ComboFix 13-02-23.01 - Meli 24.02.2013 16:35:21.2.1 - x86
Running from: d:\documents and settings\Meli\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\documents and settings\All Users\Application Data\TEMP
d:\documents and settings\All Users\Desktop\Intennet Exploner.lnk
d:\documents and settings\All Users\Start Menu\Programs\Startup\TSPS.lnk
d:\documents and settings\Meli\Favorites\&çÍ·×ÍřÖ·µĽş˝&.url
d:\documents and settings\Meli\rioom.exe
d:\program files\Common Files\Microsoft Shared\explorer.exe
d:\program files\Common Files\trz54.tmp
d:\windows\system32\SET310.tmp
d:\windows\system32\SET31D.tmp
d:\windows\system32\SET31F.tmp
d:\windows\system32\SET324.tmp
d:\windows\system32\SET325.tmp
d:\windows\system32\SET326.tmp
d:\windows\system32\SET32A.tmp
d:\windows\system32\SET32B.tmp
d:\windows\system32\SET32C.tmp
d:\windows\system32\SET341.tmp
d:\windows\system32\SET343.tmp
d:\windows\system32\SET347.tmp
d:\windows\system32\SET348.tmp
d:\windows\system32\SET349.tmp
d:\windows\system32\SET34D.tmp
d:\windows\system32\SET34E.tmp
d:\windows\system32\SET34F.tmp
d:\windows\system32\SET36C.tmp
d:\windows\system32\SET36E.tmp
d:\windows\system32\SET372.tmp
d:\windows\system32\SET373.tmp
d:\windows\system32\SET374.tmp
d:\windows\system32\SET378.tmp
d:\windows\system32\SET379.tmp
d:\windows\system32\SET37A.tmp
d:\windows\system32\SET390.tmp
d:\windows\system32\SET39B.tmp
d:\windows\system32\SET39D.tmp
d:\windows\system32\SET3A1.tmp
d:\windows\system32\SET3A2.tmp
d:\windows\system32\SET3A3.tmp
d:\windows\system32\SET3A7.tmp
d:\windows\system32\SET3A8.tmp
d:\windows\system32\SET3A9.tmp
.
Infected copy of d:\windows\explorer.exe was found and disinfected
Restored copy from - d:\system volume information\_restore{41AED485-9E12-4A33-9A87-AF94EC536E19}\RP248\A0310722.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-01-24 to 2013-02-24 )))))))))))))))))))))))))))))))
.
.
2013-02-24 14:49 . 2013-02-24 14:49 -------- d-----w- d:\documents and settings\Meli\Application Data\Optimizer Pro
2013-02-24 12:50 . 2013-02-24 12:50 343040 -c--a-w- d:\windows\system32\dllcache\mspaint.exe
2013-02-24 12:50 . 2013-02-24 12:50 343040 ----a-w- d:\windows\system32\mspaint.exe
2013-02-24 00:33 . 2013-02-24 00:33 41 ----a-w- D:\user.js
2013-02-24 00:31 . 2013-02-24 00:31 -------- d-----w- d:\program files\tuvaro
2013-02-24 00:31 . 2013-02-24 00:31 -------- d-----w- d:\documents and settings\Meli\Application Data\tuvaro
2013-02-23 23:37 . 2013-02-23 23:37 -------- d-sh--w- d:\documents and settings\Meli\IECompatCache
2013-02-23 01:27 . 2013-02-23 01:27 -------- d-----w- D:\Documents and Stitings
2013-02-19 23:05 . 2008-04-14 11:00 69120 -c--a-w- d:\windows\system32\dllcache\notepad.exe
2013-02-19 23:05 . 2008-04-14 11:00 69120 ----a-w- d:\windows\system32\notepad.exe
2013-02-19 19:14 . 2013-02-19 19:14 -------- d-----w- d:\documents and settings\Meli\Local Settings\Application Data\PCHealth
2013-02-19 18:48 . 2013-02-19 18:48 -------- d-----w- d:\documents and settings\Meli\Local Settings\Application Data\CrashRpt
2013-02-18 23:26 . 2013-02-18 23:26 -------- d-----w- d:\windows\system32\LogFiles
2013-02-09 22:32 . 2013-02-09 22:34 -------- d-----w- d:\documents and settings\Meli\Application Data\MSNInstaller
