ComboFix:
ComboFix 08-06-30.2 - JarekCz 2008-07-02 18:49:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1486 [GMT 2:00]
Running from: E:\Download\ComboFix.exe
Command switches used :: E:\Download\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\WINDOWS\BMe7092d04.txt
D:\WINDOWS\cookies.ini
D:\WINDOWS\pskt.ini
D:\WINDOWS\system32\adtrayyj.ini
D:\WINDOWS\system32\bgjaunhm.ini
D:\WINDOWS\system32\jhbmwmaq.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\opiyfnge.ini
D:\WINDOWS\system32\qoMcyaXR.dll
D:\WINDOWS\system32\RXaycMoq.ini
D:\WINDOWS\system32\RXaycMoq.ini2
D:\WINDOWS\system32\rywgnees.ini
D:\WINDOWS\system32\seengwyr.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-07-01 22:47 . 2008-07-01 22:47 <DIR> d-------- D:\Program Files\ESET
2008-07-01 22:47 . 2008-07-01 22:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\ESET
2008-06-29 23:36 . 2008-06-29 23:36 <DIR> d-------- D:\Deckard
2008-06-29 23:26 . 2008-06-29 23:26 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\TEMP
2008-06-29 23:25 . 2008-06-29 23:27 <DIR> d-------- D:\Program Files\SpywareBlaster
2008-06-29 23:21 . 2008-07-01 15:55 <DIR> d-------- D:\Program Files\Panda Security
2008-06-28 19:12 . 2008-07-02 14:50 110,419 --a------ D:\WINDOWS\BMe7092d04.xml
2008-06-26 23:32 . 2008-06-26 23:32 <DIR> d-------- D:\Program Files\JitBit
2008-06-23 16:25 . 2008-06-23 16:25 278,984 --a------ D:\WINDOWS\system32\drivers\atksgt.sys
2008-06-23 16:25 . 2008-06-23 16:25 25,416 --a------ D:\WINDOWS\system32\drivers\lirsgt.sys
2008-06-16 09:11 . 2008-06-16 09:11 <DIR> d-------- D:\Program Files\IrfanView
2008-06-15 10:04 . 2008-06-15 10:04 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\Diino
2008-06-15 09:58 . 2004-08-03 23:08 26,496 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-11 11:33 . 2008-06-13 15:10 272,128 --------- D:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 11:33 . 2008-06-13 15:10 272,128 -----c--- D:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 10:14 . 2008-06-11 10:14 <DIR> d-------- D:\Program Files\OpenAL
2008-06-11 09:02 . 2008-06-11 10:14 409,600 --a------ D:\WINDOWS\system32\wrap_oal.dll
2008-06-11 09:02 . 2008-06-11 10:14 114,688 --a------ D:\WINDOWS\system32\OpenAL32.dll
2008-06-10 20:53 . 2008-06-10 20:53 <DIR> dr-h----- D:\Documents and Settings\JarekCz\Application Data\SecuROM
2008-06-10 20:53 . 2008-07-01 16:45 108,144 --a------ D:\WINDOWS\system32\CmdLineExt.dll
2008-06-10 19:30 . 2008-06-10 19:30 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\InstallShield
2008-06-10 19:13 . 2008-06-10 19:13 51 --a------ D:\WINDOWS\system32\blue.SITENAME
2008-06-10 19:08 . 2008-06-10 19:14 455 --a------ D:\WINDOWS\VFO.VST
2008-06-10 18:17 . 2004-03-03 11:50 2,079,232 --a------ D:\WINDOWS\system32\LTCLR13s.dll
2008-06-10 18:16 . 2008-06-10 18:16 <DIR> d-------- D:\WINDOWS\Cache
2008-06-10 18:16 . 2003-03-19 04:04 765,952 --a------ D:\WINDOWS\system32\msvcp71d.dll
2008-06-10 18:16 . 2003-03-19 04:03 544,768 --a------ D:\WINDOWS\system32\msvcr71d.dll
2008-06-10 18:13 . 2008-06-10 18:13 <DIR> d-------- D:\WINDOWS\system32\URTTEMP
2008-06-10 18:10 . 2008-06-10 18:10 <DIR> d-------- D:\Program Files\SmartSound Software
2008-06-10 18:10 . 2008-06-10 18:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-06-10 18:08 . 2008-06-10 18:08 <DIR> d-------- D:\Program Files\DivX
2008-06-10 18:08 . 2003-11-25 05:02 196,096 --a------ D:\WINDOWS\system32\macd32.dll
2008-06-10 18:08 . 2005-06-02 19:28 171,008 --a------ D:\WINDOWS\system32\drivers\MarvinBus.sys
