ComboFix 13-02-23.01 - Meli 24.02.2013 16:35:21.2.1 - x86
Running from: d:\documents and settings\Meli\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\All Users\Application Data\TEMP
d:\documents and settings\All Users\Desktop\Intennet Exploner.lnk
d:\documents and settings\All Users\Start Menu\Programs\Startup\TSPS.lnk
d:\documents and settings\Meli\Favorites\&çÍ·×ÍřÖ·µĽş˝&.url
d:\documents and settings\Meli\rioom.exe
d:\program files\Common Files\Microsoft Shared\explorer.exe
d:\program files\Common Files\trz54.tmp
d:\windows\system32\SET310.tmp
d:\windows\system32\SET31D.tmp
d:\windows\system32\SET31F.tmp
d:\windows\system32\SET324.tmp
d:\windows\system32\SET325.tmp
d:\windows\system32\SET326.tmp
d:\windows\system32\SET32A.tmp
d:\windows\system32\SET32B.tmp
d:\windows\system32\SET32C.tmp
d:\windows\system32\SET341.tmp
d:\windows\system32\SET343.tmp
d:\windows\system32\SET347.tmp
d:\windows\system32\SET348.tmp
d:\windows\system32\SET349.tmp
d:\windows\system32\SET34D.tmp
d:\windows\system32\SET34E.tmp
d:\windows\system32\SET34F.tmp
d:\windows\system32\SET36C.tmp
d:\windows\system32\SET36E.tmp
d:\windows\system32\SET372.tmp
d:\windows\system32\SET373.tmp
d:\windows\system32\SET374.tmp
d:\windows\system32\SET378.tmp
d:\windows\system32\SET379.tmp
d:\windows\system32\SET37A.tmp
d:\windows\system32\SET390.tmp
d:\windows\system32\SET39B.tmp
d:\windows\system32\SET39D.tmp
d:\windows\system32\SET3A1.tmp
d:\windows\system32\SET3A2.tmp
d:\windows\system32\SET3A3.tmp
d:\windows\system32\SET3A7.tmp
d:\windows\system32\SET3A8.tmp
d:\windows\system32\SET3A9.tmp
.
Infected copy of d:\windows\explorer.exe was found and disinfected
Restored copy from - d:\system volume information\_restore{41AED485-9E12-4A33-9A87-AF94EC536E19}\RP248\A0310722.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-24 to 2013-02-24 )))))))))))))))))))))))))))))))
.
.
2013-02-24 14:49 . 2013-02-24 14:49 -------- d-----w- d:\documents and settings\Meli\Application Data\Optimizer Pro
2013-02-24 12:50 . 2013-02-24 12:50 343040 -c--a-w- d:\windows\system32\dllcache\mspaint.exe
2013-02-24 12:50 . 2013-02-24 12:50 343040 ----a-w- d:\windows\system32\mspaint.exe
2013-02-24 00:33 . 2013-02-24 00:33 41 ----a-w- D:\user.js
2013-02-24 00:31 . 2013-02-24 00:31 -------- d-----w- d:\program files\tuvaro
2013-02-24 00:31 . 2013-02-24 00:31 -------- d-----w- d:\documents and settings\Meli\Application Data\tuvaro
2013-02-23 23:37 . 2013-02-23 23:37 -------- d-sh--w- d:\documents and settings\Meli\IECompatCache
2013-02-23 01:27 . 2013-02-23 01:27 -------- d-----w- D:\Documents and Stitings
2013-02-19 23:05 . 2008-04-14 11:00 69120 -c--a-w- d:\windows\system32\dllcache\notepad.exe
2013-02-19 23:05 . 2008-04-14 11:00 69120 ----a-w- d:\windows\system32\notepad.exe
2013-02-19 19:14 . 2013-02-19 19:14 -------- d-----w- d:\documents and settings\Meli\Local Settings\Application Data\PCHealth
2013-02-19 18:48 . 2013-02-19 18:48 -------- d-----w- d:\documents and settings\Meli\Local Settings\Application Data\CrashRpt
2013-02-18 23:26 . 2013-02-18 23:26 -------- d-----w- d:\windows\system32\LogFiles
2013-02-09 22:32 . 2013-02-09 22:34 -------- d-----w- d:\documents and settings\Meli\Application Data\MSNInstaller
2013-01-29 14:56 . 2013-01-29 14:56 -------- d-----w- d:\documents and settings\Meli\Application Data\SUPERAntiSpyware.com
2013-01-29 14:51 . 2013-02-23 21:37 -------- d-----w- d:\program files\SUPERAntiSpyware
2013-01-29 14:51 . 2013-01-29 14:51 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-01-29 14:51 . 2013-01-29 14:51 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERSetup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-24 12:52 . 2013-01-03 23:48 153600 ----a-w- d:\windows\system32\wudfhost.exe
2013-02-08 16:23 . 2012-08-14 11:11 697712 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2013-02-08 16:23 . 2012-08-14 11:11 74096 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2008-04-14 11:00 552448 ----a-w- d:\windows\system32\oleaut32.dll
2013-01-18 01:10 . 2008-04-14 11:00 17408 ----a-w- d:\windows\system32\wpdshextautoplay.exe
2013-01-07 01:28 . 2009-06-07 20:04 2193152 ----a-w- d:\windows\system32\ntoskrnl.exe
2013-01-07 00:45 . 2009-02-06 10:30 2069760 ----a-w- d:\windows\system32\ntkrnlpa.exe
2013-01-04 01:32 . 2009-06-07 20:05 1876224 ----a-w- d:\windows\system32\win32k.sys
2013-01-03 23:47 . 2008-04-14 11:00 80896 ----a-w- d:\windows\system32\firewall.cpl
2013-01-02 06:48 . 2009-06-07 20:03 1292288 ----a-w- d:\windows\system32\quartz.dll
2013-01-02 06:48 . 2008-04-14 11:00 148992 ----a-w- d:\windows\system32\mpg2splt.ax
2012-12-26 20:16 . 2009-06-07 19:57 916480 ------w- d:\windows\system32\wininet.dll
2012-12-16 12:31 . 2009-06-07 20:00 290560 ----a-w- d:\windows\system32\atmfd.dll
2013-01-02 00:09 . 2013-01-02 00:08 263064 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-06-07 . F958DC764FCCB2E899FC5F58BACF8494 . 1614848 . . [5.1.2600.5512] . . d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- d:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"="d:\program files\Optimizer Pro\OptProLauncher.exe" [2012-10-21 81952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="d:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-08-28 1216512]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"ApnUpdater"="d:\program files\Ask.com\Updater\Updater.exe" [2012-06-06 1564872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
"Debugger"=ntsd -d
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 aswKbd;aswKbd;d:\windows\system32\drivers\aswKbd.sys [12.9.2012 21:46 18544]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [16.8.2012 9:41 738504]
R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [16.8.2012 9:41 361032]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [22.7.2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12.7.2011 22:55 67664]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [16.8.2012 9:41 21256]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [14.8.2012 11:50 1684736]
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-24 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 16:23]
.
2013-02-24 d:\windows\Tasks\avast! Emergency Update.job
- d:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-16 22:50]
.
2013-02-24 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2012-06-06 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
TCP: DhcpNameServer = 192.168.88.1 192.168.0.1
FF - ProfilePath - d:\documents and settings\Meli\Application Data\Mozilla\Firefox\Profiles\a87u059h.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Tuvaro
FF - prefs.js: browser.startup.homepage - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
FF - prefs.js: keyword.URL - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=url&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 2
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.BabylonToolbar.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15686
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.4.9
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.4.9
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.4.913:41
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.claro.tlbrSrchUrl -
FF - user.js: extensions.claro.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.claro.appId - {C3110516-8EFC-49D6-8B72-69354F332062}
FF - user.js: extensions.claro.instlDay - 15712
FF - user.js: extensions.claro.vrsn - 1.8.8.5
FF - user.js: extensions.claro.vrsni - 1.8.8.5
FF - user.js: extensions.claro_i.vrsnTs - 1.8.8.521:22
FF - user.js: extensions.claro.prtnrId - claro
FF - user.js: extensions.claro.prdct - claro
FF - user.js: extensions.claro.aflt - babsst
FF - user.js: extensions.claro_i.smplGrp - none
FF - user.js: extensions.claro.tlbrId - claro
FF - user.js: extensions.claro.instlRef - sst
FF - user.js: extensions.claro.dfltLng - en
FF - user.js: extensions.claro_i.excTlbr - false
FF - user.js: extensions.claro.excTlbr - false
FF - user.js: extensions.claro.admin - false
FF - user.js: extensions.claro.autoRvrt - false
FF - user.js: extensions.claro.rvrt - false
FF - user.js: extensions.claro_i.newTab - false
FF - user.js: extensions.tuvaro.hpOld0 - hxxp://search.conduit.com/?ctid=CT2431400&SearchSource=13&CUI=SB_CUI
FF - user.js: extensions.tuvaro.tlbrSrchUrl - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=main&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.tuvaro.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.tuvaro.appId - {2768469C-717B-401F-8532-C6D88BAE0339}
FF - user.js: extensions.tuvaro.instlDay - 15760
FF - user.js: extensions.tuvaro.vrsn - 1.8.12.7
FF - user.js: extensions.tuvaro.vrsni - 1.8.12.7
FF - user.js: extensions.tuvaro.vrsnTs - 1.8.12.71:33
FF - user.js: extensions.tuvaro.prtnrId - tuvaro
FF - user.js: extensions.tuvaro.prdct - tuvaro
FF - user.js: extensions.tuvaro.aflt - orgnl
FF - user.js: extensions.tuvaro.smplGrp - none
FF - user.js: extensions.tuvaro.tlbrId - base
FF - user.js: extensions.tuvaro.instlRef - cbc644dd
FF - user.js: extensions.tuvaro.dfltLng -
FF - user.js: extensions.tuvaro.excTlbr - false
FF - user.js: extensions.tuvaro.ffxUnstlRst - false
FF - user.js: extensions.tuvaro.admin - false
FF - user.js: extensions.tuvaro.cam -
FF - user.js: extensions.tuvaro.autoRvrt - false
FF - user.js: extensions.tuvaro.rvrt - false
FF - user.js: extensions.tuvaro.hmpg - true
FF - user.js: extensions.tuvaro.hmpgUrl - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
FF - user.js: extensions.tuvaro.dfltSrch - true
FF - user.js: extensions.tuvaro.srchPrvdr - Tuvaro
FF - user.js: extensions.tuvaro.kw_url - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=url&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.tuvaro.dnsErr - true
FF - user.js: extensions.tuvaro.newTab - true
FF - user.js: extensions.tuvaro.newTabUrl - chrome://tuvaro/content/new browser tab.html?source=cbc644dd&tbp=tab&u=9c748de4000000000000001644198aa1
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-24 16:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(420)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\AVAST Software\Avast\AvastSvc.exe
d:\program files\SUPERAntiSpyware\SASCORE.EXE
d:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
d:\windows\RTHDCPL.EXE
d:\program files\Optimizer Pro\OptProSmartScan.exe
d:\program files\Optimizer Pro\OptProReminder.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-02-24 17:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-24 16:03
ComboFix2.txt 2013-01-01 23:44
.
Pre-Run: 25.499.463.680 bytes free
Post-Run: 25.705.197.568 bytes free
.
- - End Of File - - 7E8617AFEF050EA2B8CAE2574C4F2109
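What makes this log worth more than a skim is a handful of line shapes: the "Infected copy of d:\windows\explorer.exe" repair (a patched system binary, which means the host was compromised rather than merely adware-ridden), the executables ComboFix deleted from odd places (an explorer.exe under Common Files, rioom.exe in the profile root), system32 binaries rewritten inside the scan window, the Run value pointing into the newly created Optimizer Pro directory, the IFEO "Debugger"=ntsd -d entry, TCP/3389 opened globally in the host firewall, and the Firefox prefs that both route HTTP through 127.0.0.1 and hand the homepage and search to tuvaro.com. The script below is an added example, not ComboFix's code and not part of the original paste: it parses those shapes from a constructed excerpt of this log and emits severity-tagged findings. The rule names, severities, the SYSTEM_NAMES and RISKY_PORTS lists, and the choice to rate an autorun higher when its path passes through a directory created in the window are the example's own assumptions.

```python
"""Triage of a ComboFix log. Added example: not ComboFix's code and not part of the
original paste. One pass over the text, tracking the current section, turns the line
shapes that carry signal into Finding records."""
import re
from dataclasses import dataclass

SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"}  # assumption: short list
NORMAL_DIRS = ("\\windows\\", "\\windows\\system32\\", "\\windows\\system32\\dllcache\\")
RISKY_PORTS = {"3389", "445", "139", "135", "23"}  # assumption: inbound ports never opened globally

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
                        r"\s+\S+\s+(\S+)\s+(.+)$")  # created . modified size attrs path
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - ?(.*)$")


@dataclass
class Finding:
    severity: str  # high / medium / low / info
    rule: str
    detail: str


def triage(log_text):
    """Return the Findings for one ComboFix log given as plain text (no list markers)."""
    findings, new_dirs, section, reg_key = [], [], "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif line.startswith("Infected copy of "):
            path = line[len("Infected copy of "):].split(" was ")[0]
            findings.append(Finding("high", "patched-system-binary", path))
        elif section == "Other Deletions" and line.lower().endswith(".exe"):
            folder, name = line.lower().rsplit("\\", 1)
            masquerade = name in SYSTEM_NAMES and not (folder + "\\").endswith(NORMAL_DIRS)
            findings.append(Finding("high" if masquerade else "info", "deleted-executable", line))
        elif section.startswith("Files Created") and (m := CREATED_RE.match(line)):
            created, modified, attrs, path = m.groups()
            if attrs.startswith("d"):
                new_dirs.append(path.lower().rsplit("\\", 1)[-1])
            elif "\\windows\\system32\\" in path.lower() and path.lower().endswith(".exe"):
                # Equal timestamps: the bytes were written now. An old mtime kept on a new
                # file is what a copy from dllcache or a restore point (SFC repair) looks like.
                sev = "medium" if created == modified else "low"
                findings.append(Finding(sev, "system-binary-written-in-window", path))
        elif m := REG_KEY_RE.match(line):
            reg_key = m.group(1).lower()
        elif m := REG_VALUE_RE.match(line):
            name, data = m.groups()
            if reg_key.endswith("\\run"):
                # Autorun whose path passes through a directory that appeared in the window.
                exe = (data.split('"')[1] if data.startswith('"') else data).lower()
                if any(f"\\{d}\\" in exe for d in new_dirs):
                    findings.append(Finding("medium", "autorun-into-new-directory", f"{name}: {exe}"))
            elif "image file execution options" in reg_key and name.lower() == "debugger":
                target = reg_key.rsplit("\\", 1)[-1]
                findings.append(Finding("medium", "ifeo-debugger", f"{target} -> {data}"))
            elif reg_key.endswith("globallyopenports\\list"):
                port, proto = name.split(":")[:2]
                sev = "high" if port in RISKY_PORTS else "low"
                findings.append(Finding(sev, "firewall-global-open-port", f"{proto}/{port}"))
        elif m := FF_PREF_RE.match(line):
            pref, value = m.groups()
            if pref == "network.proxy.type" and value not in ("0", "5"):  # 0 = direct, 5 = system
                findings.append(Finding("medium", "browser-proxy-enabled", f"{pref}={value}"))
            elif pref == "network.proxy.http" and value:
                findings.append(Finding("medium", "browser-proxy-host", value))
            elif pref.endswith(("hmpgUrl", "tlbrSrchUrl", "kw_url", "homepage")) and value.startswith("hxxp"):
                findings.append(Finding("low", "search-redirect-pref", f"{pref}={value}"))
    return findings


# Constructed excerpt: a few lines of each shape, copied from the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
d:\documents and settings\Meli\rioom.exe
d:\program files\Common Files\Microsoft Shared\explorer.exe
Infected copy of d:\windows\explorer.exe was found and disinfected
((((((((((((((((((((((((( Files Created from 2013-01-24 to 2013-02-24 )))))))))))))))))))))))))))))))
2013-02-24 14:49 . 2013-02-24 14:49 -------- d-----w- d:\documents and settings\Meli\Application Data\Optimizer Pro
2013-02-24 12:50 . 2013-02-24 12:50 343040 ----a-w- d:\windows\system32\mspaint.exe
2013-02-19 23:05 . 2008-04-14 11:00 69120 ----a-w- d:\windows\system32\notepad.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"="d:\program files\Optimizer Pro\OptProLauncher.exe" [2012-10-21 81952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
"Debugger"=ntsd -d
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 2
FF - user.js: extensions.tuvaro.hmpgUrl - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run it against a saved ComboFix log by passing the file's text to triage(). Two of the rules deserve a word of caution: an IFEO Debugger of ntsd -d redirects every launch of the target into a debugger, so the target never runs normally, but the same trick is used both by vendors as self-protection and by malware to silence a security tool, so the rule only reports it and leaves the verdict to the analyst; and network.proxy.type 2 means Firefox fetches a proxy auto-config script, so with network.proxy.http set to 127.0.0.1 the next thing to check on the host is what is listening on that loopback port and where the PAC URL points.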