Removing Virtumonde.dll

K

kpe1974

New member
Hi Everybody,
I'm a dully user of spybot for many years. And it protected me well enough. I rarely had problems. Up to now. My computer got infected with Virtumonde.dll. Spybot finds it, but is not able to remove it. The Win Rescue mode does not help. How shall I proceed?
 
Hi again, thanks 4 your kind reply. I run combofix. Below u can find the log:

ComboFix 08-05-12.1 - KPe 2008-05-13 22:25:58.3 - NTFSx86
Running from: C:\Documents and Settings\KPe\Pulpit\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
.
---- Previous Run -------
.
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dKknonpo.ini
C:\WINDOWS\system32\dKknonpo.ini2
C:\WINDOWS\system32\hOUFPXyb.ini
C:\WINDOWS\system32\hOUFPXyb.ini2
C:\WINDOWS\system32\jgybhpxc.ini
C:\WINDOWS\system32\onkqjxcf.ini
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\yfpkpcte.ini
C:\WINDOWS\system32\yGMpoUtv.ini
C:\WINDOWS\system32\yGMpoUtv.ini2
C:\WINDOWS\system32\yphnkgsh.ini
C:\WINDOWS\winself.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 14:47 . 2008-05-12 14:47 115,712 --a------ C:\WINDOWS\system32\cxphbygj.dll
2008-05-12 14:44 . 2008-05-12 14:44 2,048 --a------ C:\WINDOWS\system32\pbqslhhf.exe
2008-05-12 14:44 . 2008-05-12 14:44 0 --a------ C:\WINDOWS\system32\WSSPOOL.TMP
2008-05-12 14:42 . 2008-05-12 14:42 125,952 --a------ C:\WINDOWS\system32\nxrkledc.dll
2008-05-12 10:47 . 2008-05-12 15:54 <DIR> d-------- C:\VundoFix Backups
2008-05-12 10:28 . 2008-05-12 10:28 2,048 --a------ C:\WINDOWS\system32\swkyonum.exe
2008-05-12 10:24 . 2008-05-12 10:24 125,952 --a------ C:\WINDOWS\system32\otldsujy.dll
2008-05-11 18:48 . 2008-05-11 18:48 2,797,568 --a------ C:\WINDOWS\sxe1B3.tmp
2008-05-11 18:47 . 2008-05-11 18:47 2,797,568 --a------ C:\WINDOWS\sxe1AC.tmp
2008-05-11 11:08 . 2008-05-11 11:08 2,048 --a------ C:\WINDOWS\system32\ujrposxr.exe
2008-05-11 11:03 . 2008-05-11 11:03 126,976 --a------ C:\WINDOWS\system32\jecnhiod.dll
2008-05-11 09:34 . 2008-05-11 09:34 372,736 --------- C:\WINDOWS\system32\opnonkKd.dll_old
2008-05-10 10:43 . 2008-05-10 10:43 2,048 --a------ C:\WINDOWS\system32\corawcew.exe
2008-05-10 10:40 . 2008-05-10 10:40 114,176 --a------ C:\WINDOWS\system32\fcxjqkno.dll
2008-05-10 10:38 . 2008-05-10 10:38 125,440 --a------ C:\WINDOWS\system32\fgigvtkf.dll
2008-05-10 10:38 . 2008-05-13 22:20 109,803 --a------ C:\WINDOWS\BM0b789012.xml
2008-05-09 21:57 . 2008-05-09 21:57 373,248 --------- C:\WINDOWS\system32\cbXNGvVM.dll_old
2008-05-09 21:57 . 2008-05-10 12:29 345 --ahs---- C:\WINDOWS\system32\MVvGNXbc.ini
2008-05-09 17:30 . 2008-05-09 19:39 345 --ahs---- C:\WINDOWS\system32\MTuEgfii.ini
2008-05-09 17:27 . 2008-05-09 17:27 578 --a------ C:\WINDOWS\index.html
2008-05-09 17:24 . 2008-05-09 17:24 32,475 --a------ C:\WINDOWS\system32\opnmMccY.dll.vir
2008-05-09 08:42 . 2008-05-09 08:46 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-04 20:35 . 2008-05-04 20:37 47,387 --a------ C:\WINDOWS\avx.ini
2008-05-04 20:35 . 2008-05-04 20:35 12 --a------ C:\WINDOWS\FVmm.dat
2008-04-30 20:04 . 2008-05-11 20:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 20:04 . 2008-04-30 20:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 20:55 . 2008-04-27 20:55 <DIR> d-------- C:\Downloaded Videos
2008-04-27 20:55 . 2008-04-27 20:55 26 --a------ C:\WINDOWS\catsrv.INI
2008-04-27 20:53 . 2005-08-27 03:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 20:53 . 2004-03-09 00:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 20:52 . 2008-04-27 20:52 <DIR> d--hs---- C:\Documents and Settings\KPe\temp
2008-04-27 20:52 . 2008-04-27 23:26 <DIR> d--hs---- C:\Documents and Settings\KPe\Policies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 20:28 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\Skype