2008-06-10 18:08 . 2003-11-25 05:02 138,752 --a------ D:\WINDOWS\system32\mase32.dll
2008-06-10 18:08 . 2003-11-25 05:02 136,192 --a------ D:\WINDOWS\system32\mamc32.dll
2008-06-10 18:08 . 2004-07-02 16:28 89,088 --a------ D:\WINDOWS\system32\atl71.dll
2008-06-10 18:08 . 2004-07-02 16:28 84,992 --a------ D:\WINDOWS\system32\ATL70.DLL
2008-06-10 18:08 . 2003-11-25 05:02 57,856 --a------ D:\WINDOWS\system32\masd32.dll
2008-06-10 18:08 . 2004-02-24 12:04 41,219 --a------ D:\WINDOWS\RSETPATH.exe
2008-06-10 18:08 . 2003-11-25 05:02 27,648 --a------ D:\WINDOWS\system32\ma32.dll
2008-06-10 18:08 . 2008-06-10 19:16 1,208 --a------ D:\WINDOWS\VFO.INI
2008-06-10 18:06 . 2008-06-10 18:07 <DIR> d-------- D:\WINDOWS\Downloaded Installations
2008-06-10 18:06 . 2008-06-10 19:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Pinnacle Studio
2008-06-10 18:05 . 2008-06-10 18:05 <DIR> d-------- D:\Program Files\Pinnacle
2008-06-10 18:05 . 2008-06-10 19:13 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Pinnacle
2008-06-10 18:04 . 2005-02-09 11:59 14,165 --a------ D:\WINDOWS\system32\drivers\Pclepci.sys
2008-06-07 10:25 . 2008-06-07 10:25 <DIR> d-------- D:\Program Files\Common Files\Skype
2008-06-07 10:25 . 2008-06-08 07:00 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\Skype
2008-06-07 10:25 . 2008-06-07 10:25 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Skype
2008-06-07 10:24 . 2008-06-07 10:25 <DIR> d-------- D:\Program Files\Skype
2008-06-06 02:18 . 2008-06-06 02:18 <DIR> d-------- D:\Program Files\MSXML 4.0
2008-06-05 18:52 . 2003-06-19 01:31 17,920 --a------ D:\WINDOWS\system32\mdimon.dll
2008-06-05 18:52 . 2008-06-05 18:52 412 --a------ D:\WINDOWS\ODBC.INI
2008-06-05 18:51 . 2008-06-05 18:51 <DIR> d-------- D:\WINDOWS\SHELLNEW
2008-06-05 18:51 . 2008-06-05 18:51 <DIR> d-------- D:\Program Files\Microsoft.NET
2008-06-05 13:18 . 2008-07-02 13:40 69 --a------ D:\WINDOWS\NeroDigital.ini
2008-06-04 15:51 . 2008-06-04 15:51 <DIR> d-------- D:\Program Files\Common Files\Adobe
2008-06-04 13:29 . 2005-08-24 07:39 137,884 -ra------ D:\WINDOWS\system32\drivers\sscdmdm.sys
2008-06-04 13:29 . 2005-08-24 07:39 80,272 -ra------ D:\WINDOWS\system32\drivers\sscdbus.sys
2008-06-04 13:29 . 2005-08-24 07:39 11,877 -ra------ D:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-06-04 13:29 . 2005-08-24 07:39 11,877 -ra------ D:\WINDOWS\system32\drivers\sscdcm.sys
2008-06-04 13:29 . 2005-08-24 07:39 11,188 -ra------ D:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-06-04 13:29 . 2005-08-24 07:39 11,188 -ra------ D:\WINDOWS\system32\drivers\sscdwh.sys
2008-06-04 13:29 . 2005-08-24 07:39 10,864 -ra------ D:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-06-04 13:15 . 2008-06-04 13:15 <DIR> d-------- D:\Program Files\Samsung
2008-06-04 13:15 . 2008-06-04 13:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Samsung
2008-06-04 05:28 . 2008-06-04 05:28 <DIR> d-------- D:\Program Files\uTorrent
2008-06-04 05:28 . 2008-07-02 13:24 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\uTorrent
2008-06-04 04:24 . 2008-06-04 04:24 <DIR> d-------- D:\WINDOWS\Logs
2008-06-04 03:32 . 2008-06-04 03:32 <DIR> d--h----- D:\WINDOWS\system32\GroupPolicy
2008-06-03 14:41 . 2008-06-03 14:41 <DIR> d-------- D:\Program Files\Seagate
2008-06-02 08:50 . 2008-07-02 00:03 <DIR> d-------- D:\Program Files\DynDNS Updater
2008-06-02 08:50 . 2008-06-02 08:50 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\Kana Solution
2008-06-02 08:44 . 2008-06-02 08:44 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\ActiveState
