
Thread: shvhost.exe application error

  1. #11 Junior Member (Join Date: Jun 2010, Posts: 21)

    Attach log

    and the attach log

  2. #12 Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Open notepad and then copy and paste the lines in the code box below into it. Go to File > Save as, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.

    Code:
    @ECHO OFF
    CACLS g:\windows\system32\svchost.exe >Log.txt
    START Log.txt
    DEL %0

    Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13 Junior Member (Join Date: Jun 2010, Posts: 21)

    contents of fixes.bat

    Hi, here are the contents of fixes.bat:

    Code:
    g:\windows\system32\svchost.exe BUILTIN\Users:R
    BUILTIN\Power Users:R
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
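    A check for output of this kind, added here as an example and not part of the thread: it parses what the CACLS line in fixes.bat prints and compares it with the default ACL of a stock Windows XP system32 binary (an assumed baseline), flagging extra principals, changed permissions, missing entries and any non-administrative principal that could modify the file. The path constant mirrors the batch file; the tampered sample is constructed.

```python
"""Audit CACLS output for a Windows system binary against an expected ACL."""
import re

# Path queried by the fixes.bat in the thread.
SVCHOST = r"g:\windows\system32\svchost.exe"

# Assumed baseline: the default ACL of a stock Windows XP system32 binary.
EXPECTED_ACL = {
    r"BUILTIN\Users": "R",
    r"BUILTIN\Power Users": "R",
    r"BUILTIN\Administrators": "F",
    r"NT AUTHORITY\SYSTEM": "F",
}

# CACLS permission letters that allow modifying the file (Write, Change, Full).
WRITE_PERMS = {"W", "C", "F"}
# Principals expected to hold write access on system binaries.
TRUSTED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}

# One access-control entry as CACLS prints it: an optional "DOMAIN\" prefix
# (the domain may contain spaces, e.g. "NT AUTHORITY"), the account name, a
# colon, optional inheritance flags such as (OI)(CI)(ID), and one letter
# from N R W C F.
ACE_RE = re.compile(
    r"(?P<principal>(?:[^\s:\\]+(?: [^\s:\\]+)*\\)?[^:\\]+):"
    r"(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])"
)


def parse_cacls(text, path):
    """Parse CACLS output for a single file.

    CACLS prints the path and the first ACE on one line and each further ACE
    on its own line. Returns (aces, unparsed): aces is a list of
    (principal, inheritance_flags, permission) tuples; unparsed holds lines
    that are not a simple ACE (for example "Special access:" entries), which
    the audit reports rather than silently ignores.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].lower().startswith(path.lower()):
        raise ValueError("output does not start with %r" % path)
    ace_texts = [lines[0][len(path):].strip()] + lines[1:]
    aces, unparsed = [], []
    for ace in ace_texts:
        m = ACE_RE.fullmatch(ace)
        if m:
            aces.append((m.group("principal"), m.group("flags"), m.group("perm")))
        else:
            unparsed.append(ace)
    return aces, unparsed


def audit_acl(text, path, expected=EXPECTED_ACL):
    """Return a list of findings; an empty list means the ACL matches the baseline."""
    aces, unparsed = parse_cacls(text, path)
    findings, seen = [], set()
    for principal, flags, perm in aces:
        seen.add(principal)
        if principal not in expected:
            findings.append("unexpected ACE %s:%s%s" % (principal, flags, perm))
        elif perm != expected[principal]:
            findings.append("%s has %s, expected %s" % (principal, perm, expected[principal]))
        # A non-administrative principal with write access could replace the binary.
        if perm in WRITE_PERMS and principal not in TRUSTED:
            findings.append("%s can modify %s (%s)" % (principal, path, perm))
    for principal, perm in expected.items():
        if principal not in seen:
            findings.append("missing expected ACE %s:%s" % (principal, perm))
    for line in unparsed:
        findings.append("unrecognised ACE line: %s" % line)
    return findings


# The output posted in the thread (matches the baseline).
THREAD_OUTPUT = r"""g:\windows\system32\svchost.exe BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
"""

# Constructed sample of a tampered ACL: Everyone granted Full, Users raised to
# Change, Power Users entry removed.
TAMPERED_OUTPUT = r"""g:\windows\system32\svchost.exe Everyone:F
BUILTIN\Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
"""

if __name__ == "__main__":
    for label, output in (("thread", THREAD_OUTPUT), ("tampered", TAMPERED_OUTPUT)):
        findings = audit_acl(output, SVCHOST)
        print("%s: %s" % (label, "OK" if not findings else "; ".join(findings)))
```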

  4. #14 Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Does that svchost.exe error still appear? If it does please try to get the exact error message here.

  5. #15 Junior Member (Join Date: Jun 2010, Posts: 21)

    svchost.exe error still appears

    The svchost.exe error still appears. Here is the message:

    svchost.exe - Application Error

    The instruction at "0x79bf4373" referenced memory at "0x79bf4373". The memory could not be "written".

    Click OK to terminate the program
    Click CANCEL to debug the program

    This message also appears when I am trying to install programs with the .msi suffix.
    After pressing OK or Cancel a message appears saying that I am not allowed to use the Windows Installer service.

  6. #16 Junior Member (Join Date: Jun 2010, Posts: 21)

    Quote Originally Posted by PUHLuR:
    The svchost.exe error still appear
    here is the message

    svchost.exe - Application Error

    The instruction at "0x79bf4373" referenced memory at "0x79bf4373". The memory could not be "written".

    Click OK to terminate the program
    Click CANCEL to debug the program

    This message appears also when i am trying to install programs with suffix .msi.
    And after pressing ok or cancel a message appears that it says i am not allowed to use windows installer service.
    The same message appears when I am trying to open the system's default browser.
    After pressing OK or Cancel a message appears saying that Chrome ended unexpectedly.

    Also, the Windows sound icon does not appear in the system tray.

  7. #17 Security Expert: Emeritus Blade81 (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1
    Folder::
    D:\Downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
    D:\Downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
    D:\Downloads\RegCure 1.3 + Crack
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
    Then post the resultant log + a fresh dds.txt log.

  8. #18 Junior Member (Join Date: Jun 2010, Posts: 21)

    Combofix log

    Hi, here is the ComboFix log:

    ComboFix 10-06-19.04 - astra 23/06/2010 8:18.6.4 - x86
    Running from: g:\documents and settings\astra\Επιφάνεια εργασίας\ComboFix.exe
    Command switches used :: g:\documents and settings\astra\Επιφάνεια εργασίας\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    FILE ::
    "d:\downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\heritage.nfo
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\file_id.diz
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HERiTAGE.nfo
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG.rar
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Crack\BG3130_CRK.exe
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Setup.exe
    d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\README.txt
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mIRC 6.3 [keygen].exe
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mirc.exe
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM.REG
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM2.REG
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\README.txt
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\mirc63.exe
    d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Torrent_downloaded_from_Demonoid.com.txt
    d:\downloads\RegCure 1.3 + Crack
    d:\downloads\RegCure 1.3 + Crack\RegCure 1.3 + Crack.zip
    d:\downloads\RegCure 1.3 + Crack\Torrent downloaded from Demonoid.com.txt

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
    .

    2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
    2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
    2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
    2010-06-20 17:17 . 2010-06-20 17:17 24576 ----a-w- g:\documents and settings\astra\Application Data\KeePass\PluginCache\kYNALEaVfUqyIF5K_2.1.0.28189\fdNx0kpe.dll
    2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- g:\documents and settings\astra\Application Data\KeePass
    2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
    2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
    2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
    2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
    2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
    2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
    2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
    2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\astra\Application Data\Malwarebytes
    2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
    2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
    2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
    2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
    2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
    2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
    2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
    2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- g:\documents and settings\astra\Application Data\ComodoGroup
    2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
    2010-06-11 19:09 . 2010-06-11 19:09 53632 ----a-w- g:\documents and settings\astra\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
    2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
    2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
    2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
    2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
    2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
    2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
    2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
    2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
    2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
    2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
    2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
    2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
    2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\Search Settings
    2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\astra\Application Data\Zeon
    2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
    2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
    2010-06-06 13:10 . 2010-06-06 13:11 -------- d-----w- g:\documents and settings\astra\Application Data\dvdcss
    2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
    2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
    2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
    2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
    2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
    2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
    2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
    2010-05-31 13:45 . 2010-05-31 13:45 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcp71.dll
    2010-05-31 13:45 . 2010-05-31 13:45 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\jmc.dll
    2010-05-31 13:45 . 2010-05-31 13:45 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcr71.dll
    2010-05-31 13:45 . 2010-05-31 13:45 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-sse.dll
    2010-05-31 13:45 . 2010-05-31 13:45 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-d3d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-23 05:15 . 2009-07-17 21:19 -------- d-----w- g:\documents and settings\astra\Application Data\TeraCopy
    2010-06-23 05:10 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
    2010-06-23 05:09 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
    2010-06-22 08:18 . 2010-01-11 11:51 -------- d-----w- g:\documents and settings\astra\Application Data\Media Player Classic
    2010-06-22 06:51 . 2008-11-02 18:45 -------- d-----w- g:\documents and settings\astra\Application Data\VMware
    2010-06-22 06:46 . 2004-09-07 12:00 687116 ----a-w- g:\windows\system32\perfh008.dat
    2010-06-22 06:46 . 2004-09-07 12:00 146018 ----a-w- g:\windows\system32\perfc008.dat
    2010-06-21 14:10 . 2009-11-14 09:54 -------- d-----w- g:\program files\DAEMON Tools Toolbar
    2010-06-17 06:33 . 2009-07-28 20:10 1 ----a-w- g:\documents and settings\astra\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-06-13 10:07 . 2009-07-21 17:30 -------- d-----w- g:\program files\Startup Manager
    2010-06-12 20:19 . 2010-04-03 12:04 -------- d-----w- g:\documents and settings\astra\Application Data\gtk-2.0
    2010-06-12 17:37 . 2008-10-27 23:20 117496 ----a-w- g:\documents and settings\astra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-12 17:03 . 2009-07-28 20:08 -------- d-----w- g:\program files\OpenOffice.org 3
    2010-06-12 14:44 . 2009-01-01 20:19 -------- d-----w- g:\documents and settings\All Users\Application Data\Apple Computer
    2010-06-12 13:51 . 2009-04-24 22:53 -------- d-----w- g:\documents and settings\astra\Application Data\Audacity
    2010-06-12 13:42 . 2010-04-10 21:20 -------- d-----w- g:\documents and settings\astra\Application Data\foobar2000
    2010-06-12 07:20 . 2008-10-28 09:03 -------- d-----w- g:\program files\COMODO
    2010-06-11 19:09 . 2010-02-26 17:51 -------- d-----w- g:\program files\XnView
    2010-06-11 19:09 . 2009-11-19 18:07 -------- d-----w- g:\program files\Common Files\Adobe AIR
    2010-06-11 16:34 . 2008-10-28 09:48 -------- d-----w- g:\program files\Mozilla Thunderbird
    2010-06-11 05:19 . 2009-08-07 15:46 -------- d-----w- g:\program files\FreeMind
    2010-06-10 22:11 . 2010-04-14 19:27 -------- d-----w- g:\program files\Microsoft.NET
    2010-06-10 14:56 . 2010-01-17 16:07 -------- d-----w- g:\documents and settings\astra\Application Data\vlc
    2010-06-08 21:44 . 2010-01-11 17:25 -------- d-----w- g:\program files\Calendar
    2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
    2010-06-06 15:29 . 2009-11-30 09:52 -------- d-----w- g:\program files\Foxit Software
    2010-06-06 15:27 . 2010-03-13 08:42 -------- d-----w- g:\documents and settings\astra\Application Data\Nuance
    2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
    2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\documents and settings\astra\Application Data\Notepad++
    2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
    2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
    2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
    2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
    2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
    2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
    2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
    2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
    2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
    2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
    2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
    2010-05-13 17:47 . 2008-10-27 22:10 -------- d--h--w- g:\program files\InstallShield Installation Information
    2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
    2010-05-02 10:09 . 2010-05-02 10:09 -------- d-----w- g:\documents and settings\astra\Application Data\adma
    2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
    2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
    2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
    2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
    2010-04-01 03:46 . 2010-04-01 03:46 65536 ----a-r- g:\documents and settings\astra\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
    2010-03-31 12:10 . 2010-03-31 12:10 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcp71.dll
    2010-03-31 12:10 . 2010-03-31 12:10 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\jmc.dll
    2010-03-31 12:10 . 2010-03-31 12:10 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcr71.dll
    2010-03-31 12:10 . 2010-03-31 12:10 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-sse.dll
    2010-03-31 12:10 . 2010-03-31 12:10 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-d3d.dll
    2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
    .

    ------- Sigcheck -------

    [-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-06-20_17.00.59 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-06-23 05:10 . 2010-06-23 05:10 16384 g:\windows\temp\Perflib_Perfdata_840.dat
    + 2004-09-07 12:00 . 2010-06-22 06:46 557528 g:\windows\system32\perfh009.dat
    + 2004-09-07 12:00 . 2010-06-22 06:46 110996 g:\windows\system32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
    "TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
    "MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

    g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
    Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="G:\Yellow flower.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=g:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ pgdfgsvc G 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
    backup=g:\windows\pss\MagicDisc.lnkStartup
    path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

    [HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
    backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
    path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
    2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2009-11-02 10:53 18782720 ----a-w- g:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MDM"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Autodesk Licensing Service"=3 (0x3)
    "Ati HotKey Poller"=2 (0x2)
    "Adobe LM Service"=3 (0x3)
    "ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
    "iPod Service"=3 (0x3)
    "ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
    "WMPNetworkSvc"=3 (0x3)
    "wfxsvc"=2 (0x2)
    "ose"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
    R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
    R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
    R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
    R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
    R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
    R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
    R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
    R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
    R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
    R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
    R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
    S1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
    S2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
    S2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-21 g:\windows\Tasks\COMODO System Cleaner Update.job
    - g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

    2010-06-21 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
    - g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

    2010-06-22 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
    - g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

    2010-06-23 g:\windows\Tasks\MP Scheduled Scan.job
    - g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.gr/
    uInternet Settings,ProxyOverride = local
    IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    FF - ProfilePath - g:\documents and settings\astra\Application Data\Mozilla\Firefox\Profiles\pvs1v4h5.default\
    FF - plugin: g:\documents and settings\astra\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: g:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
    FF - plugin: g:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-23 08:23
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
    "GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\games"
    "ShortlistDir"=""
    "ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010"
    "SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\"
    "HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 10\\History Points"
    "LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"
    "LastSaveGame"=""
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="Steklo Black"
    "LastUpdateCheck"=dword:00000000
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:0000006f
    "UniqueID"="E5-E280-E46F"
    "Currency"=dword:00000056
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""

    [HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009]
    "GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
    "ShortlistDir"=""
    "ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
    "SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
    "HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009\\History Points"
    "LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
    "LastSaveGame"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games\\aris.fm"
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "SkinName"="Champions League"
    "LastUpdateCheck"=dword:00009b7a
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000062
    "UniqueID"="E5-E280-EF1F"
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""

    [HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
    "Currency"=dword:0000001c
    "GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
    "ShortlistDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\shortlists"
    "ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
    "SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
    "HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009 XE\\History Points"
    "LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-930\\db\\930\\lang_db.dat"
    "LastSaveGame"=""
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "SkinName"="Champions League"
    "LastUpdateCheck"=dword:00000000
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000000
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000067
    "UniqueID"="E5-E280-EF1F"
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    "GraphStep"=dword:00000000

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|ΐ|ω9~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
    @DACL=(02 0012)
    @Denied: (Read) (Administrators)
    @Denied: (B E 1 4 5) (Administrators)
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
    "VIDC.I420"="i420vfw.dll"
    "MSVideo8"="VfWWDM32.dll"
    "MSVideo"="vfwwdm32.dll"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "midi3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "vidc.yv12"="yv12vfw.dll"
    "wave6"="serwvdrv.dll"
    "wave2"="wdmaud.drv"
    "midi2"="wdmaud.drv"
    "mixer2"="wdmaud.drv"
    "aux2"="wdmaud.drv"
    "VIDC.FFDS"="ff_vfw.dll"
    "wave1"="wdmaud.drv"
    "midi1"="wdmaud.drv"
    "mixer1"="wdmaud.drv"
    "aux1"="wdmaud.drv"
    "VIDC.VMnc"="vmnc.dll"
    "wave4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1420)
    g:\windows\system32\guard32.dll
    g:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(1636)
    g:\windows\system32\guard32.dll
    .
    Completion time: 2010-06-23 08:25:08
    ComboFix-quarantined-files.txt 2010-06-23 05:25
    ComboFix2.txt 2010-06-21 16:21
    ComboFix3.txt 2010-06-20 17:02
    ComboFix4.txt 2010-06-17 05:16

    Pre-Run: 14 directories, 434,524,155,904 bytes free
    Post-Run: 15 directories, 434,612,260,864 bytes free

    - - End Of File - - 1F526047E699DFD0CF097F9D6BACF055

  9. #19
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    Default fresh dds log

    Here is the new DDS log.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by astra at 8:29:03,37 on Wed 23/06/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.gr/
    uInternet Settings,ProxyOverride = local
    mWinlogon: UIHost=G:\Yellow flower.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
    mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
    mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
    mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [RTHDCPL] RTHDCPL.EXE
    dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
    IE: E&xport to Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
    LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: g:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
    SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

    ================= FIREFOX ===================

    FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
    FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
    g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

    ============= SERVICES / DRIVERS ===============


    ============== File Associations ===============

    .scr=AutoCADLTScriptFile

    =============== Created Last 30 ================

    2010-06-21 09:56:50 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
    2010-06-20 18:42:05 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-20 18:42:04 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
    2010-06-20 18:42:04 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
    2010-06-20 17:17:38 0 d-----w- g:\docume~1\astra\applic~1\KeePass
    2010-06-20 16:54:18 98816 ----a-w- g:\windows\sed.exe
    2010-06-20 16:54:18 77312 ----a-w- g:\windows\MBR.exe
    2010-06-20 16:54:18 256512 ----a-w- g:\windows\PEV.exe
    2010-06-20 16:54:18 161792 ----a-w- g:\windows\SWREG.exe
    2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
    2010-06-17 05:05:28 0 d-sha-r- G:\cmdcons
    2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
    2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
    2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
    2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
    2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
    2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
    2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
    2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
    2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
    2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
    2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
    2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
    2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
    2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
    2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
    2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
    2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
    2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
    2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
    2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
    2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
    2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
    2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
    2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
    2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
    2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
    2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
    2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
    2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
    2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
    2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
    2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
    2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
    2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
    2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
    2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
    2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
    2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
    2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
    2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
    2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
    2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

    ==================== Find3M ====================

    2010-06-22 06:46:44 687116 ----a-w- g:\windows\system32\perfh008.dat
    2010-06-22 06:46:44 146018 ----a-w- g:\windows\system32\perfc008.dat
    2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
    2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
    2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
    2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
    2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
    2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
    2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

    ============= FINISH: 8:29:20,21 ===============

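The Pseudo HJT Report above lists persistence points (Winlogon UIHost, Run keys, BHOs, Notify packages, AppInit_DLLs, shell hooks) but not where each one lives or which ones deserve a second look. The script below is an added example for this thread, not DDS's own code: it parses a constructed sample made of lines from the log above, maps each DDS prefix to the registry location it is read from, and flags entries worth verifying by hand. The prefix-to-location table and the triage heuristics (a non-default UIHost, any AppInit_DLLs value, "No File" orphans, binaries outside the Windows and Program Files trees) are my own assumptions about the tool's conventions, not text from DDS, and a flag means "verify", not "malicious".

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example: not part of the forum thread and not DDS's own code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Where each DDS prefix is read from.  This mapping is my own summary of the
# tool's naming (u = current user, m = machine, d = default user); it is an
# assumption, not text taken from DDS, so verify it before relying on it.
LOCATIONS = {
    "mWinlogon": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    "BHO": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects",
    "TB": r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
    "mRun": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "uRun": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "dRun": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
    "Notify": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
    "AppInit_DLLs": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    "SSODL": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    "SEH": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
}

HEAD_RE = re.compile(r"^([A-Za-z_]+):\s*(.*)$")          # "prefix: payload"
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll|cpl|ax|drv|sys)\b', re.IGNORECASE)
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")   # heuristic, assumed

# Constructed sample: a subset of the Pseudo HJT lines from the DDS log above.
SAMPLE = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================
"""


@dataclass
class Entry:
    prefix: str
    payload: str
    path: Optional[str]      # first drive-letter path found in the payload, if any


def parse_hjt(text: str) -> List[Entry]:
    """Return the 'prefix: payload' entries between the HJT header and the next section."""
    entries, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "Pseudo HJT Report" in line:
            inside = True
            continue
        if inside and line.startswith("="):
            break                                   # next "====" section header
        m = HEAD_RE.match(line) if inside else None
        if not m:
            continue                                # blank lines, "uStart Page = ..." etc.
        prefix, payload = m.group(1), m.group(2).strip()
        p = PATH_RE.search(payload)
        entries.append(Entry(prefix, payload, p.group(0) if p else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Flag entries a responder should verify: (prefix, registry location, reason)."""
    findings = []
    for e in entries:
        loc = LOCATIONS.get(e.prefix, "(location not mapped)")
        if e.prefix == "mWinlogon" and e.payload.lower().startswith("uihost="):
            host = e.payload.split("=", 1)[1].strip()
            if host.lower() != "logonui.exe":       # XP's default logon UI host
                findings.append((e.prefix, loc, f"UIHost overridden: {host}"))
        if e.prefix == "AppInit_DLLs" and e.payload:
            findings.append((e.prefix, loc, f"DLL loaded into every user32 process: {e.payload}"))
        if e.payload.endswith("No File"):
            findings.append((e.prefix, loc, f"orphaned entry: {e.payload}"))
        if e.path and not any(d in e.path.lower() for d in TRUSTED_DIRS):
            findings.append((e.prefix, loc, f"binary outside Windows/Program Files: {e.path}"))
    return findings


if __name__ == "__main__":
    for prefix, loc, reason in triage(parse_hjt(SAMPLE)):
        print(f"{prefix:<13} {reason}\n{'':<13} at {loc}")
```

Run against the sample it reports the non-default UIHost (twice: overridden, and located at the drive root), the orphaned toolbar CLSID and the guard32.dll AppInit_DLLs entry; every other line resolves to a binary under Windows or Program Files and is left alone.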
  10. #20
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Download a fresh ComboFix copy.

    Create a new CFScript with this content and run ComboFix with it in Safe Mode:
    Code:
    File::
    D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

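The three keys in the Reglock:: stanza above are exactly the entries of the earlier ComboFix "LOCKED REGISTRY KEYS" section that carry an explicit @Denied: line; the FM Genie Scout keys under HKEY_USERS appear in that section too, but without any Deny ACE, and are not unlocked. The script below is an added example, not part of this thread and not ComboFix's own code: it parses that section from a constructed sample cut down from the posted log, lists every Deny ACE with the principal it applies to (a key in HKLM that denies Read to Administrators, as Drivers32 does here, is the case worth attention, since it hides a system DLL-mapping key from the very account used to clean the machine), and prints the HKLM keys carrying a Deny ACE in the Reglock:: format used in the post. The selection rule (HKLM plus an @Denied: line) and the sample text are my assumptions.

```python
"""Triage the 'LOCKED REGISTRY KEYS' section of a ComboFix log.

Added example: not part of the thread above and not ComboFix's own code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, cut down from the shape of the log posted earlier in the thread.
SAMPLE_LOG = r"""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="g:\\Documents and Settings\\astra\\games"
"UserPassword"=""

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

SECTION_START = "LOCKED REGISTRY KEYS"
KEY_RE = re.compile(r"^\[(.+)\]$")                                  # [HKEY_...\path]
DENIED_RE = re.compile(r"^@Denied:\s*\((.+?)\)\s*\((.+?)\)$")        # @Denied: (rights) (principal)


@dataclass
class LockedKey:
    path: str
    denied: List[Tuple[str, str]] = field(default_factory=list)     # (rights, principal)
    values: List[str] = field(default_factory=list)                 # remaining value lines


def parse_locked_keys(text: str) -> List[LockedKey]:
    """Collect each [key] block between the section header and the next section."""
    keys: List[LockedKey] = []
    current = None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if SECTION_START in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line == "." or line.startswith("-----"):
            break                                   # ComboFix closes the section with "." / next header
        m = KEY_RE.match(line)
        if m:
            current = LockedKey(path=m.group(1))
            keys.append(current)
            continue
        if current is None or not line:
            continue
        d = DENIED_RE.match(line)
        if d:
            current.denied.append((d.group(1), d.group(2)))
        else:
            current.values.append(line)
    return keys


def select_for_reglock(keys: List[LockedKey]) -> List[LockedKey]:
    """Assumed rule: machine-wide keys that carry an explicit Deny ACE."""
    return [k for k in keys if k.denied and k.path.upper().startswith("HKEY_LOCAL_MACHINE\\")]


def cfscript_reglock(keys: List[LockedKey]) -> str:
    """Render the selected keys in the Reglock:: stanza format used in the post above."""
    return "\n".join(["Reglock::"] + [f"[{k.path}]" for k in select_for_reglock(keys)])


if __name__ == "__main__":
    parsed = parse_locked_keys(SAMPLE_LOG)
    for k in parsed:
        for rights, who in k.denied:
            print(f"DENY {rights:<10} {who:<15} {k.path}")
    print(cfscript_reglock(parsed))
```

The Elevation subkey of the FlashBroker CLSID is not selected: it is listed because its parent is locked, but it has no Deny ACE of its own, which matches the stanza in the post.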