08-17-2009, 08:27 AM   #1
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Windows protection Suite virus, Pls Help...

Hey, yesterday I caught the Windows Protection Suite virus, which affected all the hardware on my computer. I am using Windows XP and my PC is an ASUS laptop. I tried to scan the PC with the newest version of ESET NOD32 (it found 4 viruses), then with Malwarebytes (found about 96 threats), and with the Spyware Doctor and Ad-Aware programs. Yesterday I wasn't able to open Task Manager, but after scanning the PC several more times I was finally able to do it. Now it seems everything is OK, except that when I start the PC it is very slow; when I click on any desktop icons, they open after a minute or so. Later, the PC runs normally; it is only at the beginning, for about 10 minutes after I turn it on, that it's really slow. My friends say I should reinstall Windows in order to delete all the viruses and malware, but I don't want to lose my programs. Do you think the slow PC might be because of several antispyware and antivirus programs installed? I now have ESET NOD32, Spyware Doctor, Ad-Aware, Malwarebytes and TuneUp. Which of these should I delete? Here is my DDS log; do you think the virus is still in here?

DDS (Ver_09-07-30.01) - NTFSx86
Run by ASU at 16:42:55,70 on 2009.08.17
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1257.370.1033.18.2047.1293 [GMT 3:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Windows Protection Suite *On-access scanning enabled* (Updated) {05D485D9-EDFB-4B66-B50B-7F064B3648FE}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Windows Protection Suite *enabled* {7A79F5D3-0425-4C45-AC37-20F665C97331}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Tildes Biuras\DicBrowser.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://games.yahoo.com/play/pl&cat=beginner&ss=1
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.vub.lt:8080
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader saitų pagalbininkas: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Tildes Biuras: {1e6700f0-0f85-40fd-8022-7eb60ab46f10} - c:\program files\tildes biuras\IEjosla.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: VirtualNetwork module: {6c517674-de1c-4493-977c-34a1bfab35ba} - VirtualNetwork Class
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
TB: Tildes Biuras: {1e6700f0-0f85-40fd-8022-7eb60ab46f10} - c:\program files\tildes biuras\IEjosla.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [BitComet] "c:\program files\bitlord\BitLord.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DicBrowser] c:\program files\tildes biuras\DicBrowser.exe /startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\asu\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Versti naudojant „Tilde“ žodyną - c:\program files\tildes biuras\DicBrowserBHO.dll/201
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39333} - c:\program files\kzod\KZod.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {F9DA8389-45DF-4669-A446-70907B1008CB} = 86.100.200.11,86.100.200.15
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\asu\applic~1\mozilla\firefox\profiles\szkvqw89.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - proxy.vub.lt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.vub.lt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.vub.lt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.vub.lt
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.vub.lt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-8-16 42376]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-16 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-16 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-8-16 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-8-16 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-8-16 159112]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-8-16 747912]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-8-16 948616]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-16 604488]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008-3-21 37376]

=============== Created Last 30 ================

2009-08-16 23:24 29,000 a------- c:\windows\system32\uxtuneup.dll
2009-08-16 23:24 361,288 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-16 22:22 <DIR> --d----- c:\program files\Trend Micro
2009-08-16 20:13 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-08-16 20:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-08-16 19:47 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-08-16 19:44 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 19:44 <DIR> --d----- c:\program files\Lavasoft
2009-08-16 18:16 604,488 a------- c:\windows\system32\TUProgSt.exe
2009-08-16 18:15 <DIR> --d----- c:\docume~1\asu\applic~1\TuneUp Software
2009-08-16 18:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-08-16 18:15 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-08-16 18:14 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 18:12 <DIR> --d----- c:\windows\Internet Logs
2009-08-16 17:58 1,024 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-16 17:44 159,112 a------- c:\windows\system32\drivers\pctfw2.sys
2009-08-16 17:43 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-08-16 17:43 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-08-16 17:43 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-08-16 17:43 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-08-16 17:38 <DIR> --d----- c:\docume~1\asu\applic~1\GetRightToGo
2009-08-16 17:30 <DIR> --d----- c:\docume~1\asu\applic~1\Malwarebytes
2009-08-16 17:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 17:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-16 17:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-16 17:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-16 15:54 <DIR> --d----- c:\program files\common files\iS3
2009-08-16 15:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-16 15:35 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 15:34 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 15:34 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 15:34 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-16 15:34 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 15:34 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-16 15:34 <DIR> --d----- c:\docume~1\asu\applic~1\PC Tools
2009-08-16 15:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-08-16 14:21 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\7109d3d
2009-08-16 12:25 <DIR> --d----- c:\program files\Tildes Biuras
2009-08-16 12:25 <DIR> --d----- c:\program files\common files\Tilde Shared
2009-08-16 12:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2009-08-16 12:16 <DIR> --d----- c:\program files\DAEMON Tools Pro
2009-08-16 02:43 722,416 a------- c:\windows\system32\drivers\sptd.sys
2009-08-16 02:43 <DIR> --d----- c:\docume~1\asu\applic~1\DAEMON Tools Pro
2009-08-02 00:15 <DIR> --d----- c:\program files\Previous Install
2009-08-02 00:14 306,688 a------- c:\windows\IsUninst.exe
2009-07-29 20:44 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-29 00:21 <DIR> --d----- c:\program files\Flash Player Win v7.0.19