2013-01-29 14:56 . 2013-01-29 14:56 -------- d-----w- d:\documents and settings\Meli\Application Data\SUPERAntiSpyware.com
2013-01-29 14:51 . 2013-02-23 21:37 -------- d-----w- d:\program files\SUPERAntiSpyware
2013-01-29 14:51 . 2013-01-29 14:51 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-01-29 14:51 . 2013-01-29 14:51 -------- d-----w- d:\documents and settings\All Users\Application Data\SUPERSetup
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-24 12:52 . 2013-01-03 23:48 153600 ----a-w- d:\windows\system32\wudfhost.exe
2013-02-08 16:23 . 2012-08-14 11:11 697712 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2013-02-08 16:23 . 2012-08-14 11:11 74096 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2008-04-14 11:00 552448 ----a-w- d:\windows\system32\oleaut32.dll
2013-01-18 01:10 . 2008-04-14 11:00 17408 ----a-w- d:\windows\system32\wpdshextautoplay.exe
2013-01-07 01:28 . 2009-06-07 20:04 2193152 ----a-w- d:\windows\system32\ntoskrnl.exe
2013-01-07 00:45 . 2009-02-06 10:30 2069760 ----a-w- d:\windows\system32\ntkrnlpa.exe
2013-01-04 01:32 . 2009-06-07 20:05 1876224 ----a-w- d:\windows\system32\win32k.sys
2013-01-03 23:47 . 2008-04-14 11:00 80896 ----a-w- d:\windows\system32\firewall.cpl
2013-01-02 06:48 . 2009-06-07 20:03 1292288 ----a-w- d:\windows\system32\quartz.dll
2013-01-02 06:48 . 2008-04-14 11:00 148992 ----a-w- d:\windows\system32\mpg2splt.ax
2012-12-26 20:16 . 2009-06-07 19:57 916480 ------w- d:\windows\system32\wininet.dll
2012-12-16 12:31 . 2009-06-07 20:00 290560 ----a-w- d:\windows\system32\atmfd.dll
2013-01-02 00:09 . 2013-01-02 00:08 263064 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-06-07 . F958DC764FCCB2E899FC5F58BACF8494 . 1614848 . . [5.1.2600.5512] . . d:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- d:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Optimizer Pro"="d:\program files\Optimizer Pro\OptProLauncher.exe" [2012-10-21 81952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="d:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-08-28 1216512]
"RTHDCPL"="RTHDCPL.EXE" [2009-06-12 17887232]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"avast"="d:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"ApnUpdater"="d:\program files\Ask.com\Updater\Updater.exe" [2012-06-06 1564872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,\
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\AvastU3.exe]
"Debugger"=ntsd -d
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Opera\\opera.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 aswKbd;aswKbd;d:\windows\system32\drivers\aswKbd.sys [12.9.2012 21:46 18544]
R1 aswSnx;aswSnx;d:\windows\system32\drivers\aswSnx.sys [16.8.2012 9:41 738504]
R1 aswSP;aswSP;d:\windows\system32\drivers\aswSP.sys [16.8.2012 9:41 361032]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [22.7.2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12.7.2011 22:55 67664]
R2 aswFsBlk;aswFsBlk;d:\windows\system32\drivers\aswFsBlk.sys [16.8.2012 9:41 21256]
S3 Ambfilt;Ambfilt;d:\windows\system32\drivers\Ambfilt.sys [14.8.2012 11:50 1684736]
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-24 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-14 16:23]
.
2013-02-24 d:\windows\Tasks\avast! Emergency Update.job
- d:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-08-16 22:50]
.