2008-05-13 20:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 17:27 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\skypePM
2008-05-12 09:36 --------- d-----w C:\Program Files\PowerISO
2008-05-12 08:44 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\uTorrent
2008-05-11 16:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-29 19:55 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-04-10 14:41 --------- d-----w C:\Program Files\Common Files\STDUtility
2008-04-09 14:32 --------- d-----w C:\Program Files\FLV Player
2008-04-08 12:33 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\dvdcss
2008-04-06 10:31 10,332 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-28 18:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 20:53 --------- d-----w C:\Program Files\7-Zip
2008-03-03 07:53 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 15:47 8,704 --sha-w C:\Program Files\Thumbs.db
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-24 23:55 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-09-24 20:04 85,744 ----a-w C:\Documents and Settings\KPe\Dane aplikacji\GDIPFONTCACHEV1.DAT
2006-02-19 07:18 7,168 --sha-w C:\Program Files\Common Files\Thumbs.db
2005-04-19 11:27 0 -c--a-w C:\Documents and Settings\KPe\Miasta&PL_v3m.exe
2004-11-29 22:49 0 -c--a-w C:\Program Files\gditst
2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-03-13 14:01 32 --sha-w C:\WINDOWS\{601EFE59-7264-4296-B2CC-F29EA3CFCCDB}.dat
2007-03-13 14:02 32 --sha-w C:\WINDOWS\{6778D73D-C4CA-4A25-A20C-12AD3EF0ADFF}.dat
2007-03-13 14:02 32 --sha-w C:\WINDOWS\system32\{5F871E91-4BBF-4259-B38A-0F83D94BF3B3}.dat
2007-03-13 14:01 32 --sha-w C:\WINDOWS\system32\{ADDC6039-642D-4CBA-9180-756CCCFFD21D}.dat
2007-09-12 17:13 458,784 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-12 17:13 81,696 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_21.11.37.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 18:54:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 19:48:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 19:48:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e4.dat
- 1998-02-06 21:23:52 248,064 ----a-w C:\WINDOWS\UNINST16.EXE
+ 1998-02-06 20:23:52 248,064 ----a-w C:\WINDOWS\UNINST16.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3023BB83-EFA1-4F1E-ACE7-3742E82E00AE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4815DB9E-781D-458C-9695-6DFD7F03FA63}]
C:\WINDOWS\system32\opnonkKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6685616B-B7C5-4821-B8E8-D7E50A48CEF8}]
C:\WINDOWS\system32\byXPFUOh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B9BC0A4-9C2C-4E84-9BE3-36BCFF9B3775}]
C:\WINDOWS\system32\vtUopMGy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-08 10:33 100056]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"PowerBar"="" []
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2006-09-08 17:10 1085440]
"Skype"="D:\Programy\Phone\Skype.exe" [2007-12-07 16:11 21803304]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 01:13 1591808]
"catsrv"="C:\Documents and Settings\KPe\Policies\catsrv.exe" [2007-04-10 00:26 626176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dit"="Dit.exe" [2003-07-16 14:56 86016 C:\WINDOWS\Dit.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-09-14 21:21 54976]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-14 21:22 38592]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-01-10 16:27 385024]
"catsrv"="C:\Documents and Settings\KPe\Policies\catsrv.exe" [2007-04-10 00:26 626176]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"084ba38e"="C:\WINDOWS\system32\etcpkpfy.dll" [ ]
"BM0b789012"="C:\WINDOWS\system32\nxrkledc.dll" [2008-05-12 14:42 125952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