==================== Find3M ====================

2009-08-16 12:23 357,896 a------- c:\windows\system32\LayoutSetup.dll
2009-08-13 10:41 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2009-05-24 22:36 20,481 a------- c:\windows\system32\SystemsHook.dll
2009-05-16 13:19 87,608 a------- c:\docume~1\asu\applic~1\inst.exe
2009-05-16 13:19 47,360 a------- c:\docume~1\asu\applic~1\pcouffin.sys
2008-03-22 15:32 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 16:43:36,51 ===============

I am also attaching other logs. If anyone could help me, I would be very grateful.
Attached Files
File Type: zip Attach.zip (4.2 KB, 1 views)
Traceybaby is offline  
08-17-2009, 10:14 AM   #2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

Hello Traceybaby,

Quote:
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Windows Protection Suite *On-access scanning enabled* (Updated) {05D485D9-EDFB-4B66-B50B-7F064B3648FE}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Windows Protection Suite *enabled* {7A79F5D3-0425-4C45-AC37-20F665C97331}
Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

====================================================


Download ComboFix from here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools.

Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.

====================================================


Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
08-17-2009, 12:31 PM   #3
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

Thanks, I did what was said, though I didn't get those windows which were mentioned; probably I had windows console recovery, though I don't know anything about it. My computer has just been rebooted and I got the log. So here it is:

ComboFix Beta_09-08-16.01 - ASU 2009.08.17 21:14.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.370.1033.18.2047.1216 [GMT 3:00]
Running from: c:\documents and settings\ASU\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
Ā was unexpected at this time.

PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\searchplugins\search.xml
C:\restore

Infected copy of c:\windows\system32\mstsc.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mstsc.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-16 20:24 . 2009-07-15 08:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-16 20:24 . 2009-08-16 20:24 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-16 19:22 . 2009-08-16 19:22 -------- d-----w- c:\program files\Trend Micro
2009-08-16 17:13 . 2009-08-16 17:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-16 17:08 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-16 16:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-16 16:44 . 2009-08-16 16:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 16:44 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-16 16:44 . 2009-08-16 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-16 16:44 . 2009-08-16 16:44 -------- d-----w- c:\program files\Lavasoft
2009-08-16 15:16 . 2009-08-16 20:24 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\ASU\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 20:23 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-16 15:14 . 2009-08-16 20:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 15:12 . 2009-08-16 15:33 -------- d-----w- c:\windows\Internet Logs
2009-08-16 14:44 . 2008-03-04 14:49 159112 ----a-w- c:\windows\system32\drivers\pctfw2.sys
2009-08-16 14:43 . 2008-02-01 09:55 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-08-16 14:43 . 2007-12-10 11:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-08-16 14:43 . 2007-12-10 11:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-08-16 14:43 . 2007-12-10 11:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-08-16 14:38 . 2009-08-16 14:41 -------- d-----w- c:\documents and settings\ASU\Application Data\GetRightToGo
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\ASU\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 12:55 . 2009-08-16 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-16 12:54 . 2009-08-16 12:54 -------- d-----w- c:\program files\Common Files\iS3
2009-08-16 12:54 . 2009-08-16 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-16 12:35 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 12:34 . 2009-04-03 07:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 12:34 . 2008-12-18 08:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 12:34 . 2009-08-16 12:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-16 12:34 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 12:34 . 2009-08-17 18:13 -------- d-----w- c:\program files\Spyware Doctor
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\ASU\Application Data\PC Tools
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-16 11:22 . 2009-08-13 17:36 710136 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\mozcrt19.dll
2009-08-16 11:22 . 2009-08-13 17:36 443384 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\sqlite3.dll
2009-08-16 11:21 . 2009-08-16 14:53 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7109d3d
2009-08-16 09:25 . 2009-08-16 09:27 -------- d-----w- c:\program files\Tildes Biuras
2009-08-16 09:25 . 2009-08-16 09:27 -------- d-----w- c:\program files\Common Files\Tilde Shared
2009-08-16 09:16 . 2009-08-16 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-16 09:16 . 2009-08-16 09:18 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-15 23:43 . 2009-08-15 23:43 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-15 23:43 . 2009-08-16 09:21 -------- d-----w- c:\documents and settings\ASU\Application Data\DAEMON Tools Pro
2009-08-01 21:15 . 2009-08-01 21:15 -------- d-----w- c:\program files\Previous Install
2009-08-01 21:14 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-01 20:23 . 2009-08-01 20:23 -------- d-----w- c:\documents and settings\ASU\Local Settings\Application Data\GHISLER
2009-07-29 17:44 . 2009-07-29 17:44 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Flash Player Win v7.0.19