2008-06-02 08:38 . 2008-06-02 08:38 <DIR> d-------- D:\OpenSA
2008-06-02 08:37 . 2008-06-02 08:41 <DIR> d-------- D:\Perl
2008-06-02 07:41 . 2008-06-02 07:41 <DIR> d-------- D:\WINDOWS\system32\logs
2008-06-02 07:24 . 2008-07-02 16:41 201 --a------ D:\WINDOWS\wcx_ftp.ini
2008-06-02 04:47 . 2004-08-18 10:34 442,368 -ra------ D:\WINDOWS\system32\vp6vfw.dll
2008-06-02 03:01 . 2008-06-02 03:01 <DIR> d-------- D:\Documents and Settings\JarekCz\Application Data\DAEMON Tools Pro
2008-06-02 03:01 . 2008-06-02 03:01 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-06-02 02:59 . 2008-06-02 03:03 <DIR> d-------- D:\Program Files\DAEMON Tools Pro
2008-06-02 01:19 . 2008-06-02 01:19 <DIR> d-------- D:\Program Files\Opera
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 16:55 --------- d-----w D:\Program Files\AutoConnect
2008-07-01 21:11 --------- d-----w D:\Documents and Settings\All Users\Application Data\Avira
2008-07-01 10:16 --------- d-----w D:\Documents and Settings\JarekCz\Application Data\foobar2000
2008-06-30 15:11 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-06-28 05:02 716,272 ----a-w D:\WINDOWS\system32\drivers\sptd.sys
2008-06-24 16:52 --------- d-----w D:\Program Files\eMule
2008-06-04 11:15 --------- d-----w D:\Program Files\Common Files\InstallShield
2008-06-03 00:52 --------- d-----w D:\Program Files\Gadu-Gadu
2008-06-02 00:18 --------- d-----w D:\Program Files\totalcmd
2008-06-01 19:43 --------- d-----w D:\Program Files\Common Files\Ahead
2008-06-01 19:43 --------- d-----w D:\Program Files\Ahead
2008-06-01 13:28 --------- d-----w D:\Program Files\7-Zip
2008-06-01 13:25 --------- d-----w D:\Program Files\Alcohol Soft
2008-06-01 03:54 --------- d-----w D:\Documents and Settings\JarekCz\Application Data\Media Player Classic
2008-06-01 03:53 --------- d-----w D:\Program Files\MPC
2008-06-01 03:52 --------- d-----w D:\Program Files\K-Lite Codec Pack
2008-06-01 01:56 --------- d-----w D:\Program Files\foobar2000
2008-06-01 00:22 --------- d-----w D:\Documents and Settings\JarekCz\Application Data\Gadu-Gadu
2008-06-01 00:13 --------- d-----w D:\Program Files\Thomson
2008-05-31 23:57 315,392 ----a-w D:\WINDOWS\HideWin.exe
2008-05-31 23:57 --------- d-----w D:\Program Files\Realtek
2008-05-31 23:51 --------- d-----w D:\Program Files\Intel
2008-05-31 23:41 --------- d-----w D:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w D:\WINDOWS\system32\drivers\rmcast.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="D:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27 295424]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"DynDNS Updater"="D:\Program Files\DynDNS Updater\DynDNS.exe" [2006-09-17 19:32 1352704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2008-02-19 10:35 13500416]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2008-02-19 10:35 86016]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 20:50 155648]
"PinnacleDriverCheck"="D:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 00:26 406016]
"egui"="D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 15:05 1410304]
"nwiz"="nwiz.exe" [2008-02-19 10:35 1626112 D:\WINDOWS\system32\nwiz.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]
D:\Documents and Settings\JarekCz\Start Menu\Programs\Startup\
check-ip-changed.bat [2008-06-02 08:47:47 58]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= vdrcodec.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-08-06 18:45 877568 D:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2007-03-21 16:49 16126464 D:\WINDOWS\RTHDCPL.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\totalcmd\\TOTALCMD.EXE"=