C:\Documents and Settings\KPe\Menu Start\Programy\System\Autostart\
Thumbs.db [2005-09-15 16:17:18 7680]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
SiWake.lnk - C:\Program Files\Wireless LAN Utility\SiWake.exe [2007-02-20 00:01:32 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DataLayer"=C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"H:\\Games\\MOHAA\\moh_Breakthrough.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\PeerCast\\PeerCast.exe"=
"H:\\Games\\COD\\CoDMP.exe"=
"H:\\Games\\COD\\CoDUOMP.exe"=
"C:\\Program Files\\FTP Commander\\ftpcomm.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"H:\\Games\\MOHAA\\MOHAA.exe"=
"H:\\Games\\MOHAA\\moh_spearhead.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Programy\\ITunes\\iTunes.exe"=
"C:\\Program Files\\Screamer v.0.3.8.[PL]\\screamer.exe"=
"C:\\Documents and Settings\\KPe\\Policies\\catsrv.exe"=
"D:\\Programy\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:*:Disabled:Emule
"4672:UDP"= 4672:UDP:*:Disabled:Emule

R1 KPSYSDRV;KPSYSDRV;C:\WINDOWS\system32\drivers\KPSYSDRV.sys [2001-06-20 10:03]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [2001-03-01 01:15]
R3 SISNPF;SIS Netgroup Packet Filter;C:\WINDOWS\system32\drivers\SISNPF.sys [2004-02-18 05:09]
R3 uscbs109;uscbs109;C:\WINDOWS\system32\DRIVERS\uscbs109.sys [2005-03-22 00:00]
R3 uscsc109;uscsc109;C:\WINDOWS\system32\DRIVERS\uscsc109.sys [2005-03-22 00:00]
S2 BulkUsb;Genesys Logic USB Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbprn.sys [2001-09-26 11:30]
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2006-02-13 17:53]
S3 DtvAudio;DtvAudio;C:\WINDOWS\system32\DRIVERS\DtvAudio.sys [2004-02-26 03:42]
S3 DtvVideo;DtvVideo;C:\WINDOWS\system32\DRIVERS\DtvVideo.sys [2004-02-26 04:27]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-09-21 20:24]
S3 PhTVTune;Cap7134 TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2006-02-13 17:53]
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 10:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2005-08-12 12:40]
S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2001-07-26 15:02]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-12-13 15:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c1363e1-d397-11db-aaf4-000272425c2c}]
\Shell\AutoRun\command - EXPLORER.EXE
\Shell\explore\Command - EXPLORER.EXE
\Shell\open\Command - EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d434cfa3-ee51-11db-ab20-000272425c2c}]
\shell\play\command - C:\Program Files\Webteh\BSplayerPro\bsplayer.exe "%L"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
rundll32 sockins32.dll,InitModule
.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 15:26:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-30 19:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~2\Tasks\mycomp.sca
"2007-12-16 15:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:28:27
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-13 22:30:41
ComboFix-quarantined-files.txt 2008-05-13 20:30:18

Pre-Run: 4,472,631,296 bajtów wolnych
Post-Run: 4,458,573,824 bajtów wolnych

241 --- E O F --- 2008-04-09 11:18:57
 
HijackThis Log

And this is another required log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:52:01, on 2008-05-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\KPe\Policies\catsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
D:\Programy\Phone\Skype.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\Program Files\Wireless LAN Utility\SiSCFG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Programy\Plugin Manager\SkypePM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
D:\Programy\Instalki\System\System\Antispam\HJTInstall.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {3023BB83-EFA1-4F1E-ACE7-3742E82E00AE} - (no file)
O2 - BHO: (no name) - {4815DB9E-781D-458C-9695-6DFD7F03FA63} - C:\WINDOWS\system32\opnonkKd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6685616B-B7C5-4821-B8E8-D7E50A48CEF8} - C:\WINDOWS\system32\byXPFUOh.dll (file missing)
O2 - BHO: (no name) - {7B9BC0A4-9C2C-4E84-9BE3-36BCFF9B3775} - C:\WINDOWS\system32\vtUopMGy.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [084ba38e] rundll32.exe "C:\WINDOWS\system32\etcpkpfy.dll",b
O4 - HKLM\..\Run: [BM0b789012] Rundll32.exe "C:\WINDOWS\system32\nxrkledc.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Skype] "D:\Programy\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Thumbs.db
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SiWake.lnk = C:\Program Files\Wireless LAN Utility\SiWake.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9257 bytes
 