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 18:21 . 2008-07-16 16:41 -------- d-----w- c:\documents and settings\ASU\Application Data\Skype
2009-08-17 18:14 . 2008-03-27 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 14:58 . 2009-08-16 14:58 1024 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-16 13:40 . 2008-03-25 15:58 -------- d-----w- c:\program files\FlashGet
2009-08-16 13:10 . 2009-02-28 19:32 -------- d-----w- c:\program files\Webshots
2009-08-16 11:46 . 2008-03-22 10:55 96456 ----a-w- c:\documents and settings\ASU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:34 . 2009-05-24 19:35 -------- d-----w- c:\program files\XAimer
2009-08-16 09:25 . 2009-05-29 13:08 -------- d-----w- c:\program files\Tildes Biuras 2006
2009-08-16 09:23 . 2009-06-12 20:24 357896 ----a-w- c:\windows\system32\LayoutSetup.dll
2009-08-13 07:41 . 2008-03-28 17:56 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-08-03 11:46 . 2008-03-22 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-01 21:16 . 2008-07-05 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-28 09:41 . 2008-03-22 12:28 -------- d-----w- c:\documents and settings\ASU\Application Data\Winamp
2009-07-28 08:27 . 2008-03-22 12:28 -------- d-----w- c:\program files\Winamp
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\ASU\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-24 19:36 . 2009-05-24 19:35 20481 ----a-w- c:\windows\system32\SystemsHook.dll
.

------- Sigcheck -------

[-] 2008-03-15 13:45 1580544 32272BF10467C8ACF1F83138C61D541E c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-06-08 23233576]
"BitComet"="c:\program files\BitLord\BitLord.exe" [2005-05-07 2224128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"DicBrowser"="c:\program files\Tildes Biuras\DicBrowser.exe" [2009-03-05 5395712]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\ASU\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-2 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\My Documents\\Documents\\crack-TotalCm\\TOTALCMD.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Tildes Biuras\\TLWS.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009.08.16 19:47 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009.08.16 15:34 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007.12.21 09:21 33800]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009.08.16 17:44 159112]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007.12.21 09:21 468224]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009.07.03 17:49 1029456]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009.08.16 18:16 604488]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006.11.03 20:19 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008.03.21 09:00 37376]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009.08.16 17:43 747912]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 07:54]

2009-08-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-17 c:\windows\Tasks\Tildes automatic update.job
- c:\progra~1\TILDES~2\UpdateLauncher.exe [2009-02-05 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://games.yahoo.com/play/pl&cat=beginner&ss=1
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.vub.lt:8080
uInternet Settings,ProxyOverride = <local>
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Versti naudojant „Tilde“ žodyną - c:\program files\Tildes Biuras\DicBrowserBHO.dll/201
IE: {{10954C80-4F0F-11d3-B17C-00C0DFE39333} - c:\program files\KZod\KZod.exe
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {F9DA8389-45DF-4669-A446-70907B1008CB} = 86.100.200.11,86.100.200.15
FF - ProfilePath - c:\documents and settings\ASU\Application Data\Mozilla\Firefox\Profiles\szkvqw89.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - proxy.vub.lt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.vub.lt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.vub.lt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.vub.lt
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.vub.lt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 21:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-2111687655-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Microsoft Office\Office12\WINWORD.EXE
.
**************************************************************************
.
Completion time: 2009-08-17 21:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 18:24

Pre-Run: 19.070.963.712 bytes free
Post-Run: 19.308.437.504 bytes free

259 --- E O F --- 2008-03-22 12:56

Wow, now I saw I had no Windows console, but I didn't get the window to install it. I just got some error message or something; I couldn't read it quickly because the PC was then rebooted. I will wait for further instructions. Thank you very much for helping me!
Traceybaby is offline  
Old 08-17-2009, 02:15 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

Should I run ComboFix one more time? Is my computer clean now?
Traceybaby is offline  
Old 08-17-2009, 04:07 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

Bump please
Traceybaby is offline  
Old 08-17-2009, 04:11 PM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

Patience, please. I just got back online from being away. As much as I'd like to be, I cannot be online 24/7. As mentioned in our pre-posting topic, we volunteer our time and many of us have jobs, families, etc.

