ComboFix 14-09-22.01 - JIMS 09/26/2014 17:47:57.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.699 [GMT -5:00]
Running from: c:\users\JIMS\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-08-26 to 2014-09-26 )))))))))))))))))))))))))))))))
.
.
2014-09-26 23:05 . 2014-09-26 23:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-26 23:05 . 2014-09-26 23:05 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2014-09-26 21:15 . 2014-09-09 01:24 8806800 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C0D3839-D51F-45ED-9137-F98689F5EB6C}\mpengine.dll
2014-09-24 22:59 . 2014-09-24 22:59 -------- d-----w- c:\users\JIMS\AppData\Roaming\MyTurboPC.com
2014-09-24 22:59 . 2014-09-24 22:59 -------- d-----w- c:\users\JIMS\AppData\Roaming\DriverCure
2014-09-24 22:59 . 2014-09-24 22:59 -------- d-----w- c:\program files\Common Files\MyTurboPC.com
2014-09-24 22:59 . 2014-09-24 22:59 -------- d-----w- c:\programdata\MyTurboPC.com
2014-09-24 22:59 . 2014-09-24 22:59 -------- d-----w- c:\program files\MyTurboPC.com
2014-09-24 21:42 . 2014-09-24 22:04 -------- d-----w- C:\AdwCleaner
2014-09-20 09:58 . 2014-09-20 09:58 -------- d-----w- c:\windows\Migration
2014-09-17 16:21 . 2014-09-24 08:18 -------- d-----w- C:\FRST
2014-09-16 01:53 . 2014-09-16 01:53 -------- d-----w- c:\users\JIMS\AppData\Roaming\SparkTrust
2014-09-16 01:52 . 2014-09-24 04:43 -------- d-----w- c:\programdata\SparkTrust
2014-09-13 09:14 . 2014-06-26 22:17 99480 ----a-w- c:\windows\system32\infocardapi.dll
2014-09-13 09:14 . 2014-06-26 22:17 8856 ----a-w- c:\windows\system32\icardres.dll
2014-09-13 09:14 . 2014-06-26 22:17 619664 ----a-w- c:\windows\system32\icardagt.exe
2014-09-13 09:14 . 2014-06-06 04:28 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-09-13 09:06 . 2014-08-22 23:26 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-09-13 09:06 . 2014-08-23 01:03 297984 ----a-w- c:\windows\system32\gdi32.dll
2014-09-13 03:48 . 2014-09-13 03:48 -------- d-----w- c:\program files\CCleaner
2014-09-13 03:22 . 2014-09-13 03:22 -------- d-----w- c:\programdata\Cisco Systems
2014-09-12 22:55 . 2014-09-24 22:16 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-09-12 22:55 . 2014-09-24 05:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2014-09-12 22:25 . 2014-09-12 22:25 -------- d-----w- c:\users\JIMS\AppData\Roaming\AVAST Software
2014-09-12 22:19 . 2014-04-26 16:01 502784 ----a-w- c:\windows\system32\usp10.dll
2014-09-12 22:19 . 2014-06-02 10:31 2263552 ----a-w- c:\windows\system32\msi.dll
2014-09-12 22:18 . 2014-06-02 10:30 1993728 ----a-w- c:\windows\system32\authui.dll
2014-09-12 22:18 . 2014-06-02 10:30 33280 ----a-w- c:\windows\system32\appinfo.dll
2014-09-12 22:18 . 2014-06-02 08:56 82432 ----a-w- c:\windows\system32\consent.exe
2014-09-12 22:18 . 2014-06-02 10:31 332800 ----a-w- c:\windows\system32\msihnd.dll
2014-09-12 22:18 . 2014-06-02 10:31 1218048 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2014-09-12 22:18 . 2014-06-02 10:30 937472 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-09-12 22:18 . 2014-06-02 10:30 983552 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2014-09-12 22:18 . 2014-06-02 10:30 965120 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2014-09-12 22:17 . 2014-04-05 02:42 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
2014-09-12 22:17 . 2013-10-30 02:12 335360 ----a-w- c:\windows\system32\SysFxUI.dll
2014-09-12 22:17 . 2013-10-30 01:43 130048 ----a-w- c:\windows\system32\drivers\drmk.sys
2014-09-12 22:17 . 2013-10-30 00:43 167936 ----a-w- c:\windows\system32\drivers\portcls.sys
2014-09-12 22:16 . 2014-06-07 02:08 1305088 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tipskins.dll
2014-09-12 22:16 . 2014-06-07 02:08 149504 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\tabskb.dll