Please only do the steps I ask you to do

I didn't say to run ComboFix




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\cxphbygj.dll
C:\WINDOWS\system32\pbqslhhf.exe
C:\WINDOWS\system32\WSSPOOL.TMP
C:\WINDOWS\system32\nxrkledc.dll
C:\WINDOWS\system32\swkyonum.exe
C:\WINDOWS\system32\otldsujy.dll
C:\WINDOWS\sxe1B3.tmp
C:\WINDOWS\sxe1AC.tmp
C:\WINDOWS\system32\ujrposxr.exe
C:\WINDOWS\system32\jecnhiod.dll
C:\WINDOWS\system32\opnonkKd.dll_old
C:\WINDOWS\system32\corawcew.exe
C:\WINDOWS\system32\fcxjqkno.dll
C:\WINDOWS\system32\fgigvtkf.dll
C:\WINDOWS\BM0b789012.xml
C:\WINDOWS\system32\cbXNGvVM.dll_old
C:\WINDOWS\system32\MVvGNXbc.ini
C:\WINDOWS\system32\MTuEgfii.ini
C:\WINDOWS\index.html
C:\WINDOWS\system32\opnmMccY.dll.vir

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c1363e1-d397-11db-aaf4-000272425c2c}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d434cfa3-ee51-11db-ab20-000272425c2c}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{66186F05-BBBB-4a39-864F-72D84615C679}]
[-HKEY_CLASSES_ROOT\CLSID\{66186F05-BBBB-4a39-864F-72D84615C679}]

Driver::
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log
 
Performed actions

As advised I performed following actions:
- created txt file
- run combofix combined with txt file
- run HighjackThis

The following logs have been generated:

Combofix: :D:

ComboFix 08-05-12.1 - KPe 2008-05-14 0:32:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.451 [GMT 2:00]
Running from: C:\Documents and Settings\KPe\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\KPe\Pulpit\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\BM0b789012.xml
C:\WINDOWS\index.html
C:\WINDOWS\sxe1AC.tmp
C:\WINDOWS\sxe1B3.tmp
C:\WINDOWS\system32\cbXNGvVM.dll_old
C:\WINDOWS\system32\corawcew.exe
C:\WINDOWS\system32\cxphbygj.dll
C:\WINDOWS\system32\fcxjqkno.dll
C:\WINDOWS\system32\fgigvtkf.dll
C:\WINDOWS\system32\jecnhiod.dll
C:\WINDOWS\system32\MTuEgfii.ini
C:\WINDOWS\system32\MVvGNXbc.ini
C:\WINDOWS\system32\nxrkledc.dll
C:\WINDOWS\system32\opnmMccY.dll.vir
C:\WINDOWS\system32\opnonkKd.dll_old
C:\WINDOWS\system32\otldsujy.dll
C:\WINDOWS\system32\pbqslhhf.exe
C:\WINDOWS\system32\swkyonum.exe
C:\WINDOWS\system32\ujrposxr.exe
C:\WINDOWS\system32\WSSPOOL.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0b789012.xml
C:\WINDOWS\index.html
C:\WINDOWS\sxe1AC.tmp
C:\WINDOWS\sxe1B3.tmp
C:\WINDOWS\system32\cbXNGvVM.dll_old
C:\WINDOWS\system32\corawcew.exe
C:\WINDOWS\system32\cxphbygj.dll
C:\WINDOWS\system32\fcxjqkno.dll
C:\WINDOWS\system32\fgigvtkf.dll
C:\WINDOWS\system32\jecnhiod.dll
C:\WINDOWS\system32\MTuEgfii.ini
C:\WINDOWS\system32\MVvGNXbc.ini
C:\WINDOWS\system32\nxrkledc.dll
C:\WINDOWS\system32\opnmMccY.dll.vir
C:\WINDOWS\system32\opnonkKd.dll_old
C:\WINDOWS\system32\otldsujy.dll
C:\WINDOWS\system32\pbqslhhf.exe
C:\WINDOWS\system32\swkyonum.exe
C:\WINDOWS\system32\ujrposxr.exe
C:\WINDOWS\system32\WSSPOOL.TMP