Additionally, your thread is not the only one I am working on; I'll get to yours as soon as possible.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-17-2009, 04:16 PM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

Ok, I'm very sorry...
Traceybaby is offline  
Old 08-17-2009, 04:44 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

No, do not run ComboFix again just yet.

Quote:
Wow, now I saw I had no Windows console, but I didn't get the window to install it. I just got some error message or something; I couldn't read it quickly because the PC was then rebooted.

Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
Ried is offline
Old 08-17-2009, 04:45 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of C:\boot.ini:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Traceybaby is offline  
Old 08-17-2009, 04:50 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

Thank you. Delete your existing ComboFix.exe and download it again from here

Same as earlier, disable your AV and FW, then double-click ComboFix.exe. You should see the prompt to install the Recovery Console; please OK your way through that.

Post the C:\ComboFix.txt when finished.
Ried is offline
Old 08-17-2009, 05:00 PM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

ComboFix 09-08-10.06 - ASU 2009.08.18 1:54.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.370.1033.18.2047.1325 [GMT 3:00]
Running from: d:\downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 3
Ā was unexpected at this time.

PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 21:32 . 2009-08-17 21:50 117760 ----a-w- c:\documents and settings\ASU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-17 21:30 . 2009-08-17 21:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\documents and settings\ASU\Application Data\SUPERAntiSpyware.com
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 20:24 . 2009-07-15 08:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-16 20:24 . 2009-08-16 20:24 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-16 19:22 . 2009-08-16 19:22 -------- d-----w- c:\program files\Trend Micro
2009-08-16 17:13 . 2009-08-16 17:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-16 17:08 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-16 16:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-16 16:44 . 2009-08-16 16:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 16:44 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-16 16:44 . 2009-08-16 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-16 16:44 . 2009-08-16 16:44 -------- d-----w- c:\program files\Lavasoft
2009-08-16 15:16 . 2009-08-16 20:24 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\ASU\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 20:23 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-16 15:14 . 2009-08-16 20:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 15:12 . 2009-08-16 15:33 -------- d-----w- c:\windows\Internet Logs
2009-08-16 14:44 . 2008-03-04 14:49 159112 ----a-w- c:\windows\system32\drivers\pctfw2.sys
2009-08-16 14:43 . 2008-02-01 09:55 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-08-16 14:43 . 2007-12-10 11:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-08-16 14:43 . 2007-12-10 11:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-08-16 14:43 . 2007-12-10 11:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-08-16 14:38 . 2009-08-16 14:41 -------- d-----w- c:\documents and settings\ASU\Application Data\GetRightToGo
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\ASU\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 14:30 . 2009-08-17 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 12:55 . 2009-08-16 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-16 12:54 . 2009-08-16 12:54 -------- d-----w- c:\program files\Common Files\iS3
2009-08-16 12:54 . 2009-08-16 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-16 12:35 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 12:34 . 2009-04-03 07:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 12:34 . 2008-12-18 08:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 12:34 . 2009-08-16 12:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-16 12:34 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 12:34 . 2009-08-17 22:33 -------- d-----w- c:\program files\Spyware Doctor
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\ASU\Application Data\PC Tools
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-16 11:22 . 2009-08-13 17:36 710136 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\mozcrt19.dll
2009-08-16 11:22 . 2009-08-13 17:36 443384 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\sqlite3.dll
2009-08-16 11:21 . 2009-08-16 14:53 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7109d3d
2009-08-16 09:25 . 2009-08-17 20:05 -------- d-----w- c:\program files\Tildes Biuras
2009-08-16 09:25 . 2009-08-16 09:27 -------- d-----w- c:\program files\Common Files\Tilde Shared
2009-08-16 09:16 . 2009-08-16 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-16 09:16 . 2009-08-16 09:18 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-15 23:43 . 2009-08-15 23:43 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-15 23:43 . 2009-08-16 09:21 -------- d-----w- c:\documents and settings\ASU\Application Data\DAEMON Tools Pro
2009-08-01 21:15 . 2009-08-01 21:15 -------- d-----w- c:\program files\Previous Install
2009-08-01 21:14 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-01 20:23 . 2009-08-01 20:23 -------- d-----w- c:\documents and settings\ASU\Local Settings\Application Data\GHISLER
2009-07-29 17:44 . 2009-07-29 17:44 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Flash Player Win v7.0.19

