Resolved HJT Threads Resolved spyware and popup issues.

Old 02-21-2009, 12:52 AM   #1 (permalink)
Registered User
 
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3


Complex issues: I'm at the end of my rope.

First off I'd like to thank everyone at TSF for donating time, effort, and precious brain cells to useless people like me with computer problems. I appreciate what you guys (and gals, if you're out there) do.
Aaaand.. Enough with the butt-kissing. xD On with the problems!


Apologies for the long description, the instructions asked for detail.

Recently, I downloaded a program called Game Maker 6.1, to try my hand at making my own game. In the process of creating a sprite image, my tablet driver failed. Once again. I saved the .psd and restarted, to be met with the windows welcome screen that would never load. It would come up with "loading your personal settings..." and do nothing. I restarted twice, and decided to leave it loading as I went to bed. Woke up and it was still stuck there.

I have been downloading things at random lately, stupid I know - I felt invincible to have never had a problem I couldn't fix until now.

I managed to find safe mode with networking, and googled around. I followed the advice of some forum to delete my user password. That seemed to work, normal mode started up. But then, it would freeze. Repeatedly. I could not open FF, IE, windows live messenger, or aol instant messenger. When I tried to do so, it would freeze and I'd have to restart - again - to be met with the same problem upon startup. I also uninstalled my tablet driver.

I then found that my AVG free 8.0 would not work. The taskbar icon wasn't there, the startup .exe was gone.

I tried to run it, thinking perhaps some malicious program hid it. That didn't work. So I proceeded to uninstall and attempt to reinstall. It failed.

Local machine: installation failed
Installation:
Error: Action failed for file avgemc.exe: starting service....
Error 0x8007042c
Warning: The AvgMfx86 service cannot be started in safe mode.
Warning: The AvgLdx86 service cannot be started in safe mode.
Warning: The avg8wd service cannot be started in safe mode.
Warning: Preparation to unload of the service avg8wd failed.
@AvgErrorCode_0x0127

I noticed it said it couldn't be started in safe mode, so I tried in normal mode. It wouldn't open, just froze my system and another restart.

I gave up, decided to save all 9.4gb of pictures to an older computer we had lying around. All the pictures and videos of my son are on here, I can't bear to lose that.

The network wouldn't connect correctly, I clicked 'share this folder' to transfer all the pictures over. It opened 'my pictures' on the old computer, instead of the shared folder from my computer.

I wondered if it was something to do with my Windows Firewall, so I opened it... Everything is grayed out. I can't enable it, or disable it - and it's stuck in off position.

I then tried another forum suggestion: run msconfig. I used Selective Startup with only "Use Original BOOT.INI" and restarted. Tried normal mode, still nothing worked (AVG install, browsers, instant messengers, firewall). Tried diagnostic startup, still nothing. Checked "Load System Services" and "Load Startup Items" after unchecking things such as AIM on startup, QuickBooks update, America Online 9.0 tray icon, etc.

I've had no luck, and I'm starting to delve into unknown and dangerous territory.

If you have any suggestions or problem-solvers, they would be welcomed with MUCH appreciation. Thank you! Attached is the DDS.. Thingy. 3am and my brain is GONE. xD

I apologize for not attaching the GMER ark, safe mode on my computer is 640 x 480px (I can't adjust it), and I could not click 'scan' no matter what I tried. :( I will try tomorrow on normal mode to run it, and see if that works.

The DDS:


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Felicia Martin at 1:53:09.59 on Sat 02/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.223 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Felicia Martin\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: {BB113FB1-4F54-4640-A9C9-057A5FA428ED} - No File
BHO: {ca47e51a-7bf8-0f2e-dee8-0082ce6a24c5} - c:\windows\system32\rjt.dll
BHO: {db49c90f-91ff-4b90-9c6c-3a47e31ad227} - c:\windows\system32\qoMgdaAq.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.8.0\IEViewBar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {84938242-5C5B-4A55-B6B9-A1507543B418} - No File
TB: {4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: SpeedRunner Bar: {cafb2180-ba09-11dc-95ff-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\felici~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\80211g~1.lnk - c:\program files\11g usb adapter\Wifiusb.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\felicia martin\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Trusted Zone: whiteoakstables.net\www
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://morbidreality9977.spaces.live.com//PhotoUpload/MsnPUpld.cab
DPF: {56830284-4E2F-4418-8D26-3DEF348C16F1} - hxxp://www.ancientsoft.com/OSAKit.CAB
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://horsetopia.horse-for-sale.org/sellers/AurigmaImageUploader3.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.ksolo.com/playerBase/kSoloIEHDSD.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll wjlzwh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {aed6f6a3-183c-488d-9f90-23db99f56e7f} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgdaAq

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\felici~1\applic~1\mozilla\firefox\profiles\b50u77nd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-29 107272]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-29 325128]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-21 27656]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S2 E63A6844C7C41994;E63A6844C7C41994;c:\windows\system32\e63a6844c7c41994\E63A6844C7C41994 []
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-16 24652]
S4 Ascwvcskfsqs;Ascwvcskfsqs; [x]

=============== Created Last 30 ================

2009-02-17 20:58 <DIR> -cd----- c:\documents and settings\felicia martin\.jordan
2009-02-10 15:18 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\starters orders 3
2009-01-30 14:51 0 ac------ c:\windows\system32\(null)00202=32558=32556=32353.mpg.tmp
2009-01-24 16:16 <DIR> -cd----- c:\windows\.mpr_file_store_32

==================== Find3M ====================

2009-02-13 10:04 10,520 ac------ c:\windows\system32\avgrsstx.dll
2009-02-13 10:03 325,128 ac------ c:\windows\system32\drivers\avgldx86.sys
2009-02-13 10:03 107,272 ac------ c:\windows\system32\drivers\avgtdix.sys
2009-01-24 15:16 34 ac------ c:\documents and settings\felicia martin\jagex_runescape_preferences.dat
2008-12-15 04:56 939,304 ac-sh--- c:\windows\system32\qAadgMoq.ini2
2008-12-15 02:53 8,704 ac------ c:\windows\system32\userinit.exe
2008-12-02 22:37 49,480 ac------ c:\windows\system32\sirenacm.dll
2008-07-18 00:57 16,446 ac------ c:\docume~1\felici~1\applic~1\wklnhst.dat
2006-11-01 18:43 182,088 ac------ c:\docume~1\felici~1\applic~1\GDIPFONTCACHEV1.DAT
2004-08-23 03:31 192,512 ac------ c:\windows\inf\rmoem.exe
2002-11-14 09:32 55,808 ac------ c:\windows\inf\devcon.exe
1998-08-24 12:09 10,000 ac------ c:\windows\inf\unregpn.exe
2008-09-09 15:30 16,384 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-09-09 15:29 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 1:53:41.84 ===============
Attached Files
File Type: txt Attach.txt (10.1 KB, 1 views)
Morby is offline  
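The DDS report above is worth reading as a set of persistence and hijack indicators rather than as a wall of text: a browser proxy pointed at a local listener, an extra LSA authentication package, a stray DLL in AppInit_DLLs, unnamed BHOs in system32, a hex-named service and a service with no image on disk. The script below is an added example, not part of the thread and not the DDS tool's own logic. It applies those heuristics to a DDS-style "Pseudo HJT Report" and returns graded findings. The allowlists (default LSA package `msv1_0`, AVG's `avgrsstx.dll`) and the sample lines are assumptions and constructed input for this example.

```python
"""Triage heuristics for a DDS-style "Pseudo HJT Report".

Added example (not code from the thread or from DDS). It flags the classes
of entries an analyst checks first when reading a report like the one above.
The allowlists and the sample report are assumptions constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH / MEDIUM / LOW
    rule: str
    line: str


# Assumed allowlists: the only LSA auth package XP installs by default, and
# the AVG 8 hook DLL that legitimately sits in AppInit_DLLs.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

HEX_SERVICE_NAME = re.compile(r"^[0-9A-F]{16}$", re.IGNORECASE)
# DDS service lines look like: "S2 name;description;image [date size]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# A BHO/toolbar registered with a bare GUID and no product name
UNNAMED_ADDON = re.compile(r"^(BHO|TB|EB):\s*\{", re.IGNORECASE)


def triage(report: str) -> List[Finding]:
    """Return one Finding per suspicious line in a DDS Pseudo HJT Report."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(" = ")
        if sep and key.endswith("ProxyServer"):
            # A proxy on 127.0.0.1 means something local is sitting in the
            # browser's traffic path (injection / redirection).
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(Finding("HIGH", "browser proxied through a local listener", line))
        elif line.startswith("LSA: Authentication Packages"):
            # Every extra package is a DLL loaded into lsass.exe at boot.
            for pkg in value.split():
                if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                    findings.append(Finding("HIGH", f"non-default LSA authentication package: {pkg}", line))
        elif line.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are injected into every process that loads user32.
            entries = re.split(r"[,\s]+", line.split(":", 1)[1].strip())
            for dll in entries:
                if dll and dll.rsplit("\\", 1)[-1].lower() not in KNOWN_APPINIT_DLLS:
                    findings.append(Finding("MEDIUM", f"AppInit_DLLs loads {dll} into every GUI process", line))
        elif line.startswith("AV:") and "disabled" in line.lower():
            findings.append(Finding("MEDIUM", "antivirus reports on-access scanning disabled", line))
        elif line.endswith("No File"):
            findings.append(Finding("LOW", "orphaned registration (no file on disk)", line))
        elif UNNAMED_ADDON.match(line):
            findings.append(Finding("MEDIUM", "browser add-on registered without a product name", line))
        else:
            m = SERVICE_LINE.match(line)
            if m:
                _start, name, _desc, image = m.groups()
                if image.strip().endswith("[x]"):
                    findings.append(Finding("MEDIUM", f"service {name} has no image on disk", line))
                elif HEX_SERVICE_NAME.match(name):
                    findings.append(Finding("HIGH", f"service {name} has a random hex name", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample in the shape of the DDS lines posted above.
SAMPLE_REPORT = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:9090
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {ca47e51a-7bf8-0f2e-dee8-0082ce6a24c5} - c:\windows\system32\rjt.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll wjlzwh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMgdaAq
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-29 107272]
S2 E63A6844C7C41994;E63A6844C7C41994;c:\windows\system32\e63a6844c7c41994\E63A6844C7C41994 []
S4 Ascwvcskfsqs;Ascwvcskfsqs; [x]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
    print(severity_counts(triage(SAMPLE_REPORT)))
```

The rules are deliberately coarse: they rank lines for a human, they do not decide on their own. In particular, anything in AppInit_DLLs that is not on the allowlist is reported for review, so a legitimate vendor hook shows up until you add it to the list.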
Old 02-22-2009, 11:08 AM   #2 (permalink)
Registered User
 
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3


Re: Complex issues: I'm at the end of my rope.

I attempted to run the GMER scan on normal mode, and my computer blue screened. I have no idea what is going on here. :/
Sorry about this..
Morby is offline  
Old 02-25-2009, 08:18 PM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Complex issues: I'm at the end of my rope.

Hello Morby,

I'd like to get that gmer scan if possible. Download WinScroll. This tool will add a scroll bar to your desktop which should enable you to see the entire tool interface while in Safe Mode.

Please attach the ark.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-28-2009, 02:46 PM   #4 (permalink)
Registered User
 
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3


Re: Complex issues: I'm at the end of my rope.

WinScroll didn't work, but I did manage to get it to scan - finally. Attached is the ark. Thank you.
Attached Files
File Type: txt ark.txt (5.6 KB, 2 views)
Morby is offline  
Old 02-28-2009, 04:26 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Complex issues: I'm at the end of my rope.

Good work, Morby.

If necessary, download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3
--------------------------------------------------------------------

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
Ried is offline  
Old 02-28-2009, 06:59 PM   #6 (permalink)
Registered User
 
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3


Re: Complex issues: I'm at the end of my rope.

Whoo, okay. That finished without going boom, lol. Quoted is the Combo-Fix log.

ComboFix 09-02-28.01 - Felicia Martin 2009-02-28 20:23:30.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.365 [GMT -5:00]
Running from: c:\documents and settings\Felicia Martin\My Documents\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Felicia Martin\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\E63A6844C7C41994\
c:\windows\system32\E63A6844C7C41994\\E63A6844C7C41994.x86
c:\windows\system32\E63A6844C7C41994\E63A6844C7C41994
c:\windows\system32\qAadgMoq.ini
c:\windows\system32\qAadgMoq.ini2
c:\windows\system32\Vbbd.dll
c:\windows\Tasks\mvgyqhzp.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://b9n.org
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LSASS


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-21 01:55 . 2009-02-28 16:23 250 --a--c--- c:\windows\gmer.ini
2009-02-17 20:58 . 2009-02-17 21:00 <DIR> d----c--- c:\documents and settings\Felicia Martin\.jordan
2009-02-16 21:26 . 2009-02-16 21:26 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-16 21:26 . 2009-02-16 21:26 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-02-15 16:20 . 2005-06-25 07:33 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Creative
2009-02-15 16:20 . 2009-02-16 21:24 <DIR> d----c--- c:\documents and settings\Administrator
2009-02-10 15:18 . 2009-02-10 15:18 <DIR> d----c--- c:\documents and settings\All Users\Application Data\starters orders 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 07:27 --------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-02-18 01:28 --------- dc----w c:\program files\Google
2009-02-18 01:22 --------- dc----w c:\documents and settings\Felicia Martin\Application Data\Lavasoft
2009-02-17 02:24 --------- dc----w c:\program files\Docking Station
2009-02-15 19:56 --------- dc----w c:\documents and settings\Felicia Martin\Application Data\U3
2009-02-15 19:11 --------- dc----w c:\program files\FinePixViewer
2009-02-13 15:03 325,128 -c--a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-13 15:03 107,272 -c--a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-24 20:16 34 -c--a-w c:\documents and settings\Felicia Martin\jagex_runescape_preferences.dat
2009-01-12 21:09 --------- dc----w c:\program files\BitLord
2009-01-12 08:50 --------- dc----w c:\program files\Virtual Villagers The Secret City
2009-01-12 08:07 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 21:10 --------- dc----w c:\program files\Messenger Plus! Live
2009-01-10 11:44 --------- dc----w c:\program files\Microsoft
2009-01-10 11:42 --------- dc----w c:\program files\Windows Live SkyDrive
2009-01-10 11:41 --------- dc----w c:\program files\Windows Live
2009-01-10 11:35 --------- dc----w c:\program files\Common Files\Windows Live
2009-01-10 11:18 --------- dc----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-09 13:03 --------- dc----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-09 10:54 --------- dc----w c:\program files\Fish Tycoon2
2008-07-18 05:57 16,446 -c--a-w c:\documents and settings\Felicia Martin\Application Data\wklnhst.dat
2006-11-01 23:43 182,088 -c--a-w c:\documents and settings\Felicia Martin\Application Data\GDIPFONTCACHEV1.DAT
2008-09-09 20:30 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-09 20:29 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
802.11g USB adapter.lnk - c:\program files\11g USB adapter\Wifiusb.exe [2004-09-06 487424]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-08 294912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-13 10:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.MPG4"= msscmc32.dll
"VIDC.TR20"= tr2032.dll
"msacm.voxacm119"= vdk32119.acm
"vidc.vivo"= ivvideo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g USB adapter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11g USB adapter.lnk
backup=c:\windows\pss\802.11g USB adapter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Felicia Martin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Felicia Martin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 05:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-11-30 18:04 497376 c:\windows\p_981116.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
--a------ 2006-04-16 17:31 190024 c:\program files\MessengerPlus! 3\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 22:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
--a--c--- 2008-06-29 17:01 52168 c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 16:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-29 107272]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-29 325128]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-16 24652]
S4 Ascwvcskfsqs;Ascwvcskfsqs; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ffd8373-c023-11dd-ad58-0003c94ed711}]
\Shell\AutoRun\command - F:\launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-23 c:\windows\Tasks\C687C6158710B1DD.job
- c:\docume~1\felici~1\applic~1\second~1\Time junk dent.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{BB113FB1-4F54-4640-A9C9-057A5FA428ED} - (no file)
BHO-{CA47E51A-7BF8-0F2E-DEE8-0082CE6A24C5} - c:\windows\system32\rjt.dll
BHO-{DB49C90F-91FF-4B90-9C6C-3A47E31AD227} - c:\windows\system32\qoMgdaAq.dll
WebBrowser-{84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
WebBrowser-{4E7BD74F-2B8D-469E-85B2-BC27FE9AAE2E} - (no file)
HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
SharedTaskScheduler-{aed6f6a3-183c-488d-9f90-23db99f56e7f} - (no file)
MSConfigStartUp-AIM - c:\program files\AIM95\aim.exe
MSConfigStartUp-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-QBReminderFlash - c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-SpeedRunner - c:\documents and settings\Felicia Martin\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-Twain - c:\documents and settings\Felicia Martin\Application Data\Twain\Twain.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Felicia Martin\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: whiteoakstables.net\www
DPF: {56830284-4E2F-4418-8D26-3DEF348C16F1} - hxxp://www.ancientsoft.com/OSAKit.CAB
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.ksolo.com/playerBase/kSoloIEHDSD.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Felicia Martin\Application Data\Mozilla\Firefox\Profiles\b50u77nd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-28 20:31:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2573562343-371298778-2058988066-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:aa,2a,08,56,c8,92,c5,6c,45,60,e4,d2,9e,d8,41,2e,d7,5a,12,76,b2,af,aa,
f7,63,a0,d3,bf,21,09,94,9e,be,9e,dd,fc,6e,1f,1f,5c,bf,92,de,4f,b3,30,3c,30,\
"??"=hex:8a,dc,4a,02,44,f2,77,67,8a,fb,0f,ca,21,32,ab,6d

[HKEY_USERS\S-1-5-21-2573562343-371298778-2058988066-1006\Software\SecuROM\License information*]
"datasecu"=hex:0c,48,bf,b2,50,56,d6,94,0d,b7,96,29,e8,71,75,fc,2d,29,60,d4,6f,
e5,d6,33,85,47,a7,26,f5,29,e6,34,f3,17,4b,20,70,27,41,7f,82,78,c3,06,66,6b,\
"rkeysecu"=hex:a7,cd,09,ba,26,57,9a,bc,45,d0,ea,db,01,95,f4,f1
.
Completion time: 2009-02-28 20:39:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 01:38:14

Pre-Run: 13,274,353,664 bytes free
Post-Run: 14,117,289,984 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
257 --- E O F --- 2009-02-18 16:10:05

Last edited by Ried; 02-28-2009 at 09:11 PM. Reason: removed quote tags for easier review
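Ried's read of the log above rests on a handful of autostart indicators that recur in ComboFix output: the three Security Center values forced to 1 (the user is no longer told that AV and updates are off), an HTTP proxy pointed at 127.0.0.1:9090 (every browser request is routed through a local process first), a service (Ascwvcskfsqs) whose binary is gone, a scheduled task with a hex name that runs an executable out of the user's Application Data, orphan BHOs whose DLLs sit directly in system32, and AutoRun commands recorded for removable drives. The script below is an added example, not part of this thread and not ComboFix's own code, that pulls those indicators out of a ComboFix-style log. Its input is a constructed, abridged copy of the log above; the indicator labels, the profile-path markers and the random-name heuristic are my own choices, and the heuristic is a hint for a human reviewer, not a verdict.

```python
import re

# Constructed sample: an abridged stand-in for the ComboFix log posted above,
# trimmed to the lines that carry the indicators this script looks for.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-29 107272]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-16 24652]
S4 Ascwvcskfsqs;Ascwvcskfsqs; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ffd8373-c023-11dd-ad58-0003c94ed711}]
\Shell\AutoRun\command - F:\launcher.exe

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-23 c:\windows\Tasks\C687C6158710B1DD.job
- c:\docume~1\felici~1\applic~1\second~1\Time junk dent.exe []

BHO-{BB113FB1-4F54-4640-A9C9-057A5FA428ED} - (no file)
BHO-{CA47E51A-7BF8-0F2E-DEE8-0082CE6A24C5} - c:\windows\system32\rjt.dll
BHO-{DB49C90F-91FF-4B90-9C6C-3A47E31AD227} - c:\windows\system32\qoMgdaAq.dll

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
"""

SECURITY_CENTER_KEY = r"[hkey_local_machine\software\microsoft\security center]"
# Values malware sets to 1 so the user never hears that AV/updates/firewall are off.
TAMPER_VALUES = {"antivirusdisablenotify", "antivirusoverride",
                 "firewalldisablenotify", "firewalloverride", "updatesdisablenotify"}
REG_ONE_RE = re.compile(r'^"(\w+)"=dword:0*1$')
# ComboFix service line: "<type> <name>;<display name>;<path> [<date size>]"; "[x]" = file missing.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;.*?\s*\[([^\]]*)\]$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\tasks\\\S+\.job)$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(.*?)\s*\[[^\]]*\]$")
BHO_RE = re.compile(r"^BHO-\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)$", re.I)
# Assumed markers for "runs out of a user profile" (8.3 and long forms).
PROFILE_MARKERS = ("docume~1", "documents and settings", "applic~1",
                   "application data", "\\users\\")


def looks_random(name):
    """Crude test for machine-generated names such as Ascwvcskfsqs: almost no
    vowels, or a run of five or more consonants. Heuristic, not a verdict."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 8:
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    return vowels / len(letters) < 0.2 or longest_run >= 5


def triage(log_text):
    """Return (indicator, evidence) pairs for every suspicious line in the log."""
    findings, key, job = [], None, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()                      # registry key header
        elif key == SECURITY_CENTER_KEY and (m := REG_ONE_RE.match(line)):
            if m.group(1).lower() in TAMPER_VALUES:
                findings.append(("security-center-tamper", line))
        elif m := SERVICE_RE.match(line):
            name, stamp = m.groups()
            reasons = (["binary missing"] if stamp.strip().lower() == "x" else []) + \
                      (["machine-generated name"] if looks_random(name) else [])
            if reasons:
                findings.append(("suspicious-service", f"{name}: {', '.join(reasons)}"))
        elif m := TASK_RE.match(line):
            job = m.group(1)                        # target is on the next line
        elif job and (m := TASK_TARGET_RE.match(line)):
            if any(marker in m.group(1).lower() for marker in PROFILE_MARKERS):
                findings.append(("task-from-user-profile", f"{job} -> {m.group(1)}"))
            job = None
        elif m := BHO_RE.match(line):
            if "\\windows\\system32\\" in m.group(1).lower():
                findings.append(("orphan-bho-in-system32", m.group(1)))
        elif m := AUTORUN_RE.match(line):
            findings.append(("removable-media-autorun", m.group(1)))
        elif (m := PROXY_RE.search(line)) and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
            findings.append(("local-proxy", m.group(1)))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_LOG):
        print(f"{indicator:26} {evidence}")
```

Run against the sample it reports nine findings, matching the items Ried's CFScript targets (the hex-named task, the Ascwvcskfsqs driver) plus the Security Center and proxy settings that a cleanup should reset afterwards. A real log will also contain legitimate entries that trip the heuristics, which is why each finding carries the raw evidence for a human to check.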
Old 02-28-2009, 09:21 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista


Re: Complex issues: I'm at the end of my rope.

Quote:
Whoo, okay. That finished without going boom, lol.


We have a bit more to do. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

You have installed Messenger Plus! 3. This program is known to install some of the malware that I see, a LOP infection. If the program is a must have, reinstall it and decline when asked to install the sponsor's software.

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add or Remove Programs)

Messenger Plus! 3 & Sponsor
Messenger Plus! Live & Sponsor (CiD)


Ignore any prompt to reboot.


=======================================


Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
c:\windows\Tasks\C687C6158710B1DD.job

Folder::
c:\docume~1\alluse~1\applic~1\starters orders 3
c:\docume~1\felici~1\applic~1\second~1

DDS::
uInternet Connection Wizard,ShellNext = iexplore

Driver::
Ascwvcskfsqs

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]

Fixcset::
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply
----------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
c:\findlop.txt
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-01-2009, 06:56 PM   #8 (permalink)
Registered User
 
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3


Re: Complex issues: I'm at the end of my rope.

If this posts twice, please delete one. My internet dropped out for a second just as I clicked the submit reply button.

Whatever you had me do seems to have done the trick! AVG reinstalled and updated, the firewall is no longer grayed-out and is functioning correctly, my instant messengers are working, and so is Firefox - all in normal mode. Oh, and now that I'm not confined to safe mode, I can listen to music again, after weeks without. Hallelujah! xD Here are the logs you requested.

Combo Fix Log:

ComboFix 09-02-28.01 - Felicia Martin 2009-03-01 11:01:55.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.119 [GMT -5:00]
Running from: c:\documents and settings\Felicia Martin\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Felicia Martin\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\windows\Tasks\C687C6158710B1DD.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\starters orders 3
c:\docume~1\alluse~1\applic~1\starters orders 3\data\2\edited names\jockeys.txt
c:\docume~1\alluse~1\applic~1\starters orders 3\data\2\edited names\trainers.txt
c:\docume~1\alluse~1\applic~1\starters orders 3\saves\bd.i
c:\docume~1\felici~1\applic~1\second~1
c:\docume~1\felici~1\applic~1\second~1\1DA952C
c:\windows\Tasks\C687C6158710B1DD.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ascwvcskfsqs


((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-02-21 01:55 . 2009-02-28 16:23 250 --a--c--- c:\windows\gmer.ini
2009-02-17 20:58 . 2009-02-17 21:00 <DIR> d----c--- c:\documents and settings\Felicia Martin\.jordan
2009-02-16 21:26 . 2009-02-16 21:26 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Symantec
2009-02-16 21:26 . 2009-02-16 21:26 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-02-15 16:20 . 2005-06-25 07:33 <DIR> d----c--- c:\documents and settings\Administrator\Application Data\Creative
2009-02-15 16:20 . 2009-02-16 21:24 <DIR> d----c--- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 07:27 --------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-02-18 01:28 --------- dc----w c:\program files\Google
2009-02-18 01:22 --------- dc----w c:\documents and settings\Felicia Martin\Application Data\Lavasoft
2009-02-17 02:24 --------- dc----w c:\program files\Docking Station
2009-02-15 19:56 --------- dc----w c:\documents and settings\Felicia Martin\Application Data\U3
2009-02-15 19:11 --------- dc----w c:\program files\FinePixViewer
2009-02-13 15:03 325,128 -c--a-w c:\windows\system32\drivers\avgldx86.sys
2009-02-13 15:03 107,272 -c--a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-24 20:16 34 -c--a-w c:\documents and settings\Felicia Martin\jagex_runescape_preferences.dat
2009-01-12 21:09 --------- dc----w c:\program files\BitLord
2009-01-12 08:50 --------- dc----w c:\program files\Virtual Villagers The Secret City
2009-01-12 08:07 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 11:44 --------- dc----w c:\program files\Microsoft
2009-01-10 11:42 --------- dc----w c:\program files\Windows Live SkyDrive
2009-01-10 11:41 --------- dc----w c:\program files\Windows Live
2009-01-10 11:35 --------- dc----w c:\program files\Common Files\Windows Live
2009-01-10 11:18 --------- dc----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-09 13:03 --------- dc----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-01-09 10:54 --------- dc----w c:\program files\Fish Tycoon2
2008-07-18 05:57 16,446 -c--a-w c:\documents and settings\Felicia Martin\Application Data\wklnhst.dat
2006-11-01 23:43 182,088 -c--a-w c:\documents and settings\Felicia Martin\Application Data\GDIPFONTCACHEV1.DAT
2008-09-09 20:30 16,384 -csha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-09-09 20:29 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
802.11g USB adapter.lnk - c:\program files\11g USB adapter\Wifiusb.exe [2004-09-06 487424]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-12-08 294912]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-13 10:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.MPG4"= msscmc32.dll
"VIDC.TR20"= tr2032.dll
"msacm.voxacm119"= vdk32119.acm
"vidc.vivo"= ivvideo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g USB adapter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\802.11g USB adapter.lnk
backup=c:\windows\pss\802.11g USB adapter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Felicia Martin^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Felicia Martin^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Felicia Martin\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a--c--- 2007-03-15 10:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 05:33 122941 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-11-30 18:04 497376 c:\windows\p_981116.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 09:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 09:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a--c--- 2005-09-20 09:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 20:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
-----c--- 2002-02-04 22:32 53248 c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
--a--c--- 2008-06-29 17:01 52168 c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
-----c--- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 16:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"DSBrokerService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-06-29 107272]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-06-29 325128]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-16 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ffd8373-c023-11dd-ad58-0003c94ed711}]
\Shell\AutoRun\command - F:\launcher.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MessengerPlus3 - c:\program files\MessengerPlus! 3\MsgPlus.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:9090
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Felicia Martin\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: whiteoakstables.net\www
DPF: {56830284-4E2F-4418-8D26-3DEF348C16F1} - hxxp://www.ancientsoft.com/OSAKit.CAB
DPF: {CA11EB7C-1C85-4577-8A49-9E28EFB30184} - hxxp://www.umediaserver.net/bin/UMediaControl4.cab
DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} - hxxp://www.ksolo.com/playerBase/kSoloIEHDSD.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Felicia Martin\Application Data\Mozilla\Firefox\Profiles\b50u77nd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 11:09:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2573562343-371298778-2058988066-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:aa,2a,08,56,c8,92,c5,6c,45,60,e4,d2,9e,d8,41,2e,d7,5a,12,76,b2,af,aa,
f7,63,a0,d3,bf,21,09,94,9e,be,9e,dd,fc,6e,1f,1f,5c,bf,92,de,4f,b3,30,3c,30,\
"??"=hex:8a,dc,4a,02,44,f2,77,67,8a,fb,0f,ca,21,32,ab,6d

[HKEY_USERS\S-1-5-21-2573562343-371298778-2058988066-1006\Software\SecuROM\License information*]
"datasecu"=hex:0c,48,bf,b2,50,56,d6,94,0d,b7,96,29,e8,71,75,fc,2d,29,60,d4,6f,
e5,d6,33,85,47,a7,26,f5,29,e6,34,f3,17,4b,20,70,27,41,7f,82,78,c3,06,66,6b,\
"rkeysecu"=hex:a7,cd,09,ba,26,57,9a,bc,45,d0,ea,db,01,95,f4,f1
.
Completion time: 2009-03-01 11:16:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 16:15:38
ComboFix2.txt 2009-03-01 01:39:32

Pre-Run: 14,185,934,848 bytes free
Post-Run: 14,183,636,992 bytes free

220 --- E O F --- 2009-02-18 16:10:05

Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 01, 2009 16:45:15
Records in database: 1859647
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 147309
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:40:42


File name / Threat name / Threats count
C:\Program Files\BitLord\Virtual villagers 3 + Crack\VirtualVillagersTheSecretCitySetup.exe Infected: Trojan-Downloader.Win32.Agent.bfrf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Agent.auff 1

The selected area was scanned.

FindLop Log:

Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\Administrator\Application Data

06/25/2005 07:33 AM <DIR> Creative
02/16/2009 09:26 PM <DIR> Identities
02/16/2009 09:26 PM <DIR> Jasc Software Inc
02/16/2009 09:26 PM <DIR> Sun
02/16/2009 09:26 PM <DIR> Symantec
0 File(s) 0 bytes
5 Dir(s) 14,142,607,360 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\All Users\Application Data

11/19/2008 02:25 AM <DIR> acccore
11/21/2006 07:36 PM <DIR> Adobe
09/22/2006 11:25 PM <DIR> Adobe Systems
04/13/2008 08:44 PM <DIR> AOL
11/19/2008 02:23 AM <DIR> AOL Downloads
01/20/2007 12:38 PM <DIR> AOL OCP
09/07/2007 03:34 PM <DIR> Apple
12/17/2006 06:27 PM <DIR> Apple Computer
02/21/2009 02:27 AM <DIR> avg8
01/09/2009 08:03 AM <DIR> BigFishGamesCache
02/26/2008 05:03 PM <DIR> Dell
12/15/2008 03:20 AM <DIR> Dragon's Eye Productions
08/13/2007 07:10 AM <DIR> Elaborate Bytes
05/18/2008 05:14 PM <DIR> Google
06/29/2008 02:50 PM <DIR> Grisoft
06/25/2005 07:17 AM <DIR> InstallShield
06/25/2005 07:23 AM <DIR> Intuit
12/15/2007 07:09 PM <DIR> iWin Games
12/15/2008 05:29 AM <DIR> Lavasoft
12/14/2005 07:18 PM <DIR> Macromedia
11/01/2005 01:25 AM <DIR> Macrovision
12/15/2008 05:36 AM <DIR> Malwarebytes
01/31/2006 04:13 PM <DIR> Microsoft Games
10/31/2005 02:46 AM <DIR> MSN6
05/20/2006 12:11 PM <DIR> OkayOpenGlueAmok
02/06/2007 07:59 AM <DIR> pixelStorm
01/07/2006 03:01 PM <DIR> PopCap
12/01/2007 01:41 PM 1,755 QTSBandwidthCache
03/31/2006 01:23 AM <DIR> QuickTime
03/20/2007 07:36 PM <DIR> Sandlot Games
08/10/2004 01:13 PM <DIR> SBSI
10/27/2008 09:09 AM <DIR> Skype
12/15/2008 04:32 AM <DIR> SupportSoft
03/21/2007 09:30 PM <DIR> Symantec
01/12/2009 03:07 AM <DIR> TEMP
03/20/2007 07:33 PM <DIR> Trymedia
07/30/2005 03:20 AM <DIR> Ulead Systems
11/19/2008 02:25 AM <DIR> Viewpoint
12/29/2005 05:12 PM <DIR> Windows Genuine Advantage
01/10/2009 06:18 AM <DIR> WLInstaller
10/28/2006 02:54 AM <DIR> {137E54F6-3421-4EAC-89EB-A08622409B6F}
09/25/2008 05:24 PM <DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
1 File(s) 1,755 bytes
41 Dir(s) 14,142,541,824 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\Felicia Martin\Application Data

09/13/2008 10:55 PM <DIR> .purple
04/13/2008 08:52 PM <DIR> acccore
12/15/2008 03:44 AM <DIR> Adobe
11/21/2006 07:37 PM <DIR> AdobeUM
07/31/2007 08:15 PM <DIR> Aim
07/31/2007 08:14 PM <DIR> AOL
10/04/2007 06:51 PM <DIR> Apple Computer
12/15/2008 03:15 AM <DIR> AVGTOOLBAR
10/07/2005 12:59 PM <DIR> Creative
08/11/2005 12:34 AM <DIR> CyberLink
11/28/2006 08:20 PM <DIR> DivX
04/05/2007 12:45 AM <DIR> Flickr
12/08/2007 08:37 AM <DIR> FUJIFILM
11/01/2006 06:43 PM 182,088 GDIPFONTCACHEV1.DAT
06/21/2007 08:48 AM <DIR> Google
03/12/2008 09:30 PM <DIR> gtk-2.0
08/17/2005 01:25 AM <DIR> Help
08/10/2004 01:08 PM <DIR> Identities
07/26/2007 07:11 PM <DIR> IMVU
12/15/2007 07:09 PM <DIR> iWinArcade
07/31/2007 08:30 PM <DIR> Jasc Software Inc
02/17/2009 08:22 PM <DIR> Lavasoft
06/29/2005 01:42 AM <DIR> Leadertech
12/15/2005 09:24 PM <DIR> Macromedia
12/15/2008 05:37 AM <DIR> Malwarebytes
01/31/2006 04:13 PM <DIR> Microsoft Games
11/15/2008 12:53 AM <DIR> Move Networks
08/07/2008 10:49 PM <DIR> Mozilla
10/11/2006 07:41 PM <DIR> MSN6
10/30/2005 01:57 PM <DIR> MSNInstaller
07/31/2007 08:41 PM <DIR> Neopets Toolbar
08/07/2006 01:12 PM <DIR> Nova Development
10/30/2006 04:28 AM <DIR> Opera
04/13/2008 08:52 PM <DIR> QQ Games Plugin
02/25/2008 10:58 AM <DIR> Real
03/19/2007 10:54 AM <DIR> Screenshot Sender
09/29/2008 07:58 AM <DIR> skypePM
06/29/2005 01:43 AM <DIR> Sonic
06/25/2005 07:10 AM <DIR> Sun
06/28/2005 09:14 PM <DIR> Symantec
12/25/2005 11:28 AM <DIR> Talkback
12/15/2008 03:47 AM <DIR> Twain
02/15/2009 02:56 PM <DIR> U3
10/31/2005 04:16 PM <DIR> Ulead Systems
01/16/2007 12:59 PM <DIR> Viewpoint
04/02/2007 04:33 PM <DIR> Webshots
08/13/2007 07:38 AM <DIR> WinRAR
07/18/2008 12:57 AM 16,446 wklnhst.dat
07/31/2007 08:24 PM <DIR> Yahoo!
07/31/2005 06:38 PM <DIR> Yahoo! Messenger
2 File(s) 198,534 bytes
48 Dir(s) 14,142,541,824 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\Owner\Application Data

06/28/2005 10:16 PM <DIR> .
06/28/2005 10:16 PM <DIR> ..
06/28/2005 10:16 PM <DIR> Creative
0 File(s) 0 bytes
3 Dir(s) 14,142,541,824 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\Default User\Application Data

04/16/2007 12:57 PM <DIR> .
04/16/2007 12:57 PM <DIR> ..
08/10/2004 12:57 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 14,142,541,824 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\LocalService\Application Data

07/21/2005 02:09 PM <DIR> GTek
0 File(s) 0 bytes
1 Dir(s) 14,142,541,824 bytes free
Volume in drive C has no label.
Volume Serial Number is 74D1-31FD

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AppleSoftwareUpdate.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Apple Software Update\SoftwareUpdate.exe'
Parameters: '-task'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 02/10/2009 18:01:00
NextRun: 03/03/2009 18:01:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Weekly
WeeksInterval: 1
DaysOfTheWeek: ..T....
StartDate: 09/25/2008
EndDate: 00/00/0000
StartTime: 18:01
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0



If there is anything else I should do, let me know. I'll keep checking to see if this thread has been updated.
03-01-2009, 07:27 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista
Re: Complex issues: I'm at the end of my rope.

Feels great, doesn't it..

Now have a look at the Kaspersky results and you'll see the main culprit for the state your system was in:

Quote:
C:\Program Files\BitLord\Virtual villagers 3 + Crack\VirtualVillagersTheSecretCitySetup.exe Infected: Trojan-Downloader.Win32.Agent.bfrf 1
Uninstall Virtual Villagers The Secret City via Start>Control Panel>Add or Remove programs.

Please take a few moments to read the following sticky topics we have at the top of this forum so you can keep this system running as well as it is now:

Cracked (Illegal) Software
Perils of P2P File Sharing

==========================================

After completing the uninstall of the program listed above, your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update and scan with your onboard anti-malware and antivirus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
03-01-2009, 08:32 PM   #10
Registered User
Join Date: Feb 2009
Location: North Carolina
Posts: 6
OS: Windows XP sp3
Re: Complex issues: I'm at the end of my rope.

Oh it DOES! You are a tech GENIUS!
I did uninstall VV3 and will mourn its passing, but praise the now disinfected state. BitLord is being uninstalled and I have thoroughly learned my lesson! XD I'll be buying programs henceforth, instead of being lazy, cheap and well, stupid. Not to mention the illegality of it, lol.

ComboFix is gone, too. I've installed the site advisor and the Spyware Blaster, so my computer is protected much better than it was before. Not to mention, the new wariness instilled from nearly losing everything. Ha!

Anyway, yes. You may mark this thread resolved, as it is.

MANY thanks to you, Ried, I appreciate all that you have done. I wouldn't have my computer in working order without your extensive help. You made it so easy! I declare you my new hero. xD

Take care!
03-01-2009, 08:40 PM   #11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,035
OS: WinXP and Vista
Re: Complex issues: I'm at the end of my rope.

You're quite welcome, and thanks for the kind words.

Quote:
I appreciate what you guys (and gals, if you're out there) do
We sure are.

Take care and surf safely, Morby.
Copyright 2001 - 2009, Tech Support Forum