Personal Guard 2009

Yeah, have you heard of it? It's really annoying. Evidently, from everythign I've experienced and my mother (who used to work for an ISP helping people with internet/virus protecion/virus removal) has tried, this is what it does:

It downloads through a backdoor trojan it places on your system frm a popup you never see. It's designed to make you think you have tons of viruses on your system and offers to 'remove' them for you - something you have to pay for. Until you do, it puts up fake firewalls to block certain applications (like MSN messenger) and runs popups from almost every site you visit. It has a ton of roots hȋdden in the registry and slows down your computer immensely. Try to get rid of it, it reinstalls from the registry. Use the 'uninstall' tool it gives you in your program menu, it 'crashes' personalGuard and removes it from your program list, but keeps sending you the "Windows Security Centerr" alerts that tell you you need it - of course, they're all fake. It crashes safe mode whenever you try to enter in order to protect itself, and it's hȋdden key root is programmed to crash regedit if you attempt to remove it without shutting down all it's proceses first.

Please help?

Edit: I have downloaded and run SpywareDoctor but it seems to keep coming back....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:29 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Miranda Rian\Desktop\winlogon.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [komugemom] Rundll32.exe "c:\windows\system32\saleyako.dll",a
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: nizukipu.dll c:\windows\system32\saleyako.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SysNet - {8D4EA877-2B4E-4498-9BB9-D6438CAD6C8B} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
O21 - SSODL: zemasojaz - {0f7b80a4-3fbd-4530-be4e-3907206c99da} - c:\windows\system32\saleyako.dll
O22 - SharedTaskScheduler: mujuzedij - {0f7b80a4-3fbd-4530-be4e-3907206c99da} - c:\windows\system32\saleyako.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9625 bytes


Here is the HijackThis file - forgot to grab it earlier ^^;;;

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  F2 - REG:system.ini: Shell=Explorer.exe logon.exe
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  O4 - HKLM\..\Run: [komugemom] Rundll32.exe "c:\windows\system32\saleyako.dll",a
  O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
  O20 - AppInit_DLLs: nizukipu.dll c:\windows\system32\saleyako.dll
  O21 - SSODL: SysNet - {8D4EA877-2B4E-4498-9BB9-D6438CAD6C8B} - C:\Documents and Settings\All Users\Microsoft AData\sysnet.dll
  O21 - SSODL: zemasojaz - {0f7b80a4-3fbd-4530-be4e-3907206c99da} - c:\windows\system32\saleyako.dll
  O22 - SharedTaskScheduler: mujuzedij - {0f7b80a4-3fbd-4530-be4e-3907206c99da} - c:\windows\system32\saleyako.dll
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Alright, when I installed it and tried to launch it, it gave me an error message twice, saying it couldn't find a file. I'll try again before posting this post...

Nope, when I double-click on the icon on my desktop, it just says it's searching for the program - the header says "Missing Shortcut". What should I do?

EDIT: It seems that PersonalGuard now has a shortcut on my desktop and the little red shield that says I need to get it with a fake warning is gone. There is also a folder on my desktop called Backup, but I'm not sure if that's part of HijackTHis or not as it's between the HijackThis icon and the HijackThis log.

EDIT 2 (Sorry I keep doing this...) SpyWareDoctor just found it again. Should I have it try to fix the infection or leave it alone for now?

EDIT 3 (I am SOOOO sorry I keep editing): SpywreDoctor attempted to remove but crashed, saying the file was 'locked by the system'.

EDIT 4: HELP! My AVG keeps popping up with notifications that I have viruses and asking me to heal them. I try, although one said that "a forced heal could cause damage" so I told it not to. They all have 'Trojan' in the name - I really, really hope I don't have to reformat my comp, I've got tons of writing on here and I need many of the files for writing projects as well as campaigns that I'm planning on running... *nailbites*

EDIT 5: And I almost just got ALPHA as well!

Last edited by fairydraik on 1st November 2009, 3:21 pm; edited 6 times in total (Reason for editing : New developments)

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Thanks so much for all your help ^^ You're a lifesaver! This computer really is my lifeline and I'm glad you're helping me fix it.