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 22:49 . 2008-07-16 16:41 -------- d-----w- c:\documents and settings\ASU\Application Data\Skype
2009-08-17 19:24 . 2008-03-27 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 14:58 . 2009-08-16 14:58 1024 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-16 13:40 . 2008-03-25 15:58 -------- d-----w- c:\program files\FlashGet
2009-08-16 13:10 . 2009-02-28 19:32 -------- d-----w- c:\program files\Webshots
2009-08-16 11:46 . 2008-03-22 10:55 96456 ----a-w- c:\documents and settings\ASU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:34 . 2009-05-24 19:35 -------- d-----w- c:\program files\XAimer
2009-08-16 09:25 . 2009-05-29 13:08 -------- d-----w- c:\program files\Tildes Biuras 2006
2009-08-16 09:23 . 2009-06-12 20:24 357896 ----a-w- c:\windows\system32\LayoutSetup.dll
2009-08-13 07:41 . 2008-03-28 17:56 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-08-03 11:46 . 2008-03-22 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-01 21:16 . 2008-07-05 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-28 09:41 . 2008-03-22 12:28 -------- d-----w- c:\documents and settings\ASU\Application Data\Winamp
2009-07-28 08:27 . 2008-03-22 12:28 -------- d-----w- c:\program files\Winamp
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\ASU\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-24 19:36 . 2009-05-24 19:35 20481 ----a-w- c:\windows\system32\SystemsHook.dll
.

------- Sigcheck -------

[-] 2008-03-15 13:45 1580544 32272BF10467C8ACF1F83138C61D541E c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.19.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-17 21:49 . 2009-08-17 21:49 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
- 2009-05-14 15:11 . 2009-05-14 15:11 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-05-14 15:11 . 2009-08-17 22:10 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-08-17 21:30 . 2009-08-17 21:30 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-17 21:30 . 2009-08-17 21:30 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 69632 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut8_B433B04A3CE24AB692C0BBFA0DE73A62.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 69632 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut8_B433B04A3CE24AB692C0BBFA0DE73A62.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut3_299DE88CB05342C9BF6157797228944C.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut3_299DE88CB05342C9BF6157797228944C.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 45056 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut10_B902C848D6D044BE9D355D769A882E26.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 45056 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut10_B902C848D6D044BE9D355D769A882E26.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut1_96EC84D89CB94D82B12EBBD7DB82EFF9.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut1_96EC84D89CB94D82B12EBBD7DB82EFF9.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut7_401AA3F0809445268BA387838472980E.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut7_401AA3F0809445268BA387838472980E.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut6_B7A7B09C04174001BFBF29CFBEFC9674.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut6_B7A7B09C04174001BFBF29CFBEFC9674.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 147456 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut5_504C5B5E6D90488AA89F5DB9D8B21380.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 147456 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut5_504C5B5E6D90488AA89F5DB9D8B21380.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut4_666B242A72A4464A8CAA683845432122.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut4_666B242A72A4464A8CAA683845432122.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\LanguageSwitcher_35531D40206F483BAAA9EC5326CED30B.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\LanguageSwitcher_35531D40206F483BAAA9EC5326CED30B.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 275822 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\ARPPRODUCTICON.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 275822 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\ARPPRODUCTICON.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-08-17 21:30 . 2009-08-17 21:30 1516544 c:\windows\Installer\76989b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-06-08 23233576]
"BitComet"="c:\program files\BitLord\BitLord.exe" [2005-05-07 2224128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"DicBrowser"="c:\program files\Tildes Biuras\DicBrowser.exe" [2009-03-05 5395712]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\ASU\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-2 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\My Documents\\Documents\\crack-TotalCm\\TOTALCMD.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Tildes Biuras\\TLWS.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009.08.16 19:47 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009.08.16 15:34 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007.12.21 09:21 33800]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009.08.16 17:44 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009.08.05 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009.08.05 16:06 74480]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007.12.21 09:21 468224]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009.08.16 18:16 604488]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006.11.03 20:19 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008.03.21 09:00 37376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009.08.05 16:06 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009.07.03 17:49 1029456]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009.08.16 17:43 747912]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 07:54]

2009-08-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-17 c:\windows\Tasks\Tildes automatic update.job
- c:\progra~1\TILDES~2\UpdateLauncher.exe [2009-02-05 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://games.yahoo.com/play/pl&cat=beginner&ss=1
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.vub.lt:8080
uInternet Settings,ProxyOverride = <local>
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Versti naudojant „Tilde“ žodyną - c:\program files\Tildes Biuras\DicBrowserBHO.dll/201
IE: {{10954C80-4F0F-11d3-B17C-00C0DFE39333} - c:\program files\KZod\KZod.exe
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {F9DA8389-45DF-4669-A446-70907B1008CB} = 86.100.200.11,86.100.200.15
FF - ProfilePath - c:\documents and settings\ASU\Application Data\Mozilla\Firefox\Profiles\szkvqw89.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - proxy.vub.lt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.vub.lt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.vub.lt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.vub.lt
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.vub.lt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 01:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-2111687655-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2124)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-17 1:58
ComboFix-quarantined-files.txt 2009-08-17 22:58

