
Solved Please look @ my DDS logs. Trojans/backdoor/viruses.

Discussion in 'Malware and Virus Removal Archive' started by jbh, 2009/03/06.

  1. 2009/03/13
    jbh Inactive Thread Starter
    DDS (Ver_09-02-01.01) - NTFSx86
    Run by mom at 16:56:14.03 on Fri 03/13/2009
    Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_03
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1126 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\mom\Desktop\dds.scr
    C:\Program Files\AVG\AVG8\avgrsx.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    BHO: NoExplorer - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
    TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [CTHelper] CTHELPER.EXE
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    StartupFolder: c:\docume~1\mom\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
    IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1208896645531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
    TCP: {417BAF00-08F8-42BA-92E4-045A1691F2EE} = 209.244.0.3 209.244.0.4
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: avgrsstx.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mom\applic~1\mozilla\firefox\profiles\c9cxfovx.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - component: c:\documents and settings\mom\application data\mozilla\firefox\profiles\c9cxfovx.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\defaults\pref\wildblue.js - pref("network.proxy.type", 2);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-17 96520]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-17 26824]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-17 231192]
    S2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 607576]
    S3 mbr;mbr;\??\c:\docume~1\mom\locals~1\temp\mbr.sys --> c:\docume~1\mom\locals~1\temp\mbr.sys [?]
    S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-1-8 320384]
    S3 PCnetHL;AMD PCnet-Home Adapter Driver;c:\windows\system32\drivers\pcntn5hl.sys --> c:\windows\system32\drivers\pcntn5hl.sys [?]
    S3 XPAD910;XPADFilter Service 910;c:\windows\system32\drivers\xpad910.sys [2008-9-10 29405]

    =============== Created Last 30 ================

    2009-03-11 21:00 <DIR> --d----- c:\docume~1\mom\applic~1\Malwarebytes
    2009-03-11 21:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-11 21:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-03-11 21:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 14:44 <DIR> --d----- C:\Lop SD
    2009-03-11 12:53 <DIR> a-dshr-- C:\autorun.inf
    2009-03-09 14:14 <DIR> a-dshr-- C:\cmdcons
    2009-03-08 21:30 161,792 a------- c:\windows\SWREG.exe
    2009-03-08 21:30 98,816 a------- c:\windows\sed.exe
    2009-03-06 13:54 4,344 a------- C:\Ls92.exe
    2009-03-06 13:47 8,150 a------- C:\mvagP.bat
    2009-03-03 21:27 <DIR> --d----- c:\program files\Trend Micro
    2009-03-03 21:25 <DIR> --d----- C:\hjt
    2009-03-02 01:00 0 a------- C:\proxy.log.2009.03.02
    2009-02-28 17:34 3,576 a------- C:\proxy.log.2009.02.28
    2009-02-28 16:00 <DIR> --d----- c:\program files\Maxis
    2009-02-20 00:40 54,156 a---h--- c:\windows\QTFont.qfn
    2009-02-20 00:40 1,409 a------- c:\windows\QTFont.for

    ==================== Find3M ====================

    2008-12-09 20:42 31 a------- c:\documents and settings\mom\jagex_runescape_preferences.dat

    ============= FINISH: 16:56:26.31 ===============
     
    jbh,
    #41
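    As an added example (not part of this thread or of the DDS tool), the following Python script parses the "Created Last 30" file listing from a DDS log like the one above and applies a few defender-side triage heuristics: executables or scripts created directly at the drive root, stray data files at the root, and hidden+system directories at the root. The sample input is constructed from lines of the log posted above; the DDS column layout (date, time, size or <DIR>, 8-character attribute flags, path) is inferred from that log.

```python
"""Triage helper for the DDS "Created Last 30" section (example code, not a
DDS or forum tool).  Parses each line into date, size, attribute flags and
path, then orders entries for analyst review with simple heuristics."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = r"""
2009-03-11 21:00 <DIR> --d----- c:\docume~1\mom\applic~1\Malwarebytes
2009-03-11 21:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 12:53 <DIR> a-dshr-- C:\autorun.inf
2009-03-09 14:14 <DIR> a-dshr-- C:\cmdcons
2009-03-08 21:30 161,792 a------- c:\windows\SWREG.exe
2009-03-06 13:54 4,344 a------- C:\Ls92.exe
2009-03-06 13:47 8,150 a------- C:\mvagP.bat
2009-03-03 21:27 <DIR> --d----- c:\program files\Trend Micro
2009-03-02 01:00 0 a------- C:\proxy.log.2009.03.02
2009-02-28 17:34 3,576 a------- C:\proxy.log.2009.02.28
2009-02-20 00:40 54,156 a---h--- c:\windows\QTFont.qfn
"""

# Assumed DDS layout: <date> <time> <size or <DIR>> <8 flag chars> <path>
# Flag letters observed in the log: a=archive d=directory s=system h=hidden r=read-only
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories
    attrs: Set[str]       # e.g. {"a", "d", "s", "h", "r"}
    path: str

    @property
    def is_dir(self) -> bool:
        return self.size is None


def parse_dds(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; lines that do not match the layout are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        attrs = set(m["attrs"]) - {"-"}
        entries.append(Entry(m["date"], m["time"], size, attrs, m["path"]))
    return entries


ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)  # directly under a drive root
EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js")


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (severity, path, reason) for entries an analyst should look at first."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        at_root = bool(ROOT_RE.match(e.path))
        is_exec = e.path.lower().endswith(EXEC_EXT)
        if at_root and not e.is_dir and is_exec:
            findings.append(("high", e.path, "executable or script created directly at drive root"))
        elif at_root and not e.is_dir:
            findings.append(("medium", e.path, "unexpected data file at drive root"))
        elif at_root and e.is_dir and {"h", "s"} <= e.attrs:
            # Legitimate cases exist (the Recovery Console lives in C:\cmdcons), so verify.
            findings.append(("medium", e.path, "hidden+system directory at drive root; verify origin"))
        elif "h" in e.attrs and not e.is_dir and is_exec:
            findings.append(("medium", e.path, "hidden executable"))
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f[0]], f[1].lower()))
    return findings


def flagged_paths(text: str, severity: Optional[str] = None) -> List[str]:
    """Convenience wrapper: paths flagged by triage(), optionally filtered by severity."""
    return [p for s, p, _ in triage(parse_dds(text)) if severity is None or s == severity]


if __name__ == "__main__":
    for sev, path, why in triage(parse_dds(SAMPLE_DDS)):
        print(f"{sev:6} {path:32} {why}")
```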
  2. 2009/03/13
    Juliet Well-Known Member
    omg.....this looks better!!....soooooooo much better!:D

    I have been so worried about your computer. The infection you had is very bad, some are not as lucky.

    Glad to hear that it is running well.
    Did you do all the instructions I gave or just some?

    This might be the last scan through we have to do.


    Next: Please disable all onboard security programs (all running with background protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    [screenshot]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Post the ComboFix.txt in your next reply.
     

  4. 2009/03/13
    jbh Inactive Thread Starter
    Wow Juliet, that's great news! I knew the infection was bad.

    ComboFix 09-03-12.01 - mom 2009-03-13 17:46:16.8 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1101 [GMT -5:00]
    Running from: c:\documents and settings\mom\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\mom\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
    * Created a new restore point

    FILE ::
    C:\Ls92.exe
    C:\mvagP.bat
    C:\proxy.log.2009.02.28
    C:\proxy.log.2009.03.02
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Lop SD
    c:\lop sd\App-Prog.lsd
    c:\lop sd\AuDoss.lsd
    c:\lop sd\AutrInf.cmd
    c:\lop sd\AWF.cmd
    c:\lop sd\Back.cmd
    c:\lop sd\Boo.reg
    c:\lop sd\BooFix.cmd
    c:\lop sd\catchme.exe
    c:\lop sd\catchme.log
    c:\lop sd\Changelog Lop SD.txt
    c:\lop sd\Crack.txt
    c:\lop sd\DirectFix.cmd
    c:\lop sd\Discl_en.vbs
    c:\lop sd\Discl_fr.vbs
    c:\lop sd\Discl_ne.vbs
    c:\lop sd\Discl_sp.vbs
    c:\lop sd\Discl_su.vbs
    c:\lop sd\Doss.lsd
    c:\lop sd\Icon_Lop.ico
    c:\lop sd\iNv.exe
    c:\lop sd\KILL.cmd
    c:\lop sd\Langues.cmd
    c:\lop sd\LopR_1.txt
    c:\lop sd\LopScript.cmd
    c:\lop sd\LopSD.cmd
    c:\lop sd\lsTasks.exe
    c:\lop sd\Orph.egd
    c:\lop sd\OsV.exe
    c:\lop sd\paths.bat
    c:\lop sd\Proc.txt
    c:\lop sd\pv.exe
    c:\lop sd\RegLop.reg
    c:\lop sd\Rkeys.txt
    c:\lop sd\RKit.lsd
    c:\lop sd\RoGUeS.lsd
    c:\lop sd\RunTool.txt
    c:\lop sd\S_LopV.cmd
    c:\lop sd\S_LopX.cmd
    c:\lop sd\sed.exe
    c:\lop sd\setpath.exe
    c:\lop sd\task.txt
    c:\lop sd\Uninstal.exe
    c:\lop sd\WhL.lsd
    C:\Ls92.exe
    C:\mvagP.bat
    C:\proxy.log.2009.02.28
    C:\proxy.log.2009.03.02

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
    .

    2009-03-12 21:23 . 2009-03-12 21:33 <DIR> d-------- c:\documents and settings\Administrator.HAYTER-A18A2C97.000\DoctorWeb
    2009-03-12 21:19 . 2009-03-12 21:23 <DIR> d-------- c:\documents and settings\Administrator.HAYTER-A18A2C97.000
    2009-03-11 21:00 . 2009-03-11 21:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-11 21:00 . 2009-03-11 21:00 <DIR> d-------- c:\documents and settings\mom\Application Data\Malwarebytes
    2009-03-11 21:00 . 2009-03-11 21:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-11 21:00 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-11 21:00 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-03 21:27 . 2009-03-03 21:27 <DIR> d-------- c:\program files\Trend Micro
    2009-03-03 21:25 . 2009-03-03 21:27 <DIR> d-------- C:\hjt
    2009-02-28 16:00 . 2009-01-20 09:35 <DIR> d-------- c:\program files\Maxis
    2009-02-20 00:40 . 2009-03-12 06:44 54,156 --ah----- c:\windows\QTFont.qfn
    2009-02-20 00:40 . 2009-02-20 00:40 1,409 --a------ c:\windows\QTFont.for
    2009-02-17 17:28 . 2009-03-06 23:20 <DIR> d-------- c:\documents and settings\mom\Application Data\U3

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-13 23:02 --------- d-----w c:\program files\Steam
    2009-03-11 17:58 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-03-09 02:31 --------- d-----w c:\program files\BitComet
    2009-03-01 02:10 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-27 14:37 --------- d-----w c:\documents and settings\mom\Application Data\LimeWire
    2009-02-22 01:28 --------- d-----w c:\program files\StepMania
    2009-02-08 06:25 --------- d-----w c:\program files\Shockwave.com
    2009-01-31 00:13 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-31 00:13 --------- d-----w c:\documents and settings\All Users\Application Data\Age of Empires 3
    2009-01-30 23:42 --------- d-----w c:\program files\Microsoft Games
    2009-01-23 21:45 --------- d-----w c:\program files\Kap.SATr
    2009-01-23 03:30 --------- d-----w c:\documents and settings\mom\Application Data\My The Lord of the Rings, The Rise of the Witch-king Files
    2009-01-21 00:18 --------- d-----w c:\program files\Electronic Arts
    2009-01-17 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-10 01:42 31 ----a-w c:\documents and settings\mom\jagex_runescape_preferences.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\steam\steam.exe" [2008-10-07 1410296]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-07 185896]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-08-17 1232152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

    c:\documents and settings\mom\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-07-17 106496]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Civilization4.exe"=
    "c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Gold\\Warlords\\Civ4Warlords.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Microsoft Games\\Combat Flight Simulator\\COMBATFS.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\PopCap Games\\Typer Shark Deluxe\\WinTS.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "7715:TCP"= 7715:TCP:BitCometBeta 7715 TCP
    "7715:UDP"= 7715:UDP:BitCometBeta 7715 UDP

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-17 96520]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-17 231192]
    S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-01-08 320384]
    S3 PCnetHL;AMD PCnet-Home Adapter Driver;c:\windows\system32\DRIVERS\pcntn5hl.sys --> c:\windows\system32\DRIVERS\pcntn5hl.sys [?]
    S3 XPAD910;XPADFilter Service 910;c:\windows\system32\drivers\xpad910.sys [2008-09-10 29405]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8fc89fb-fbc4-11dd-b5d7-00301b3a532e}]
    \Shell\AutoRun\command - F:\LaunchU3.exe -a
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\c9cxfovx.default\
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - component: c:\documents and settings\mom\Application Data\Mozilla\Firefox\Profiles\c9cxfovx.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\defaults\pref\wildblue.js - pref("network.proxy.type", 2);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-13 18:02:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1123561945-343818398-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:01,0d,ff,c3,ff,c1,98,3c,1f,c0,bf,0a,51,aa,b5,fc,17,03,aa,ad,bb,
    83,93,9b,b1,bb,e0,8c,54,12,1b,20,f8,68,d9,21,cd,ec,78,13,2b,de,11,10,43,c8,\
    "rkeysecu"=hex:c5,61,7a,13,89,99,85,1c,32,8f,0c,85,3d,dd,17,c8
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(716)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\savedump.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\agrsmsvc.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-13 18:06:19 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-13 23:06:17
    ComboFix2.txt 2009-03-13 21:53:35
    ComboFix3.txt 2009-03-12 00:36:28
    ComboFix4.txt 2009-03-11 18:34:54
    ComboFix5.txt 2009-03-13 22:45:29

    Pre-Run: 64,635,944,960 bytes free
    Post-Run: 64,619,524,096 bytes free

    219 --- E O F --- 2008-11-13 09:05:15
     
    jbh,
    #43
  5. 2009/03/13
    Juliet Well-Known Member
    Let's do this first.

    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below
    [screenshot]





    To be honest, I was about to tell you we had lost the game.

    Did you do all the instructions I gave or just some? <--referring to post 39

    Now I want to talk to you about a few things on the computer that are high risk.
    LimeWire
    BitComet
    Some of these games on this computer can be hacked.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.



    ******Now Get you a good firewall.***********

    The following FREE Firewall versions are:
    Zone Alarm free:
    http://www.zonealarm.com/store/content/cat...ry=US&lang=en
    PDF documentation for Zone Alarm available here:
    http://www.zonealarm.com/store/content/sup...a/znalmMain.jsp
    If you are going to try Zone Alarm I suggest just installing the basic firewall so the bundled trial Antivirus does not get installed. Also I recommend NOT installing the new optional feature Spy Blocker, as it's run by the questionable search engine Ask.com. You can read more about Ask.com http://www.benedelman.org/spyware/installa...kjeeves-banner/

    Comodo free:
    http://www.personalfirewall.comodo.com/
    If you want only the Firewall, you can de-select Install Comodo AntiVirus during the installation process.
    http://forums.comodo.com/firewall_faq/where_is_the_standalone_firewall-t27112.0.html
    Comodo (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage")

    Sunbelt kerio:
    http://www.sunbelt-software.com/Home-Home-...ewall/Download/
    PDF documentation for Sunbelt Kerio available here:
    http://www.sunbelt-software.com/Home-Home-.../Documentation/

    Online Armor Free
    http://www.tallemu.com/free-firewall-prote...n-software.html

    Jetico free:
    http://www.jetico.com/index.htm#/jpfirewall.htm

    Note: You must only use 1 (one) Firewall at a time because if you have 2 or more Firewalls running at the same time, they will conflict with each other and make your security less reliable.
    The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

    For a tutorial on Firewalls and a listing of available ones see the link Here
     
  6. 2009/03/15
    jbh Inactive Thread Starter
    Hey Juliet,

    I am so thrilled. WE DID IT! Thanks so much. You are my shero (she+hero)!

    BTW, I did follow every instruction you gave me, including all in #39!

    Couldn't have done it w/out you, that's for sure!

    Thanks again, JBH
     
    jbh,
    #45
  7. 2009/03/15
    Juliet Well-Known Member
    LOL

    This is all good news.

    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place.

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/



    Safe Surfing
     