Here is the report from ComboFix, Broni...!
ComboFix 13-06-30.01 - Sony 02/07/2013 0:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.62.1033.18.2038.1024 [GMT 7:00]
Running from: c:\users\Sony\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\spsys.log
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2013-06-01 to 2013-07-01 )))))))))))))))))))))))))))))))
.
.
2013-07-01 18:12 . 2013-07-01 18:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-06-25 16:31 . 2013-06-25 16:30 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-25 16:30 . 2013-06-25 16:30 -------- d-----w- c:\program files\Java
2013-06-25 13:27 . 2013-06-25 13:30 -------- d-----w- c:\users\Sony\.matplotlib
2013-06-25 13:27 . 2013-06-25 13:27 -------- d-----w- c:\users\Sony\.curveexpert
2013-06-25 13:26 . 2013-06-25 13:26 -------- d-----w- c:\program files\CurveExpert Professional
2013-06-25 12:44 . 2013-06-25 12:44 -------- d-----w- c:\users\Sony\.graphexpert
2013-06-25 12:42 . 2013-06-25 12:42 -------- d-----w- c:\program files\GraphExpert Professional
2013-06-25 12:06 . 2013-06-25 13:00 -------- d-----w- c:\program files\CurveExpert
2013-06-25 12:06 . 2013-06-25 12:06 -------- d-----w- c:\users\Sony\AppData\Roaming\CurveExpert
2013-06-25 12:06 . 2013-06-25 12:06 -------- d-----w- c:\program files\DigXY
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-28 23:16 . 2008-01-21 02:24 52736 ----a-w- c:\windows\system32\dnscacheugc.exe
2013-06-28 23:16 . 2008-01-21 02:24 80384 ----a-w- c:\windows\system32\expand.exe
2013-06-28 23:16 . 2008-01-21 02:25 68096 ----a-w- c:\windows\system32\lodctr.exe
2013-06-28 23:16 . 2008-01-21 02:25 61440 ----a-w- c:\windows\system32\unlodctr.exe
2013-06-28 23:16 . 2008-01-21 02:24 69120 ----a-w- c:\windows\system32\auditpol.exe
2013-06-28 23:16 . 2006-11-02 08:52 172032 ----a-w- c:\windows\system32\iscsicli.exe
2013-06-28 23:16 . 2008-01-21 02:23 83968 ----a-w- c:\windows\system32\wermgr.exe
2013-06-28 23:16 . 2008-01-21 02:24 63488 ----a-w- c:\windows\system32\UI0Detect.exe
2013-06-28 23:16 . 2008-01-21 02:24 105472 ----a-w- c:\windows\system32\wbem\WinMgmt.exe
2013-06-28 23:16 . 2008-01-21 02:23 43008 ----a-w- c:\windows\system32\bridgeunattend.exe
2013-06-28 23:16 . 2008-01-21 02:24 93696 ----a-w- c:\windows\system32\MuiUnattend.exe
2013-06-28 23:16 . 2008-01-21 02:24 49152 ----a-w- c:\windows\system32\netbtugc.exe
2013-06-28 23:16 . 2008-01-21 02:24 50176 ----a-w- c:\windows\system32\netiougc.exe
2013-06-28 23:16 . 2006-11-02 08:33 102400 ----a-w- c:\windows\system32\newdev.exe
2013-06-28 23:16 . 2006-11-02 08:29 48640 ----a-w- c:\windows\system32\sdbinst.exe
2013-06-28 23:16 . 2008-01-21 02:24 34304 ----a-w- c:\windows\system32\CertEnrollCtrl.exe
2013-06-28 23:16 . 2008-01-21 02:24 109568 ----a-w- c:\windows\system32\consent.exe
2013-06-28 23:16 . 2008-01-21 02:25 47616 ----a-w- c:\windows\system32\vdsldr.exe
2013-06-28 23:16 . 2008-01-21 02:25 410624 ----a-w- c:\windows\system32\vds.exe
2013-06-28 23:16 . 2006-11-02 09:15 88064 ----a-w- c:\windows\system32\printui.exe
2013-06-28 23:16 . 2006-11-02 08:44 61952 ----a-w- c:\windows\system32\wlrmdr.exe
2013-06-28 23:16 . 2006-11-02 08:44 41984 ----a-w- c:\windows\system32\mpnotify.exe
2013-06-28 23:16 . 2008-01-21 02:25 346112 ----a-w- c:\windows\system32\rstrui.exe
2013-06-28 23:15 . 2008-01-21 02:24 109568 ----a-w- c:\windows\system32\dwm.exe
2013-06-28 23:15 . 2008-01-21 02:24 73728 ----a-w- c:\windows\system32\csrstub.exe
2013-06-28 23:15 . 2008-01-21 02:24 548352 ----a-w- c:\windows\system32\ntvdm.exe
2013-06-28 23:15 . 2006-11-02 08:58 44544 ----a-w- c:\windows\system32\rasautou.exe
2013-06-28 23:15 . 2008-01-21 02:23 220672 ----a-w- c:\windows\system32\recdisc.exe
2013-06-28 23:15 . 2008-01-21 02:24 129536 ----a-w- c:\windows\system32\drvinst.exe
2013-06-28 23:15 . 2006-11-02 08:33 108032 ----a-w- c:\windows\system32\hdwwiz.exe
2013-06-28 23:15 . 2006-11-02 09:11 42496 ----a-w- c:\windows\hh.exe
2013-06-25 16:30 . 2013-04-02 17:57 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-25 16:30 . 2013-04-02 17:57 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-16 16:35 . 2013-04-02 18:27 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-16 16:35 . 2013-04-02 18:27 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-10 20:18 . 2013-04-10 20:18 302368 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-04-10 06:58 . 2013-05-06 10:08 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-01-21 . 276EC654B19E9B5412CB8AC599C5D2B0 . 70656 . . [7.0.6001.18000] . . c:\windows\System32\wuauclt.exe
[-] 2008-01-21 . 276EC654B19E9B5412CB8AC599C5D2B0 . 70656 . . [7.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.0.6001.18000_none_a052d92e34802200\wuauclt.exe
[-] 2006-11-02 . 2BC663C2D37246D4410942F37F94BB5E . 69120 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_6.0.6000.16386_none_acab9aecacae685d\wuauclt.exe
.