Pre-Run: 19.260.162.048 bytes free
Post-Run: 19.215.745.024 bytes free

284 --- E O F --- 2008-03-22 12:56

I haven't seen any windows asking to install Windows Console... Dunno what's the problem. This time computer wasn't rebooted. I have some Antispywares which I don't know how to turn off, but they are not on startup, so maybe it's not because of them...
Traceybaby is offline  
Old 08-17-2009, 05:18 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

Okay, let's try it this way.

Go to Microsoft's website => http://www.microsoft.com/downloads/d...displaylang=en and download the package on that page. Save it to your desktop, as it's originally named.


---------------------------------------------------------------------


Once again, disable your AV and FW



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 08-17-2009, 05:27 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

ComboFix 09-08-10.06 - ASU 2009.08.18 2:23.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1257.370.1033.18.2047.1295 [GMT 3:00]
Running from: c:\documents and settings\ASU\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ASU\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
/wow section - STAGE 3
Ā was unexpected at this time.

PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 21:32 . 2009-08-17 23:02 117760 ----a-w- c:\documents and settings\ASU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-17 21:30 . 2009-08-17 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\documents and settings\ASU\Application Data\SUPERAntiSpyware.com
2009-08-17 21:30 . 2009-08-17 21:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 20:24 . 2009-07-15 08:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-16 20:24 . 2009-08-16 20:24 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-16 19:22 . 2009-08-16 19:22 -------- d-----w- c:\program files\Trend Micro
2009-08-16 17:13 . 2009-08-16 17:13 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-16 17:08 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-08-16 16:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-16 16:44 . 2009-08-16 16:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-16 16:44 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-16 16:44 . 2009-08-16 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-16 16:44 . 2009-08-16 16:44 -------- d-----w- c:\program files\Lavasoft
2009-08-16 15:16 . 2009-08-16 20:24 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\ASU\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 15:15 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-16 15:15 . 2009-08-16 20:23 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-16 15:14 . 2009-08-16 20:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 15:12 . 2009-08-16 15:33 -------- d-----w- c:\windows\Internet Logs
2009-08-16 14:44 . 2008-03-04 14:49 159112 ----a-w- c:\windows\system32\drivers\pctfw2.sys
2009-08-16 14:43 . 2008-02-01 09:55 42376 ----a-w- c:\windows\system32\drivers\ikfilesec.sys
2009-08-16 14:43 . 2007-12-10 11:53 29576 ----a-w- c:\windows\system32\drivers\kcom.sys
2009-08-16 14:43 . 2007-12-10 11:53 81288 ----a-w- c:\windows\system32\drivers\iksyssec.sys
2009-08-16 14:43 . 2007-12-10 11:53 66952 ----a-w- c:\windows\system32\drivers\iksysflt.sys
2009-08-16 14:38 . 2009-08-16 14:41 -------- d-----w- c:\documents and settings\ASU\Application Data\GetRightToGo
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\ASU\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 14:30 . 2009-08-16 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 14:30 . 2009-08-03 10:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 14:30 . 2009-08-17 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 12:55 . 2009-08-16 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-16 12:54 . 2009-08-16 12:54 -------- d-----w- c:\program files\Common Files\iS3
2009-08-16 12:54 . 2009-08-16 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-16 12:35 . 2008-12-11 05:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 12:34 . 2009-04-03 07:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 12:34 . 2008-12-18 08:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 12:34 . 2009-08-16 12:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-16 12:34 . 2008-12-10 08:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 12:34 . 2009-08-17 22:33 -------- d-----w- c:\program files\Spyware Doctor
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\ASU\Application Data\PC Tools
2009-08-16 12:34 . 2009-08-16 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-16 11:22 . 2009-08-13 17:36 710136 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\mozcrt19.dll
2009-08-16 11:22 . 2009-08-13 17:36 443384 ----a-w- c:\documents and settings\All Users\Application Data\7109d3d\sqlite3.dll
2009-08-16 11:21 . 2009-08-16 14:53 -------- d-sh--w- c:\documents and settings\All Users\Application Data\7109d3d
2009-08-16 09:25 . 2009-08-17 20:05 -------- d-----w- c:\program files\Tildes Biuras
2009-08-16 09:25 . 2009-08-16 09:27 -------- d-----w- c:\program files\Common Files\Tilde Shared
2009-08-16 09:16 . 2009-08-16 09:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
2009-08-16 09:16 . 2009-08-16 09:18 -------- d-----w- c:\program files\DAEMON Tools Pro
2009-08-15 23:43 . 2009-08-15 23:43 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-15 23:43 . 2009-08-16 09:21 -------- d-----w- c:\documents and settings\ASU\Application Data\DAEMON Tools Pro
2009-08-01 21:15 . 2009-08-01 21:15 -------- d-----w- c:\program files\Previous Install
2009-08-01 21:14 . 1998-10-29 13:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-08-01 20:23 . 2009-08-01 20:23 -------- d-----w- c:\documents and settings\ASU\Local Settings\Application Data\GHISLER
2009-07-29 17:44 . 2009-07-29 17:44 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-28 21:21 . 2009-07-28 21:21 -------- d-----w- c:\program files\Flash Player Win v7.0.19