2013-02-24 d:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- d:\program files\Ask.com\UpdateTask.exe [2012-06-06 19:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
TCP: DhcpNameServer = 192.168.88.1 192.168.0.1
FF - ProfilePath - d:\documents and settings\Meli\Application Data\Mozilla\Firefox\Profiles\a87u059h.default\
FF - prefs.js: browser.search.defaulturl -
FF - prefs.js: browser.search.selectedEngine - Tuvaro
FF - prefs.js: browser.startup.homepage - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
FF - prefs.js: keyword.URL - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=url&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 2
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.BabylonToolbar.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15686
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.4.9
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.4.9
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.4.913:41
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - base
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar_i.excTlbr - false
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.claro.tlbrSrchUrl -
FF - user.js: extensions.claro.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.claro.appId - {C3110516-8EFC-49D6-8B72-69354F332062}
FF - user.js: extensions.claro.instlDay - 15712
FF - user.js: extensions.claro.vrsn - 1.8.8.5
FF - user.js: extensions.claro.vrsni - 1.8.8.5
FF - user.js: extensions.claro_i.vrsnTs - 1.8.8.521:22
FF - user.js: extensions.claro.prtnrId - claro
FF - user.js: extensions.claro.prdct - claro
FF - user.js: extensions.claro.aflt - babsst
FF - user.js: extensions.claro_i.smplGrp - none
FF - user.js: extensions.claro.tlbrId - claro
FF - user.js: extensions.claro.instlRef - sst
FF - user.js: extensions.claro.dfltLng - en
FF - user.js: extensions.claro_i.excTlbr - false
FF - user.js: extensions.claro.excTlbr - false
FF - user.js: extensions.claro.admin - false
FF - user.js: extensions.claro.autoRvrt - false
FF - user.js: extensions.claro.rvrt - false
FF - user.js: extensions.claro_i.newTab - false
FF - user.js: extensions.tuvaro.hpOld0 - hxxp://search.conduit.com/?ctid=CT2431400&SearchSource=13&CUI=SB_CUI
FF - user.js: extensions.tuvaro.tlbrSrchUrl - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=main&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.tuvaro.id - 9c748de4000000000000001644198aa1
FF - user.js: extensions.tuvaro.appId - {2768469C-717B-401F-8532-C6D88BAE0339}
FF - user.js: extensions.tuvaro.instlDay - 15760
FF - user.js: extensions.tuvaro.vrsn - 1.8.12.7
FF - user.js: extensions.tuvaro.vrsni - 1.8.12.7
FF - user.js: extensions.tuvaro.vrsnTs - 1.8.12.71:33
FF - user.js: extensions.tuvaro.prtnrId - tuvaro
FF - user.js: extensions.tuvaro.prdct - tuvaro
FF - user.js: extensions.tuvaro.aflt - orgnl
FF - user.js: extensions.tuvaro.smplGrp - none
FF - user.js: extensions.tuvaro.tlbrId - base
FF - user.js: extensions.tuvaro.instlRef - cbc644dd
FF - user.js: extensions.tuvaro.dfltLng -
FF - user.js: extensions.tuvaro.excTlbr - false
FF - user.js: extensions.tuvaro.ffxUnstlRst - false
FF - user.js: extensions.tuvaro.admin - false
FF - user.js: extensions.tuvaro.cam -
FF - user.js: extensions.tuvaro.autoRvrt - false
FF - user.js: extensions.tuvaro.rvrt - false
FF - user.js: extensions.tuvaro.hmpg - true
FF - user.js: extensions.tuvaro.hmpgUrl - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=homepage&toolbarid=base&u=9c748de4000000000000001644198aa1
FF - user.js: extensions.tuvaro.dfltSrch - true
FF - user.js: extensions.tuvaro.srchPrvdr - Tuvaro
FF - user.js: extensions.tuvaro.kw_url - hxxp://tuvaro.com/ws/?source=cbc644dd&tbp=url&toolbarid=base&u=9c748de4000000000000001644198aa1&q=
FF - user.js: extensions.tuvaro.dnsErr - true
FF - user.js: extensions.tuvaro.newTab - true
FF - user.js: extensions.tuvaro.newTabUrl - chrome://tuvaro/content/new browser tab.html?source=cbc644dd&tbp=tab&u=9c748de4000000000000001644198aa1
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-24 16:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_149_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(420)
d:\windows\system32\WININET.dll
d:\windows\system32\msi.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\wpdshserviceobj.dll
d:\windows\system32\portabledevicetypes.dll
d:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\AVAST Software\Avast\AvastSvc.exe
d:\program files\SUPERAntiSpyware\SASCORE.EXE
d:\program files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
d:\windows\RTHDCPL.EXE
d:\program files\Optimizer Pro\OptProSmartScan.exe
d:\program files\Optimizer Pro\OptProReminder.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2013-02-24 17:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2013-02-24 16:03
ComboFix2.txt 2013-01-01 23:44
.
Pre-Run: 25.499.463.680 bytes free
Post-Run: 25.705.197.568 bytes free
.
- - End Of File - - 7E8617AFEF050EA2B8CAE2574C4F2109