svchost.exe application error



PUHLuR
2010-06-15, 08:40
I've a svchost.exe application error, and when I press OK or Cancel I get a "DCOM Server Process Launcher service terminated unexpectedly" error, and after a minute my PC restarts.
I've some anti-malware, but I always get the same message.

I would like some help dealing with this thing.
Thanks in advance

Here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 9:15:54,65 on Τρι 15/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
uURLSearchHooks: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - g:\program files\pdfforge toolbar\SearchSettings.dll
mWinlogon: UIHost=G:\Yellow flower.exe
uWinlogon: Shell="g:\program files\emerge desktop\emergeCore.exe"
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - g:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - g:\program files\pdfforge toolbar\SearchSettings.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - g:\program files\daemon tools toolbar\DTToolbar.dll
TB: pdfforge Toolbar: {b922d405-6d13-4a2b-ae89-08a030da4402} - g:\program files\pdfforge toolbar\ie\1.1.2\pdfforgeToolbarIE.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [CTFMON.EXE] g:\windows\system32\ctfmon.exe
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - component: g:\program files\pdfforge toolbar\ssff\components\SearchSettingsFF.dll
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: g:\program files\opera\program\plugins\np_gp.dll
FF - plugin: g:\program files\opera\program\plugins\npjp2.dll
FF - plugin: g:\program files\opera\program\plugins\npzzatif.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - g:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-06-15 06:15:13 5164 ----a-w- G:\fraglist.luar
2010-06-14 14:05:42 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-14 14:01:19 522636 ----a-w- g:\windows\system32\drivers\cmcantirootkit.sys
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:57:18 0 d-----w- g:\program files\Gnaural
2010-06-12 19:56:20 0 d-----w- g:\program files\GTK2-Runtime
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:54:22 0 d-----w- g:\program files\BrainWave Generator
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:53:15 0 d-----w- g:\docume~1\astra\applic~1\pdfforge
2010-06-06 15:43:04 0 d-----w- g:\program files\Application Updater
2010-06-06 15:43:02 0 d-----w- g:\program files\pdfforge Toolbar
2010-06-06 15:42:37 137000 ----a-w- g:\windows\system32\MSMAPI32.OCX
2010-06-06 15:42:37 116224 ----a-w- g:\windows\system32\pdfcmnnt.dll
2010-06-06 15:42:36 23552 ----a-w- g:\windows\system32\MSMPIDE.DLL
2010-06-06 15:42:35 0 d-----w- g:\program files\PDFCreator
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
2010-05-16 07:19:05 73728 ----a-w- g:\windows\system32\javacpl.cpl
2010-05-16 07:19:05 411368 ----a-w- g:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-06-14 11:46:21 681950 ----a-w- g:\windows\system32\perfh008.dat
2010-06-14 11:46:21 143680 ----a-w- g:\windows\system32\perfc008.dat
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-03-18 13:47:22 17760 ----a-w- g:\windows\system32\aspnet_counters.dll
2010-03-18 10:16:28 771424 ----a-w- g:\windows\system32\msvcr100_clr0400.dll
2010-03-18 10:16:28 70472 ----a-w- g:\windows\system32\dxva2.dll
2010-03-18 10:16:28 486216 ----a-w- g:\windows\system32\evr.dll
2010-03-18 07:09:00 99176 ----a-w- g:\windows\system32\PresentationHostProxy.dll
2010-03-18 07:09:00 49488 ----a-w- g:\windows\system32\netfxperf.dll
2010-03-18 07:09:00 297808 ----a-w- g:\windows\system32\mscoree.dll
2010-03-18 07:09:00 295264 ----a-w- g:\windows\system32\PresentationHost.exe
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

============= FINISH: 9:16:06,07 ===============

Blade81
2010-06-19, 10:17
Hi,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

PUHLuR
2010-06-20, 19:21
Thanks for the reply to my post.
Here is the file ComboFix.txt:

ComboFix 10-06-19.04 - astra 20/06/2010 19:57:14.4.4 - x86
Running from: g:\documents and settings\astra\Επιφάνεια εργασίας\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-05-20 to 2010-06-20 )))))))))))))))))))))))))))))))
.

2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
2010-06-14 14:01 . 2010-06-14 14:01 522636 ----a-w- g:\windows\system32\drivers\cmcantirootkit.sys
2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\astra\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- g:\documents and settings\astra\Application Data\ComodoGroup
2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 19:09 . 2010-06-11 19:09 53632 ----a-w- g:\documents and settings\astra\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\Search Settings
2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\pdfforge
2010-06-06 15:43 . 2010-06-19 06:35 -------- d-----w- g:\program files\pdfforge Toolbar
2010-06-06 15:42 . 2001-10-28 14:42 116224 ----a-w- g:\windows\system32\pdfcmnnt.dll
2010-06-06 15:42 . 1998-07-05 22:00 23552 ----a-w- g:\windows\system32\MSMPIDE.DLL
2010-06-06 15:42 . 2010-06-06 15:43 -------- d-----w- g:\program files\PDFCreator
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\astra\Application Data\Zeon
2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-06 13:10 . 2010-06-06 13:11 -------- d-----w- g:\documents and settings\astra\Application Data\dvdcss
2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
2010-05-31 13:45 . 2010-05-31 13:45 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcp71.dll
2010-05-31 13:45 . 2010-05-31 13:45 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\jmc.dll
2010-05-31 13:45 . 2010-05-31 13:45 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcr71.dll
2010-05-31 13:45 . 2010-05-31 13:45 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-sse.dll
2010-05-31 13:45 . 2010-05-31 13:45 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-20 16:51 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
2010-06-20 16:51 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
2010-06-20 16:33 . 2004-09-07 12:00 684902 ----a-w- g:\windows\system32\perfh008.dat
2010-06-20 16:33 . 2004-09-07 12:00 145016 ----a-w- g:\windows\system32\perfc008.dat
2010-06-20 16:23 . 2009-07-17 21:19 -------- d-----w- g:\documents and settings\astra\Application Data\TeraCopy
2010-06-19 12:53 . 2008-11-02 18:45 -------- d-----w- g:\documents and settings\astra\Application Data\VMware
2010-06-19 06:28 . 2010-06-17 07:36 -------- d-----w- g:\program files\Safer Networking
2010-06-17 06:33 . 2009-07-28 20:10 1 ----a-w- g:\documents and settings\astra\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
2010-06-15 08:00 . 2010-01-23 09:51 -------- d-----w- g:\documents and settings\astra\Application Data\uTorrent
2010-06-14 21:12 . 2010-01-11 11:51 -------- d-----w- g:\documents and settings\astra\Application Data\Media Player Classic
2010-06-13 10:07 . 2009-07-21 17:30 -------- d-----w- g:\program files\Startup Manager
2010-06-12 20:19 . 2010-04-03 12:04 -------- d-----w- g:\documents and settings\astra\Application Data\gtk-2.0
2010-06-12 17:37 . 2008-10-27 23:20 117496 ----a-w- g:\documents and settings\astra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-12 17:03 . 2009-07-28 20:08 -------- d-----w- g:\program files\OpenOffice.org 3
2010-06-12 14:44 . 2009-01-01 20:19 -------- d-----w- g:\documents and settings\All Users\Application Data\Apple Computer
2010-06-12 13:51 . 2009-04-24 22:53 -------- d-----w- g:\documents and settings\astra\Application Data\Audacity
2010-06-12 13:42 . 2010-04-10 21:20 -------- d-----w- g:\documents and settings\astra\Application Data\foobar2000
2010-06-12 07:20 . 2008-10-28 09:03 -------- d-----w- g:\program files\COMODO
2010-06-11 19:09 . 2010-02-26 17:51 -------- d-----w- g:\program files\XnView
2010-06-11 19:09 . 2009-11-19 18:07 -------- d-----w- g:\program files\Common Files\Adobe AIR
2010-06-11 16:34 . 2008-10-28 09:48 -------- d-----w- g:\program files\Mozilla Thunderbird
2010-06-11 05:19 . 2009-08-07 15:46 -------- d-----w- g:\program files\FreeMind
2010-06-10 22:11 . 2010-04-14 19:27 -------- d-----w- g:\program files\Microsoft.NET
2010-06-10 14:56 . 2010-01-17 16:07 -------- d-----w- g:\documents and settings\astra\Application Data\vlc
2010-06-08 21:44 . 2010-01-11 17:25 -------- d-----w- g:\program files\Calendar
2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
2010-06-06 15:29 . 2009-11-30 09:52 -------- d-----w- g:\program files\Foxit Software
2010-06-06 15:27 . 2010-03-13 08:42 -------- d-----w- g:\documents and settings\astra\Application Data\Nuance
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\documents and settings\astra\Application Data\Notepad++
2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
2010-05-13 17:47 . 2008-10-27 22:10 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 10:09 . 2010-05-02 10:09 -------- d-----w- g:\documents and settings\astra\Application Data\adma
2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
2010-04-01 03:46 . 2010-04-01 03:46 65536 ----a-r- g:\documents and settings\astra\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-03-31 12:10 . 2010-03-31 12:10 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcp71.dll
2010-03-31 12:10 . 2010-03-31 12:10 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\jmc.dll
2010-03-31 12:10 . 2010-03-31 12:10 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcr71.dll
2010-03-31 12:10 . 2010-03-31 12:10 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-sse.dll
2010-03-31 12:10 . 2010-03-31 12:10 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-d3d.dll
2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
.

------- Sigcheck -------

[-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
"TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
"MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="G:\Yellow flower.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pgdfgsvc G 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
backup=g:\windows\pss\MagicDisc.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-11-02 10:53 18782720 ----a-w- g:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"wfxsvc"=2 (0x2)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\uTorrent\\utorrent.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [2010-06-14 522636]
R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
R3 LQIHFPK;LQIHFPK;g:\docume~1\astra\LOCALS~1\Temp\LQIHFPK.exe [x]
R3 NK;NK;g:\docume~1\astra\LOCALS~1\Temp\NK.exe [x]
R3 NNFQO;NNFQO;g:\docume~1\astra\LOCALS~1\Temp\NNFQO.exe [x]
R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
R3 PEN;PEN;g:\docume~1\astra\LOCALS~1\Temp\PEN.exe [x]
R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 YYWDKYIS;YYWDKYIS;g:\docume~1\astra\LOCALS~1\Temp\YYWDKYIS.exe [x]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R4 Application Updater;Application Updater;g:\program files\Application Updater\ApplicationUpdater.exe [x]
R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
S1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
S2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]

.
Contents of the 'Scheduled Tasks' folder

2010-06-19 g:\windows\Tasks\COMODO System Cleaner Update.job
- g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

2010-06-18 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-20 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-20 g:\windows\Tasks\MP Scheduled Scan.job
- g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - g:\documents and settings\astra\Application Data\Mozilla\Firefox\Profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{B922D405-6D13-4A2B-AE89-08A030DA4402} - (no file)
MSConfigStartUp-SearchSettings - g:\program files\pdfforge Toolbar\SearchSettings.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-20 20:00
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 10\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="E5-E280-E46F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games\\aris.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00009b7a
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000062
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"Currency"=dword:0000001c
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-930\\db\\930\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000000
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"GraphStep"=dword:00000000

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FD8B8F52-5380-7448-7981-0C07F50FC781}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abgjnaihlhjdcomdoghlbpjkdolojbdaph"=hex:70,61,65,6a,68,67,70,69,6f,6f,6f,66,
6d,65,6d,6a,61,70,67,6a,61,62,6b,63,70,6f,65,67,6d,6a,68,64,00,00
"mafjihbhhgocikpanlllgjpnen"=hex:6f,61,67,68,6c,69,68,70,69,64,69,6a,6d,65,6e,
69,66,6e,6a,6c,69,68,66,6e,70,61,68,6c,62,6a,00,64

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ΐ•€|ω•9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"VIDC.FFDS"="ff_vfw.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1452)
g:\windows\system32\guard32.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1636)
g:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(588)
g:\windows\system32\guard32.dll
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-20 20:02:26
ComboFix-quarantined-files.txt 2010-06-20 17:02
ComboFix2.txt 2010-06-17 05:16

Pre-Run: 14 Κατάλογοι 434.533.781.504 διαθέσιμα byte
Post-Run: 15 Κατάλογοι 434.517.213.184 διαθέσιμα byte

- - End Of File - - 1CAF90822C36F98371B66F5421614A31

PUHLuR
2010-06-20, 19:24
And here is the new DDS log.


DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 20:15:30,39 on Κυρ 20/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - g:\program files\daemon tools toolbar\DTToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Google Update] "g:\documents and settings\astra\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-06-20 16:54:18 98816 ----a-w- g:\windows\sed.exe
2010-06-20 16:54:18 77312 ----a-w- g:\windows\MBR.exe
2010-06-20 16:54:18 256512 ----a-w- g:\windows\PEV.exe
2010-06-20 16:54:18 161792 ----a-w- g:\windows\SWREG.exe
2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
2010-06-17 05:05:28 0 d-sha-r- G:\cmdcons
2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
2010-06-14 14:01:19 522636 ----a-w- g:\windows\system32\drivers\cmcantirootkit.sys
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:53:15 0 d-----w- g:\docume~1\astra\applic~1\pdfforge
2010-06-06 15:43:02 0 d-----w- g:\program files\pdfforge Toolbar
2010-06-06 15:42:37 137000 ----a-w- g:\windows\system32\MSMAPI32.OCX
2010-06-06 15:42:37 116224 ----a-w- g:\windows\system32\pdfcmnnt.dll
2010-06-06 15:42:36 23552 ----a-w- g:\windows\system32\MSMPIDE.DLL
2010-06-06 15:42:35 0 d-----w- g:\program files\PDFCreator
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-06-20 16:33:57 684902 ----a-w- g:\windows\system32\perfh008.dat
2010-06-20 16:33:57 145016 ----a-w- g:\windows\system32\perfc008.dat
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

============= FINISH: 20:15:40,84 ===============

Blade81
2010-06-20, 20:11
Hi,

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

PUHLuR
2010-06-20, 20:48
Hi, this is the Malwarebytes' Anti-Malware log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/6/2010 9:44:58 μμ
mbam-log-2010-06-20 (21-44-58).txt

Scan type: Quick scan
Objects scanned: 136606
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Blade81
2010-06-21, 15:39
Hi again,


Open Notepad and copy/paste the text in the quote box below into it:



Driver::
LQIHFPK
NK
NNFQO
PEN
YYWDKYIS
File::
g:\docume~1\astra\LOCALS~1\Temp\LQIHFPK.exe
g:\docume~1\astra\LOCALS~1\Temp\NK.exe
g:\docume~1\astra\LOCALS~1\Temp\NNFQO.exe
g:\docume~1\astra\LOCALS~1\Temp\PEN.exe
g:\docume~1\astra\LOCALS~1\Temp\YYWDKYIS.exe
Folder::
g:\documents and settings\astra\Application Data\uTorrent
d:\Program Files\uTorrent
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\uTorrent\\utorrent.exe"=-
DDS::
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Regnull::
[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FD8B8F52-5380-7448-7981-0C07F50FC781}*]
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall DAEMON Tools Toolbar if it was not installed on purpose. Do the same with pdfforge Toolbar.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix log.

PUHLuR
2010-06-22, 04:02
Hi, this is the new ComboFix log

ComboFix 10-06-19.04 - astra 21/06/2010 17:29:22.5.4 - x86
Running from: g:\documents and settings\astra\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: g:\documents and settings\astra\Επιφάνεια εργασίας\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point

FILE ::
"g:\docume~1\astra\LOCALS~1\Temp\LQIHFPK.exe"
"g:\docume~1\astra\LOCALS~1\Temp\NK.exe"
"g:\docume~1\astra\LOCALS~1\Temp\NNFQO.exe"
"g:\docume~1\astra\LOCALS~1\Temp\PEN.exe"
"g:\docume~1\astra\LOCALS~1\Temp\YYWDKYIS.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\program files\uTorrent
d:\program files\uTorrent\Uninstall.exe
d:\program files\uTorrent\utorrent.exe
g:\documents and settings\astra\Application Data\uTorrent
g:\documents and settings\astra\Application Data\uTorrent\ΚΟΡΝΗΛΙΟΣ ΚΑΣΤΟΡΙΑΔΗΣ.torrent
g:\documents and settings\astra\Application Data\uTorrent\Als2.torrent
g:\documents and settings\astra\Application Data\uTorrent\BYA3.torrent
g:\documents and settings\astra\Application Data\uTorrent\BrGen.torrent
g:\documents and settings\astra\Application Data\uTorrent\CS.torrent
g:\documents and settings\astra\Application Data\uTorrent\dht.dat
g:\documents and settings\astra\Application Data\uTorrent\dht.dat.old
g:\documents and settings\astra\Application Data\uTorrent\EqBrSer.torrent
g:\documents and settings\astra\Application Data\uTorrent\MemLe.torrent
g:\documents and settings\astra\Application Data\uTorrent\minthrea.filepress.net.torrent
g:\documents and settings\astra\Application Data\uTorrent\Of03.torrent
g:\documents and settings\astra\Application Data\uTorrent\resume.dat
g:\documents and settings\astra\Application Data\uTorrent\resume.dat.1.bad
g:\documents and settings\astra\Application Data\uTorrent\resume.dat.old
g:\documents and settings\astra\Application Data\uTorrent\rss.dat
g:\documents and settings\astra\Application Data\uTorrent\rss.dat.old
g:\documents and settings\astra\Application Data\uTorrent\settings.dat
g:\documents and settings\astra\Application Data\uTorrent\settings.dat.old
g:\documents and settings\astra\Application Data\uTorrent\utorrent.lng

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LQIHFPK
-------\Legacy_NK
-------\Legacy_NNFQO
-------\Legacy_PEN
-------\Legacy_YYWDKYIS
-------\Service_LQIHFPK
-------\Service_NK
-------\Service_NNFQO
-------\Service_PEN
-------\Service_YYWDKYIS


((((((((((((((((((((((((( Files Created from 2010-05-21 to 2010-06-21 )))))))))))))))))))))))))))))))
.

2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 17:17 . 2010-06-20 17:17 24576 ----a-w- g:\documents and settings\astra\Application Data\KeePass\PluginCache\kYNALEaVfUqyIF5K_2.1.0.28189\fdNx0kpe.dll
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- g:\documents and settings\astra\Application Data\KeePass
2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\astra\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- g:\documents and settings\astra\Application Data\ComodoGroup
2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 19:09 . 2010-06-11 19:09 53632 ----a-w- g:\documents and settings\astra\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\Search Settings
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\astra\Application Data\Zeon
2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-06 13:10 . 2010-06-06 13:11 -------- d-----w- g:\documents and settings\astra\Application Data\dvdcss
2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
2010-05-31 13:45 . 2010-05-31 13:45 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcp71.dll
2010-05-31 13:45 . 2010-05-31 13:45 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\jmc.dll
2010-05-31 13:45 . 2010-05-31 13:45 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcr71.dll
2010-05-31 13:45 . 2010-05-31 13:45 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-sse.dll
2010-05-31 13:45 . 2010-05-31 13:45 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 14:36 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
2010-06-21 14:36 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
2010-06-21 14:21 . 2009-07-17 21:19 -------- d-----w- g:\documents and settings\astra\Application Data\TeraCopy
2010-06-21 14:10 . 2009-11-14 09:54 -------- d-----w- g:\program files\DAEMON Tools Toolbar
2010-06-21 13:22 . 2004-09-07 12:00 686378 ----a-w- g:\windows\system32\perfh008.dat
2010-06-21 13:22 . 2004-09-07 12:00 145684 ----a-w- g:\windows\system32\perfc008.dat
2010-06-21 07:32 . 2008-11-02 18:45 -------- d-----w- g:\documents and settings\astra\Application Data\VMware
2010-06-17 06:33 . 2009-07-28 20:10 1 ----a-w- g:\documents and settings\astra\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-14 21:12 . 2010-01-11 11:51 -------- d-----w- g:\documents and settings\astra\Application Data\Media Player Classic
2010-06-13 10:07 . 2009-07-21 17:30 -------- d-----w- g:\program files\Startup Manager
2010-06-12 20:19 . 2010-04-03 12:04 -------- d-----w- g:\documents and settings\astra\Application Data\gtk-2.0
2010-06-12 17:37 . 2008-10-27 23:20 117496 ----a-w- g:\documents and settings\astra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-12 17:03 . 2009-07-28 20:08 -------- d-----w- g:\program files\OpenOffice.org 3
2010-06-12 14:44 . 2009-01-01 20:19 -------- d-----w- g:\documents and settings\All Users\Application Data\Apple Computer
2010-06-12 13:51 . 2009-04-24 22:53 -------- d-----w- g:\documents and settings\astra\Application Data\Audacity
2010-06-12 13:42 . 2010-04-10 21:20 -------- d-----w- g:\documents and settings\astra\Application Data\foobar2000
2010-06-12 07:20 . 2008-10-28 09:03 -------- d-----w- g:\program files\COMODO
2010-06-11 19:09 . 2010-02-26 17:51 -------- d-----w- g:\program files\XnView
2010-06-11 19:09 . 2009-11-19 18:07 -------- d-----w- g:\program files\Common Files\Adobe AIR
2010-06-11 16:34 . 2008-10-28 09:48 -------- d-----w- g:\program files\Mozilla Thunderbird
2010-06-11 05:19 . 2009-08-07 15:46 -------- d-----w- g:\program files\FreeMind
2010-06-10 22:11 . 2010-04-14 19:27 -------- d-----w- g:\program files\Microsoft.NET
2010-06-10 14:56 . 2010-01-17 16:07 -------- d-----w- g:\documents and settings\astra\Application Data\vlc
2010-06-08 21:44 . 2010-01-11 17:25 -------- d-----w- g:\program files\Calendar
2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
2010-06-06 15:29 . 2009-11-30 09:52 -------- d-----w- g:\program files\Foxit Software
2010-06-06 15:27 . 2010-03-13 08:42 -------- d-----w- g:\documents and settings\astra\Application Data\Nuance
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\documents and settings\astra\Application Data\Notepad++
2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
2010-05-13 17:47 . 2008-10-27 22:10 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 10:09 . 2010-05-02 10:09 -------- d-----w- g:\documents and settings\astra\Application Data\adma
2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
2010-04-01 03:46 . 2010-04-01 03:46 65536 ----a-r- g:\documents and settings\astra\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-03-31 12:10 . 2010-03-31 12:10 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcp71.dll
2010-03-31 12:10 . 2010-03-31 12:10 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\jmc.dll
2010-03-31 12:10 . 2010-03-31 12:10 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcr71.dll
2010-03-31 12:10 . 2010-03-31 12:10 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-sse.dll
2010-03-31 12:10 . 2010-03-31 12:10 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-d3d.dll
2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
.

------- Sigcheck -------

[-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-06-20_17.00.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-21 14:21 . 2010-06-21 14:21 16384 g:\windows\temp\Perflib_Perfdata_eb8.dat
+ 2010-06-21 14:36 . 2010-06-21 14:36 16384 g:\windows\temp\Perflib_Perfdata_1f4.dat
+ 2004-09-07 12:00 . 2010-06-21 13:22 557084 g:\windows\system32\perfh009.dat
+ 2004-09-07 12:00 . 2010-06-21 13:22 110744 g:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
"TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
"MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="G:\Yellow flower.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pgdfgsvc G 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
backup=g:\windows\pss\MagicDisc.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-11-02 10:53 18782720 ----a-w- g:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"wfxsvc"=2 (0x2)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
S1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
S2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]

.
Contents of the 'Scheduled Tasks' folder

2010-06-21 g:\windows\Tasks\COMODO System Cleaner Update.job
- g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

2010-06-20 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-21 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-21 g:\windows\Tasks\MP Scheduled Scan.job
- g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - g:\documents and settings\astra\Application Data\Mozilla\Firefox\Profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-21 17:36
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 10\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="E5-E280-E46F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games\\aris.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00009b7a
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000062
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"Currency"=dword:0000001c
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-930\\db\\930\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000000
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"GraphStep"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ΐ•€|ω•9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"VIDC.FFDS"="ff_vfw.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)
g:\windows\system32\guard32.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1640)
g:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3820)
g:\windows\system32\guard32.dll
g:\windows\system32\webcheck.dll
g:\windows\system32\WPDShServiceObj.dll
g:\windows\system32\PortableDeviceTypes.dll
g:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
g:\program files\COMODO\COMODO Internet Security\cmdagent.exe
g:\program files\Microsoft Security Essentials\MsMpEng.exe
g:\windows\system32\acs.exe
g:\program files\CDBurnerXP\NMSAccessU.exe
g:\windows\system32\vmnat.exe
g:\windows\system32\vmnetdhcp.exe
g:\program files\VMware\VMware Workstation\vmware-authd.exe
g:\windows\system32\rundll32.exe
g:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-06-21 17:40:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-21 14:40
ComboFix2.txt 2010-06-20 17:02
ComboFix3.txt 2010-06-17 05:16

Pre-Run: 14 Dir(s) 434.524.835.840 bytes free
Post-Run: 15 Dir(s) 434.452.185.088 bytes free

- - End Of File - - 9B4751F65CFE88233D7ACCC20C3C6F3F

PUHLuR
2010-06-22, 04:05
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, June 21, 2010 11:37:48
Records in database: 4304883
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
D:\
F:\
G:\

Scan statistics:
Objects scanned: 297300
Threats found: 13
Infected objects found: 19
Suspicious objects found: 0
Scan duration: 08:19:01


File name / Threat / Threats count
D:\Downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Crack\BG3130_CRK.exe Infected: Packed.Win32.PePatch.fa 1
D:\Downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG.rar Infected: Packed.Win32.PePatch.fa 1
D:\Downloads\Cabelnut\cmtu10017.zip Infected: Trojan.Win32.Pasta.jjb 1
D:\Downloads\Daemon Tools\DAEMON Tools [x86] [x64]\DAEMON Tools v4.09.1 X64\daemon4091-x64.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
D:\Downloads\Daemon Tools\DAEMON Tools [x86] [x64]\DAEMON Tools v4.09.1 X86\daemon4091-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
D:\Downloads\ISO PACKAGE\daemon4091-x86.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
D:\Downloads\Jocuri\Mystery PI - The Lottery Ticket\MysteryPITheLotteryTicketSetup.exe Infected: Trojan-Downloader.Win32.Agent.bgdf 1
D:\Downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
D:\Downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\mirc63.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 1
D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1
D:\Downloads\RegCure 1.3 + Crack\RegCure 1.3 + Crack.zip Infected: Email-Worm.Win32.Doombot.x 1
D:\Downloads\Thinstall\Thinstall 3.104\LANDesk Application Virtualization 3104.msi Infected: Backdoor.Win32.IRCBot.lxr 1
D:\Downloads\Total Commander\TC UP - Total Commander Ultima Prime v3.0\tcup.exe Infected: not-a-virus:PSWTool.Win32.Delf.f 1
D:\Downloads\Total Commander\TC UP - Total Commander Ultima Prime v3.0\tcup.exe Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 2
G:\Documents and Settings\astra\Επιφάνεια εργασίας\stick\slackware12\Programs\Programs\Slackw\vnc\tightvnc-1.3.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
G:\Documents and Settings\astra\Επιφάνεια εργασίας\stick\slackware12\Programs\Programs\Slackw\vnc\tightvnc-1.3.9_unixsrc.tar.bz2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.f 1
G:\Documents and Settings\astra\Τα έγγραφά μου\Φάκελος\produkey.zip Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1
G:\produkey.zip Infected: not-a-virus:PSWTool.Win32.ProductKey.aj 1

Selected area has been scanned.

PUHLuR
2010-06-22, 04:10
DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 5:05:59,65 on Tue 22/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [Google Update] "g:\documents and settings\astra\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-06-21 09:56:50 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42:05 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42:04 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 18:42:04 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 17:17:38 0 d-----w- g:\docume~1\astra\applic~1\KeePass
2010-06-20 16:54:18 98816 ----a-w- g:\windows\sed.exe
2010-06-20 16:54:18 77312 ----a-w- g:\windows\MBR.exe
2010-06-20 16:54:18 256512 ----a-w- g:\windows\PEV.exe
2010-06-20 16:54:18 161792 ----a-w- g:\windows\SWREG.exe
2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
2010-06-17 05:05:28 0 d-sha-r- G:\cmdcons
2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-06-21 13:22:21 686378 ----a-w- g:\windows\system32\perfh008.dat
2010-06-21 13:22:21 145684 ----a-w- g:\windows\system32\perfc008.dat
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

============= FINISH: 5:06:10,34 ===============

PUHLuR
2010-06-22, 04:13
and the attack log

Blade81
2010-06-22, 10:18
Hi,

Open Notepad and then copy and paste the bolded lines below into it. Go to File > Save As, name the file fixes.bat, change the "Save as type" to All Files and save it to your desktop.
@ECHO OFF
REM Write the ACL of svchost.exe to Log.txt in the current directory
CACLS g:\windows\system32\svchost.exe >Log.txt
REM Open Log.txt in the default .txt handler (Notepad)
START Log.txt
REM Delete this batch file once it has run
DEL %0

Double-click on the fixes.bat file to execute it. Notepad should open up. Post back its contents, please.

PUHLuR
2010-06-22, 18:38
Hi, here are the contents of fixes.bat:

g:\windows\system32\svchost.exe BUILTIN\Users:R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
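
As an added example (not part of the thread, and not Blade81's or PUHLuR's code), the following Python script encodes the check that the fixes.bat output supports: it parses what `CACLS <file>` prints for a single file and compares the ACEs against an expected baseline, reporting DENY entries, missing or unexpected trustees, and changed rights. The baseline used here is the ACL PUHLuR posted for svchost.exe (Users:R, Power Users:R, Administrators:F, SYSTEM:F), which Blade81 did not flag; treating it as the stock Windows XP SP3 ACL is an assumption and other Windows versions or localized builds differ. The clean sample is the output posted above; the tampered sample, including the Everyone deny entry and the READ_CONTROL continuation line, is constructed for illustration.

```python
"""Audit CACLS output for a single file against an expected ACL baseline.

Added example: parses the text that `CACLS <file>` prints (the first ACE on
the same line as the path, one ACE per following line, "special access"
rights listed on bare continuation lines) and reports deny entries, missing
or unexpected trustees and changed rights.
"""
import re

# Baseline (assumption): the ACL returned for svchost.exe on this XP SP3 box.
EXPECTED_XP_SVCHOST = {
    r"BUILTIN\Users": "R",
    r"BUILTIN\Power Users": "R",
    r"BUILTIN\Administrators": "F",
    r"NT AUTHORITY\SYSTEM": "F",
}

# Sample 1: the output posted in the thread (clean).
SAMPLE_CLEAN = r"""g:\windows\system32\svchost.exe BUILTIN\Users:R
                                 BUILTIN\Power Users:R
                                 BUILTIN\Administrators:F
                                 NT AUTHORITY\SYSTEM:F
"""

# Sample 2: constructed for illustration. A deny ACE for Everyone with
# "special access" rights, and SYSTEM and Power Users removed.
SAMPLE_TAMPERED = r"""c:\windows\system32\svchost.exe Everyone:(DENY)(special access:)
                                 READ_CONTROL
                                 BUILTIN\Users:R
                                 BUILTIN\Administrators:F
"""

# trustee:(flag)(flag)...rights, e.g. "BUILTIN\Users:(OI)(CI)R" or
# "Everyone:(DENY)(special access:)"; rights is N, R, W, C, F or empty.
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<flags>(?:\([^)]*\))*)(?P<rights>[NRWCF]?)$")


def parse_cacls(text, path):
    """Return a list of ACE dicts parsed from CACLS output for `path`."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].lower().startswith(path.lower()):
        raise ValueError("output does not start with the queried path")
    lines[0] = lines[0][len(path):].strip()   # drop the path, keep the first ACE
    entries = []
    for ln in lines:
        m = ACE_RE.match(ln)
        if m is None:
            # Bare right names (READ_CONTROL, ...) belong to the preceding
            # "special access" ACE.
            if not entries:
                raise ValueError("unparseable line: %r" % ln)
            entries[-1]["special"].append(ln)
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        entries.append({
            "trustee": m.group("trustee"),
            "rights": m.group("rights"),   # "" when rights are listed as special access
            "deny": "DENY" in flags,
            "inherit": [f for f in flags if f in ("OI", "CI", "IO", "NP")],
            "special": [],
        })
    return entries


def audit_acl(entries, expected):
    """Compare parsed ACEs with `expected` {trustee: rights}; return findings."""
    findings = []
    seen = {}
    for e in entries:
        shown = e["rights"] or "special:" + ",".join(e["special"])
        if e["deny"]:
            # A deny ACE on a system binary deserves a look: it is one way to
            # keep scanners and repair tools away from a replaced file.
            findings.append("deny ACE for %s (%s)" % (e["trustee"], shown))
            continue
        seen[e["trustee"]] = shown
    for trustee, rights in expected.items():
        if trustee not in seen:
            findings.append("missing expected ACE %s:%s" % (trustee, rights))
        elif seen[trustee] != rights:
            findings.append("rights changed for %s: expected %s, found %s"
                            % (trustee, rights, seen[trustee]))
    for trustee, rights in seen.items():
        if trustee not in expected:
            findings.append("unexpected trustee %s:%s" % (trustee, rights))
    return findings


if __name__ == "__main__":
    for label, sample, path in (
        ("clean", SAMPLE_CLEAN, r"g:\windows\system32\svchost.exe"),
        ("tampered", SAMPLE_TAMPERED, r"c:\windows\system32\svchost.exe"),
    ):
        problems = audit_acl(parse_cacls(sample, path), EXPECTED_XP_SVCHOST)
        print("%s: %s" % (label, "OK" if not problems else "; ".join(problems)))
```

The script takes the queried path as an argument rather than guessing where the path ends, because both paths and trustee names can contain spaces. To use it on a live box, feed it the Log.txt that fixes.bat produced and adjust the baseline to the ACL a known-good copy of the same Windows version shows.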

Blade81
2010-06-22, 19:17
Does that svchost.exe error still appear? If it does please try to get the exact error message here.

PUHLuR
2010-06-22, 19:30
The svchost.exe error still appears.
Here is the message:

svchost.exe - Application Error

The instruction at "0x79bf4373" referenced memory at "0x79bf4373". The memory could not be "written".

Click OK to terminate the program
Click CANCEL to debug the program

This message also appears when I am trying to install programs with the suffix .msi.
And after pressing OK or Cancel, a message appears saying that I am not allowed to use the Windows Installer service.

PUHLuR
2010-06-22, 19:37
The svchost.exe error still appears.
Here is the message:

svchost.exe - Application Error

The instruction at "0x79bf4373" referenced memory at "0x79bf4373". The memory could not be "written".

Click OK to terminate the program
Click CANCEL to debug the program

This message also appears when I am trying to install programs with the suffix .msi.
And after pressing OK or Cancel, a message appears saying that I am not allowed to use the Windows Installer service.

The same message also appears when I am trying to open the system's default browser.
After pressing OK or Cancel, a message appears saying that Chrome ended unexpectedly.

Also, the Windows sound icon does not appear in the system tray.

Blade81
2010-06-22, 20:08
Open Notepad and copy/paste the text in the quotebox below into it:

File::
D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1
Folder::
D:\Downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
D:\Downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
D:\Downloads\RegCure 1.3 + Crack
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log + fresh dds.txt log.

PUHLuR
2010-06-23, 07:34
Hi, here is the ComboFix log.

ComboFix 10-06-19.04 - astra 23/06/2010 8:18.6.4 - x86
Running from: g:\documents and settings\astra\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: g:\documents and settings\astra\Επιφάνεια εργασίας\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point

FILE ::
"d:\downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe Infected: Trojan.Win32.Inject.arpx 1"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\heritage.nfo
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\file_id.diz
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HERiTAGE.nfo
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG.rar
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Crack\BG3130_CRK.exe
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\htgad630\HTG\Setup.exe
d:\downloads\BayGenie.eBay.Auction.Sniper.Pro.Edition.v3.1.3.0-HERiTAGE\README.txt
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mIRC 6.3 [keygen].exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\mirc.exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM.REG
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\MIRCREGMKDEVTEAM2.REG
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Crack\README.txt
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\mirc63.exe
d:\downloads\mIRC\mIRC v6.3 [Keygen and Crack Included]\Torrent_downloaded_from_Demonoid.com.txt
d:\downloads\RegCure 1.3 + Crack
d:\downloads\RegCure 1.3 + Crack\RegCure 1.3 + Crack.zip
d:\downloads\RegCure 1.3 + Crack\Torrent downloaded from Demonoid.com.txt

.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 17:17 . 2010-06-20 17:17 24576 ----a-w- g:\documents and settings\astra\Application Data\KeePass\PluginCache\kYNALEaVfUqyIF5K_2.1.0.28189\fdNx0kpe.dll
2010-06-20 17:17 . 2010-06-20 17:17 -------- d-----w- g:\documents and settings\astra\Application Data\KeePass
2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\astra\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
2010-06-12 07:11 . 2010-06-12 07:11 -------- d-----w- g:\documents and settings\astra\Application Data\ComodoGroup
2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 19:09 . 2010-06-11 19:09 53632 ----a-w- g:\documents and settings\astra\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53 . 2010-06-06 15:53 -------- d-----w- g:\documents and settings\astra\Application Data\Search Settings
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\astra\Application Data\Zeon
2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-06 13:10 . 2010-06-06 13:11 -------- d-----w- g:\documents and settings\astra\Application Data\dvdcss
2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys
2010-05-31 13:45 . 2010-05-31 13:45 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcp71.dll
2010-05-31 13:45 . 2010-05-31 13:45 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\jmc.dll
2010-05-31 13:45 . 2010-05-31 13:45 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-358678da-n\msvcr71.dll
2010-05-31 13:45 . 2010-05-31 13:45 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-sse.dll
2010-05-31 13:45 . 2010-05-31 13:45 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-644afa58-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 05:15 . 2009-07-17 21:19 -------- d-----w- g:\documents and settings\astra\Application Data\TeraCopy
2010-06-23 05:10 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
2010-06-23 05:09 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
2010-06-22 08:18 . 2010-01-11 11:51 -------- d-----w- g:\documents and settings\astra\Application Data\Media Player Classic
2010-06-22 06:51 . 2008-11-02 18:45 -------- d-----w- g:\documents and settings\astra\Application Data\VMware
2010-06-22 06:46 . 2004-09-07 12:00 687116 ----a-w- g:\windows\system32\perfh008.dat
2010-06-22 06:46 . 2004-09-07 12:00 146018 ----a-w- g:\windows\system32\perfc008.dat
2010-06-21 14:10 . 2009-11-14 09:54 -------- d-----w- g:\program files\DAEMON Tools Toolbar
2010-06-17 06:33 . 2009-07-28 20:10 1 ----a-w- g:\documents and settings\astra\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-13 10:07 . 2009-07-21 17:30 -------- d-----w- g:\program files\Startup Manager
2010-06-12 20:19 . 2010-04-03 12:04 -------- d-----w- g:\documents and settings\astra\Application Data\gtk-2.0
2010-06-12 17:37 . 2008-10-27 23:20 117496 ----a-w- g:\documents and settings\astra\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-12 17:03 . 2009-07-28 20:08 -------- d-----w- g:\program files\OpenOffice.org 3
2010-06-12 14:44 . 2009-01-01 20:19 -------- d-----w- g:\documents and settings\All Users\Application Data\Apple Computer
2010-06-12 13:51 . 2009-04-24 22:53 -------- d-----w- g:\documents and settings\astra\Application Data\Audacity
2010-06-12 13:42 . 2010-04-10 21:20 -------- d-----w- g:\documents and settings\astra\Application Data\foobar2000
2010-06-12 07:20 . 2008-10-28 09:03 -------- d-----w- g:\program files\COMODO
2010-06-11 19:09 . 2010-02-26 17:51 -------- d-----w- g:\program files\XnView
2010-06-11 19:09 . 2009-11-19 18:07 -------- d-----w- g:\program files\Common Files\Adobe AIR
2010-06-11 16:34 . 2008-10-28 09:48 -------- d-----w- g:\program files\Mozilla Thunderbird
2010-06-11 05:19 . 2009-08-07 15:46 -------- d-----w- g:\program files\FreeMind
2010-06-10 22:11 . 2010-04-14 19:27 -------- d-----w- g:\program files\Microsoft.NET
2010-06-10 14:56 . 2010-01-17 16:07 -------- d-----w- g:\documents and settings\astra\Application Data\vlc
2010-06-08 21:44 . 2010-01-11 17:25 -------- d-----w- g:\program files\Calendar
2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
2010-06-06 15:29 . 2009-11-30 09:52 -------- d-----w- g:\program files\Foxit Software
2010-06-06 15:27 . 2010-03-13 08:42 -------- d-----w- g:\documents and settings\astra\Application Data\Nuance
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\documents and settings\astra\Application Data\Notepad++
2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
2010-05-13 17:47 . 2008-10-27 22:10 -------- d--h--w- g:\program files\InstallShield Installation Information
2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 10:09 . 2010-05-02 10:09 -------- d-----w- g:\documents and settings\astra\Application Data\adma
2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
2010-04-01 03:46 . 2010-04-01 03:46 65536 ----a-r- g:\documents and settings\astra\Application Data\Microsoft\Installer\{CDEBE7FF-C832-4B91-9214-A4CA610D78C9}\ARPPRODUCTICON.exe
2010-03-31 12:10 . 2010-03-31 12:10 503808 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcp71.dll
2010-03-31 12:10 . 2010-03-31 12:10 499712 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\jmc.dll
2010-03-31 12:10 . 2010-03-31 12:10 348160 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-615666f2-n\msvcr71.dll
2010-03-31 12:10 . 2010-03-31 12:10 61440 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-sse.dll
2010-03-31 12:10 . 2010-03-31 12:10 12800 ----a-w- g:\documents and settings\astra\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2a04ec09-n\decora-d3d.dll
2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
.

------- Sigcheck -------

[-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-06-20_17.00.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-23 05:10 . 2010-06-23 05:10 16384 g:\windows\temp\Perflib_Perfdata_840.dat
+ 2004-09-07 12:00 . 2010-06-22 06:46 557528 g:\windows\system32\perfh009.dat
+ 2004-09-07 12:00 . 2010-06-22 06:46 110996 g:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
"TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
"MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" [2009-11-02 18782720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="G:\Yellow flower.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pgdfgsvc G 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
backup=g:\windows\pss\MagicDisc.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-11-02 10:53 18782720 ----a-w- g:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"wfxsvc"=2 (0x2)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
S1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
S2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]

.
Contents of the 'Scheduled Tasks' folder

2010-06-21 g:\windows\Tasks\COMODO System Cleaner Update.job
- g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

2010-06-21 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-22 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-23 g:\windows\Tasks\MP Scheduled Scan.job
- g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - g:\documents and settings\astra\Application Data\Mozilla\Firefox\Profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 08:23
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 10\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2010\\data\\db\\1000\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="E5-E280-E46F"
"Currency"=dword:00000056
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009]
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"=""
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-910\\db\\910\\lang_db.dat"
"LastSaveGame"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games\\aris.fm"
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00009b7a
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000062
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-1078081533-261903793-839522115-1003\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"Currency"=dword:0000001c
"GameDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009"
"SaveDir"="g:\\Documents and Settings\\astra\\Τα έγγραφά μου\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="g:\\Documents and Settings\\astra\\Επιφάνεια εργασίας\\FM Genie Scout 2009 XE\\History Points"
"LangDB"="g:\\Program Files\\Sports Interactive\\Football Manager 2009\\data\\updates\\update-930\\db\\930\\lang_db.dat"
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000001
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000000
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="E5-E280-EF1F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"GraphStep"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ΐ•€|ω•9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"VIDC.FFDS"="ff_vfw.dll"
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1420)
g:\windows\system32\guard32.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1636)
g:\windows\system32\guard32.dll
.
Completion time: 2010-06-23 08:25:08
ComboFix-quarantined-files.txt 2010-06-23 05:25
ComboFix2.txt 2010-06-21 16:21
ComboFix3.txt 2010-06-20 17:02
ComboFix4.txt 2010-06-17 05:16

Pre-Run: 14 Κατάλογοι 434.524.155.904 διαθέσιμα byte
Post-Run: 15 Κατάλογοι 434.612.260.864 διαθέσιμα byte

- - End Of File - - 1F526047E699DFD0CF097F9D6BACF055

PUHLuR
2010-06-23, 07:36
Here is the new DDS log


DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 8:29:03,37 on Τετ 23/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-06-21 09:56:50 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42:05 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42:04 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 18:42:04 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 17:17:38 0 d-----w- g:\docume~1\astra\applic~1\KeePass
2010-06-20 16:54:18 98816 ----a-w- g:\windows\sed.exe
2010-06-20 16:54:18 77312 ----a-w- g:\windows\MBR.exe
2010-06-20 16:54:18 256512 ----a-w- g:\windows\PEV.exe
2010-06-20 16:54:18 161792 ----a-w- g:\windows\SWREG.exe
2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
2010-06-17 05:05:28 0 d-sha-r- G:\cmdcons
2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-06-22 06:46:44 687116 ----a-w- g:\windows\system32\perfh008.dat
2010-06-22 06:46:44 146018 ----a-w- g:\windows\system32\perfc008.dat
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

============= FINISH: 8:29:20,21 ===============

Blade81
2010-06-23, 10:10
Hi,

Download a fresh ComboFix copy.

Create a new cfscript with these contents and run ComboFix with it in safe mode:

File::
D:\Downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]

PUHLuR
2010-06-23, 23:38
Hi,
here is the ComboFix log that ran in safe mode.

ComboFix 10-06-23.01 - Administrator 23/06/2010 22:55:15.8.4 - x86 MINIMAL
Running from: g:\documents and settings\Administrator\Επιφάνεια εργασίας\ComboFix.exe
Command switches used :: g:\documents and settings\Administrator\Επιφάνεια εργασίας\Cfscript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Created a new restore point

FILE ::
"d:\downloads\Pack Indigorose 10in1 (AIO)\Pack Indigorose.exe"
.

((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-23 19:33 . 2010-06-23 19:33 -------- d-----w- g:\documents and settings\Administrator\Application Data\Notepad++
2010-06-23 18:33 . 2010-05-24 17:13 51232 ----a-w- g:\windows\system32\RHCoInstXP.dll
2010-06-23 18:33 . 2010-05-24 17:13 1489440 ----a-w- g:\windows\RtaUpd.exe
2010-06-23 18:33 . 2010-05-24 17:09 4003008 ----a-w- g:\windows\system32\drivers\RtKHDMI.sys
2010-06-23 08:36 . 2010-06-23 08:36 -------- d-----w- g:\documents and settings\astra\????????? ????????
2010-06-21 09:56 . 2010-06-21 09:56 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42 . 2010-04-29 12:39 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42 . 2010-06-20 18:42 -------- d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 18:42 . 2010-04-29 12:39 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-17 07:36 . 2010-06-19 06:28 -------- d-----w- g:\program files\Safer Networking
2010-06-17 05:29 . 2010-06-17 05:29 -------- d-----w- g:\documents and settings\Administrator\Application Data\Mp3tag
2010-06-16 19:33 . 2010-06-16 19:36 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-14 20:12 . 2010-06-14 20:12 -------- d-----r- g:\documents and settings\LocalService\Τα έγγραφά μου
2010-06-13 21:05 . 2010-06-13 21:05 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27 . 2010-06-13 21:10 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27 . 2010-06-13 21:05 -------- d-----w- g:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 18:32 . 2010-06-13 18:32 -------- d-----w- g:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-13 18:08 . 2010-06-13 18:08 -------- d-----w- g:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-13 17:25 . 2010-06-13 17:31 -------- d-----w- g:\program files\Windows Live Safety Center
2010-06-12 17:04 . 2010-06-12 17:04 -------- d-----w- g:\program files\JRE
2010-06-12 14:45 . 2010-06-12 14:45 -------- d-----w- g:\program files\iPod
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\program files\iTunes
2010-06-12 14:44 . 2010-06-12 14:45 -------- d-----w- g:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05 . 2010-06-12 14:05 -------- d-----w- g:\program files\Phyxion.net
2010-06-12 07:34 . 2010-06-13 13:18 -------- d-----w- g:\program files\PeerBlock
2010-06-12 07:23 . 2010-06-12 07:24 -------- d-----w- g:\documents and settings\All Users\Application Data\COMODO
2010-06-12 06:39 . 2010-06-12 07:20 -------- d-----w- g:\documents and settings\All Users\Application Data\Comodo Downloader
2010-06-12 06:14 . 2010-06-12 06:14 -------- d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33 . 2010-06-11 11:33 -------- d-----w- g:\program files\zabkat
2010-06-11 08:28 . 2010-06-11 09:08 -------- d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11 . 2010-06-10 22:11 -------- d-----w- g:\windows\SHELLNEW
2010-06-08 20:48 . 2010-06-02 01:55 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48 . 2010-06-02 01:55 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48 . 2010-06-02 01:55 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48 . 2010-05-26 08:41 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48 . 2010-05-26 08:41 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48 . 2010-02-04 07:01 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48 . 2010-02-04 07:01 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48 . 2010-02-04 07:01 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47 . 2010-05-06 10:33 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:26 . 2010-06-06 15:27 -------- d-----w- g:\documents and settings\All Users\Application Data\Nuance
2010-06-06 15:26 . 2010-06-06 15:26 -------- d-----w- g:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-04 08:55 . 2010-06-04 08:55 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42 . 2010-06-04 07:42 -------- d-----w- g:\program files\Common Files\ABBYY
2010-06-04 07:40 . 2010-06-04 07:45 -------- d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00 . 2010-06-01 16:00 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00 . 2010-06-01 16:00 87824 ----a-w- g:\windows\system32\drivers\inspect.sys
2010-06-01 16:00 . 2010-06-01 16:00 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00 . 2010-06-01 16:00 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 19:27 . 2004-09-07 12:00 690068 ----a-w- g:\windows\system32\perfh008.dat
2010-06-23 19:27 . 2004-09-07 12:00 147354 ----a-w- g:\windows\system32\perfc008.dat
2010-06-23 19:19 . 2008-11-02 18:40 -------- d-----w- g:\documents and settings\All Users\Application Data\VMware
2010-06-23 19:19 . 2008-11-02 18:41 -------- d-----w- g:\documents and settings\LocalService\Application Data\VMware
2010-06-06 15:32 . 2008-10-28 21:08 -------- d-----w- g:\program files\Common Files\Adobe
2010-06-05 12:56 . 2010-01-02 22:16 -------- d-----w- g:\program files\Notepad++
2010-06-04 11:16 . 2010-02-02 12:29 -------- d-----w- g:\program files\Microsoft Silverlight
2010-06-04 07:48 . 2010-04-10 16:28 -------- d-----w- g:\documents and settings\All Users\Application Data\ABBYY
2010-06-04 06:13 . 2010-05-14 05:41 -------- d-----w- g:\program files\adma
2010-06-01 22:04 . 2008-10-28 07:55 -------- d-----w- g:\program files\CCleaner
2010-05-22 20:01 . 2009-12-06 22:05 256 ----a-w- g:\windows\system32\pool.bin
2010-05-22 19:09 . 2009-07-27 04:41 -------- d-----w- g:\program files\Emerge Desktop
2010-05-21 11:14 . 2009-10-02 06:41 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-17 08:31 . 2009-02-15 16:18 -------- d-----w- g:\program files\FMY
2010-05-16 07:18 . 2010-05-16 07:19 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03 . 2009-01-09 17:51 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-13 17:48 . 2010-04-25 20:31 -------- d-----w- g:\program files\TP-LINK
2010-05-06 10:33 . 2004-09-07 12:00 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07 . 2004-09-07 12:00 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-28 15:45 . 2010-06-23 18:34 1251872 ----a-w- g:\windows\RtlExUpd.dll
2010-04-25 21:00 . 2010-04-25 20:27 -------- d-----w- g:\documents and settings\All Users\Application Data\TP-LINK
2010-04-25 20:31 . 2010-04-25 20:31 -------- d-----w- g:\documents and settings\All Users\Application Data\Atheros
2010-04-20 05:30 . 2004-09-07 12:00 285696 ----a-w- g:\windows\system32\atmfd.dll
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\UC.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\RAR.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\PKUNZIP.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\NOCLOSE.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\LHA.PIF
2010-04-07 04:55 . 2010-04-10 22:19 545 ----a-w- g:\windows\ARJ.PIF
2008-10-28 20:30 . 2008-10-28 20:30 23 --sha-w- g:\windows\system32\bdcca4_d.dll
.

------- Sigcheck -------

[-] 2009-08-11 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . g:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . g:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . g:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . g:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . g:\windows\ServicePackFiles\i386\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vmware-tray"="g:\program files\VMware\VMware Workstation\vmware-tray.exe" [2010-01-22 129584]
"TWCU"="g:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2010-02-04 561263]
"MSSE"="g:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"COMODO Internet Security"="g:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-06-01 2039240]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"RTHDCPL"="RTHDCPL.EXE" [2010-06-08 19552872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="g:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="g:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-03 435096]

g:\documents and settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\
Rainmeter.lnk - g:\program files\Rainmeter\Rainmeter.exe [2010-2-28 119296]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "g:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="G:\Yellow flower.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=g:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ pgdfgsvc G 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^MagicDisc.lnk]
backup=g:\windows\pss\MagicDisc.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\MagicDisc.lnk

[HKLM\~\startupfolder\G:^Documents and Settings^astra^Start Menu^Προγράμματα^Εκκίνηση^OpenOffice.org 3.1.lnk]
backup=g:\windows\pss\OpenOffice.org 3.1.lnkStartup
path=g:\documents and settings\astra\Start Menu\Προγράμματα\Εκκίνηση\OpenOffice.org 3.1.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- g:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- g:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-10-30 11:57 369200 ----a-w- g:\program files\DAEMON Tools Lite\DTLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-12 12:53 133104 ----atw- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPUsageTracking]
2007-11-02 12:52 36864 ----a-w- g:\program files\HP\HP UT\bin\hppusg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 16:30 1695232 ------w- g:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-06-08 14:16 19552872 ----a-w- g:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"Autodesk Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.10.0"=2 (0x2)
"iPod Service"=3 (0x3)
"ABBYY.Licensing.FineReader.Professional.9.0"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"wfxsvc"=2 (0x2)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"d:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"g:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 CFRMD;CFRMD;g:\windows\System32\drivers\CFRMD.sys [x]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;g:\windows\system32\DRIVERS\cmdguard.sys [2010-06-04 229312]
R1 cmdHlp;COMODO Internet Security Helper Driver;g:\windows\system32\DRIVERS\cmdhlp.sys [2010-06-01 25240]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;g:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 vmci;VMware vmci;g:\windows\system32\Drivers\vmci.sys [2010-01-22 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;g:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2010-01-22 563760]
R3 Ambfilt;Ambfilt;g:\windows\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
R3 aswArKrn;aswArKrn;g:\docume~1\ADMINI~1\LOCALS~1\Temp\aswArKrn.sys [x]
R3 CheckFSD;Antiy Labs FSD Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\CheckFSD.sys [2008-04-09 8728]
R3 CheckSSDT;Antiy Labs SSDT Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\SSDT.sys [2008-04-09 8856]
R3 CMC AntiRootkit Service;CMC AntiRootkit Servic;g:\windows\system32\drivers\cmcantirootkit.sys [x]
R3 DarkSpy;DarkSpy;g:\windows\system32\DarkSpyKernel.sys [2010-06-21 132096]
R3 HookMsg;Antiy Labs MsgHook Service;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\ABaseDrv.sys [2008-04-09 8472]
R3 IRPFile;Antiy Labs IRP FILE;g:\documents and settings\astra\Επιφάνεια εργασίας\αντιροοτκιτ\atool\IrpFile.sys [2008-07-25 11848]
R3 pbfilter;pbfilter;g:\program files\PeerBlock\pbfilter.sys [2010-06-09 18544]
R3 rk_remover-boot;rk_remover-boot;g:\windows\system32\drivers\rk_remover.sys [2010-06-16 52736]
R3 SunkFilt62;Alcor Micro Corp - 6362;g:\windows\System32\Drivers\sunkfilt62.sys [2004-07-23 46536]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;g:\windows\system32\DRIVERS\VBoxNetAdp.sys [2009-11-30 100048]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;g:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;g:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [2007-12-06 660768]
R4 sptd;sptd;g:\windows\system32\Drivers\sptd.sys [2009-11-14 691696]

.
Contents of the 'Scheduled Tasks' folder

2010-06-23 g:\windows\Tasks\COMODO System Cleaner Update.job
- g:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2010-03-09 12:41]

2010-06-23 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003Core.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-23 g:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-261903793-839522115-1003UA.job
- g:\documents and settings\astra\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 12:53]

2010-06-23 g:\windows\Tasks\MP Scheduled Scan.job
- g:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 16:02]
.
.
------- Supplementary Scan -------
.
LSP: g:\program files\VMware\VMware Workstation\vsocklib.dll
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
g:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
g:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 22:57
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="g:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ΐ•€|ω•9~*]
"AB141C35E9F4BF344B9FC010BB17F68A"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32]
@DACL=(02 0012)
@Denied: (Read) (Administrators)
@Denied: (B E 1 4 5) (Administrators)
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"VIDC.FFDS"="ff_vfw.dll"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
g:\windows\system32\guard32.dll
g:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(312)
g:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(928)
g:\windows\system32\guard32.dll
.
Completion time: 2010-06-23 22:58:47
ComboFix-quarantined-files.txt 2010-06-23 19:58
ComboFix2.txt 2010-06-23 19:47

Pre-Run: 13 Κατάλογοι 434.478.141.440 διαθέσιμα byte
Post-Run: 15 Κατάλογοι 434.464.268.288 διαθέσιμα byte

- - End Of File - - CE30540D4F27328437907D888F7CA71B

Blade81
2010-06-24, 16:39
Hi,

Click start->run->type regedit.exe and press enter.
Navigate to the HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32 key, right-click it and select Permissions. Check what groups are listed there (a screenshot might be helpful) and what permissions they have with "allow" selected. Report back to me.

PUHLuR
2010-06-24, 22:51
Hi,
here are the screenshots.

Blade81
2010-06-25, 00:16
Hi,

Click start->run->type cmd.exe. In command prompt window type the following command (and press enter):

swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /reset

After that type the following command:

swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >"%userprofile%\desktop\log.txt"

The second command should generate a log.txt file on your desktop. Attach it to your post, please.

PUHLuR
2010-06-25, 07:01
Hi,


*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
ASTRATIC\Administrators
Denied Read This Key Only
ASTRATIC\Administrators
Denied Read Subkeys only
ASTRATIC\Users
Allowed Read This Key Only
ASTRATIC\Users
Allowed Special (Unknown) Subkeys only
ASTRATIC\Power Users
Allowed Read This Key Only
ASTRATIC\Power Users
Allowed Special (Unknown) Subkeys only
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only
ASTRATIC\Users
Allowed Read This Key Only (Inherited)
ASTRATIC\Users
Allowed Special (Unknown) Subkeys only (Inherited)
ASTRATIC\Power Users
Allowed Special (BA54321) This Key Only (Inherited)
ASTRATIC\Power Users
Allowed Special (A) Subkeys only (Inherited)
ASTRATIC\Administrators
Allowed Full Control This Key Only (Inherited)
ASTRATIC\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (ASTRATIC\Administrators)
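
A defender's read-only check for the condition this listing shows, as an added PowerShell example that is not part of the thread and not code from swreg or ComboFix: it reads the Drivers32 key's ACL and reports Deny entries and a missing Administrators Full Control, then reviews each value's data (the stock entries in the log are bare codec/driver file names or full paths under %SystemRoot%). The function names are this example's own; run it from an elevated PowerShell.

```powershell
# Added example (not from the thread or from swreg/ComboFix): read-only audit of
# the Drivers32 key for the two things visible in the posted swreg output,
# Deny ACEs on Administrators and value data pointing outside %SystemRoot%.
# Run from an elevated PowerShell; function names are this example's own.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl

function Get-Drivers32AclFindings {
    param([string]$Path = $KeyPath)
    $findings = @()
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # In the thread, even reading the key failed for Administrators.
        $findings += [pscustomobject]@{ Kind = 'AclReadError'; Detail = $_.Exception.Message }
        return $findings
    }
    foreach ($ace in $acl.Access) {
        # The stock key has no Deny entries at all; any Deny is worth a look.
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += [pscustomobject]@{
                Kind   = 'DenyAce'
                Detail = '{0} denied {1} (inherited: {2})' -f $ace.IdentityReference, $ace.RegistryRights, $ace.IsInherited
            }
        }
    }
    $adminFull = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        (($_.RegistryRights -band $FullControl) -eq $FullControl)
    }
    if (-not $adminFull) {
        $findings += [pscustomobject]@{ Kind = 'MissingAllow'; Detail = 'BUILTIN\Administrators has no Full Control entry' }
    }
    return $findings
}

function Get-Drivers32ValueFindings {
    param([string]$Path = $KeyPath)
    $findings = @()
    $key = Get-Item -Path $Path -ErrorAction Stop
    $sysRoot = $env:SystemRoot.TrimEnd('\')
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match '[\\/]') {
            # Full paths are normal only under %SystemRoot% (see msacm.iac2 and
            # msacm.l3acm in the log); anything else is reported for review.
            $expanded = [Environment]::ExpandEnvironmentVariables($data)
            if (-not $expanded.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += [pscustomobject]@{ Kind = 'PathOutsideSystemRoot'; Detail = "$name = $data" }
            }
        } elseif ($data -notmatch '^[\w\-\.]+\.(dll|drv|acm|ax)$') {
            # Bare entries should be a codec/driver file name resolved from system32.
            $findings += [pscustomobject]@{ Kind = 'OddValueData'; Detail = "$name = $data" }
        }
    }
    return $findings
}

$all = @(Get-Drivers32AclFindings) + @(Get-Drivers32ValueFindings)
if ($all.Count -eq 0) {
    "Drivers32 looks stock: no Deny ACEs, Administrators have Full Control, all data under $env:SystemRoot"
} else {
    $all | Format-Table -AutoSize
}
```

A reported entry is something to review by hand, not proof of tampering: legitimately installed codecs also land in this key.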

Blade81
2010-06-25, 19:04
Hi,


Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Drivers32Dummy]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iv41"="ir41_32.ax"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.iac2"="g:\\WINDOWS\\system32\\iac25_32.ax"
"vidc.iv50"="ir50_32.dll"
"msacm.l3acm"="g:\\WINDOWS\\system32\\l3codeca.acm"
"VIDC.I420"="i420vfw.dll"
"MSVideo8"="VfWWDM32.dll"
"MSVideo"="vfwwdm32.dll"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="wdmaud.drv"
"wave3"="wdmaud.drv"
"midi3"="wdmaud.drv"
"mixer3"="wdmaud.drv"
"aux3"="wdmaud.drv"
"vidc.yv12"="yv12vfw.dll"
"wave6"="serwvdrv.dll"
"VIDC.FFDS"="ff_vfw.dll"
"VIDC.VMnc"="vmnc.dll"
"wave4"="wdmaud.drv"
"mixer4"="wdmaud.drv"


It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Double-click fix.reg, press Yes and OK.


After merging is successfully done, click start->run->type cmd.exe. In command prompt window type the following command (and enter):

reg save "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32dummy" drv.hiv

then this (and enter):

reg restore "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" drv.hiv

finally, type these two commands (press enter after each one):

swreg query "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /s >"%userprofile%\desktop\logKey.txt"
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >>"%userprofile%\desktop\logKey.txt"


After all those steps are done, attach/post the contents of logKey.txt, which should now exist on your desktop.

PUHLuR
2010-06-25, 19:45
Hi, here is logKey.txt.

PUHLuR
2010-06-25, 23:29
When I am trying to apply this command

reg restore "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" drv.hiv

I get an error message: access is not allowed.

Blade81
2010-06-26, 09:51
Hi,

1. Click start->run->type cmd.exe.
2. Highlight the following contents in the code box->right click->copy
3. Right click command prompt window, select paste. After commands have been executed there should be new log.txt file on your desktop. Post back its contents.



swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /OM
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /GM:F
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /RA:R
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /GA:F
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >"%userprofile%\desktop\log.txt"

PUHLuR
2010-06-26, 10:14
Hi,
here is the new log.txt file.

Blade81
2010-06-26, 10:39
Good. Please post a fresh dds log.

PUHLuR
2010-06-26, 15:58
DDS (Ver_10-03-17.01) - NTFSx86
Run by astra at 16:52:07,87 on Σαβ 26/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.gr/
uInternet Settings,ProxyOverride = local
mWinlogon: UIHost=G:\Yellow flower.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
mRun: [vmware-tray] "g:\program files\vmware\vmware workstation\vmware-tray.exe"
mRun: [TWCU] "g:\program files\tp-link\tp-link wireless client utility\TWCU.exe" -nogui
mRun: [MSSE] "g:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [COMODO Internet Security] "g:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [RTHDCPL] RTHDCPL.EXE
dRun: [CTFMON.EXE] g:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "g:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: g:\docume~1\alluse~1\startm~1\f2da~1\599a~1\rainme~1.lnk - g:\program files\rainmeter\Rainmeter.exe
IE: Ε&ξαγωγή στο Microsoft Excel - g:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: g:\program files\vmware\vmware workstation\vsocklib.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229157474656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239954420281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: g:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - g:\windows\system32\WPDShServiceObj.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - g:\program files\winfax\WfxSeh32.Dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\astra\applic~1\mozilla\firefox\profiles\pvs1v4h5.default\
FF - plugin: g:\documents and settings\astra\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: g:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: g:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - g:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
g:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
g:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
g:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
g:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
g:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
g:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
g:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
g:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


============== File Associations ===============

.scr=AutoCADLTScriptFile

=============== Created Last 30 ================

2010-06-25 20:26:05 0 d-----w- g:\program files\Speccy
2010-06-25 20:19:12 0 d-----w- g:\docume~1\astra\applic~1\Orca Profiles
2010-06-25 17:38:49 8192 ----a-w- g:\documents and settings\astra\drv.hiv
2010-06-24 06:20:02 7680 --sha-w- g:\windows\Thumbs.db
2010-06-23 19:39:22 98816 ----a-w- g:\windows\sed.exe
2010-06-23 19:39:22 77312 ----a-w- g:\windows\MBR.exe
2010-06-23 19:39:22 256512 ----a-w- g:\windows\PEV.exe
2010-06-23 19:39:22 161792 ----a-w- g:\windows\SWREG.exe
2010-06-23 19:30:53 0 d-sha-r- G:\cmdcons
2010-06-23 18:33:51 51232 ----a-w- g:\windows\system32\RHCoInstXP.dll
2010-06-23 18:33:51 4003008 ----a-w- g:\windows\system32\drivers\RtKHDMI.sys
2010-06-23 18:33:51 1489440 ----a-w- g:\windows\RtaUpd.exe
2010-06-23 08:39:39 555 ----a-w- g:\windows\yap.INI
2010-06-21 09:56:50 132096 ----atw- g:\windows\system32\DarkSpyKernel.sys
2010-06-20 18:42:05 38224 ----a-w- g:\windows\system32\drivers\mbamswissarmy.sys
2010-06-20 18:42:04 20952 ----a-w- g:\windows\system32\drivers\mbam.sys
2010-06-20 18:42:04 0 d-----w- g:\program files\Malwarebytes' Anti-Malware
2010-06-20 17:17:38 0 d-----w- g:\docume~1\astra\applic~1\KeePass
2010-06-17 07:36:37 0 d-----w- g:\program files\Safer Networking
2010-06-16 19:33:44 52736 ----a-w- g:\windows\system32\drivers\rk_remover.sys
2010-06-16 08:41:51 11831757 ----a-w- g:\windows\system32\GKHBVMXGMCMWN
2010-06-15 06:15:13 76 ----a-w- G:\fraglist.luar
2010-06-13 21:05:52 12872 ----a-w- g:\windows\system32\bootdelete.exe
2010-06-13 20:27:44 15944 ----a-w- g:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 20:27:32 0 d-----w- g:\docume~1\alluse~1\applic~1\Hitman Pro
2010-06-13 18:08:31 0 d-----w- g:\docume~1\astra\applic~1\Malwarebytes
2010-06-13 18:08:21 0 d-----w- g:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-12 19:18:47 256 ----a-w- g:\documents and settings\astra\.pulse-cookie
2010-06-12 17:04:00 0 d-----w- g:\program files\JRE
2010-06-12 14:45:01 0 d-----w- g:\program files\iPod
2010-06-12 14:44:57 0 d-----w- g:\program files\iTunes
2010-06-12 14:44:57 0 d-----w- g:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-12 14:05:38 0 d-----w- g:\program files\Phyxion.net
2010-06-12 07:34:54 0 d-----w- g:\program files\PeerBlock
2010-06-12 07:23:54 0 d-----w- g:\docume~1\alluse~1\applic~1\COMODO
2010-06-12 07:11:34 0 d-----w- g:\docume~1\astra\applic~1\ComodoGroup
2010-06-12 06:39:10 0 d-----w- g:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-06-12 06:14:05 0 d-----w- g:\documents and settings\astra\Application DataComodoGroup
2010-06-11 11:33:14 0 d-----w- g:\program files\zabkat
2010-06-11 08:28:57 0 d-----w- g:\documents and settings\astra\.freeplane
2010-06-10 22:11:05 0 d-----w- g:\windows\SHELLNEW
2010-06-08 20:48:18 74072 ----a-w- g:\windows\system32\XAPOFX1_5.dll
2010-06-08 20:48:18 527192 ----a-w- g:\windows\system32\XAudio2_7.dll
2010-06-08 20:48:18 239960 ----a-w- g:\windows\system32\xactengine3_7.dll
2010-06-08 20:48:17 2106216 ----a-w- g:\windows\system32\D3DCompiler_43.dll
2010-06-08 20:48:17 1868128 ----a-w- g:\windows\system32\d3dcsx_43.dll
2010-06-08 20:48:16 470880 ----a-w- g:\windows\system32\d3dx10_43.dll
2010-06-08 20:48:16 248672 ----a-w- g:\windows\system32\d3dx11_43.dll
2010-06-08 20:48:16 1998168 ----a-w- g:\windows\system32\D3DX9_43.dll
2010-06-08 20:48:15 74072 ----a-w- g:\windows\system32\XAPOFX1_4.dll
2010-06-08 20:48:15 528216 ----a-w- g:\windows\system32\XAudio2_6.dll
2010-06-08 20:48:15 238936 ----a-w- g:\windows\system32\xactengine3_6.dll
2010-06-08 20:48:14 22360 ----a-w- g:\windows\system32\X3DAudio1_7.dll
2010-06-08 18:47:50 743424 -c----w- g:\windows\system32\dllcache\iedvtool.dll
2010-06-06 15:53:24 0 d-----w- g:\docume~1\astra\applic~1\Search Settings
2010-06-06 15:26:51 0 d-----w- g:\docume~1\astra\applic~1\Zeon
2010-06-06 15:26:49 0 d-----w- g:\docume~1\alluse~1\applic~1\Nuance
2010-06-06 15:26:16 0 d-----w- g:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-06-04 08:55:58 229312 ----a-w- g:\windows\system32\drivers\cmdGuard.sys
2010-06-04 07:42:55 0 d-----w- g:\program files\common files\ABBYY
2010-06-04 07:40:19 0 d-----w- g:\program files\ABBYY FineReader 9.0
2010-06-01 16:00:52 278288 ----a-w- g:\windows\system32\guard32.dll
2010-06-01 16:00:22 25240 ----a-w- g:\windows\system32\drivers\cmdhlp.sys
2010-06-01 16:00:20 15464 ----a-w- g:\windows\system32\drivers\cmderd.sys

==================== Find3M ====================

2010-06-25 15:54:54 692282 ----a-w- g:\windows\system32\perfh008.dat
2010-06-25 15:54:54 148356 ----a-w- g:\windows\system32\perfc008.dat
2010-06-08 14:16:38 84584 ----a-w- g:\windows\SOUNDMAN.EXE
2010-06-08 14:16:38 359016 ----a-w- g:\windows\vncutil.exe
2010-06-08 14:16:38 1833576 ----a-w- g:\windows\SkyTel.exe
2010-06-08 14:16:32 9721960 ----a-w- g:\windows\RTLCPL.EXE
2010-06-08 14:16:32 1489512 ----a-w- g:\windows\RtlUpd.exe
2010-06-08 14:16:26 6056040 ----a-w- g:\windows\system32\drivers\RtkHDAud.sys
2010-06-08 14:16:20 52840 ----a-w- g:\windows\system32\RtkCoInstXP.dll
2010-06-08 14:16:20 19552872 ----a-w- g:\windows\RTHDCPL.EXE
2010-06-08 14:16:20 129640 ----a-w- g:\windows\RtkAudioService.exe
2010-06-08 14:16:14 2180712 ----a-w- g:\windows\MicCal.exe
2010-06-08 14:16:08 64104 ----a-w- g:\windows\ALCMTR.EXE
2010-06-08 14:16:08 2815592 ----a-w- g:\windows\ALCWZRD.EXE
2010-05-21 11:14:28 221568 ------w- g:\windows\system32\MpSigStub.exe
2010-05-16 07:18:53 411368 ----a-w- g:\windows\system32\deployJava1.dll
2010-05-14 05:03:56 25992 ----a-w- g:\windows\system32\pgdfgsvc.exe
2010-05-06 10:33:33 916480 ----a-w- g:\windows\system32\wininet.dll
2010-05-02 08:07:34 1851520 ----a-w- g:\windows\system32\win32k.sys
2010-04-28 15:45:24 1251872 ----a-w- g:\windows\RtlExUpd.dll
2010-04-20 05:30:47 285696 ----a-w- g:\windows\system32\atmfd.dll
2008-10-28 20:30:56 23 --sha-w- g:\windows\system32\bdcca4_d.dll

============= FINISH: 16:52:32,62 ===============

Blade81
2010-06-26, 23:29
Hi,

1. Click start->run->type cmd.exe.
2. Highlight the following contents in the code box->right click->copy
3. Right click command prompt window, select paste. After commands have been executed there should be new log.txt file on your desktop. Post back its contents. Are there still symptoms remaining?



swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" /E /OA
reg delete "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32dummy" /f
swreg acl "HKLM\software\Microsoft\Windows NT\CurrentVersion\Drivers32" >"%userprofile%\desktop\log.txt"

PUHLuR
2010-06-27, 00:00
Yes, the symptoms are still remaining.

I can't install programs with Windows Installer. When I try to, I get an error message that access to the Windows Installer service is not allowed.

Also, when I am trying to open my system's primary browser I get an error message and it terminates the process.

Blade81
2010-06-27, 10:52
Hi,

1. Download Dial-a-Fix archive file here (http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles).
2. Extract contents to suitable place (e.g. your desktop) and navigate to that location.
3. Double-click Dial-a-Fix.exe file to execute the program.
4. Checkmark the Fix Windows Installer checkbox. It's possible that the program checks some options automatically after that. Leave those untouched and click the GO button.

When the tool has finished, reboot and see if the same problem still occurs when you try to install a program.

See if you are able to run IE in no add-ons mode:
Click Start -> All Programs -> Accessories -> System Tools, and then click Internet Explorer (No Add-ons).

Blade81
2010-07-04, 10:17
Are you still there?

Blade81
2010-07-10, 22:23
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.