
Thread: shvhost.exe application error

  1. #21
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    ComboFix in safe mode

    hi
    here is the ComboFix log that ran in safe mode

    ComboFix 10-06-23.01 - Administrator 23/06/2010 22:55:15.8.4 - x86 MINIMAL
    Running from: g:\documents and settings\Administrator\Επιφάνεια εργασίας\ComboFix.exe
    Command switches used :: g:\documents and settings\Administrator\Επιφάνεια εργασίας\Cfscript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    * Created a new restore point

    FILE ::
    "d:\downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe"
    .

    ((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
    .

    2010-06-23 19:33 . 2010-06-23 19:33 -------- d-----w- g:\documents and settings\Administrator\Application Data\Notepad++
    2010-06-23 18:33 . 2010-05-24 17:13 51232 ----a-w- g:\windows\system32\RHCoInstXP.dll
    2010-06-23 18:33 . 2010-05-24 17:13 1489440 ----a-w- g:\windows\RtaUpd.exe
    2010-06-23 18:33 . 2010-05-24 17:09 4003008 ----a-w- g:\windows\system32\drivers\RtKHDMI.sys
    2010-06-23 08:36 . 2010-06-23 08:36 -------- d-----w- g:\documents and settings\astra\Επιφάνεια εργασίας
    2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
    2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
    2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
    2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
    2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
    2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
    2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
    2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
    2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
    2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
    2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
    2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
    2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
    2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
    2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
    2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
    2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
    2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
    2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
    2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
    2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
    2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
    2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
    2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
    2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
    2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
    2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
    2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
    2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
    2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
    2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
    2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
    2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
    2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
    2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
    2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
    2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
    2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
    2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
    2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
    2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
    2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-23 19:27 . 2004-09-07 12:00 690068 ----a-w- g:\windows\system32\perfh008.dat
    2010-06-23 19:27 . 2004-09-07 12:00 147354 ----a-w- g:\windows\system32\perfc008.dat
    2010-06-23 19:19 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
    2010-06-23 19:19 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
    2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
    2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
    2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
    2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
    2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
    2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
    2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
    2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
    2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
    2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
    2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
    2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
    2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
    2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
    2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
    2010-04-28 15:45 . 2010-06-23 18:34 1251872 ----a-w- g:\windows\RtlExUpd.dll
    2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
    2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
    2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
    2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
    2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
    .

    ------- Sigcheck -------

    [-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
    [7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    [7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
    [7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
    [7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    [7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
    "TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
    "MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "RTHDCPL"="RTHDCPL.EXE" [2010-06-08 19552872]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

    g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
    Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="G:\Yellow flower.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=g:\windows\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ pgdfgsvc G 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
    backup=g:\windows\pss\MagicDisc.lnkStartup
    path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

    [HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
    backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
    path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
    2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2010-06-08 14:16 19552872 ----a-w- g:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MDM"=2 (0x2)
    "JavaQuickStarterService"=2 (0x2)
    "idsvc"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Autodesk Licensing Service"=3 (0x3)
    "Ati HotKey Poller"=2 (0x2)
    "Adobe LM Service"=3 (0x3)
    "ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
    "iPod Service"=3 (0x3)
    "ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
    "WMPNetworkSvc"=3 (0x3)
    "wfxsvc"=2 (0x2)
    "ose"=3 (0x3)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
    "d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
    "g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
    R1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
    R2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]
    R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
    R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
    R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
    R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
    R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
    R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
    R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
    R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
    R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
    R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
    R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
    R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-23 g:\windows\Tasks\COMODO System Cleaner Update.job
    - g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

    2010-06-23 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
    - g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

    2010-06-23 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
    - g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

    2010-06-23 g:\windows\Tasks\MP Scheduled Scan.job
    - g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
    DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
    FF - ProfilePath -
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    g:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-23 22:57
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ΐ•€|ω•9~*]
    "AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
    @DACL=(02 0012)
    @Denied: (Read) (Administrators)
    @Denied: (B E 1 4 5) (Administrators)
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
    "VIDC.I420"="i420vfw.dll"
    "MSVideo8"="VfWWDM32.dll"
    "MSVideo"="vfwwdm32.dll"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "midi3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "vidc.yv12"="yv12vfw.dll"
    "wave6"="serwvdrv.dll"
    "VIDC.FFDS"="ff_vfw.dll"
    "VIDC.VMnc"="vmnc.dll"
    "wave4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(256)
    g:\windows\system32\guard32.dll
    g:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'lsass.exe'(312)
    g:\windows\system32\guard32.dll

    - - - - - - - > 'explorer.exe'(928)
    g:\windows\system32\guard32.dll
    .
    Completion time: 2010-06-23 22:58:47
    ComboFix-quarantined-files.txt 2010-06-23 19:58
    ComboFix2.txt 2010-06-23 19:47

    Pre-Run: 13 Κατάλογοι 434.478.141.440 διαθέσιμα byte
    Post-Run: 15 Κατάλογοι 434.464.268.288 διαθέσιμα byte

    - - End Of File - - CE30540D4F27328437907D888F7CA71B

  2. #22
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Click start->run->type regedit.exe and press enter.
    Navigate to the HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32 key, right-click it and select Permissions. Check what groups are listed there (a screenshot might be helpful) and what permissions they have with "allow" selected. Report back to me.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #23
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    Screenshots of Drivers32 permissions

    hi
    here are the screenshots

  4. #24
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Click start->run->type cmd.exe. In the command prompt window type the following command (and press enter):
    Code:
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset
    After that type the following command:
    Code:
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >"%userprofile%\desktop\log.txt"
    The second command should generate a log.txt file on your desktop. Attach it to your post, please.

  5. #25
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    Permissions log

    hi


    *******************************************************************************
    Registrykey: HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32

    Permissions:
    *******************************************************************************
    Username
    Type Permissions Inheritance
    *******************************************************************************
    ASTRATIC\Administrators
    Denied Read This Key Only
    ASTRATIC\Administrators
    Denied Read Subkeys only
    ASTRATIC\Users
    Allowed Read This Key Only
    ASTRATIC\Users
    Allowed Special (Unknown) Subkeys only
    ASTRATIC\Power Users
    Allowed Read This Key Only
    ASTRATIC\Power Users
    Allowed Special (Unknown) Subkeys only
    NT AUTHORITY\SYSTEM
    Allowed Full Control This Key Only
    NT AUTHORITY\SYSTEM
    Allowed Special (Unknown) Subkeys only
    \CREATOR OWNER
    Allowed Special (Unknown) Subkeys only
    ASTRATIC\Users
    Allowed Read This Key Only (Inherited)
    ASTRATIC\Users
    Allowed Special (Unknown) Subkeys only (Inherited)
    ASTRATIC\Power Users
    Allowed Special (BA54321) This Key Only (Inherited)
    ASTRATIC\Power Users
    Allowed Special (A) Subkeys only (Inherited)
    ASTRATIC\Administrators
    Allowed Full Control This Key Only (Inherited)
    ASTRATIC\Administrators
    Allowed Special (Unknown) Subkeys only (Inherited)
    NT AUTHORITY\SYSTEM
    Allowed Full Control This Key Only (Inherited)
    NT AUTHORITY\SYSTEM
    Allowed Special (Unknown) Subkeys only (Inherited)
    \CREATOR OWNER
    Allowed Special (Unknown) Subkeys only (Inherited)
    Perms

    No Auditing set

    Owner: Administrators (ASTRATIC\Administrators)
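The permission log above is what a responder reads by hand: an explicit Deny Read on the local Administrators group placed ahead of the inherited Allow Full Control, so the Deny wins and administrators are locked out of the key. As an added example (PowerShell, not a command from this thread or from swreg), the function below produces the same report for any key under a hive, matching the Administrators group by well-known SID so that it works regardless of the machine's locale (the log above comes from a Greek Windows). It assumes an elevated PowerShell session on the affected machine; the function and parameter names are this example's own.

```powershell
# Added example, not part of the thread: report a registry key's owner and every
# access control entry, flagging Deny entries, with the local Administrators group
# matched by SID (S-1-5-32-544) rather than by a locale-dependent name.
function Get-RegistryKeyAclReport {
    [CmdletBinding()]
    param(
        # Path below the hive, e.g. 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
        [Parameter(Mandatory = $true)] [string] $SubKey,
        [Microsoft.Win32.RegistryKey] $HiveKey = [Microsoft.Win32.Registry]::LocalMachine
    )

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Ask only for READ_CONTROL. A "Deny Read" ACE on the key also denies READ_CONTROL,
    # so a plain administrator can be refused here; the owner of the key is granted
    # READ_CONTROL implicitly, which is why the owning Administrators group could still
    # list the permissions in the log above.
    try {
        $key = $HiveKey.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch {
        throw "Cannot read the security descriptor of '$SubKey': $($_.Exception.Message)"
    }
    if ($key -eq $null) { throw "Key '$SubKey' not found under $($HiveKey.Name)" }

    try {
        $sections = [System.Security.AccessControl.AccessControlSections]::Access -bor
                    [System.Security.AccessControl.AccessControlSections]::Owner
        $sec = $key.GetAccessControl($sections)

        # Explicit and inherited rules, identities returned as SIDs
        $rules = $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $report = foreach ($r in $rules) {
            $sid = $r.IdentityReference.Value
            try { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid }   # unresolvable SID: keep the raw value
            $isDeny = $r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
            $flag = ''
            if ($isDeny -and $sid -eq $adminsSid.Value) { $flag = 'DENY ON LOCAL ADMINISTRATORS' }
            elseif ($isDeny) { $flag = 'deny' }
            New-Object PSObject -Property @{
                Identity = $name; Type = $r.AccessControlType; Rights = $r.RegistryRights
                Inherited = $r.IsInherited; AppliesTo = $r.InheritanceFlags; Flag = $flag
            }
        }

        try { $owner = $sec.GetOwner([System.Security.Principal.NTAccount]).Value }
        catch { $owner = $sec.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }

        New-Object PSObject -Property @{
            Key          = "$($HiveKey.Name)\$SubKey"
            Owner        = $owner
            HasAdminDeny = [bool] ($report | Where-Object { $_.Flag -eq 'DENY ON LOCAL ADMINISTRATORS' })
            Rules        = $report
        }
    } finally {
        $key.Close()
    }
}

# Usage: a DENY ON LOCAL ADMINISTRATORS flag on a system key such as Drivers32 is what
# the permission log above shows and is worth treating as a tamper indicator.
$r = Get-RegistryKeyAclReport -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$r | Select-Object Key, Owner, HasAdminDeny
$r.Rules | Format-Table Identity, Type, Rights, Inherited, Flag -AutoSize
```

The "Special (Unknown)" rows in the log are entries that apply to subkeys only (inherit-only ACEs); the report shows that as AppliesTo. The point to check is the ordering rule: explicit Deny entries are evaluated before inherited Allow entries, so the inherited Full Control for Administrators further down the log does not help while the explicit Deny Read is present.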

  6. #26
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,


    Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.

    Code:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32Dummy]
    "midimapper"="midimap.dll"
    "msacm.imaadpcm"="imaadp32.acm"
    "msacm.msadpcm"="msadp32.acm"
    "msacm.msg711"="msg711.acm"
    "msacm.msgsm610"="msgsm32.acm"
    "msacm.trspch"="tssoft32.acm"
    "vidc.cvid"="iccvid.dll"
    "vidc.iv31"="ir32_32.dll"
    "vidc.iv32"="ir32_32.dll"
    "vidc.iv41"="ir41_32.ax"
    "VIDC.IYUV"="iyuv_32.dll"
    "vidc.mrle"="msrle32.dll"
    "vidc.msvc"="msvidc32.dll"
    "VIDC.UYVY"="msyuv.dll"
    "VIDC.YUY2"="msyuv.dll"
    "VIDC.YVU9"="tsbyuv.dll"
    "VIDC.YVYU"="msyuv.dll"
    "wavemapper"="msacm32.drv"
    "msacm.msg723"="msg723.acm"
    "vidc.M263"="msh263.drv"
    "vidc.M261"="msh261.drv"
    "msacm.msaudio1"="msaud32.acm"
    "msacm.sl_anet"="sl_anet.acm"
    "msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
    "vidc.iv50"="ir50_32.dll"
    "msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
    "VIDC.I420"="i420vfw.dll"
    "MSVideo8"="VfWWDM32.dll"
    "MSVideo"="vfwwdm32.dll"
    "wave"="wdmaud.drv"
    "midi"="wdmaud.drv"
    "mixer"="wdmaud.drv"
    "aux"="wdmaud.drv"
    "wave3"="wdmaud.drv"
    "midi3"="wdmaud.drv"
    "mixer3"="wdmaud.drv"
    "aux3"="wdmaud.drv"
    "vidc.yv12"="yv12vfw.dll"
    "wave6"="serwvdrv.dll"
    "VIDC.FFDS"="ff_vfw.dll"
    "VIDC.VMnc"="vmnc.dll"
    "wave4"="wdmaud.drv"
    "mixer4"="wdmaud.drv"
    It should look like this ->

    Doubleclick fix.reg, press Yes and ok.


    After the merge has completed successfully, click start->run->type cmd.exe. In the command prompt window type the following command (and press enter):
    Code:
    reg save "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32dummy" drv.hiv
    then this (and enter):
    Code:
    reg restore "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" drv.hiv
    finally, type these two commands (press enter after each one):
    Code:
    swreg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /s >"%userprofile%\desktop\logKey.txt"
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >>"%userprofile%\desktop\logKey.txt"

    After all those steps are done, attach/post the contents of logKey.txt, which should now exist on your desktop.

  7. #27
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    logKey.txt

    Hi, here is logKey.txt

  8. #28
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    reg restore "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" drv.hiv

    When I try to apply this command
    Code:
    reg restore "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" drv.hiv
    I get an error message: access is not allowed

  9. #29
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    1. Click start->run->type cmd.exe.
    2. Highlight the following contents in the code box->right click->copy
    3. Right-click the command prompt window, select paste. After the commands have been executed there should be a new log.txt file on your desktop. Post back its contents.

    Code:
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /OM
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /GM:F
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /RA:R
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /GA:F
    swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >"%userprofile%\desktop\log.txt"
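Posts #26 and #29 above work around the locked key in two steps: rebuild the key's values through a dummy key with reg save/reg restore, and then reset the DACL with swreg so that Administrators regain Full Control. As an added example (PowerShell, not the helper's own commands and not swreg), the function below does the DACL part directly: it removes explicit Deny entries for the local Administrators group and adds an Allow Full Control entry that propagates to subkeys. It assumes an elevated session on the affected machine and that the Administrators group already owns the key, as the permission log earlier in the thread shows; when that is not the case the open fails and the function says that ownership has to be taken first rather than attempting it. The function and parameter names are this example's own.

```powershell
# Added example, not part of the thread: strip explicit Deny ACEs for the local
# Administrators group from a registry key and grant the group Full Control again.
function Repair-RegistryKeyAdminAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path below the hive, e.g. 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
        [Parameter(Mandatory = $true)] [string] $SubKey,
        [Microsoft.Win32.RegistryKey] $HiveKey = [Microsoft.Win32.Registry]::LocalMachine
    )

    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList @(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $rights = [System.Security.AccessControl.RegistryRights] (
        [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)

    # READ_CONTROL and WRITE_DAC are granted to the object's owner before the DACL is
    # consulted, so this open succeeds for the owning group even with a Deny Read ACE.
    try {
        $key = $HiveKey.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::Default, $rights)
    } catch {
        throw "Cannot open '$SubKey' for permission changes; take ownership first " +
              "(needs SeTakeOwnershipPrivilege). $($_.Exception.Message)"
    }
    if ($key -eq $null) { throw "Key '$SubKey' not found under $($HiveKey.Name)" }

    try {
        $sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $removed = @()
        $inheritedLeft = @()
        # GetAccessRules returns a snapshot, so the DACL can be edited while iterating
        foreach ($r in $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
            if ($r.IdentityReference.Value -ne $adminsSid.Value) { continue }
            if ($r.IsInherited) { $inheritedLeft += $r; continue }   # has to be fixed on the parent key
            $sec.RemoveAccessRuleSpecific($r)
            $removed += $r
        }

        # Explicit Allow Full Control that also flows down to subkeys
        $allow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $adminsSid,
            [System.Security.AccessControl.RegistryRights]::FullControl,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $sec.AddAccessRule($allow)

        if ($PSCmdlet.ShouldProcess("$($HiveKey.Name)\$SubKey", "Rewrite DACL")) {
            $key.SetAccessControl($sec)
        }
    } finally {
        $key.Close()
    }

    New-Object PSObject -Property @{
        Key                  = "$($HiveKey.Name)\$SubKey"
        RemovedDenyAces      = $removed.Count
        InheritedDenyAcesLeft = $inheritedLeft.Count
    }
}

# Usage: run once with -WhatIf to see what would be rewritten, then for real.
Repair-RegistryKeyAdminAccess -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32' -WhatIf
Repair-RegistryKeyAdminAccess -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
```

Once the DACL is repaired the key's existing values are readable again, so the dummy-key copy from post #26 is only needed when the values themselves were damaged. An inherited Deny entry cannot be removed on the child; the function counts it in InheritedDenyAcesLeft so that the parent key gets looked at instead of silently reporting success.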

  10. #30
    Junior Member
    Join Date
    Jun 2010
    Posts
    21

    New log.txt file

    Hi
    here is the new log.txt file
