and the attack log
Hi,
Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As, name the file fixes.bat, change the "Save as type" to All Files and save it to your desktop.
@ECHO OFF
CACLS g:\windows\system32\svchost.exe >Log.txt
START Log.txt
DEL %0
Double-click on the fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
Microsoft Windows Insider MVP 2016-2020
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
If you have problems create a thread in the forum, please.
Malware removal instructions are for the correspondent user's case only.
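The CACLS step above is a quick check that the permissions on svchost.exe still look like those of a normal system binary. As an added example that is not part of the original post, here is a small Python parser for CACLS output of exactly that shape, with a check that flags ACEs a file under system32 should not carry; the baseline rules and the second, "tampered" sample file are assumptions constructed for illustration.

```python
"""Parse CACLS output of the shape fixes.bat produced in this thread and
flag ACEs that a binary under %windir%\\system32 should not carry.
Added example, not from the thread; the baseline rules and the second
sample file are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

# Constructed sample: the thread's svchost.exe output verbatim, plus one
# made-up file whose ACL has been loosened and given a Deny entry.
SAMPLE_LOG = r"""
g:\windows\system32\svchost.exe BUILTIN\Users:R
                                BUILTIN\Power Users:R
                                BUILTIN\Administrators:F
                                NT AUTHORITY\SYSTEM:F
g:\windows\system32\tampered.exe Everyone:(OI)(CI)F
                                 BUILTIN\Users:(DENY)R
                                 NT AUTHORITY\SYSTEM:F
"""

# One CACLS line: an optional leading path (only on the first line for a
# file), then "DOMAIN\account:" with optional (OI)(CI)(DENY)-style flags
# and a single right letter N/R/W/C/F.
_LINE = re.compile(
    r"^(?:(?P<path>[A-Za-z]:\\.*?)\s+)?"
    r"(?P<account>(?:[\w .$-]+\\)?[\w .$-]+):"
    r"(?P<flags>(?:\([A-Z ]+\))*)(?P<right>[NRWCF]?)\s*$"
)

@dataclass
class Ace:
    account: str
    right: str        # N, R, W, C or F; '' if CACLS printed only flags
    deny: bool

def parse_cacls(text):
    """Return {lower-cased path: [Ace, ...]}; detail lines are skipped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue                     # blank or "(special access:)" detail
        if m.group("path"):
            current = m.group("path").lower()
            entries.setdefault(current, [])
        if current is None:
            continue                     # ACE before any path: malformed
        entries[current].append(
            Ace(m.group("account"), m.group("right"),
                "(DENY)" in m.group("flags")))
    return entries

# Baseline (assumed): low-privilege principals may read/execute a system
# binary but never modify it, and no Deny ACE is expected on one.
LOW_PRIV = {"everyone", "builtin\\users", "builtin\\power users",
            "nt authority\\authenticated users"}
MODIFY = {"W", "C", "F"}

def audit_system_binary(aces):
    """Findings for one file's ACEs; an empty list means it looks normal."""
    findings = []
    for ace in aces:
        if ace.deny:
            findings.append(f"Deny ACE for {ace.account} ({ace.right})")
        elif ace.account.lower() in LOW_PRIV and ace.right in MODIFY:
            findings.append(f"{ace.account} can modify the file ({ace.right})")
    return findings

if __name__ == "__main__":
    for path, aces in parse_cacls(SAMPLE_LOG).items():
        issues = audit_system_binary(aces)
        print(path, "-> OK" if not issues else "-> " + "; ".join(issues))
```

Run against the thread's own four lines the check reports nothing, which is the expected result for an untouched svchost.exe.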
hi here are the contents of files.bat
g:\windows\system32\svchost.exe BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Does that svchost.exe error still appear? If it does, please post the exact error message here.
The svchost.exe error still appears.
Here is the message:
svchost.exe - Application Error
The instruction at "0x79bf4373" referenced memory at "0x79bf4373". The memory could not be "written".
Click OK to terminate the program
Click CANCEL to debug the program
This message also appears when I am trying to install programs with the suffix .msi.
And after pressing OK or Cancel, a message appears that I am not allowed to use the Windows Installer service.
Open notepad and copy/paste the text in the quotebox below into it:
File::
D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1

Folder::
D:\Downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
D:\Downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
D:\Downloads\RegCure 1.3 + Crack

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

Save this as CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
Close all browser windows and, referring to the picture above, drag CFScript onto ComboFix.exe.
Then post the resultant log + fresh dds.txt log.
Hi, here is the ComboFix log.
ComboFix 10-06-19.04 - astra 23/06/2010 8:18.6.4 - x86
Running from: g:\documents and settings\astra\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: g:\documents and settings\astra\Επιφάνεια εργασίας\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point
FILE ::
"d:\downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\heritage.nfo
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\file_id.diz
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HERiTAGE.nfo
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG.rar
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Crack\BG3130_CRK.exe
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Setup.exe
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\README.txt
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mIRC 6.3 [keygen].exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mirc.exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM.REG
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM2.REG
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\README.txt
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\mirc63.exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Torrent_downloaded_from_Demonoid.com.txt
d:\downloads\RegCure 1.3 + Crack
d:\downloads\RegCure 1.3 + Crack\RegCure 1.3 + Crack.zip
d:\downloads\RegCure 1.3 + Crack\Torrent downloaded from Demonoid.com.txt
.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.
2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 17:17 . 2010-06-20 17:17 24576 ----a-w- g:\documents and settings\astra\Application Data\KeePass\PluginCache\kYNALEaVfUqyIF5K_2.1.0.28189\fdNx0kpe.dll
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- g:\documents and settings\astra\Application Data\KeePass
2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\astra\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- g:\documents and settings\astra\Application Data\ComodoGroup
2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 19:09 . 2010-06-11 19:09 53632 ----a-w- g:\documents and settings\astra\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\Search Settings
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\astra\Application Data\Zeon
2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-06 13:10 . 2010-06-06 13:11 -------- d-----w- g:\documents and settings\astra\Application Data\dvdcss
2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
2010-05-31 13:45 . 2010-05-31 13:45 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcp71.dll
2010-05-31 13:45 . 2010-05-31 13:45 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\jmc.dll
2010-05-31 13:45 . 2010-05-31 13:45 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcr71.dll
2010-05-31 13:45 . 2010-05-31 13:45 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-sse.dll
2010-05-31 13:45 . 2010-05-31 13:45 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-d3d.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 05:15 . 2009-07-17 21:19 -------- d-----w- g:\documents and settings\astra\Application Data\TeraCopy
2010-06-23 05:10 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
2010-06-23 05:09 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
2010-06-22 08:18 . 2010-01-11 11:51 -------- d-----w- g:\documents and settings\astra\Application Data\Media Player Classic
2010-06-22 06:51 . 2008-11-02 18:45 -------- d-----w- g:\documents and settings\astra\Application Data\VMware
2010-06-22 06:46 . 2004-09-07 12:00 687116 ----a-w- g:\windows\system32\perfh008.dat
2010-06-22 06:46 . 2004-09-07 12:00 146018 ----a-w- g:\windows\system32\perfc008.dat
2010-06-21 14:10 . 2009-11-14 09:54 -------- d-----w- g:\program files\DAEMON Tools Toolbar
2010-06-17 06:33 . 2009-07-28 20:10 1 ----a-w- g:\documents and settings\astra\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-13 10:07 . 2009-07-21 17:30 -------- d-----w- g:\program files\Startup Manager
2010-06-12 20:19 . 2010-04-03 12:04 -------- d-----w- g:\documents and settings\astra\Application Data\gtk-2.0
2010-06-12 17:37 . 2008-10-27 23:20 117496 ----a-w- g:\documents and settings\astra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-12 17:03 . 2009-07-28 20:08 -------- d-----w- g:\program files\OpenOffice.org 3
2010-06-12 14:44 . 2009-01-01 20:19 -------- d-----w- g:\documents and settings\All Users\Application Data\Apple Computer
2010-06-12 13:51 . 2009-04-24 22:53 -------- d-----w- g:\documents and settings\astra\Application Data\Audacity
2010-06-12 13:42 . 2010-04-10 21:20 -------- d-----w- g:\documents and settings\astra\Application Data\foobar2000
2010-06-12 07:20 . 2008-10-28 09:03 -------- d-----w- g:\program files\COMODO
2010-06-11 19:09 . 2010-02-26 17:51 -------- d-----w- g:\program files\XnView
2010-06-11 19:09 . 2009-11-19 18:07 -------- d-----w- g:\program files\Common Files\Adobe AIR
2010-06-11 16:34 . 2008-10-28 09:48 -------- d-----w- g:\program files\Mozilla Thunderbird
2010-06-11 05:19 . 2009-08-07 15:46 -------- d-----w- g:\program files\FreeMind
2010-06-10 22:11 . 2010-04-14 19:27 -------- d-----w- g:\program files\Microsoft.NET
2010-06-10 14:56 . 2010-01-17 16:07 -------- d-----w- g:\documents and settings\astra\Application Data\vlc
2010-06-08 21:44 . 2010-01-11 17:25 -------- d-----w- g:\program files\Calendar
2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
2010-06-06 15:29 . 2009-11-30 09:52 -------- d-----w- g:\program files\Foxit Software
2010-06-06 15:27 . 2010-03-13 08:42 -------- d-----w- g:\documents and settings\astra\Application Data\Nuance
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\documents and settings\astra\Application Data\Notepad++
2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
2010-05-13 17:47 . 2008-10-27 22:10 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 10:09 . 2010-05-02 10:09 -------- d-----w- g:\documents and settings\astra\Application Data\adma
2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
2010-04-01 03:46 . 2010-04-01 03:46 65536 ----a-r- g:\documents and settings\astra\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-03-31 12:10 . 2010-03-31 12:10 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcp71.dll
2010-03-31 12:10 . 2010-03-31 12:10 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\jmc.dll
2010-03-31 12:10 . 2010-03-31 12:10 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcr71.dll
2010-03-31 12:10 . 2010-03-31 12:10 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-sse.dll
2010-03-31 12:10 . 2010-03-31 12:10 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-d3d.dll
2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
.
------- Sigcheck -------
[-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-06-20_17.00.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-23 05:10 . 2010-06-23 05:10 16384 g:\windows\temp\Perflib_Perfdata_840.dat
+ 2004-09-07 12:00 . 2010-06-22 06:46 557528 g:\windows\system32\perfh009.dat
+ 2004-09-07 12:00 . 2010-06-22 06:46 110996 g:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
"TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
"MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]
g:\documents and settings\All Users\Start Menu\α\΅΅ε\
Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="G:\Yellow flower.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\guard32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pgdfgsvc G 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
backup=g:\windows\pss\MagicDisc.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk
[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-11-02 10:53 18782720 ----a-w- g:\windows\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"wfxsvc"=2 (0x2)
"ose"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
S1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
S2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]
.
Contents of the 'Scheduled Tasks' folder
2010-06-21 g:\windows\Tasks\COMODO System Cleaner Update.job
- g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]
2010-06-21 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]
2010-06-22 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]
2010-06-23 g:\windows\Tasks\MP Scheduled Scan.job
- g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - g:\documents and settings\astra\Application Data\Mozilla\Firefox\Profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 08:23
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose, ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 10\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="E5-E280-E46F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games\\aris.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00009b7a
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000062
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"Currency"=dword:0000001c
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-930\\db\\930\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000000
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"GraphStep"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|ΐ|ω9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"VIDC.FFDS"="ff_vfw.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1420)
g:\windows\system32\guard32.dll
g:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(1636)
g:\windows\system32\guard32.dll
.
Completion time: 2010-06-23 08:25:08
ComboFix-quarantined-files.txt 2010-06-23 05:25
ComboFix2.txt 2010-06-21 16:21
ComboFix3.txt 2010-06-20 17:02
ComboFix4.txt 2010-06-17 05:16
Pre-Run: 14 Κατάλογοι 434.524.155.904 διαθέσιμα byte
Post-Run: 15 Κατάλογοι 434.612.260.864 διαθέσιμα byte
- - End Of File - - 1F526047E699DFD0CF097F9D6BACF055
Here is the new DDS log.
DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 8:29:03,37 on Τετ 23/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll
================= FIREFOX ===================
FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
============== File Associations ===============
.scr=AutoCADLTScriptFile
=============== Created Last 30 ================
2010-06-21 09:56:50 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42:05 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42:04 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 18:42:04 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 17:17:38 0 d-----w- g:\docume~1\astra\applic~1\KeePass
2010-06-20 16:54:18 98816 ----a-w- g:\windows\sed.exe
2010-06-20 16:54:18 77312 ----a-w- g:\windows\MBR.exe
2010-06-20 16:54:18 256512 ----a-w- g:\windows\PEV.exe
2010-06-20 16:54:18 161792 ----a-w- g:\windows\SWREG.exe
2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
2010-06-17 05:05:28 0 d-sha-r- G:\cmdcons
2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
==================== Find3M ====================
2010-06-22 06:46:44 687116 ----a-w- g:\windows\system32\perfh008.dat
2010-06-22 06:46:44 146018 ----a-w- g:\windows\system32\perfc008.dat
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll
============= FINISH: 8:29:20,21 ===============
Hi,
Download a fresh ComboFix copy.
Create a new cfscript with these contents and run ComboFix with it in Safe Mode:
Code:
File::
D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]