2014-09-12 22:16 . 2014-06-07 02:08 114688 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\TipBand.dll
2014-09-12 22:16 . 2014-06-14 00:44 638400 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-09-12 22:16 . 2014-06-14 00:33 37376 ----a-w- c:\windows\system32\cdd.dll
2014-09-12 22:16 . 2014-06-06 08:59 506880 ----a-w- c:\windows\system32\qedit.dll
2014-09-12 22:15 . 2014-07-08 00:46 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-12 22:13 . 2014-05-30 06:53 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2014-09-12 22:11 . 2014-09-12 22:26 -------- d-----w- c:\users\JIMS\AppData\Local\Google
2014-09-12 22:11 . 2014-09-12 22:15 -------- d-----w- c:\program files\Google
2014-09-12 22:11 . 2014-03-10 01:22 1401344 ----a-w- c:\windows\system32\msxml6.dll
2014-09-12 22:11 . 2014-03-10 01:22 1248768 ----a-w- c:\windows\system32\msxml3.dll
2014-09-12 22:09 . 2014-09-12 22:09 -------- d-----w- c:\program files\AVAST Software
2014-09-12 22:07 . 2014-09-12 22:09 -------- d-----w- c:\programdata\AVAST Software
2014-09-12 21:53 . 2014-01-30 07:46 876032 ----a-w- c:\windows\system32\wer.dll
2014-09-12 21:45 . 2014-09-12 21:45 -------- d-----w- c:\program files\Microsoft.NET
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-24 00:58 . 2013-02-15 23:34 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-24 00:57 . 2013-02-15 23:34 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-15 14:06 . 2013-02-15 22:50 231568 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-09-12 22:09 578240 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-09-12 4085896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-25 04:59 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-09-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-15 00:58]
.
2014-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-12 22:11]
.
2014-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-09-12 22:11]
.
2014-09-26 c:\windows\Tasks\MyTurboPC Startup.job
- c:\program files\MyTurboPC.com\MyTurboPC\mtpc.exe [2014-05-11 02:23]
.
2014-09-26 c:\windows\Tasks\MyTurboPC.com Registration3.job
- c:\program files\Common Files\MyTurboPC.com\UUS3\UUS3.dll [2014-05-11 02:24]
.
2014-09-24 c:\windows\Tasks\MyTurboPC.com Update3.job
- c:\program files\common files\myturbopc.com\uus3\Update3.exe [2014-05-11 02:24]
.
2014-09-24 c:\windows\Tasks\MyTurboPC.com Update3_triggeronce.job
- c:\program files\common files\myturbopc.com\uus3\Update3.exe [2014-05-11 02:24]
.
2014-09-26 c:\windows\Tasks\MyTurboPC_sch_6F74FA2F-443E-11E4-8CCC-001E903ED46D.job
- c:\program files\MyTurboPC.com\MyTurboPC\mtpc.exe [2014-05-11 02:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
TCP: DhcpNameServer = 208.180.42.68 208.180.42.100
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ShopAtHomeWatcher - c:\users\JIMS\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe
HKLM-Run-ShopAtHomeUpdater - c:\users\JIMS\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil32_11_9_900_117_ActiveX.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
Rootkit scan 2014-09-26 18:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\JIMS\AppData\Local\Temp\~DF194E.tmp 32768 bytes
c:\users\JIMS\AppData\Local\Temp\~DF1C52.tmp 16384 bytes
c:\users\JIMS\AppData\Local\Temp\~DF96B5.tmp 16384 bytes
c:\users\JIMS\AppData\Local\Temp\~DFAF66.tmp 512 bytes
c:\users\JIMS\AppData\Local\Temp\~DFBCD5.tmp 16384 bytes
c:\users\JIMS\AppData\Local\Temp\~DFD579.tmp 16384 bytes
C:\avast! sandbox
.
scan completed successfully
hidden files: 7
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2014-09-26 18:11:38
ComboFix-quarantined-files.txt 2014-09-26 23:11
.
Pre-Run: 150,140,203,008 bytes free
Post-Run: 150,065,119,232 bytes free
.
- - End Of File - - 2792222F6BD5E5A11DEEDD4B843017E5
5C616939100B85E558DA92B899A0FC36