.
((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-13 22:50 . 2008-05-13 22:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 10:47 . 2008-05-12 15:54 <DIR> d-------- C:\VundoFix Backups
2008-05-09 08:42 . 2008-05-09 08:46 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-04 20:35 . 2008-05-04 20:37 47,387 --a------ C:\WINDOWS\avx.ini
2008-05-04 20:35 . 2008-05-04 20:35 12 --a------ C:\WINDOWS\FVmm.dat
2008-04-30 20:04 . 2008-05-11 20:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-30 20:04 . 2008-04-30 20:04 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 20:55 . 2008-04-27 20:55 <DIR> d-------- C:\Downloaded Videos
2008-04-27 20:55 . 2008-04-27 20:55 26 --a------ C:\WINDOWS\catsrv.INI
2008-04-27 20:53 . 2005-08-27 03:38 1,435,272 --a------ C:\WINDOWS\system32\Flash.ocx
2008-04-27 20:53 . 2004-03-09 00:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-04-27 20:52 . 2008-04-27 20:52 <DIR> d--hs---- C:\Documents and Settings\KPe\temp
2008-04-27 20:52 . 2008-04-27 23:26 <DIR> d--hs---- C:\Documents and Settings\KPe\Policies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 22:21 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\Skype
2008-05-13 22:02 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\skypePM
2008-05-13 20:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-12 09:36 --------- d-----w C:\Program Files\PowerISO
2008-05-12 08:44 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\uTorrent
2008-05-11 16:48 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-29 19:55 --------- d-----w C:\Program Files\ABC Amber LIT Converter
2008-04-10 14:41 --------- d-----w C:\Program Files\Common Files\STDUtility
2008-04-09 14:32 --------- d-----w C:\Program Files\FLV Player
2008-04-08 12:33 --------- d-----w C:\Documents and Settings\KPe\Dane aplikacji\dvdcss
2008-04-06 10:31 10,332 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-28 18:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 20:53 --------- d-----w C:\Program Files\7-Zip
2008-03-03 07:53 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 15:47 8,704 --sha-w C:\Program Files\Thumbs.db
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-24 23:55 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-09-24 20:04 85,744 ----a-w C:\Documents and Settings\KPe\Dane aplikacji\GDIPFONTCACHEV1.DAT
2006-02-19 07:18 7,168 --sha-w C:\Program Files\Common Files\Thumbs.db
2005-04-19 11:27 0 -c--a-w C:\Documents and Settings\KPe\Miasta&PL_v3m.exe
2004-11-29 22:49 0 -c--a-w C:\Program Files\gditst
2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-03-13 14:01 32 --sha-w C:\WINDOWS\{601EFE59-7264-4296-B2CC-F29EA3CFCCDB}.dat
2007-03-13 14:02 32 --sha-w C:\WINDOWS\{6778D73D-C4CA-4A25-A20C-12AD3EF0ADFF}.dat
2007-03-13 14:02 32 --sha-w C:\WINDOWS\system32\{5F871E91-4BBF-4259-B38A-0F83D94BF3B3}.dat
2007-03-13 14:01 32 --sha-w C:\WINDOWS\system32\{ADDC6039-642D-4CBA-9180-756CCCFFD21D}.dat
2007-09-12 17:13 458,784 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-12 17:13 81,696 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-13_21.11.37.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 18:54:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-13 19:48:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-12 19:30:57 1,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\Kpgdiui.dat
+ 2008-05-13 21:00:28 1,608 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\Kpgdiui.dat
+ 2008-05-13 19:48:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7e4.dat
- 1998-02-06 21:23:52 248,064 ----a-w C:\WINDOWS\UNINST16.EXE
+ 1998-02-06 20:23:52 248,064 ----a-w C:\WINDOWS\UNINST16.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4815DB9E-781D-458C-9695-6DFD7F03FA63}]
C:\WINDOWS\system32\opnonkKd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6685616B-B7C5-4821-B8E8-D7E50A48CEF8}]
C:\WINDOWS\system32\byXPFUOh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B9BC0A4-9C2C-4E84-9BE3-36BCFF9B3775}]
C:\WINDOWS\system32\vtUopMGy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2005-07-08 10:33 100056]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"PowerBar"="" []
"ASUS SmartDoctor"="C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2006-09-08 17:10 1085440]
"Skype"="D:\Programy\Phone\Skype.exe" [2007-12-07 16:11 21803304]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 01:13 1591808]
"catsrv"="C:\Documents and Settings\KPe\Policies\catsrv.exe" [2007-04-10 00:26 626176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dit"="Dit.exe" [2003-07-16 14:56 86016 C:\WINDOWS\Dit.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-09-14 21:21 54976]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-09-14 21:22 38592]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\QTTask.exe" [2008-01-10 16:27 385024]
"catsrv"="C:\Documents and Settings\KPe\Policies\catsrv.exe" [2007-04-10 00:26 626176]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"084ba38e"="C:\WINDOWS\system32\etcpkpfy.dll" [ ]
"BM0b789012"="C:\WINDOWS\system32\nxrkledc.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 12:43 5146448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