[-] 2008-01-21 . F19FAE3A056BC242AB2E203ECC1A8951 . 34304 . . [6.0.6000.16386] . . c:\windows\System32\userinit.exe
[-] 2008-01-21 . F19FAE3A056BC242AB2E203ECC1A8951 . 34304 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
.
[-] 2008-01-21 . 0FD467727F18AB4952FB5153F9070802 . 2936320 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[-] 2008-01-21 . 0FD467727F18AB4952FB5153F9070802 . 2936320 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
.
[-] 2008-01-21 . 7C04F1095E486D7369422CDDE87B510D . 162304 . . [6.0.6000.16386] . . c:\windows\regedit.exe
[-] 2008-01-21 . 7C04F1095E486D7369422CDDE87B510D . 162304 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe
.
[-] 2006-11-02 . C3E6E9E13CAC04C11B22208C3ECD1634 . 17920 . . [6.0.6000.16386] . . c:\windows\System32\ctfmon.exe
[-] 2006-11-02 . C3E6E9E13CAC04C11B22208C3ECD1634 . 17920 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.0.6000.16386_none_9af9cad793a67953\ctfmon.exe
.
[-] 2008-01-21 . 84E1F8E4FF2D1CAB4486EB66827227A0 . 653312 . . [7.00.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\iexplore.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-07 22:07 1929392 ----a-w- c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\14.2.0.1\AVG Secure Search_toolbar.dll" [2012-04-07 1929392]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SM?RT-Protection"="c:\program files\Smadav\SM?RTP.exe" [?]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 229888]
"SDP"="c:\users\Sony\AppData\Local\FilesFrog Update Checker\update_checker.exe" [2013-01-31 201808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-07 1151152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-1 141312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 04:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIORegistration]
2007-10-17 22:40 20480 ----a-w- c:\program files\Sony\First Experience\WelcomeLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2007-07-20 23:30 606208 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2004-12-20 18:41 61440 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2012-05-24 21:25 6595928 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4233796626-77247870-3653744372-1000]
"EnableNotificationsRef"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ewuyqixb
esakzap
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-02 16:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = cache.itb.ac.id:8080
uInternet Settings,ProxyOverride = localhost;127.0.0.1;<local>
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
IE: Download dengan IDM - h:\software\IDMPortable\App\IDM\IEExt.htm
IE: Download semua link dengan IDM - h:\software\IDMPortable\App\IDM\IEGetAll.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 50.23.239.24 208.67.222.222
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\14.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Sony\AppData\Roaming\Mozilla\Firefox\Profiles\vahbyci0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.ftp - cache.itb.ac.id
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - cache.itb.ac.id
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - cache.itb.ac.id
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - cache.itb.ac.id
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - cache.itb.ac.id
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-05-06 16:49; testpilot@labs.mozilla.com; c:\users\Sony\AppData\Roaming\Mozilla\Firefox\Profiles\vahbyci0.default\extensions\testpilot@labs.mozilla.com.xpi
FF - ExtSQL: !HIDDEN! 2013-04-13 22:14; speedanalysis@SpeedAnalysis.com; c:\users\Sony\AppData\Roaming\Mozilla\Extensions\speedanalysis@SpeedAnalysis.com
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-AirCardEnabler - (no file)
MSConfigStartUp-Acrobat Assistant 8 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-CorelDRAW Graphics Suite 11b - c:\program files\Corel\Corel Graphics 12\Languages\EN\Programs\registration.exe
AddRemove-SmartPCFix_is1 - c:\program files\SmartPCFix\unins000.exe
AddRemove-{A63E7492-A0BC-4BB9-89A7-352965222380} - c:\program files\InstallShield Installation Information\{A63E7492-A0BC-4BB9-89A7-352965222380}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-02 01:13
Windows 6.0.6001 Service Pack 1 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\esakzap]
"ServiceDll"="c:\program files\Internet Explorer\dmhfx.dll"
--
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ewuyqixb]
"ServiceDll"="c:\windows\system32\dmhfx.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2013-07-02 01:17:04
ComboFix-quarantined-files.txt 2013-07-01 18:17
.
Pre-Run: 26.040.496.128 bytes free
Post-Run: 26.243.256.320 bytes free
.
- - End Of File - - 34ED1F5E46CF6F7D623AA13F3554769D
5C616939100B85E558DA92B899A0FC36