Here's the ComboFix log:

ComboFix 09-10-30.01 - Miranda Rian 11/01/2009 18:04.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1529 [GMT -5:00]
Running from: c:\documents and settings\Miranda Rian\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Microsoft AData
c:\documents and settings\All Users\Microsoft AData\setup.exe
c:\documents and settings\All Users\Microsoft AData\t.sid
c:\documents and settings\Miranda Rian\Start Menu\Programs\Personal Guard 2009
c:\documents and settings\Miranda Rian\Start Menu\Programs\Personal Guard 2009\Personal Guard 2009.lnk
c:\documents and settings\Miranda Rian\Start Menu\Programs\Personal Guard 2009\Uninstall.lnk
c:\program files\Personal Guard 2009
c:\program files\Personal Guard 2009\config.scf
c:\program files\Personal Guard 2009\mmbase.sdb
c:\program files\Personal Guard 2009\q.sdb
c:\program files\Personal Guard 2009\vvbase.sdb
c:\windows\microsoftdef.dll
c:\windows\system32\Data
c:\windows\system32\feviliru.dll
c:\windows\system32\fulemege.dll
c:\windows\system32\kopurege.dll
c:\windows\system32\latabaye.dll
c:\windows\system32\logon.exe
c:\windows\system32\pusekudu.dll
c:\windows\system32\sirifiwi.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 22:55 . 2009-11-01 22:59 -------- dc----w- C:\Combo-Fix
2009-10-31 20:20 . 2009-10-31 20:20 -------- d-----w- c:\documents and settings\Miranda Rian\Application Data\Malwarebytes
2009-10-31 20:20 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-31 20:19 . 2009-11-01 17:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 20:19 . 2009-10-31 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 20:19 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 04:25 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-31 04:25 . 2009-08-24 18:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-31 04:25 . 2009-08-19 15:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-31 04:25 . 2009-10-31 04:26 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-31 04:25 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-31 04:25 . 2009-10-31 18:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-31 04:25 . 2009-10-31 04:25 -------- d-----w- c:\documents and settings\Nelwyn Rian\Application Data\PC Tools
2009-10-31 04:25 . 2009-10-31 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-31 04:24 . 2009-11-01 02:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 01:49 . 2009-10-31 01:49 -------- d-----w- c:\documents and settings\Nelwyn Rian\Application Data\CyberLink
2009-10-31 01:49 . 2009-10-31 01:49 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\PowerDVD
2009-10-31 00:50 . 2009-11-01 17:01 51197 ----a-w- c:\windows\spoov.exe
2009-10-31 00:50 . 2009-11-01 17:01 47872 ----a-w- c:\windows\certsystem.exe
2009-10-31 00:50 . 2009-11-01 17:01 38352 ----a-w- c:\windows\regred.exe
2009-10-31 00:50 . 2009-11-01 17:01 33149 ----a-w- c:\windows\usexplorer.exe
2009-10-31 00:50 . 2009-11-01 17:01 28320 ----a-w- c:\windows\securits.com
2009-10-29 02:03 . 2009-10-29 02:05 -------- d-----w- c:\program files\Rhapsody
2009-10-28 19:35 . 2009-10-28 19:35 -------- d-----w- c:\documents and settings\Miranda Rian\Local Settings\Application Data\Wizards_of_the_Coast
2009-10-26 01:25 . 2009-10-26 02:14 -------- d-----w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\Deployment
2009-10-26 00:14 . 2009-10-29 03:45 797664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 21:18 . 2009-10-25 21:18 -------- d-----w- c:\documents and settings\Miranda Rian\Local Settings\Application Data\AdventureTools
2009-10-25 21:16 . 2009-10-25 21:18 -------- d-----w- c:\documents and settings\Miranda Rian\Application Data\AdventureTools
2009-10-25 20:50 . 2009-10-28 19:18 -------- d-----w- c:\program files\Wizards of the Coast
2009-10-16 18:25 . 2009-10-16 18:25 -------- d-----w- c:\documents and settings\Miranda Rian\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 22:46 . 2009-01-11 04:46 -------- d-----w- c:\documents and settings\Miranda Rian\Application Data\uTorrent
2009-11-01 17:10 . 2008-06-08 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-31 18:30 . 2008-01-03 01:58 33640 ----a-w- c:\documents and settings\Miranda Rian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 04:08 . 2007-02-20 13:18 33640 ----a-w- c:\documents and settings\Nelwyn Rian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-31 01:47 . 2009-01-12 21:30 -------- d-----w- c:\documents and settings\Miranda Rian\Application Data\Corel
2009-10-31 01:47 . 2007-07-23 20:24 -------- d-----w- c:\documents and settings\Nelwyn Rian\Application Data\Corel
2009-10-31 01:47 . 2005-05-06 19:37 -------- d-----w- c:\documents and settings\Richard Rian\Application Data\Corel
2009-10-31 01:46 . 2009-07-29 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-10-31 01:43 . 2009-07-30 13:26 -------- d-----w- c:\program files\Pando Networks
2009-10-27 19:31 . 2009-07-29 15:59 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-10-27 19:31 . 2009-07-29 15:59 168 --sh--r- c:\documents and settings\All Users\Application Data\2E4DFE5E92.sys
2009-10-26 01:52 . 2005-04-23 04:41 -------- d-----w- c:\program files\Intel
2009-10-26 01:51 . 2005-04-23 04:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 20:54 . 2009-03-21 02:12 -------- d-----w- c:\program files\StepMania
2009-09-13 20:51 . 2005-04-23 04:49 -------- d-----w- c:\program files\Common Files\Real
2009-09-12 22:33 . 2008-06-03 23:43 -------- d-----w- c:\program files\Windows Live
2009-09-12 22:26 . 2009-02-21 18:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-12 15:20 . 2009-09-12 15:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-12 15:20 . 2005-04-23 04:40 -------- d-----w- c:\program files\Java
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-04 10:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-27 17:06 . 2008-06-08 19:02 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 17:06 . 2008-06-08 19:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-27 17:06 . 2007-01-02 10:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 20:51 . 2009-08-21 20:51 52338 ----a-w- c:\windows\system32\RadLightOggUninstall.exe
2009-08-06 23:24 . 2004-08-04 10:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-04 10:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-04-26 19:17 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-04 10:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 10:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-04 10:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2006-05-07 18:35 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2005-05-26 08:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-04 10:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 1980-01-01 05:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 05:00 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-08 289072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-12 149280]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-16 2025752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2004-06-10 60928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-27 17:06 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:*:Disabled:Blizzard Downloader
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader
"12933:TCP"= 12933:TCP:BitComet 12933 TCP
"12933:UDP"= 12933:UDP:BitComet 12933 UDP