C:\Documents and Settings\KPe\Menu Start\Programy\System\Autostart\
Thumbs.db [2005-09-15 16:17:18 7680]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
SiWake.lnk - C:\Program Files\Wireless LAN Utility\SiWake.exe [2007-02-20 00:01:32 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"wave"= DrvTrNTm.dll
"mixer"= DrvTrNTm.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DataLayer"=C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Media Player Classic\\mplayerc.exe"=
"H:\\Games\\MOHAA\\moh_Breakthrough.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\PeerCast\\PeerCast.exe"=
"H:\\Games\\COD\\CoDMP.exe"=
"H:\\Games\\COD\\CoDUOMP.exe"=
"C:\\Program Files\\FTP Commander\\ftpcomm.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"H:\\Games\\MOHAA\\MOHAA.exe"=
"H:\\Games\\MOHAA\\moh_spearhead.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Programy\\ITunes\\iTunes.exe"=
"C:\\Program Files\\Screamer v.0.3.8.[PL]\\screamer.exe"=
"C:\\Documents and Settings\\KPe\\Policies\\catsrv.exe"=
"D:\\Programy\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:*:Disabled:Emule
"4672:UDP"= 4672:UDP:*:Disabled:Emule

R1 KPSYSDRV;KPSYSDRV;C:\WINDOWS\system32\drivers\KPSYSDRV.sys [2001-06-20 10:03]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 IOPort;IOPort;C:\WINDOWS\system32\DRIVERS\IOPORT.SYS [2001-03-01 01:15]
R3 SISNPF;SIS Netgroup Packet Filter;C:\WINDOWS\system32\drivers\SISNPF.sys [2004-02-18 05:09]
R3 uscbs109;uscbs109;C:\WINDOWS\system32\DRIVERS\uscbs109.sys [2005-03-22 00:00]
R3 uscsc109;uscsc109;C:\WINDOWS\system32\DRIVERS\uscsc109.sys [2005-03-22 00:00]
S2 BulkUsb;Genesys Logic USB Controller NT 5.0;C:\WINDOWS\system32\Drivers\usbprn.sys [2001-09-26 11:30]
S3 Cap7134;Cap7134 Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys [2006-02-13 17:53]
S3 DtvAudio;DtvAudio;C:\WINDOWS\system32\DRIVERS\DtvAudio.sys [2004-02-26 03:42]
S3 DtvVideo;DtvVideo;C:\WINDOWS\system32\DRIVERS\DtvVideo.sys [2004-02-26 04:27]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-09-21 20:24]
S3 PhTVTune;Cap7134 TVTuner;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys [2006-02-13 17:53]
S3 SER120;OTI Serial port driver;C:\WINDOWS\system32\DRIVERS\SER120.sys [2005-03-22 10:03]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 22:41]
S3 usb2vcom;USB to Serial Bridge Controller;C:\WINDOWS\system32\Drivers\usb2vcom.sys [2005-08-12 12:40]
S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2001-07-26 15:02]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-12-13 15:35]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 15:26:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-30 19:00:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\DANEAP~1\Symantec\NORTON~2\Tasks\mycomp.sca
"2007-12-16 15:04:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 00:35:17
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-14 0:37:29
ComboFix-quarantined-files.txt 2008-05-13 22:37:21
ComboFix2.txt 2008-05-13 20:30:43