"D:\\OpenSA\\Apache2\\bin\\Apache.exe"=
"C:\\Perl\\bin\\perl.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"D:\\Program Files\\Skype\\Phone\\Skype.exe"=
"E:\\Kamera\\Pinnacle\\programs\\RM.exe"=
"E:\\Kamera\\Pinnacle\\programs\\Studio.exe"=
"E:\\Kamera\\Pinnacle\\programs\\PMSRegisterFile.exe"=
"E:\\Kamera\\Pinnacle\\programs\\umi.exe"=
"E:\\Gry\\nwn2\\nwn2main.exe"=
"E:\\Gry\\nwn2\\nwn2main_amdxp.exe"=
"E:\\Gry\\nwn2\\nwupdate.exe"=
"E:\\Gry\\nwn2\\nwn2server.exe"=
"E:\\Gry\\civ 4\\Civilization4.exe"=
"E:\\Gry\\civ 4\\Warlords\\Civ4Warlords.exe"=
"E:\\Gry\\civ 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"E:\\Gry\\civ 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"E:\\Gry\\civ 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
R1 epfwtdir;epfwtdir;D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 16:48:03 D:\WINDOWS\Tasks\ipresub.job"
- c:\perl\bin\perl.exe D:\OpenSA\Apache2\heartbeat.pl
"2008-06-26 21:53:20 D:\WINDOWS\Tasks\New Task.job"
- D:\Documents and Settings\JarekCz\Desktop\1.exe
.
- - - - ORPHANS REMOVED - - - -
BHO-{20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - (no file)
HKLM-Run-a8e5e2b0 - D:\WINDOWS\system32\seengwyr.dll
HKLM-Run-BMe7092d04 - D:\WINDOWS\system32\fshbrmdd.dll
ShellExecuteHooks-{20E59CA2-78B0-4431-BFD0-D8B5ADFC0056} - (no file)
Notify-ddcBTNFV - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-07-02 18:55:26
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\OpenSA\Apache2\bin\Apache.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\OpenSA\Apache2\bin\Apache.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-02 18:57:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 16:56:58
Pre-Run: 3,440,582,656 bytes free
Post-Run: 3,523,616,768 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Nowy" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Stary" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
237 --- E O F --- 2008-06-20 20:44:31
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02:26, on 2008-07-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\OpenSA\Apache2\bin\Apache.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\OpenSA\Apache2\bin\Apache.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Program Files\AutoConnect\AutoConnect.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DynDNS Updater\DynDNS.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\system32\mspaint.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\totalcmd\TOTALCMD.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [AutoConnect] D:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DynDNS Updater] "D:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: check-ip-changed.bat
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -
http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7647385-9D41-44E9-A961-8E914D046F29}: NameServer = 213.241.79.37 83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2 - Apache Software Foundation - D:\OpenSA\Apache2\bin\Apache.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
--
End of file - 4111 bytes
Few more things:
At the beginning of the Combofix scan, I received an "Installation failed" error. Although after clicking OK, it finished all the scans without any problem.
After restart I received 2 errors:
And I keep getting messages like this one:
Additionally, before the Combofix scans, something kept turning off Windows automatic updates :|