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 22:49 . 2008-07-16 16:41 -------- d-----w- c:\documents and settings\ASU\Application Data\Skype
2009-08-17 19:24 . 2008-03-27 18:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 14:58 . 2009-08-16 14:58 1024 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-16 13:40 . 2008-03-25 15:58 -------- d-----w- c:\program files\FlashGet
2009-08-16 13:10 . 2009-02-28 19:32 -------- d-----w- c:\program files\Webshots
2009-08-16 11:46 . 2008-03-22 10:55 96456 ----a-w- c:\documents and settings\ASU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:34 . 2009-05-24 19:35 -------- d-----w- c:\program files\XAimer
2009-08-16 09:25 . 2009-05-29 13:08 -------- d-----w- c:\program files\Tildes Biuras 2006
2009-08-16 09:23 . 2009-06-12 20:24 357896 ----a-w- c:\windows\system32\LayoutSetup.dll
2009-08-13 07:41 . 2008-03-28 17:56 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-08-03 11:46 . 2008-03-22 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-01 21:16 . 2008-07-05 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-28 09:41 . 2008-03-22 12:28 -------- d-----w- c:\documents and settings\ASU\Application Data\Winamp
2009-07-28 08:27 . 2008-03-22 12:28 -------- d-----w- c:\program files\Winamp
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\documents and settings\ASU\Application Data\NCH Swift Sound
2009-07-23 14:21 . 2008-07-07 09:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-24 19:36 . 2009-05-24 19:35 20481 ----a-w- c:\windows\system32\SystemsHook.dll
.

------- Sigcheck -------

[-] 2008-03-15 13:45 1580544 32272BF10467C8ACF1F83138C61D541E c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-17_18.19.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-17 21:49 . 2009-08-17 21:49 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
- 2009-05-14 15:11 . 2009-05-14 15:11 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-05-14 15:11 . 2009-08-17 22:10 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-08-17 21:30 . 2009-08-17 21:30 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-08-17 21:30 . 2009-08-17 21:30 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 69632 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut8_B433B04A3CE24AB692C0BBFA0DE73A62.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 69632 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut8_B433B04A3CE24AB692C0BBFA0DE73A62.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut3_299DE88CB05342C9BF6157797228944C.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut3_299DE88CB05342C9BF6157797228944C.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 45056 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut10_B902C848D6D044BE9D355D769A882E26.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 45056 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut10_B902C848D6D044BE9D355D769A882E26.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut1_96EC84D89CB94D82B12EBBD7DB82EFF9.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 40960 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut1_96EC84D89CB94D82B12EBBD7DB82EFF9.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut7_401AA3F0809445268BA387838472980E.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut7_401AA3F0809445268BA387838472980E.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut6_B7A7B09C04174001BFBF29CFBEFC9674.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut6_B7A7B09C04174001BFBF29CFBEFC9674.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 147456 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut5_504C5B5E6D90488AA89F5DB9D8B21380.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 147456 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut5_504C5B5E6D90488AA89F5DB9D8B21380.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut4_666B242A72A4464A8CAA683845432122.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\NewShortcut4_666B242A72A4464A8CAA683845432122.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\LanguageSwitcher_35531D40206F483BAAA9EC5326CED30B.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 315392 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\LanguageSwitcher_35531D40206F483BAAA9EC5326CED30B.exe
+ 2009-08-16 09:27 . 2009-08-17 20:05 275822 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\ARPPRODUCTICON.exe
- 2009-08-16 09:27 . 2009-08-16 09:27 275822 c:\windows\Installer\{77029253-6C30-4DA6-9221-9FAD3B462C84}\ARPPRODUCTICON.exe
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-08-17 21:30 . 2009-08-17 21:30 1516544 c:\windows\Installer\76989b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-06-08 23233576]
"BitComet"="c:\program files\BitLord\BitLord.exe" [2005-05-07 2224128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-22 8433664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"DicBrowser"="c:\program files\Tildes Biuras\DicBrowser.exe" [2009-03-05 5395712]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-05-22 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-26 434528]