Pre-Run: 4,347,453,440 bajtów wolnych
Post-Run: 4,333,076,480 bajtów wolnych

242 --- E O F --- 2008-04-09 11:18:57

HijackThis log below: :D:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:48:57, on 2008-05-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\DitExp.exe
C:\Documents and Settings\KPe\Policies\catsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
D:\Programy\Phone\Skype.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\Program Files\Wireless LAN Utility\SiSCFG.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
D:\Programy\Plugin Manager\SkypePM.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {3023BB83-EFA1-4F1E-ACE7-3742E82E00AE} - (no file)
O2 - BHO: (no name) - {4815DB9E-781D-458C-9695-6DFD7F03FA63} - C:\WINDOWS\system32\opnonkKd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6685616B-B7C5-4821-B8E8-D7E50A48CEF8} - C:\WINDOWS\system32\byXPFUOh.dll (file missing)
O2 - BHO: (no name) - {7B9BC0A4-9C2C-4E84-9BE3-36BCFF9B3775} - C:\WINDOWS\system32\vtUopMGy.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [084ba38e] rundll32.exe "C:\WINDOWS\system32\etcpkpfy.dll",b
O4 - HKLM\..\Run: [BM0b789012] Rundll32.exe "C:\WINDOWS\system32\nxrkledc.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Skype] "D:\Programy\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Thumbs.db
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SiWake.lnk = C:\Program Files\Wireless LAN Utility\SiWake.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9198 bytes
 
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {3023BB83-EFA1-4F1E-ACE7-3742E82E00AE} - (no file)
O2 - BHO: (no name) - {4815DB9E-781D-458C-9695-6DFD7F03FA63} - C:\WINDOWS\system32\opnonkKd.dll (file missing)
O2 - BHO: (no name) - {6685616B-B7C5-4821-B8E8-D7E50A48CEF8} - C:\WINDOWS\system32\byXPFUOh.dll (file missing)
O2 - BHO: (no name) - {7B9BC0A4-9C2C-4E84-9BE3-36BCFF9B3775} - C:\WINDOWS\system32\vtUopMGy.dll (file missing)
O4 - HKLM\..\Run: [084ba38e] rundll32.exe "C:\WINDOWS\system32\etcpkpfy.dll",b
O4 - HKLM\..\Run: [BM0b789012] Rundll32.exe "C:\WINDOWS\system32\nxrkledc.dll",s
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also post a new HijackThis log
 
HijackThis scan + Malwarebytes

Hi again, operation performed according to Your suggestions.

Malwarebytes log below::bigthumb:
Malwarebytes' Anti-Malware 1.12
Database version: 745

Scan type: Quick Scan
Objects scanned: 38573
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ffffffff-bbbb-4146-86fd-a722e8ab3489} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And requested HijackThis log: :bigthumb:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:04, on 2008-05-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
D:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazeta.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DD4A65C7-61D7-445F-BCF1-5065F765EAF9} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU\..\Run: [Skype] "D:\Programy\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [catsrv] C:\Documents and Settings\KPe\Policies\catsrv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: Thumbs.db
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SiWake.lnk = C:\Program Files\Wireless LAN Utility\SiWake.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8279 bytes

Thank You for assistance. Big help and altruistic. Rarely seen nowadays. :angel:

I experience some problems with missing dll's when I start up the system. Was it fixed as well?

regards
 
Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Cleanup.png



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
 
Dear Mr Rorschach112, the Mighty Security Warrior,

thank you for your patience. I finally got rid of this malicious spyware, with your great assisstance. I can work with my computer again. I shall be more careful next time. :police:

cheers
KPe
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top