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [10/30/2009 11:25 PM 206256]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [6/8/2008 2:02 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [6/8/2008 2:02 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/9/2008 6:28 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/9/2008 6:28 PM 297752]
S3 dump_wmimmc;dump_wmimmc;\??\f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys --> f:\the chronicles of spellborn\bin\client\GameGuard\dump_wmimmc.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/30/2009 11:25 PM 348824]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
FF - ProfilePath - c:\documents and settings\Miranda Rian\Application Data\Mozilla\Firefox\Profiles\ouel5a2r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - hȋdden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{149066cb-9998-4b6b-9c8c-e83ff86eb6d5} - sirifiwi.dll
HKCU-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAgent.exe
HKLM-Run-komugemom - c:\windows\system32\musesiwo.dll
HKLM-Run-janakebimo - fulemege.dll
SharedTaskScheduler-{7dda203d-cbad-4203-9b1c-cc6a8bbd4b9d} - c:\windows\system32\musesiwo.dll
SSODL-SysNet-{CE412F8E-B8CB-426C-8BCF-DBED9635E113} - c:\documents and settings\All Users\Microsoft AData\sysnet.dll
SSODL-fezonorob-{7dda203d-cbad-4203-9b1c-cc6a8bbd4b9d} - c:\windows\system32\musesiwo.dll
AddRemove-HijackThis - c:\documents and settings\Miranda Rian\Desktop\HijackThis.exe
AddRemove-Mabinogi - f:\mab\Mabinogi.exe
AddRemove-Station Launcher - f:\sony\Station\Station Launcher\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 18:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-11-01 18:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 23:26

Pre-Run: 3,963,588,608 bytes free
Post-Run: 10,670,538,752 bytes free

- - End Of File - - 7C6768ED1A54386FBE1E8072A4110217

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\windows\spoov.exe
  c:\windows\certsystem.exe
  c:\windows\regred.exe
  c:\windows\usexplorer.exe
  c:\windows\securits.com
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Seems to have worked. Thanks again, Belahzur! ^^ Here's the OTM log:

========== FILES ==========
c:\windows\spoov.exe moved successfully.
c:\windows\certsystem.exe moved successfully.
c:\windows\regred.exe moved successfully.
c:\windows\usexplorer.exe moved successfully.
c:\windows\securits.com moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 11012009_200407

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Running pretty well, and the only security alert is because I turned off AVG to run Combofix. It does say that Windows Firewall got turned on somehow - how'd that happen? I started with it off.

Windows automatically turns it back on, safety feature like.

Turn AVG back on now too. If there is no more problems after that, then this should be fine.

Alright! Thank you so much, Belahzur! I've been recommending you guys to all my friends, just in case, just like it was one of my friends who recommended you all to me. I'm really thankful for everything you've done to help me, and if I had any money at ALL right now, I'd donate, but... well... my family's kinda broke... *shrug*

Anyway, thanks again for all your help! In fact, it's all cleared up in time for online D&D every Tuesday night... so BIG THANKS to all of you! I hope I never have any problems again, but if I do, I'll turn to you guys!

Um, except, one more thing - how do I get OTM off my computer? Just delete it?

Bingo.

Okay, thanks again! I will do so ^^

Honestly, thanks again, Belahzur.

Actually.... there IS one more thing.

A folder called 'backups' is sitting on my desktop and has been since I ran HJT. Is this a part of HJT? Can I delete that, too?

Yes, it's part of Hijack This. As you have probably guessed, it's a backup folder of the items fȋxed in Hijack This, just in case a mistake is made.

Delete that too.

Okay, thank you. SOrry I'm so much trouble...