c:\documents and settings\ASU\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-2 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 09:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SMSERIAL"=c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb03.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\InterVideo\\DVD8\\WinDVD.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"d:\\My Documents\\Documents\\crack-TotalCm\\TOTALCMD.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Tildes Biuras\\TLWS.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009.08.16 19:47 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009.08.16 15:34 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007.12.21 09:21 33800]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009.08.16 17:44 159112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009.08.05 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009.08.05 16:06 74480]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007.12.21 09:21 468224]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009.08.16 18:16 604488]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006.11.03 20:19 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [2008.03.21 09:00 37376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009.08.05 16:06 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009.07.03 17:49 1029456]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009.08.16 17:43 747912]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 07:54]

2009-08-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-08-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2009-08-17 c:\windows\Tasks\Tildes automatic update.job
- c:\progra~1\TILDES~2\UpdateLauncher.exe [2009-02-05 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://games.yahoo.com/play/pl&cat=beginner&ss=1
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = proxy.vub.lt:8080
uInternet Settings,ProxyOverride = <local>
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Versti naudojant „Tilde“ žodyną - c:\program files\Tildes Biuras\DicBrowserBHO.dll/201
IE: {{10954C80-4F0F-11d3-B17C-00C0DFE39333} - c:\program files\KZod\KZod.exe
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {F9DA8389-45DF-4669-A446-70907B1008CB} = 86.100.200.11,86.100.200.15
FF - ProfilePath - c:\documents and settings\ASU\Application Data\Mozilla\Firefox\Profiles\szkvqw89.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.ftp - proxy.vub.lt
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy.vub.lt
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy.vub.lt
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy.vub.lt
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy.vub.lt
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 02:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-2111687655-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1080)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-17 2:26
ComboFix-quarantined-files.txt 2009-08-17 23:26
ComboFix2.txt 2009-08-17 22:58

Pre-Run: 19.214.184.448 bytes free
Post-Run: 19.199.066.112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

292 --- E O F --- 2008-03-22 12:56

Thx, finally I got it installed. Waitin for further instructions :)
Traceybaby is offline  
Old 08-17-2009, 05:42 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

It may seem like such a minor thing to you, and while it may not be needed at this time, infections these days tend to patch a lot of critical system files, which often results in multiple problems, one of which can be an unbootable machine. Having Windows Recovery Console installed on your machine in advance can save a lot of heartache in the future. See this link http://www.bleepingcomputer.com/tuto...torial117.html for a sampling of how the Recovery Console can be used.

The first run of ComboFix took care of what was needed. It's still important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:


Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Ried is offline  
Old 08-17-2009, 07:37 PM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

To my amazement, there were no files infected and no threats... Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, August 18, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 18, 2009 01:57:40
Records in database: 2646130
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 65308
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:23:34

No threats found. Scanned area is clean.

Selected area has been scanned.

Does this mean I have no virus so far or sth's not right? Waitin for further instructions
Traceybaby is offline  
Old 08-17-2009, 07:45 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

No, this is good news. :)

Your logs are coming up clean. How is the system behaving?
Ried is offline  
Old 08-17-2009, 07:48 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

So far it's good :) I just have one more question: I have ESET NOD 32 antivirus and Spyware Doctor on my startup, also Ad aware, Tune up, Malwarebytes, CCleaner, Superantispyware on my PC. Do u think I should uninstall any of these? I made Spyware Doctor not visible on Startup, I have to enable it for special analysis, so it wouldn't mess up with ESET NOD32. What would u suggest me?
Traceybaby is offline  
Old 08-17-2009, 07:50 PM   #18 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

And what should I do with all these logs and programs u asked me to download on my desktop? Should I erase them?
Traceybaby is offline  
Old 08-17-2009, 08:00 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,993
OS: WinXP and Vista


Re: Windows protection Suite virus, Pls Help...

I would say you have too many.


Keep Malwarebytes, CCleaner, Ad-Aware. If you paid for SpywareDoctor, then keep it, but there's no need to renew that subscription.

You should be very cautious when using the registry cleaning components of CCleaner and TuneUp. Our colleague miekiemoes has an excellent writeup here

What I would suggest is adding Web of Trust to your arsenal.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

========================================

This next step is important, please do not skip this...

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u
Ried is offline  
Old 08-17-2009, 08:04 PM   #20 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 32
OS: XP


Re: Windows protection Suite virus, Pls Help...

Ye, did it. It uninstalled Combofix, right?
Traceybaby is offline  
 


All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum