I have to mention that I reinstalled my Windows and I have no programs in the C/ directory. I left only my D/ directory the same because I have some important documents in there.
The problem seemed to appear when I tried to format my USB memory stick.
I scanned it with HiJackThis and here's the result:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:38:03 AM, on 7/30/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\RomDan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\RomDan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\RomDan\LOCALS~1\Temp\winlles.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{13284590-54BD-41C8-A303-D9A05F5A35E6}: NameServer = 86.127.112.108 80.96.50.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DCFA6A9-A794-4EE1-8B6D-ACB7E491DC8B}: NameServer = 86.127.112.108 80.96.50.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{13284590-54BD-41C8-A303-D9A05F5A35E6}: NameServer = 86.127.112.108 80.96.50.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{13284590-54BD-41C8-A303-D9A05F5A35E6}: NameServer = 86.127.112.108 80.96.50.2
--
End of file - 1729 bytes
After I fixed all the problems in HiJackThis, I used ComboFix and there's the log:
ComboFix 10-07-29.02 - RomDan 07/30/2010 23:24:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.310 [GMT 3:00]
Running from: c:\documents and settings\RomDan\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-30 )))))))))))))))))))))))))))))))
.
2010-07-30 20:15 . 2010-07-30 20:15 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-07-30 20:08 . 2010-07-30 20:08 -------- d-----w- c:\documents and settings\RomDan\Local Settings\Application Data\Temp
2010-07-30 20:08 . 2010-07-30 20:08 -------- d-----w- c:\documents and settings\RomDan\Local Settings\Application Data\Google
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-30 19:58 . 2010-07-30 19:58 465920 ----a-r- c:\documents and settings\RomDan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-30 19:58 . 2010-07-30 19:58 -------- d-----w- c:\program files\Trend Micro
2010-07-30 19:53 . 2010-07-30 19:53 12328 ----a-w- c:\documents and settings\RomDan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-30 19:37 . 2010-07-30 19:37 -------- d-----w- c:\program files\microsoft frontpage
2010-07-30 19:35 . 2010-07-30 19:35 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-07-30 19:32 . 2010-07-30 19:32 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Live for Speed Alpha 0.5Z\\LFS.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1292428093-839522115-1003Core.job
- c:\documents and settings\RomDan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-30 20:08]
2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-1292428093-839522115-1003UA.job
- c:\documents and settings\RomDan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-30 20:08]
.
.
------- Supplementary Scan -------
.
TCP: {13284590-54BD-41C8-A303-D9A05F5A35E6} = 86.127.112.108 80.96.50.2
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-30 23:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-07-30 23:29:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-30 20:29
Pre-Run: 12,908,560,384 bytes free
Post-Run: 12,861,210,624 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 71F7E048CC933BD4CCD19CDC3E2D68F8
Before I reinstalled the OS, AVG was finding infections in all of the programs, and it was a virus; I don't know the exact name: Txxxx M.