LimeWire
    2006-06-18 03:22 88 --a------ C:\Program Files\INSTALL.LOG
    2006-06-14 15:30 0 -rahs---- C:\MSDOS.SYS
    2006-06-14 15:30 0 -rahs---- C:\IO.SYS
    2006-06-14 15:30 0 --a------ C:\CONFIG.SYS
    2006-06-14 15:30 0 --a------ C:\AUTOEXEC.BAT
    2006-06-14 10:19 62 --ahs---- C:\Documents and Settings\Mom\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
    "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE"
    "item"="InterVideo WinCinema Manager"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\AudioDeck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ADeck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Thu 08/24/2006 7:27:06.92
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
    jbh,
    #30
  12. 2006/08/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, looks like we got that sucker. I'll need some time to go through things better though.

    Jr. is home sick today so time is semi-limited.

    I'll be back later on with final analysis.
     
  13. 2006/08/24
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Thanks, you're my Hero today!:D

    Take care of Jr.!
     
    jbh,
    #32
  14. 2006/08/24
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well it looks as though all we need to do is delete one registry point and we're done. About time eh? :p

    Click the Windows 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wincsg32

    We want to highlight this key: wincsg32

    Right-click it, select 'delete'.

    Reboot, post one more ComboFix log and a new HJT log file as well.
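The fix above removes one Winlogon Notify package by hand in regedit. As an added example (not code from this thread or from any of the tools mentioned in it), the PowerShell function below lists every package under that same key with the DLL it loads, whether the file is actually present, and its Authenticode signature status, so that a leftover like the one being deleted here stands out for review instead of having to be spotted in a log by eye. It assumes the XP-era Notify key layout (the key may be absent on Vista and later, which dropped Notify packages) and that PowerShell 2.0 or newer is available on the machine.

```powershell
# Added example, not from the thread: report every Winlogon Notify package with
# the DLL it points at, whether that file exists, and its signature status.
# Assumes the Windows XP/2003 Notify key layout and PowerShell 2.0 or newer.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyReport {
    param([string]$Path = $NotifyKey)

    # Nothing to report on systems without the key (Vista and later).
    if (-not (Test-Path -Path $Path)) { return @() }

    Get-ChildItem -Path $Path | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $raw   = [string]$props.DllName
        $dll   = [Environment]::ExpandEnvironmentVariables($raw)

        # winlogon loads a bare file name from %SystemRoot%\system32.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "system32\$dll"
        }

        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $status = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        } else {
            'Missing'
        }

        # New-Object keeps this usable on PowerShell 2.0 (XP/2003 era).
        New-Object PSObject -Property @{
            Package     = $_.PSChildName
            DllName     = $raw
            Resolved    = $dll
            Exists      = $exists
            Signature   = $status
            # Flag for a human to look at; nothing here deletes anything.
            NeedsReview = (-not $exists) -or ($status -ne 'Valid')
        }
    }
}

# Usage: flagged entries first, so a stray package is at the top of the table.
Get-WinlogonNotifyReport |
    Sort-Object -Property NeedsReview -Descending |
    Format-Table -Property Package, DllName, Exists, Signature, NeedsReview -AutoSize
```

One caveat for anyone running this on XP: many legitimate Microsoft Notify DLLs there are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature on older PowerShell reports those as NotSigned, so NeedsReview means "check this against a known-good list or a catalog-aware tool", not "delete this". The report is meant to back up a manual decision like the one in this post, not to replace it.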
     
  15. 2006/08/25
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    Thanks so much for fixing my computer....

    You guys/girls do a great service!....

    Logfile of HijackThis v1.99.1
    Scan saved at 12:47:03 PM, on 8/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mom\Desktop\hijackthis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .htm: C:\Program Files\\Netscape\\Netscape Browser\PLUGINS\npTrident.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150324656506
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDCB3439-230C-4D16-BAB0-1311C8161FE9}: NameServer = 205.188.146.145
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe




    Mom - 06-08-25 12:49:09.51
    ComboFix 06.08.18 - Running from: C:\Documents and Settings\Mom\Desktop\spyware cleaners and stuff

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1
    C:\QooBox\Purity\Documents and Settings\Mom\My Documents\CROSOF~1\??crosoft


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-25 to 2006-08-25 ))))))))))))))))))))))))))))))))))


    2006-08-20 11:17 53,248 C:\WINDOWS\system32\Process.exe
    2006-08-20 11:17 42,496 C:\WINDOWS\system32\swreg.exe
    2006-08-20 11:17 40,960 C:\WINDOWS\system32\swsc.exe
    2006-08-20 11:17 288,417 C:\WINDOWS\system32\SrchSTS.exe
    2006-08-15 06:53 499,712 C:\WINDOWS\system32\msvcp71.dll
    2006-08-15 06:53 348,160 C:\WINDOWS\system32\msvcr71.dll
    2006-07-28 11:39 221,184 C:\WINDOWS\system32\wmpns.dll
    2006-07-28 11:30 22,752 C:\WINDOWS\system32\spupdsvc.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-25 12:46 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-25 12:44 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-25 12:15 -------- d-------- C:\Program Files\PySol-4.20
    2006-08-25 11:20 -------- d-------- C:\Program Files\mIRC
    2006-08-25 09:28 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-24 17:18 -------- d-------- C:\Program Files\PySolitaire
    2006-08-23 07:11 -------- d-------- C:\Program Files\SpywareBlaster
    2006-08-21 06:20 -------- d-a------ C:\Program Files\Common Files
    2006-08-20 20:43 -------- d-------- C:\Program Files\Index.dat Suite
    2006-08-20 01:16 -------- d-------- C:\Program Files\UOGateway
    2006-08-19 00:23 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-08-16 00:43 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-14 19:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-14 19:12 -------- d-------- C:\Program Files\Dreamcatcher
    2006-08-10 16:51 -------- d-------- C:\Program Files\D-Tools
    2006-08-07 10:58 -------- d-------- C:\Program Files\Razor
    2006-08-04 15:39 -------- d-------- C:\Program Files\Super DVD Ripper
    2006-08-02 17:12 -------- d-------- C:\Program Files\Messenger
    2006-08-02 17:04 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-02 17:01 -------- d-------- C:\Program Files\Outlook Express
    2006-08-02 17:01 -------- d-------- C:\Program Files\Common Files\System
    2006-08-01 01:29 -------- d-------- C:\Program Files\Colorful Movie Editor Trial
    2006-08-01 00:54 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
    2006-08-01 00:54 -------- d-------- C:\Program Files\DAEMON Tools
    2006-08-01 00:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd1357.sys
    2006-08-01 00:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
    2006-08-01 00:42 4 --a------ C:\WINDOWS\system32\micr0st.dll
    2006-07-28 18:40 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
    2006-07-28 12:13 -------- d---s---- C:\Documents and Settings\Mom\Application Data\Microsoft
    2006-07-28 11:38 -------- d-------- C:\Program Files\Movie Maker
    2006-07-28 11:34 -------- d-------- C:\Program Files\Windows NT
    2006-07-28 11:34 -------- d-------- C:\Program Files\NetMeeting
    2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-22 18:55 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
    2006-07-22 18:55 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
    2006-07-22 18:55 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
    2006-07-21 18:24 -------- d-------- C:\Documents and Settings\Mom\Application Data\Symantec
    2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-17 19:32 -------- d-------- C:\Program Files\Common Files\InterVideo
    2006-07-17 19:31 -------- d-------- C:\Program Files\InterVideo
    2006-07-17 19:01 -------- d-------- C:\Program Files\Yahoo SiteBuilder
    2006-07-17 18:50 -------- d-------- C:\Program Files\EA Games
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Talkback
    2006-07-15 18:41 -------- d-------- C:\Documents and Settings\Mom\Application Data\Mozilla
    2006-07-05 13:29 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
    2006-07-04 17:07 -------- d-------- C:\Documents and Settings\Mom\Application Data\Apple Computer
    2006-07-04 17:02 -------- d-------- C:\Program Files\QuickTime
    2006-07-04 17:01 -------- d-------- C:\Program Files\iTunes
    2006-07-04 17:01 -------- d-------- C:\Program Files\iPod
    2006-07-02 20:33 -------- d-------- C:\Program Files\Common Files\SWF Studio
    2006-06-27 12:46 -------- d-------- C:\Documents and Settings\Mom\Application Data\G-Force
    2006-06-27 12:45 -------- d-------- C:\Program Files\SoundSpectrum
    2006-06-26 13:21 -------- d-------- C:\Documents and Settings\Mom\Application Data\Yahoo!
    2006-06-26 01:49 -------- d-------- C:\Program Files\Yahoo!
    2006-06-18 03:22 88 --a------ C:\Program Files\INSTALL.LOG
    2006-06-14 15:30 0 -rahs---- C:\MSDOS.SYS
    2006-06-14 15:30 0 -rahs---- C:\IO.SYS
    2006-06-14 15:30 0 --a------ C:\CONFIG.SYS
    2006-06-14 15:30 0 --a------ C:\AUTOEXEC.BAT
    2006-06-14 10:19 62 --ahs---- C:\Documents and Settings\Mom\Application Data\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
    "ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
    "ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
    "GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
    "backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE"
    "item"="InterVideo WinCinema Manager"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\AudioDeck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ADeck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DAEMON Tools-1033]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="daemon"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iTunesHelper"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: Fri 08/25/2006 12:50:13.04
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt
     
    jbh,
    #34
  16. 2006/08/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, last log files indicate everything is gone, is your machine now behaving as you would like it to be? Let us know if any unwanted symptoms persist.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  17. 2006/08/27
    jbh

    jbh Inactive Thread Starter

    Joined:
    2004/04/20
    Messages:
    149
    Likes Received:
    0
    It's all good!...

    Thanks again for your time, your diligence and your advice.....

    jbh
     
    jbh,
    #36
  18. 2006/08/28
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance. 8)

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     