
Suspicion of infection


  • This topic is locked
51 replies to this topic

#1 baguala

baguala

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 09 January 2015 - 02:14 AM

Hi,

 

My computer at the university:

 

Desktop computer: Dell Optiplex 9020

Windows 7 Enterprise SP1 (University computer)

IT installed Symantec Endpoint Protection, and I installed Malwarebytes Anti-Malware Premium (MBAM) and Malwarebytes Anti-Exploit Premium.

MBAM gives this error HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE/DisableConfig, but IT told me in an email that this "registry entry exists on ... staff computers the same as clients computer." I added it as an exemption in MBAM.

 

Copying files to my pendrive is slow. I had to reinstall W7 on my laptop due to some kind of malware, trojan... Maybe the pendrives that I used with the laptop could have infected my PC? In general, I find the system slow, but I already read your post regarding this and applied the measures. Maybe it is because of a University synchronizing program, but maybe not: the thing is that the hard drive is sometimes busy and everything is slowed down. Also, in Firefox ads appear that I think are fake (now I have Adblock Plus and NoScript active).

 

Something I did that I guess I should not have done is run ComboFix. I also installed some of the antispyware software you recommend, but it is now uninstalled.

 

Adding the DDS.txt and attaching Attach.txt. Thanks.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421  BrowserJavaVersion: 11.25.2
Run by ... at 16:49:41 on 2015-01-09
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.3510.1498 [GMT 13:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Application Virtualization\Client\AppVStreamingUX.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe
C:\Windows\CCM\CcmExec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\CCM\RemCtrl\CmRcService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\figuerlu\AppData\Local\Mozilla Firefox\plugin-container.exe
C:\Windows\CCM\SCNotification.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k regsvc
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
BHO: Symantec Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\ips\IPSBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_25\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office15\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_25\bin\jp2ssv.dll
mRun: [UevTrayApp] c:\program files\microsoft user experience virtualization\agent\UevTrayApp.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtkNGUI.exe /s
mRun: [RtHDVBg] c:\program files\realtek\audio\hda\RtHDVBg.exe /MAXX4
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\figuerlu\appdata\roaming\microsoft\windows\start menu\programs\startup\send to onenote.lnk - \\scps-2cyl72s\c$\program files\microsoft office\office15\ONENOTEM.EXE
uPolicies-Explorer: NoDrives = dword:0
uPolicies-Explorer: NoInternetIcon = dword:1
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
uPolicies-Explorer: HideSCAHealth = dword:1
uPolicies-Windows\System: ExcludeProfileDirs = Downloads;Music;Pictures;Videos;Saved Games;AppData\Roaming\Dropbox;Dropbox;
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:181
mPolicies-Explorer: NoMSAppLogo5ChannelNotify = dword:1
mPolicies-Explorer: UseDefaultTile = dword:1
mPolicies-Explorer: NoWebServices = dword:1
mPolicies-Explorer: NoPublishingWizard = dword:1
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: legalnoticecaption = Important - Staff and Guest User Acknowledgement
mPolicies-System: legalnoticetext = When using Victoria University of Wellington’s file sharing, information systems and internet facilities (whether on or through user access away from university campuses) you must comply with the Acceptable Use of Information Systems Statute, which can be viewed online at www.victoria.ac.nz/home/about/policy/its. These systems are made available for work purposes, however, a limited amount of responsible personal use is permitted. By using the University’s file sharing, information systems and internet facilities, you agree to comply with this statute. As staff, you acknowledge that a failure to do so may constitute a breach of the Staff Conduct Policy (http://www.victoria.ac.nz/home/about/policy/staff). Guest Users are held accountable against their respective organisations conduct policies and applicable legislation.
mPolicies-System: FilterAdministratorToken = dword:1
mPolicies-System: DefaultLogonDomain = Staff
mPolicies-System: DisableStartupSound = dword:1
mPolicies-Windows\System: UserPolicyMode = dword:1
mPolicies-Windows\System: UseOEMBackground = dword:1
mPolicies-Windows\System: AddAdminGroupToRUP = dword:1
mPolicies-Windows\System: CleanupProfiles = dword:180
mPolicies-Windows\System: UploadHiveMethod = dword:1
mPolicies-Windows\System: UploadHiveInterval = dword:7
mPolicies-Windows\System: UploadHiveTime = dword:3
IE: E&xport to Microsoft Excel - c:\program files\microsoft office\office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\program files\microsoft office\office15\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office15\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office15\ONBttnIELinkedNotes.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 10.100.32.30 10.100.32.32
TCP: Interfaces\{518AD91B-36A4-4006-9F17-48BD37259054} : DHCPNameServer = 10.100.32.30 10.100.32.32
Filter: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office15\MSOXMLMF.DLL
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - c:\program files\microsoft office\office15\MSOSB.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\drivers\amdkmpfd.sys [2012-9-15 23720]
R0 iaStorA;iaStorA;c:\windows\system32\drivers\iaStorA.sys [2013-5-9 524784]
R0 iaStorF;iaStorF;c:\windows\system32\drivers\iaStorF.sys [2013-5-9 26608]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2013-5-9 17032]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymDS.sys [2014-11-17 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymEFA.sys [2014-11-17 935512]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.4013.4013.105\data\definitions\bashdefs\20141210.012\BHDrvx86.sys [2014-12-13 1137368]
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450};Symantec Endpoint Protection 12.1.4013.4013.105 Settings Manager;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\ccSetx86.sys [2014-11-17 134744]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2014-12-26 47928]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.4013.4013.105\data\definitions\ipsdefs\20150107.011\IDSvix86.sys [2015-1-8 479448]
R1 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2014-12-26 75480]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\Ironx86.sys [2014-11-17 175192]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\symnets.sys [2014-11-17 341080]
R2 AppVClient;Microsoft App-V Client;c:\program files\microsoft application virtualization\client\AppVClient.exe [2013-11-7 630952]
R2 CmRcService;Configuration Manager Remote Control;c:\windows\ccm\remctrl\CmRcService.exe [2013-9-11 465592]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2014-12-26 555320]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-12-26 1871160]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-12-26 969016]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\ccSvcHst.exe [2014-11-17 144368]
R2 UevAgentService;User Experience Virtualization service;c:\program files\microsoft user experience virtualization\agent\driver\AgentService.exe [2014-2-2 1157824]
R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1e\agent\wakeup\WakeUpAgt.exe [2013-4-10 531248]
R3 AppvStrm;AppvStrm;c:\windows\system32\drivers\AppvStrm.sys [2013-11-7 82088]
R3 AppvVemgr;AppvVemgr;c:\windows\system32\drivers\AppvVemgr.sys [2013-11-7 120488]
R3 AppvVfs;AppvVfs;c:\windows\system32\drivers\AppvVfs.sys [2013-11-7 111272]
R3 e1dexpress;Intel® PRO/1000 PCI Express Network Connection Driver D;c:\windows\system32\drivers\e1d6232.sys [2013-5-9 368392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2014-12-16 111408]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2014-1-23 364504]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2013-5-9 359560]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2013-5-9 792712]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-12-26 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-12-26 114904]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-12-26 51928]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2013-5-9 56432]
R3 UevAgentDriver;UevAgentDriver;c:\windows\system32\drivers\Microsoft.Uev.AgentDriver.sys [2014-11-18 30976]
S1 SymEPSecFlt;SymEPSecFlt;c:\windows\system32\drivers\SymEPSecFlt.sys [2014-11-18 42928]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 NightWatchman;1E NightWatchman;c:\program files\1e\agent\nightwatchman\NwmSvc.exe [2013-4-10 1038656]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 irstrtdv;Intel® Rapid Start Technology Driver;c:\windows\system32\drivers\irstrtdv.sys [2013-5-9 36504]
S3 ISCT;Intel® Smart Connect Technology Device Driver;c:\windows\system32\drivers\ISCTD.sys [2013-5-9 40936]
S3 lpasvc;Microsoft Policy Platform Local Authority;c:\program files\microsoft policy platform\policyHost.exe [2012-8-2 48744]
S3 lppsvc;Microsoft Policy Platform Processor;c:\program files\microsoft policy platform\policyHost.exe [2012-8-2 48744]
S3 PNPMEM;Microsoft Memory Module Driver;c:\windows\system32\drivers\pnpmem.sys [2009-7-14 13312]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-11-18 14848]
S3 SNXPPALX;SUNIX Parallel Port Driver;c:\windows\system32\drivers\snxppalx.sys [2013-5-9 86392]
S3 SNXPSERX;SUNIX Serial Port Driver;c:\windows\system32\drivers\snxpserx.sys [2013-5-9 78712]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 SyDvCtrl;SyDvCtrl;c:\program files\symantec\symantec endpoint protection\12.1.4013.4013.105\bin\SyDvCtrl32.sys [2014-11-17 28576]
S3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2014-11-18 24064]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-11-18 49152]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2014-11-18 26880]
S3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
.
=============== Created Last 30 ================
.
2015-01-09 02:58:16    --------    d-----w-    c:\users\figuerlu\appdata\local\VS Revo Group
2015-01-09 02:58:11    --------    d-----w-    c:\programdata\VS Revo Group
2015-01-09 02:58:10    --------    d-----w-    c:\program files\VS Revo Group
2015-01-07 08:19:58    --------    d-----w-    c:\program files\Ghostgum
2015-01-07 08:18:00    --------    d-----w-    c:\program files\gs
2015-01-07 07:28:48    --------    d-----w-    c:\users\figuerlu\.asy
2015-01-07 06:36:28    --------    d-----w-    c:\program files\Asymptote
2015-01-06 07:12:27    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2015-01-06 07:12:10    --------    d-----w-    c:\programdata\Oracle
2014-12-31 01:33:18    --------    d-sh--w-    C:\$RECYCLE.BIN
2014-12-31 01:28:53    --------    d-----w-    c:\users\figuerlu\appdata\local\temp
2014-12-31 01:13:27    98816    ----a-w-    c:\windows\sed.exe
2014-12-31 01:13:27    256000    ----a-w-    c:\windows\PEV.exe
2014-12-31 01:13:27    208896    ----a-w-    c:\windows\MBR.exe
2014-12-30 01:47:26    --------    d-----w-    c:\users\figuerlu\appdata\local\webkit
2014-12-27 07:08:12    --------    d-----w-    c:\users\figuerlu\appdata\local\Intel_Corporation
2014-12-26 01:05:38    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-26 01:04:12    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-26 01:04:12    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-12-26 01:04:12    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-26 01:04:10    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-26 00:58:57    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2014-12-25 21:41:54    --------    d-----w-    c:\users\figuerlu\appdata\roaming\SUPERAntiSpyware.com
2014-12-25 21:41:34    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-12-25 21:30:10    --------    d-----w-    c:\programdata\Licenses
2014-12-25 21:30:08    129872    ----a-w-    c:\windows\system32\MSSTDFMT.DLL
2014-12-23 23:42:38    --------    d-----w-    c:\users\figuerlu\appdata\roaming\Enigma Software Group
.
==================== Find3M  ====================
.
2014-12-13 04:56:06    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-13 04:56:06    701104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-18 03:59:58    142936    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2014-11-18 03:59:36    42928    ----a-w-    c:\windows\system32\drivers\SymEPSecFlt.sys
2014-11-18 03:59:36    420752    ----a-w-    c:\windows\system32\SymVPN.dll
2014-11-18 03:59:36    361360    ----a-w-    c:\windows\system32\sysfer.dll
2014-11-18 03:59:36    33264    ----a-w-    c:\windows\system32\drivers\WGX.SYS
2014-11-18 03:59:36    136080    ----a-w-    c:\windows\system32\FwsVpn.dll
2014-11-18 03:59:36    126440    ----a-w-    c:\windows\system32\drivers\SysPlant.sys
2014-11-18 03:59:36    11152    ----a-w-    c:\windows\system32\sysferThunk.dll
2014-11-17 01:38:24    341080    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\symnets.sys
2014-11-17 01:38:22    935512    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymEFA.sys
2014-11-17 01:38:22    72880    ----a-w-    c:\windows\system32\drivers\Teefer.sys
2014-11-17 01:38:22    603224    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\srtsp.sys
2014-11-17 01:38:22    367704    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymDS.sys
2014-11-17 01:38:22    32344    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\srtspx.sys
2014-11-17 01:38:22    175192    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\Ironx86.sys
2014-11-17 01:38:22    134744    ----a-w-    c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\ccSetx86.sys
2014-11-11 02:44:32    186880    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-11 02:44:25    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-05 17:50:47    254464    ----a-w-    c:\windows\system32\generaltel.dll
2014-11-05 17:50:28    203776    ----a-w-    c:\windows\system32\aepdu.dll
2014-11-05 17:47:40    302592    ----a-w-    c:\windows\system32\aeinv.dll
2014-11-04 01:30:58    229000    ----a-w-    c:\windows\system32\MpSigStub.exe
2014-10-25 01:32:37    67584    ----a-w-    c:\windows\system32\packager.dll
2014-10-18 01:33:18    571904    ----a-w-    c:\windows\system32\oleaut32.dll
2014-10-14 01:56:19    136632    ----a-w-    c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 01:50:50    523776    ----a-w-    c:\windows\system32\termsrv.dll
2014-10-14 01:50:41    2363904    ----a-w-    c:\windows\system32\msi.dll
2014-10-14 01:50:39    1059840    ----a-w-    c:\windows\system32\lsasrv.dll
2014-10-14 01:47:30    146432    ----a-w-    c:\windows\system32\msaudite.dll
2014-10-14 01:46:02    681984    ----a-w-    c:\windows\system32\adtschema.dll
.
============= FINISH: 16:50:08.28 ===============
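The SERVICES / DRIVERS block above is one entry per line: a state letter (R running, S stopped), the Windows start-type digit (0 boot, 1 system, 2 auto, 3 manual), the service name, its display name, the image path, and the file date and size in brackets. FRST, which the next reply asks for, prints the same information in a slightly different order and adds the publisher in parentheses. The script below is an added example, not part of this post and not code from the DDS or FRST tools; it parses both layouts into one record type and flags entries whose binary sits outside the usual program directories or, on FRST lines, carries no publisher. The first five sample lines are copied from the logs in this thread; the last is a constructed entry under c:\users to exercise the check, and the list of trusted directories is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# DDS layout:  R0 name;display name;c:\path\file.sys [YYYY-M-D size]
DDS_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
# FRST layout: R2 name; C:\path\file.exe [size YYYY-MM-DD] (Publisher)
FRST_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);\s*"
    r"(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*"
    r"(?:\((?P<signer>[^)]*)\))?\s*$"
)

STATE = {"R": "running", "S": "stopped"}

# Assumed expected locations for service binaries on a managed Windows 7 build.
# A binary elsewhere deserves a second look; it is not by itself proof of malware.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\ccm",
    r"c:\windows\microsoft.net",
    r"c:\program files",
    r"c:\programdata",
)


@dataclass
class Entry:
    source: str            # "dds" or "frst"
    state: str             # "running" / "stopped"
    start: int             # start type: 0 boot, 1 system, 2 auto, 3 manual
    name: str
    command: str           # image path, possibly with arguments (svchost.exe -k ...)
    date: str
    size: int
    signer: Optional[str]  # FRST only; None for DDS lines


def parse_line(line: str) -> Optional[Entry]:
    """Parse one DDS or FRST service/driver line; return None for anything else."""
    m = DDS_RE.match(line)
    if m:
        return Entry("dds", STATE[m["state"]], int(m["start"]), m["name"],
                     m["path"], m["date"], int(m["size"]), None)
    m = FRST_RE.match(line)
    if m:
        return Entry("frst", STATE[m["state"]], int(m["start"]), m["name"],
                     m["path"], m["date"], int(m["size"]), m["signer"] or "")
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln.strip()) for ln in text.splitlines()) if e]


def binary_path(command: str) -> str:
    """Reduce 'svchost.exe -k netsvcs' style command lines to the image path, lowercased."""
    m = re.match(r'"?(.+?\.(?:exe|sys|dll))"?', command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def review(entry: Entry) -> List[str]:
    findings = []
    if not binary_path(entry.command).startswith(TRUSTED_DIRS):
        findings.append("binary outside standard program directories")
    if entry.source == "frst" and not entry.signer:
        findings.append("no publisher recorded by FRST")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map service name -> findings, for entries that have at least one."""
    result: Dict[str, List[str]] = {}
    for e in parse_log(text):
        f = review(e)
        if f:
            result[e.name] = f
    return result


# Sample lines: five copied from the DDS and FRST logs in this thread, plus one
# constructed entry under c:\users that exercises the directory check.
SAMPLE = r"""
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c010fad\0fad.105\x86\SymDS.sys [2014-11-17 367704]
R2 WakeUpAgt;1E WakeUp Agent;c:\program files\1e\agent\wakeup\WakeUpAgt.exe [2013-4-10 531248]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
R2 AppVClient; C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe [630952 2013-11-07] (Microsoft Corporation)
S2 NightWatchman; C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe [1038656 2013-04-10] (1E)
R1 example;Constructed test entry;c:\users\public\updater.sys [2015-1-5 12345]
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(f"{e.source:4} {e.state:8} start={e.start} {e.name:14} {binary_path(e.command)}")
    for name, findings in triage(SAMPLE).items():
        print(f"REVIEW {name}: {'; '.join(findings)}")
```

Feed it the whole pasted log rather than the sample; lines that are not service entries are simply skipped. The directory check is deliberately coarse: the point is to pull the handful of entries worth reading carefully out of fifty routine ones, not to decide on its own what is malicious.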

#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,883 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:05:51 PM

Posted 10 January 2015 - 11:02 AM

Hey my friend, :)
Please give me the ComboFix log.

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-bit or 64-bit Windows, see here.
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 baguala

baguala
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 10 January 2015 - 08:05 PM

Hi Machiavelli,

  • ComboFix.txt attached.
  • Symantec Endpoint Protection disabled, MBAM exited, and MBAE (Anti-Exploit) disabled.
  • I have W7 Enterprise 32-bit.
  • One doubt: I have to use my pendrives with this computer. What happens if there is malware, viruses... on them? Can I affect the cleaning process?
  • Attaching the requested logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-01-2015
Ran by figuerlu (administrator) on SCPS-9WQ4232 on 11-01-2015 13:58:29
Running from C:\Users\figuerlu\Desktop
Loaded Profile: figuerlu (Available profiles: admcampbes1 & figuerlu)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(1E) C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVStreamingUX.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Mozilla Corporation) C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Users\figuerlu\AppData\Local\Mozilla Firefox\plugin-container.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UevTrayApp] => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevTrayApp.exe [138432 2014-02-02] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-09] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [6155336 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe [953416 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoMSAppLogo5ChannelNotify] 1
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [NoInternetIcon] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.100.32.30 10.100.32.32

FireFox:
========
FF ProfilePath: C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default
FF Homepage: https://www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: NoScript - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-27]
FF Extension: Adblock Plus - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-27]
FF StartMenuInternet: FIREFOX.EXE - C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-03]
CHR Extension: (Google Docs) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-03]
CHR Extension: (Google Drive) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR Extension: (YouTube) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-03]
CHR Extension: (Google Search) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-03]
CHR Extension: (Google Sheets) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-03]
CHR Extension: (Google Wallet) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-03]
CHR Extension: (Gmail) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppVClient; C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe [630952 2013-11-07] (Microsoft Corporation)
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1160888 2013-09-11] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [465592 2013-09-11] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [279024 2013-05-09] (Intel Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 NightWatchman; C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe [1038656 2013-04-10] (1E)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2014-11-17] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe [1746576 2014-11-17] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [217272 2013-09-11] (Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\snac.exe [288656 2014-11-17] (Symantec Corporation)
R2 UevAgentService; C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe [1157824 2014-02-02] (Microsoft Corporation)
R2 WakeUpAgt; C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe [531248 2013-04-10] (1E)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [23720 2012-09-15] (Advanced Micro Devices, Inc.)
R3 AppvStrm; C:\Windows\System32\DRIVERS\appvStrm.sys [82088 2013-11-07] (Microsoft Corporation)
R3 AppvVemgr; C:\Windows\System32\DRIVERS\AppvVemgr.sys [120488 2013-11-07] (Microsoft Corporation)
R3 AppvVfs; C:\Windows\System32\DRIVERS\AppvVfs.sys [111272 2013-11-07] (Microsoft Corporation)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20141210.012\BHDrvx86.sys [1137368 2014-12-13] (Symantec Corporation)
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [134744 2014-11-17] (Symantec Corporation)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d6232.sys [368392 2013-05-09] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-12] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
R0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [524784 2013-05-09] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26608 2013-05-09] (Intel Corporation)
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150109.012\IDSvix86.sys [479448 2014-12-11] (Symantec Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [1655368 2013-05-09] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [36504 2013-05-09] (Intel Corporation)
S3 ISCT; C:\Windows\system32\drivers\ISCTD.sys [40936 2013-05-09] ()
R0 iusb3hcs; C:\Windows\System32\drivers\iusb3hcs.sys [17032 2013-05-09] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [359560 2013-05-09] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [792712 2013-05-09] (Intel Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-12-26] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [56432 2013-05-09] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150109.020\NAVENG.SYS [95704 2014-12-06] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150109.020\NAVEX15.SYS [1636696 2014-12-06] (Symantec Corporation)
S3 PNPMEM; C:\Windows\System32\DRIVERS\pnpmem.sys [13312 2009-07-14] (Microsoft Corporation)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2013-09-11] (Microsoft Corporation)
S3 SNXPPALX; C:\Windows\system32\drivers\snxppalx.sys [86392 2013-05-09] (SUNIX Co., Ltd.)
S3 SNXPSERX; C:\Windows\system32\drivers\snxpserx.sys [78712 2013-05-09] (SUNIX Co., Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSP.SYS [603224 2014-11-17] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSPX.SYS [32344 2014-11-17] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [28576 2014-11-17] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [367704 2014-11-17] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [935512 2014-11-17] (Symantec Corporation)
S1 SymEPSecFlt; C:\Windows\System32\Drivers\SymEPSecFlt.sys [42928 2014-11-18] ()
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-11-18] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [175192 2014-11-17] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [341080 2014-11-17] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [126440 2014-11-18] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [72880 2014-11-17] (Symantec Corporation)
R3 UevAgentDriver; C:\Windows\System32\DRIVERS\Microsoft.Uev.AgentDriver.sys [30976 2013-06-25] (Microsoft Corporation)
S3 catchme; \??\C:\Users\figuerlu\AppData\Local\Temp\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 13:58 - 2015-01-11 13:58 - 00016415 _____ () C:\Users\figuerlu\Desktop\FRST.txt
2015-01-11 13:58 - 2015-01-11 13:58 - 00000000 ____D () C:\FRST
2015-01-11 13:47 - 2015-01-11 13:47 - 01115648 _____ (Farbar) C:\Users\figuerlu\Desktop\FRST.exe
2015-01-11 13:36 - 2015-01-11 13:36 - 00023734 _____ () C:\Users\figuerlu\Desktop\combofix_20141231_desktop.txt
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\ProgramData\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Program Files\VS Revo Group
2015-01-09 13:56 - 2015-01-09 14:55 - 00000000 ____D () C:\Users\figuerlu\Desktop\conference_poster_6
2015-01-09 12:02 - 2015-01-09 13:39 - 00000000 ____D () C:\Users\figuerlu\Desktop\conference_poster_1
2015-01-08 13:52 - 2015-01-08 23:20 - 00000000 ____D () C:\Users\figuerlu\Desktop\prueba
2015-01-08 13:51 - 2015-01-08 13:51 - 00000000 ____D () C:\Users\figuerlu\Desktop\ex_poster-2
2015-01-08 12:02 - 2015-01-08 12:02 - 01110476 _____ () C:\Users\figuerlu\Downloads\7z920.exe
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\Program Files\7-Zip
2015-01-07 21:20 - 2015-01-09 11:58 - 00011500 _____ () C:\Users\figuerlu\gsview32.ini
2015-01-07 21:20 - 2015-01-07 21:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostgum
2015-01-07 21:19 - 2015-01-07 21:20 - 00000000 ____D () C:\Program Files\Ghostgum
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostscript
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\Program Files\gs
2015-01-07 21:17 - 2015-01-07 21:17 - 02032640 _____ () C:\Users\figuerlu\Downloads\gsv50w32.exe
2015-01-07 21:16 - 2015-01-07 21:16 - 13264811 _____ () C:\Users\figuerlu\Downloads\gs915w32.exe
2015-01-07 20:28 - 2015-01-07 20:28 - 00000000 ____D () C:\Users\figuerlu\.asy
2015-01-07 19:36 - 2015-01-07 19:36 - 00001744 _____ () C:\Users\admcampbes1\Desktop\Asymptote.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000886 _____ () C:\Users\admcampbes1\Desktop\Xasy.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Program Files\Asymptote
2015-01-07 19:35 - 2015-01-07 19:35 - 05457366 _____ () C:\Users\figuerlu\Downloads\asymptote-2.32-setup.exe
2015-01-06 20:39 - 2015-01-06 20:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Sun
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-06 20:07 - 2015-01-06 20:07 - 00638888 _____ (Oracle Corporation) C:\Users\figuerlu\Downloads\jxpiinstall.exe
2015-01-06 18:38 - 2014-08-05 18:11 - 00000165 ____H () C:\Users\figuerlu\Desktop\~$Presentation_SmN.pptx
2015-01-06 15:54 - 2015-01-11 13:54 - 00011956 __RSH () C:\Users\figuerlu\ntuser.pol
2015-01-02 11:40 - 2015-01-02 11:40 - 00001524 _____ () C:\Users\figuerlu\AppData\Local\recently-used.xbel
2014-12-31 14:39 - 2015-01-11 13:53 - 00042475 __RSH () C:\ProgramData\ntuser.pol
2014-12-31 14:33 - 2014-12-31 14:33 - 00023734 _____ () C:\ComboFix.txt
2014-12-31 14:13 - 2011-06-26 19:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-31 14:13 - 2010-11-08 06:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-31 14:13 - 2009-04-20 17:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-31 14:11 - 2014-12-31 14:33 - 00000000 ____D () C:\Qoobox
2014-12-31 14:11 - 2014-12-31 14:30 - 00000000 ____D () C:\Windows\erdnt
2014-12-31 14:10 - 2014-12-31 14:10 - 05604036 ____R (Swearware) C:\Users\figuerlu\Downloads\ComboFix.exe
2014-12-30 14:47 - 2014-12-30 14:47 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\webkit
2014-12-27 20:08 - 2014-12-27 20:08 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Intel_Corporation
2014-12-26 14:05 - 2015-01-11 13:11 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-26 14:04 - 2014-12-26 15:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-11-21 07:07 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-26 14:04 - 2014-11-21 07:07 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-26 14:03 - 2014-12-26 14:03 - 20447120 _____ (Malwarebytes Corporation ) C:\Users\figuerlu\Downloads\mbam_premium.exe
2014-12-26 13:59 - 2014-12-26 13:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-12-26 13:58 - 2014-12-26 13:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Exploit
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\SUPERAntiSpyware.com
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-12-26 10:40 - 2014-12-26 10:40 - 20905160 _____ (SUPERAntiSpyware) C:\Users\figuerlu\Downloads\SUPERAntiSpyware.exe
2014-12-26 10:30 - 2014-12-31 14:23 - 00000000 ____D () C:\ProgramData\TEMP
2014-12-26 10:30 - 2014-12-26 10:30 - 00000000 ____D () C:\ProgramData\Licenses
2014-12-26 10:30 - 2009-03-24 12:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\system32\MSSTDFMT.DLL
2014-12-26 10:27 - 2014-12-26 10:27 - 04095448 _____ (BrightFort LLC ) C:\Users\figuerlu\Downloads\spywareblastersetup50.exe
2014-12-24 12:42 - 2014-12-24 12:40 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Enigma Software Group
2014-12-24 11:32 - 2014-12-24 11:32 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Users\figuerlu\Downloads\SpyHunter-Installer.exe
2014-12-17 16:33 - 2015-01-06 13:32 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\vlc

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-11 13:56 - 2014-11-18 12:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-11 13:54 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu
2015-01-11 13:54 - 2014-12-02 16:03 - 00000552 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-11 13:46 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-11 13:46 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-11 13:01 - 2014-12-02 16:05 - 02093467 _____ () C:\Windows\WindowsUpdate.log
2015-01-10 18:01 - 2014-12-04 13:21 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2015-01-10 14:39 - 2010-11-21 10:01 - 00783834 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-09 21:11 - 2014-11-18 12:24 - 00000600 _____ () C:\Windows\SMSCFG.INI
2015-01-09 21:09 - 2009-07-14 17:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-09 21:08 - 2009-07-14 17:39 - 00036001 _____ () C:\Windows\setupact.log
2015-01-09 15:18 - 2014-12-03 16:37 - 00000314 ___SH () C:\Users\figuerlu\ntuser.ini
2015-01-07 22:09 - 2014-11-18 12:58 - 00002471 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-04 22:14 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.gimp-2.8
2015-01-04 21:27 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.matplotlib
2015-01-02 11:40 - 2014-12-04 12:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\gtk-2.0
2014-12-31 14:39 - 2010-11-21 10:48 - 00016370 _____ () C:\Windows\PFRO.log
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___RD () C:\Users\Public
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___HD () C:\Users\Default
2014-12-31 14:29 - 2009-07-14 15:04 - 00000215 _____ () C:\Windows\system.ini
2014-12-30 18:44 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\xm1
2014-12-26 13:58 - 2014-12-04 13:19 - 02962304 _____ (Malwarebytes ) C:\Users\figuerlu\Downloads\mbae-setup-1.05.1.1014.exe
2014-12-16 20:48 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Enthought Canopy (32-bit)
2014-12-16 20:46 - 2014-12-04 12:54 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Enthought
2014-12-16 20:45 - 2014-12-04 12:12 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-12-16 19:05 - 2009-07-14 17:33 - 00435592 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 12:36 - 2014-12-02 16:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center 2012 R2
2014-12-13 17:56 - 2014-11-18 12:58 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-12-13 17:56 - 2014-11-18 12:58 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-12-13 17:04 - 2014-12-04 12:38 - 24743106 _____ () C:\Users\figuerlu\Downloads\vlc-2.1.5-win32.exe
2014-12-13 17:03 - 2014-12-03 16:38 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Adobe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-04 00:27

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-01-2015
Ran by figuerlu at 2015-01-11 13:58:56
Running from C:\Users\figuerlu\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Symantec Endpoint Protection (Enabled - Up to date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Symantec Endpoint Protection (Enabled - Up to date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection (Enabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

1E Agent (HKLM\...\{A5C9DC72-9D3E-4C41-9E02-7820A0096037}) (Version: 6.5.0 - 1E)
7-Zip 9.20 (HKLM\...\7-Zip) (Version:  - )
Adobe Digital Editions 4.0 (HKLM\...\Adobe Digital Editions 4.0) (Version: 4.0 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\{755DDD59-9690-4F1A-BE9C-D39BDCFA77C9}) (Version: 12.1.3.153 - Adobe Systems, Inc)
Asymptote 2.32 (HKLM\...\Asymptote) (Version: 2.32 - )
Configuration Manager Client (Version: 5.00.7958.1000 - Microsoft Corporation) Hidden
Enthought Canopy (32-bit) (HKLM\...\{7C13AA42-1B81-4C70-963D-D2772F8D7F33}) (Version: 1.4.1.255 - Enthought, Inc.)
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.15) (Version: 9.15 - Artifex Software Inc.)
GSview 5.0 (HKLM\...\GSview 5.0) (Version: 5.0 - Ghostgum Software Pty Ltd)
Inkscape 0.48.5 (HKLM\...\Inkscape) (Version: 0.48.5 - )
Inkscape 0.48.5 (HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Inkscape) (Version: 0.48.5 - )
Intel® Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.18.10.3055 - Intel Corporation)
Java 8 Update 25 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Malwarebytes Anti-Exploit version 1.05.1.1016 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.05.1.1016 - Malwarebytes)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Application Virtualization (App-V) Client 5.0 Service Pack 2 (HKLM\...\{02b7afd0-93ce-400b-812d-e5ac298a6260}) (Version: 5.0.3361.0 - Microsoft Corporation)
Microsoft Application Virtualization (App-V) Client 5.0 Service Pack 2 x86 (HKLM\...\{8556995F-384F-4E13-90C8-C423BE9C7478}) (Version: 5.0.3361.0 - Microsoft Corporation)
Microsoft Application Virtualization Client en-US Language Pack x86 (HKLM\...\{172C76E6-5F0F-4DF8-964A-0FDD42DEBAA3}) (Version: 5.0.3361.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Project Professional 2013 (HKLM\...\Office15.PRJPRO) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft User Experience Virtualization (UE-V) update KB2927019 (HKLM\...\{b7be7ccb-e825-4291-8196-95cb412a0c2a}) (Version: 2.0.319.2 - Microsoft Corporation)
Microsoft User Experience Virtualization Agent (HKLM\...\{e7f590ad-0947-4f42-8739-2d519a5f210e}) (Version: 2.0.319.0 - Microsoft Corporation)
Microsoft Visio Professional 2013 (HKLM\...\Office15.VISPRO) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
MiKTeX 2.9 (HKLM\...\MiKTeX 2.9) (Version: 2.9 - MiKTeX.org)
Mozilla Firefox 34.0.5 (x86 en-US) (HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Mozilla Firefox 34.0.5 (x86 en-US)) (Version: 34.0.5 - Mozilla)
MPMS MultiVu (HKLM\...\{1001A3B7-C44F-11D3-80E0-00C04F59CFAE}) (Version:  - )
Origin91 (HKLM\...\{ADC55813-F4DD-47AA-94F3-CA35E1447E26}) (Version: 9.10.00 - OriginLab Corporation)
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PANalytical X'Pert Explorer Add-ons (HKLM\...\{3B86831E-E305-47B3-89A0-B4E6994E3758}) (Version: 1.3 - PANalytical B.V.)
PPMS MultiVu (HKLM\...\{04C07664-6755-11D5-8211-00C04F59D1BF}) (Version:  - )
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5946 - Realtek Semiconductor Corp.)
Service Pack 1 for Microsoft Office 2013 (KB2817430) 32-Bit Edition (HKLM\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{7F6C4883-A18C-459A-82C1-A2F9403F2DA6}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Project 2013 (KB2817433) 32-Bit Edition (HKLM\...\{90150000-003B-0000-0000-0000000FF1CE}_Office15.PRJPRO_{115B7592-B71D-4C27-AB34-34268FB199CA}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Visio 2013 (KB2817443) 32-Bit Edition (HKLM\...\{90150000-0051-0000-0000-0000000FF1CE}_Office15.VISPRO_{8D2E04ED-3350-4ECE-9D6E-3BC9A9A93A47}) (Version:  - Microsoft)
Symantec Endpoint Protection (HKLM\...\{A84E6630-FE81-4D1F-BBA0-4BFBCC1D9493}) (Version: 12.1.4013.4013 - Symantec Corporation)
Texmaker (HKLM\...\Texmaker) (Version:  - )
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{05187161-5C36-4324-A734-22BF37509F2D}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfTheoraDecoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{05A1D945-A794-44EF-B41A-2F851A117155}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfVorbisDecoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{121EA765-6D3F-4519-9686-A0BA6E5281A2}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfTheoraEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{1F3EFFE4-0E70-47C7-9C48-05EB99E20011}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfOggMux.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{3376086C-D6F9-4CE4-8B89-33CD570106B5}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfFLACDecoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{5C769985-C3E1-4F95-BEE7-1101C465F5FC}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfTheoraEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{5C94FE86-B93B-467F-BFC3-BD6C91416F9B}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfVorbisEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfNativeFLACSource.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{7036C2FE-A209-464C-97AB-95B9260EDBF7}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfSpeexEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{7605E26C-DE38-4B82-ADD8-FE2568CC0B25}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfSpeexDecoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{77E3A6A3-2A24-43FA-B929-00747E4B560B}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfFLACEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{7CC95AE6-C1FA-40CC-AB17-3E91DA2F77CA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\AxPlayer.dll (Xiph.Org)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{A538F05F-DC08-4BF9-994F-18A86CCA6CC4}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfVorbisEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{C9361F5A-3282-4944-9899-6D99CDC5370B}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfOggDemux2.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED3110F0-5211-11DF-94AF-0026B977EEAA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\webmmux.dll (Google)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED3110F3-5211-11DF-94AF-0026B977EEAA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\vp8decoder.dll (Google)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED3110F5-5211-11DF-94AF-0026B977EEAA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\vp8encoder.dll (Google)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED3110F8-5211-11DF-94AF-0026B977EEAA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\webmsplit.dll (Google)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED311102-5211-11DF-94AF-0026B977EEAA}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\vp8encoder.dll (Google)
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{ED79AEC0-68AD-4BE6-B06E-B4D3C8101624}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfSpeexEncoder.dll ()
CustomCLSID: HKU\S-1-5-21-776561741-1592454029-682003330-61491_Classes\CLSID\{EE66A998-4E5C-4E23-A0F3-97C40D87EC48}\InprocServer32 -> C:\Users\figuerlu\AppData\Local\Enthought\opencodecs\x86\dsfFLACEncoder.dll ()

==================== Restore Points  =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 15:04 - 2009-06-11 10:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {16A4477C-9D7A-4A5A-87F3-9F05183CF065} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: {3E73AA0D-A3BA-4E62-B23D-4DE85EC2A84B} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {3E8DAD5E-4309-4064-818D-9FEFEA79F929} - System32\Tasks\Microsoft\UE-V\Template Auto Update => C:\Program Files\Microsoft User Experience Virtualization\Agent\x86\ApplySettingsTemplateCatalog.exe [2014-02-02] (Microsoft Corporation)
Task: {4AB6B6A7-E0C0-499A-803F-83DEB6171F4B} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {5988D8FA-DC2D-4CFA-A3E7-A89314C97A6B} - System32\Tasks\Microsoft\UE-V\Upload CEIP data => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevSqmUploader.exe [2014-02-02] (Microsoft Corporation)
Task: {5F62E567-DBF8-49EC-BC58-0BE6565E9967} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle Detection
Task: {6B41D25B-02B5-40BB-908A-62773E1715BA} - System32\Tasks\Microsoft\UE-V\Synchronize Settings at Logoff => C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe [2014-02-02] (Microsoft Corporation)
Task: {94406E79-C6D6-4B9A-9F09-42EBCC8123E4} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {bc4293b3-c595-4fa4-abb2-dbbef2db43bb} SCPS-9WQ4232.staff.vuw.ac.nz => C:\Program Files\Microsoft Office\Office15\MsoSync.exe [2014-07-27] (Microsoft Corporation)
Task: {9C12E2DF-BA51-49E7-822B-9C4A58379208} - System32\Tasks\Microsoft\UE-V\Sync Controller Application => C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe [2014-02-02] (Microsoft Corporation)
Task: {C1C4C93B-C655-4524-994D-08B75600D1C1} - System32\Tasks\Microsoft\UE-V\Collect CEIP data => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevSqmSession.exe [2014-02-02] (Microsoft Corporation)
Task: {C484A082-4832-4590-A848-03173CB1725E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-13] (Adobe Systems Incorporated)
Task: {C7AB6DC4-B771-4962-9682-63CC53C120A6} - System32\Tasks\Microsoft\UE-V\Monitor Application Settings => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevAppMonitor.exe [2014-02-02] (Microsoft Corporation)
Task: {E7E36E11-9F71-4348-8C0C-2F175ADFB184} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Health Evaluation => C:\Windows\CCM\ccmeval.exe [2013-09-11] (Microsoft Corporation)
Task: {EC5895F9-B807-4548-8987-BC8CD57E52CE} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {EE46BFEE-AA9E-435A-9C45-1C711377BD9C} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-12-04 00:06 - 2014-11-27 05:40 - 03758192 _____ () C:\Users\figuerlu\AppData\Local\Mozilla Firefox\mozjs.dll
2014-12-13 17:03 - 2014-12-13 17:03 - 16843952 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Eddie (S-1-5-21-2326528282-869759336-2375333791-501 - Limited - Disabled)
vuwlocaladmin (S-1-5-21-2326528282-869759336-2375333791-500 - Administrator - Enabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/09/2015 09:09:34 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network path was not found.

Error: (01/09/2015 09:09:21 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/09/2015 03:30:58 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network path was not found.

Error: (01/09/2015 03:30:47 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/08/2015 11:30:03 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/07/2015 09:43:14 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network path was not found.

Error: (01/07/2015 09:43:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/07/2015 07:25:14 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off. This error may be caused by network problems or insufficient security rights.

 DETAIL - The network path was not found.

Error: (01/07/2015 07:25:04 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (01/06/2015 06:33:29 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (01/11/2015 01:19:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/11/2015 01:19:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/11/2015 01:19:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/11/2015 01:19:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (01/10/2015 02:38:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (01/10/2015 02:38:01 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (01/10/2015 02:38:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (01/10/2015 02:38:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (01/09/2015 09:11:25 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{05D1D5D8-18D1-4B83-85ED-A0F99D53C885}{AD65A69D-3831-40D7-9629-9B0B50A93843}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (01/09/2015 09:09:43 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1058) (User: STAFF)
Description: The processing of Group Policy failed. Windows attempted to read the file \\staff.vuw.ac.nz\sysvol\staff.vuw.ac.nz\Policies\{90FC9BB8-0801-48B6-B8F1-AA53B7AE2281}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.


Microsoft Office Sessions:
=========================
Error: (01/09/2015 09:09:34 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: The network path was not found.

Error: (01/09/2015 09:09:21 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/09/2015 03:30:58 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: The network path was not found.

Error: (01/09/2015 03:30:47 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/08/2015 11:30:03 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2015 09:43:14 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: The network path was not found.

Error: (01/07/2015 09:43:00 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/07/2015 07:25:14 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: The network path was not found.

Error: (01/07/2015 07:25:04 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/06/2015 06:33:29 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


==================== Memory info ===========================

Processor: Intel® Core™ i5-4570 CPU @ 3.20GHz
Percentage of memory in use: 49%
Total physical RAM: 3510.14 MB
Available physical RAM: 1764.64 MB
Total Pagefile: 7018.58 MB
Available Pagefile: 5050.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1883.71 MB

==================== Drives ================================

Drive c: (OS Disk) (Fixed) (Total:95 GB) (Free:30.57 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Local Disk) (Fixed) (Total:370.76 GB) (Free:349.77 GB) NTFS
Drive f: () (Removable) (Total:30.23 GB) (Free:8.64 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 6917684F)
Partition 1: (Active) - (Size=95 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=370.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 30.2 GB) (Disk ID: 6E697373)
No partition Table on disk 1.

==================== End Of Log ============================

Thanks.

Attached Files
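A small triage script for the FRST Addition.txt log above. This is an added example for this thread, not a tool from the helper, from FRST or from any post here. The sample it parses is constructed from a handful of lines copied out of the scheduled-task, loaded-module and event-log sections of that log. It pulls out the tasks and modules that FRST printed without a publisher string and counts the repeating event-log errors, including which \Device\HarddiskN\DRn each Disk event 11 names. Whether that device is the removable drive is a cross-check against the Drives and MBR sections of the same log, which the script does not attempt. The regular expressions are written against the FRST line formats visible above; they are assumptions about FRST's output, not its documented grammar.

```python
"""Triage a Farbar Recovery Scan Tool (FRST) Addition.txt log.

Added example for this thread; it is not part of FRST or of any post
above. It understands three FRST line formats (scheduled tasks, loaded
modules, event-log errors) and reports what a helper usually checks
first: tasks and modules with no publisher string, and which event-log
errors repeat and against which disk device. SAMPLE is constructed from
lines quoted from the log posted above.
"""
import re
from collections import Counter

# Task: {GUID} - System32\Tasks\<name> => <target> [YYYY-MM-DD] (Publisher)
# target, date and publisher are each optional in FRST output (assumption
# drawn from the lines above, not from FRST documentation).
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>.+?)"
    r"(?: => (?P<target>.+?))?"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^)]*)\))?$"
)
# <created> - <modified> - <size> <attrs> (Publisher) <path>
MODULE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<publisher>[^)]*)\) (?P<path>.+)$"
)
# Error: (<time>) (Source: <source>) (EventID: <id>) (User: <user>)
EVENT_RE = re.compile(
    r"^Error: \((?P<time>[^)]+)\) \(Source: (?P<source>[^)]+)\) "
    r"\(EventID: (?P<id>\d+)\)"
)
DEVICE_RE = re.compile(r"\\Device\\Harddisk\d+\\DR\d+")

# Constructed sample: lines copied from the log above, nothing else.
SAMPLE = r"""
Task: {16A4477C-9D7A-4A5A-87F3-9F05183CF065} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: {3E73AA0D-A3BA-4E62-B23D-4DE85EC2A84B} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {4AB6B6A7-E0C0-499A-803F-83DEB6171F4B} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {5F62E567-DBF8-49EC-BC58-0BE6565E9967} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle Detection
Task: {C484A082-4832-4590-A848-03173CB1725E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-13] (Adobe Systems Incorporated)
2014-12-04 00:06 - 2014-11-27 05:40 - 03758192 _____ () C:\Users\figuerlu\AppData\Local\Mozilla Firefox\mozjs.dll
2014-12-13 17:03 - 2014-12-13 17:03 - 16843952 _____ () C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll
Error: (01/09/2015 09:09:34 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1521) (User: STAFF)
Description: Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile.
Error: (01/11/2015 01:19:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (01/11/2015 01:19:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (01/10/2015 02:38:02 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
"""


def parse_tasks(lines):
    """Return one dict per 'Task:' line; fields FRST omitted come back as None."""
    return [m.groupdict() for m in map(TASK_RE.match, lines) if m]


def tasks_without_publisher(tasks):
    """Tasks FRST printed with no '(Publisher)' suffix. Worth a manual look,
    not proof of anything: a bare 'Sc.exe start ...' command line has none."""
    return [t["name"] for t in tasks if not t["publisher"]]


def modules_without_publisher(lines):
    """Loaded modules whose version resource carried no company name: '()'."""
    return [m["path"] for m in map(MODULE_RE.match, lines)
            if m and not m["publisher"].strip()]


def summarize_events(lines):
    """Count errors per (source, event id), and count each disk device named
    in the Description line that directly follows an Error line."""
    counts, devices = Counter(), Counter()
    for i, line in enumerate(lines):
        m = EVENT_RE.match(line)
        if not m:
            continue
        counts[(m["source"], int(m["id"]))] += 1
        if i + 1 < len(lines) and lines[i + 1].startswith("Description:"):
            devices.update(DEVICE_RE.findall(lines[i + 1]))
    return counts, devices


def triage(text):
    """Run all three checks over a log and return the findings as one dict."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    counts, devices = summarize_events(lines)
    return {
        "tasks_without_publisher": tasks_without_publisher(parse_tasks(lines)),
        "modules_without_publisher": modules_without_publisher(lines),
        "event_counts": dict(counts),
        "disk_devices": dict(devices),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key)
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run it as a script to print the summary for the constructed sample, or import it and call triage() on the text of a full Addition.txt. An empty "()" publisher only means the file's version resource has no company name (the Firefox mozjs.dll above is an ordinary case); it is a prompt to look at the file, not a verdict on it.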



#4 Machiavelli (Malware Response Instructor, Germany)

Posted 11 January 2015 - 07:43 AM

Hey,

"What happens if there is malware, viruses... in them? Can I affect the cleaning process?"

Leave it connected to your system. :)

Step 1: AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits


Go back to the Dashboard and select Scan Now


If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.


On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#5 baguala (Topic Starter)

Posted 12 January 2015 - 07:00 PM

Hi,

AdwCleaner log

# AdwCleaner v4.107 - Report created 13/01/2015 at 11:57:16
# Updated 07/01/2015 by Xplode
# Database : 2015-01-12.3 [Live]
# Operating System : Windows 7 Enterprise Service Pack 1 (32 bits)
# Username : figuerlu - SCPS-9WQ4232
# Running from : C:\Users\figuerlu\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\figuerlu\AppData\Local\CrashRpt

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16421


-\\ Mozilla Firefox v


-\\ Google Chrome v


*************************

AdwCleaner[R0].txt - [823 octets] - [13/01/2015 11:54:59]
AdwCleaner[S0].txt - [747 octets] - [13/01/2015 11:57:16]

########## EOF - H:\AdwCleaner\AdwCleaner[S0].txt - [806 octets] ##########

MBAM log

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 13/01/2015 01:11:37, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.3, 2015.1.12.4,
Protection, 13/01/2015 01:11:37, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 01:11:37, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 01:11:37, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 01:11:40, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 01:11:40, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 01:11:41, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Update, 13/01/2015 04:07:12, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.4, 2015.1.12.5,
Protection, 13/01/2015 04:07:12, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 04:07:12, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 04:07:12, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 04:07:15, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 04:07:15, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 04:07:15, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Update, 13/01/2015 06:03:36, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.5, 2015.1.12.6,
Protection, 13/01/2015 06:03:36, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 06:03:36, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 06:03:36, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 06:03:39, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 06:03:39, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 06:03:39, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Update, 13/01/2015 06:45:17, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.6, 2015.1.12.7,
Protection, 13/01/2015 06:45:17, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 06:45:17, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 06:45:17, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 06:45:20, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 06:45:20, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 06:45:20, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Update, 13/01/2015 08:50:54, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.7, 2015.1.12.8,
Protection, 13/01/2015 08:50:54, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 08:50:54, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 08:50:54, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 08:50:57, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 08:50:57, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 08:50:57, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Update, 13/01/2015 09:59:10, SYSTEM, SCPS-9WQ4232, Scheduler, Malware Database, 2015.1.12.8, 2015.1.12.9,
Protection, 13/01/2015 09:59:10, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Starting,
Protection, 13/01/2015 09:59:10, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 09:59:10, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 09:59:14, SYSTEM, SCPS-9WQ4232, Protection, Refresh, Success,
Protection, 13/01/2015 09:59:14, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 09:59:14, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Protection, 13/01/2015 11:44:22, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopping,
Protection, 13/01/2015 11:44:22, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Stopped,
Protection, 13/01/2015 11:44:22, SYSTEM, SCPS-9WQ4232, Protection, Malware Protection, Stopping,
Protection, 13/01/2015 11:44:37, SYSTEM, SCPS-9WQ4232, Protection, Malware Protection, Stopped,
Protection, 13/01/2015 12:02:47, SYSTEM, SCPS-9WQ4232, Protection, Malware Protection, Starting,
Protection, 13/01/2015 12:02:47, SYSTEM, SCPS-9WQ4232, Protection, Malware Protection, Started,
Protection, 13/01/2015 12:02:47, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Starting,
Protection, 13/01/2015 12:02:48, SYSTEM, SCPS-9WQ4232, Protection, Malicious Website Protection, Started,
Scan, 13/01/2015 12:33:34, SYSTEM, SCPS-9WQ4232, Manual, Start:13/01/2015 12:13:55, Duration:19 min 3 sec, Threat Scan, Completed, 1 Malware Detection, 0 Non-Malware Detections,

(end)

JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Enterprise x86
Ran by figuerlu on Tue 13/01/2015 at 12:39:56.09
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 13/01/2015 at 12:47:01.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FRST log

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-01-2015 02
Ran by figuerlu (administrator) on SCPS-9WQ4232 on 13-01-2015 12:49:08
Running from C:\Users\figuerlu\Desktop
Loaded Profile: figuerlu (Available profiles: admcampbes1 & figuerlu)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(1E) C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVStreamingUX.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Thisisu) C:\Users\figuerlu\Desktop\JRT.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Mozilla Corporation) C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UevTrayApp] => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevTrayApp.exe [138432 2014-02-02] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-09] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [6155336 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe [953416 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoMSAppLogo5ChannelNotify] 1
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [NoInternetIcon] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.100.32.30 10.100.32.32

FireFox:
========
FF ProfilePath: C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default
FF Homepage: https://www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: NoScript - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-27]
FF Extension: Adblock Plus - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-27]
FF StartMenuInternet: FIREFOX.EXE - C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-03]
CHR Extension: (Google Docs) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-03]
CHR Extension: (Google Drive) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR Extension: (YouTube) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-03]
CHR Extension: (Google Search) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-03]
CHR Extension: (Google Sheets) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-03]
CHR Extension: (Google Wallet) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-03]
CHR Extension: (Gmail) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppVClient; C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe [630952 2013-11-07] (Microsoft Corporation)
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1160888 2013-09-11] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [465592 2013-09-11] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [279024 2013-05-09] (Intel Corporation)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 NightWatchman; C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe [1038656 2013-04-10] (1E)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2014-11-17] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe [1746576 2014-11-17] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [217272 2013-09-11] (Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\snac.exe [288656 2014-11-17] (Symantec Corporation)
R2 UevAgentService; C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe [1157824 2014-02-02] (Microsoft Corporation)
R2 WakeUpAgt; C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe [531248 2013-04-10] (1E)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [23720 2012-09-15] (Advanced Micro Devices, Inc.)
R3 AppvStrm; C:\Windows\System32\DRIVERS\appvStrm.sys [82088 2013-11-07] (Microsoft Corporation)
R3 AppvVemgr; C:\Windows\System32\DRIVERS\AppvVemgr.sys [120488 2013-11-07] (Microsoft Corporation)
R3 AppvVfs; C:\Windows\System32\DRIVERS\AppvVfs.sys [111272 2013-11-07] (Microsoft Corporation)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20141210.012\BHDrvx86.sys [1137368 2014-12-13] (Symantec Corporation)
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [134744 2014-11-17] (Symantec Corporation)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d6232.sys [368392 2013-05-09] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-12] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
R0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [524784 2013-05-09] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26608 2013-05-09] (Intel Corporation)
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150109.012\IDSvix86.sys [479448 2014-12-11] (Symantec Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [1655368 2013-05-09] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [36504 2013-05-09] (Intel Corporation)
S3 ISCT; C:\Windows\system32\drivers\ISCTD.sys [40936 2013-05-09] ()
R0 iusb3hcs; C:\Windows\System32\drivers\iusb3hcs.sys [17032 2013-05-09] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [359560 2013-05-09] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [792712 2013-05-09] (Intel Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-12-26] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [56432 2013-05-09] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150112.002\NAVENG.SYS [95704 2014-12-06] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150112.002\NAVEX15.SYS [1636696 2014-12-06] (Symantec Corporation)
S3 PNPMEM; C:\Windows\System32\DRIVERS\pnpmem.sys [13312 2009-07-14] (Microsoft Corporation)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2013-09-11] (Microsoft Corporation)
S3 SNXPPALX; C:\Windows\system32\drivers\snxppalx.sys [86392 2013-05-09] (SUNIX Co., Ltd.)
S3 SNXPSERX; C:\Windows\system32\drivers\snxpserx.sys [78712 2013-05-09] (SUNIX Co., Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSP.SYS [603224 2014-11-17] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSPX.SYS [32344 2014-11-17] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [28576 2014-11-17] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [367704 2014-11-17] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [935512 2014-11-17] (Symantec Corporation)
S1 SymEPSecFlt; C:\Windows\System32\Drivers\SymEPSecFlt.sys [42928 2014-11-18] ()
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-11-18] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [175192 2014-11-17] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [341080 2014-11-17] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [126440 2014-11-18] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [72880 2014-11-17] (Symantec Corporation)
R3 UevAgentDriver; C:\Windows\System32\DRIVERS\Microsoft.Uev.AgentDriver.sys [30976 2013-06-25] (Microsoft Corporation)
S3 catchme; \??\C:\Users\figuerlu\AppData\Local\Temp\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 12:49 - 2015-01-13 12:49 - 00016603 _____ () C:\Users\figuerlu\Desktop\FRST.txt
2015-01-13 12:48 - 2015-01-13 12:48 - 01115648 _____ (Farbar) C:\Users\figuerlu\Desktop\FRST.exe
2015-01-13 12:47 - 2015-01-13 12:47 - 00000634 _____ () C:\Users\figuerlu\Desktop\JRT.txt
2015-01-13 12:39 - 2015-01-13 12:39 - 00000000 ____D () C:\Windows\ERUNT
2015-01-13 12:38 - 2015-01-13 12:38 - 01707939 _____ (Thisisu) C:\Users\figuerlu\Desktop\JRT.exe
2015-01-13 12:36 - 2015-01-13 12:36 - 00005370 _____ () C:\Users\figuerlu\Desktop\MBAM_20150113.txt
2015-01-13 11:47 - 2015-01-13 11:47 - 02191360 _____ () C:\Users\figuerlu\Desktop\AdwCleaner.exe
2015-01-12 15:02 - 2014-12-19 10:47 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\ImgBurn
2015-01-11 13:58 - 2015-01-13 12:49 - 00000000 ____D () C:\FRST
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\ProgramData\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Program Files\VS Revo Group
2015-01-08 12:02 - 2015-01-08 12:02 - 01110476 _____ () C:\Users\figuerlu\Downloads\7z920.exe
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\Program Files\7-Zip
2015-01-07 21:20 - 2015-01-09 11:58 - 00011500 _____ () C:\Users\figuerlu\gsview32.ini
2015-01-07 21:20 - 2015-01-07 21:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostgum
2015-01-07 21:19 - 2015-01-07 21:20 - 00000000 ____D () C:\Program Files\Ghostgum
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostscript
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\Program Files\gs
2015-01-07 21:17 - 2015-01-07 21:17 - 02032640 _____ () C:\Users\figuerlu\Downloads\gsv50w32.exe
2015-01-07 21:16 - 2015-01-07 21:16 - 13264811 _____ () C:\Users\figuerlu\Downloads\gs915w32.exe
2015-01-07 20:28 - 2015-01-07 20:28 - 00000000 ____D () C:\Users\figuerlu\.asy
2015-01-07 19:36 - 2015-01-07 19:36 - 00001744 _____ () C:\Users\admcampbes1\Desktop\Asymptote.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000886 _____ () C:\Users\admcampbes1\Desktop\Xasy.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Program Files\Asymptote
2015-01-07 19:35 - 2015-01-07 19:35 - 05457366 _____ () C:\Users\figuerlu\Downloads\asymptote-2.32-setup.exe
2015-01-06 20:39 - 2015-01-06 20:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Sun
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-06 20:07 - 2015-01-06 20:07 - 00638888 _____ (Oracle Corporation) C:\Users\figuerlu\Downloads\jxpiinstall.exe
2015-01-06 18:38 - 2014-08-05 18:11 - 00000165 ____H () C:\Users\figuerlu\Desktop\~$Presentation_SmN.pptx
2015-01-06 15:54 - 2015-01-13 12:08 - 00011956 __RSH () C:\Users\figuerlu\ntuser.pol
2015-01-02 11:40 - 2015-01-02 11:40 - 00001524 _____ () C:\Users\figuerlu\AppData\Local\recently-used.xbel
2014-12-31 14:39 - 2015-01-13 12:02 - 00042475 __RSH () C:\ProgramData\ntuser.pol
2014-12-31 14:33 - 2014-12-31 14:33 - 00023734 _____ () C:\ComboFix.txt
2014-12-31 14:13 - 2011-06-26 19:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-31 14:13 - 2010-11-08 06:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-31 14:13 - 2009-04-20 17:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-31 14:11 - 2014-12-31 14:33 - 00000000 ____D () C:\Qoobox
2014-12-31 14:11 - 2014-12-31 14:30 - 00000000 ____D () C:\Windows\erdnt
2014-12-31 14:10 - 2014-12-31 14:10 - 05604036 ____R (Swearware) C:\Users\figuerlu\Downloads\ComboFix.exe
2014-12-30 14:47 - 2014-12-30 14:47 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\webkit
2014-12-27 20:08 - 2014-12-27 20:08 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Intel_Corporation
2014-12-26 14:05 - 2015-01-13 12:08 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-26 14:04 - 2014-12-26 15:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-11-21 07:07 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-26 14:04 - 2014-11-21 07:07 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-26 14:03 - 2014-12-26 14:03 - 20447120 _____ (Malwarebytes Corporation ) C:\Users\figuerlu\Downloads\mbam_premium.exe
2014-12-26 13:59 - 2014-12-26 13:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-12-26 13:58 - 2014-12-26 13:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Exploit
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\SUPERAntiSpyware.com
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-12-26 10:40 - 2014-12-26 10:40 - 20905160 _____ (SUPERAntiSpyware) C:\Users\figuerlu\Downloads\SUPERAntiSpyware.exe
2014-12-26 10:30 - 2014-12-31 14:23 - 00000000 ____D () C:\ProgramData\TEMP
2014-12-26 10:30 - 2014-12-26 10:30 - 00000000 ____D () C:\ProgramData\Licenses
2014-12-26 10:30 - 2009-03-24 12:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\system32\MSSTDFMT.DLL
2014-12-26 10:27 - 2014-12-26 10:27 - 04095448 _____ (BrightFort LLC ) C:\Users\figuerlu\Downloads\spywareblastersetup50.exe
2014-12-24 12:42 - 2014-12-24 12:40 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Enigma Software Group
2014-12-24 11:32 - 2014-12-24 11:32 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Users\figuerlu\Downloads\SpyHunter-Installer.exe
2014-12-17 16:33 - 2015-01-06 13:32 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\vlc

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 12:33 - 2014-12-02 16:05 - 01172472 _____ () C:\Windows\WindowsUpdate.log
2015-01-13 12:10 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-13 12:10 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-13 12:08 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu
2015-01-13 12:07 - 2014-12-02 16:03 - 00000552 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-13 12:05 - 2014-11-18 12:24 - 00000600 _____ () C:\Windows\SMSCFG.INI
2015-01-13 12:02 - 2010-11-21 10:48 - 00016680 _____ () C:\Windows\PFRO.log
2015-01-13 12:02 - 2009-07-14 17:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-13 12:02 - 2009-07-14 17:39 - 00036169 _____ () C:\Windows\setupact.log
2015-01-13 11:56 - 2014-11-18 12:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-13 11:36 - 2010-11-21 10:01 - 00783834 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 10:46 - 2014-12-04 13:21 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2015-01-09 15:18 - 2014-12-03 16:37 - 00000314 ___SH () C:\Users\figuerlu\ntuser.ini
2015-01-07 22:09 - 2014-11-18 12:58 - 00002471 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-04 22:14 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.gimp-2.8
2015-01-04 21:27 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.matplotlib
2015-01-02 11:40 - 2014-12-04 12:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\gtk-2.0
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___RD () C:\Users\Public
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___HD () C:\Users\Default
2014-12-31 14:29 - 2009-07-14 15:04 - 00000215 _____ () C:\Windows\system.ini
2014-12-30 18:44 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\xm1
2014-12-26 13:58 - 2014-12-04 13:19 - 02962304 _____ (Malwarebytes ) C:\Users\figuerlu\Downloads\mbae-setup-1.05.1.1014.exe
2014-12-16 20:48 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Enthought Canopy (32-bit)
2014-12-16 20:46 - 2014-12-04 12:54 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Enthought
2014-12-16 20:45 - 2014-12-04 12:12 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-12-16 19:05 - 2009-07-14 17:33 - 00435592 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 12:36 - 2014-12-02 16:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center 2012 R2

Some content of TEMP:
====================
C:\Users\figuerlu\AppData\Local\temp\Quarantine.exe
C:\Users\figuerlu\AppData\Local\temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-04 00:27

==================== End Of Log ============================


I had disabled Symantec, exited MBAM, and disabled MBAE before running AdwCleaner (I thought I had to do it with all the programs you ask me to run, sorry). After rebooting from AdwCleaner scan, I noticed that MBAM was automatically opened, something that previously did not happen, if I am not wrong.

Let me know if I did something wrong.

Thanks.

 



#6 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany

Posted 13 January 2015 - 12:09 AM

Hey,
that's the wrong MBAM Log. :)
  • Start Malwarebytes
  • Go to the tab called History
  • Then click on Application Logs
  • Then select the log in which it found something and double-click it
  • Then click on the Export button and choose Text File (.txt) from the menu
  • Save it on your Desktop and post the content of this text file into your next reply.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#7 baguala
  • Topic Starter
  • Members
  • 29 posts

Posted 13 January 2015 - 01:02 AM

I had Shockwave Flash off in Firefox, and when I tried to paste the contents of the log I got the message you can see in the attachment. Is this normal?




#8 baguala
  • Topic Starter
  • Members
  • 29 posts

Posted 13 January 2015 - 01:03 AM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 13/01/2015
Scan Time: 12:13:55
Logfile: mbam2.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.12.09
Rootkit Database: v2015.01.07.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: figuerlu

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 383970
Time Elapsed: 19 min, 3 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 1
Windows.Tool.Disabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[851354a02c5de551a9a7751a15f053ad]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#9 baguala
  • Topic Starter
  • Members
  • 29 posts

Posted 13 January 2015 - 01:28 AM

The system seems to work almost flawlessly now. Nevertheless, I think it sometimes takes too long, for example, to copy and paste files and folders in Windows Explorer.



#10 baguala
  • Topic Starter
  • Members
  • 29 posts

Posted 13 January 2015 - 01:37 AM

Another thing: the AdwCleaner folder with the logs was in a network folder the university gives us. It was not installed in the C: drive of my desktop PC.



#11 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany

Posted 14 January 2015 - 10:23 AM

Hey,
sorry for the delay.

Step 1: FRST Fix
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty textfile:

    ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    FF NetworkProxy: "type", 0
    EmptyTemp:
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this textfile on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location, or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Step 2: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Step 3: ESET

Please run a free online scan with the ESET Online Scanner:

IMPORTANT: You MUST use Internet Explorer for this step!
  • Visit the ESET Online Scanner Web Page
  • Select the blue Run ESET Online Scanner button:
  • Tick the box next to YES, I accept the Terms of Use and click Start
  • When asked, allow the ActiveX control to install.
  • Select Enable detection of potentially unwanted applications and select Advanced Settings:
  • Make sure the options Remove found threats and Enable Anti-Stealth technology are checked:
  • Click Start. (This scan can take several hours, so please be patient):
  • Once the scan is completed, select List of found threats:
  • Select Export to text file... and save the file as ESETlog.txt on your Desktop:
  • Click the Back button.
  • Click the Finish button:
  • Use Notepad to open the saved log file (on your Desktop - ESET.txt)
  • Copy and paste that log as a reply to this topic.
Step 4: Question

How is your PC running?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
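As an added example (not from this thread, from FRST, or from the helper's procedure), here is a small Python triage script that pulls out of an FRST.txt the kinds of lines the fix above targets: entries FRST marks with "<======= ATTENTION", a shortcut whose target is "(No File)", services or drivers whose file is gone ("[X]"), search scopes with an empty URL, and drivers with no vendor string. The script name frst_triage.py and the sample log are constructed for illustration; it only reports and never writes a fixlist, since, as the post notes, a fix is specific to one machine.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) logs.

Added example for this thread; not part of FRST or of the helper's fixlist
procedure.  It reads an FRST.txt and lists the lines a malware-response helper
looks at first when deciding what belongs in Fixlist.txt.  It only reports;
it never writes a fixlist, because a fix is specific to one machine.
"""
import re
import sys

# Section headers look like "==================== Drivers (Whitelisted) ===="
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=].*?)\s*=+$")

# Service/driver lines start with a start type such as R0, S3, U4.
SVC_RE = re.compile(r"^[RSU]\d ")
# Driver line whose version info has no company name: "... x.sys [size date] ()"
# (legitimate drivers can look like this too, so it only means "verify by hand")
NO_VENDOR_RE = re.compile(r"^[RSU]\d .*\.sys \[\d+ \d{4}-\d{2}-\d{2}\] \(\)$",
                          re.IGNORECASE)

# Each check is (reason, predicate over one stripped log line); first match wins.
CHECKS = [
    ("FRST flagged the entry", lambda l: "<======= ATTENTION" in l),
    ("shortcut target is missing",
     lambda l: l.startswith("ShortcutTarget:") and "(No File)" in l),
    ("service/driver file is missing",
     lambda l: SVC_RE.match(l) is not None and l.endswith("[X]")),
    ("search scope has an empty URL",
     lambda l: l.startswith("SearchScopes:") and l.endswith("URL =")),
    ("driver has no vendor string", lambda l: NO_VENDOR_RE.match(l) is not None),
]


def triage_frst_log(text):
    """Return [(section, reason, line), ...] for every line that trips a check."""
    findings = []
    section = "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")   # remember which FRST section we are in
            continue
        for reason, matches in CHECKS:
            if matches(line):
                findings.append((section, reason, line))
                break
    return findings


def summarize(findings):
    """Count findings per reason, e.g. {'service/driver file is missing': 2}."""
    counts = {}
    for _section, reason, _line in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample modelled on the FRST output posted in this thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-09] (Adobe Systems Incorporated)
ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF NetworkProxy: "type", 0

==================== Drivers (Whitelisted) ====================

R0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [524784 2013-05-09] (Intel Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
S3 catchme; \??\C:\Users\figuerlu\AppData\Local\Temp\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
"""

if __name__ == "__main__":
    # Usage: python frst_triage.py FRST.txt   (falls back to the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOG
    for section, reason, line in triage_frst_log(source):
        print(f"[{section}] {reason}: {line}")
    print(summarize(triage_frst_log(source)))
```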



#12 baguala
  • Topic Starter
  • Members
  • 29 posts

Posted 14 January 2015 - 08:34 PM

Hi,

Step 1:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 14-01-2015 01
Ran by figuerlu at 2015-01-15 13:16:38 Run:1
Running from C:\Users\figuerlu\Desktop
Loaded Profiles: figuerlu (Available profiles: admcampbes1 & figuerlu)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF NetworkProxy: "type", 0
EmptyTemp:
*****************

ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File) not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
Firefox Proxy settings were reset.
EmptyTemp: => Removed 137.2 MB temporary data.


The system needed a reboot.

==== End of Fixlog 13:18:14 ====

Step 2: I clicked to start the FRST scan; it was deleting temp files and then it looks like it got stuck at Listing Installed Programs (see attached image); after 1 hour or so it is still at that point. Though the scan is not finished, the contents of the log so far are these:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-01-2015 01
Ran by figuerlu (administrator) on SCPS-9WQ4232 on 15-01-2015 13:32:03
Running from C:\Users\figuerlu\Desktop
Loaded Profiles: figuerlu (Available profiles: admcampbes1 & figuerlu)
Platform: Microsoft Windows 7 Enterprise  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(1E) C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Program Files\Microsoft Policy Platform\policyHost.exe
(Microsoft Corporation) C:\Program Files\Microsoft Application Virtualization\Client\AppVStreamingUX.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Symantec Corporation) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe
(Microsoft Corporation) C:\Program Files\Microsoft User Experience Virtualization\Agent\Microsoft.Uev.SyncController.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office15\MSOSYNC.EXE


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UevTrayApp] => C:\Program Files\Microsoft User Experience Virtualization\Agent\UevTrayApp.exe [138432 2014-02-02] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-09] (Adobe Systems Incorporated)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [6155336 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe [953416 2013-05-09] (Realtek Semiconductor)
HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\Policies\Explorer: [NoMSAppLogo5ChannelNotify] 1
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\...\Policies\Explorer: [NoWebServices] 1
HKLM\...\Policies\Explorer: [NoPublishingWizard] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [NoInternetIcon] 1
HKU\S-1-5-21-776561741-1592454029-682003330-61491\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> \\Scps-2cyl72s\c$\Program Files\Microsoft Office\Office15\ONENOTEM.EXE (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-776561741-1592454029-682003330-61491\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-776561741-1592454029-682003330-61491\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: Symantec Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\bin\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.100.32.30 10.100.32.32

FireFox:
========
FF ProfilePath: C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default
FF Homepage: https://www.google.com
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: NoScript - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2014-12-27]
FF Extension: Adblock Plus - C:\Users\figuerlu\AppData\Roaming\Mozilla\Firefox\Profiles\6azr2v09.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-12-27]
FF StartMenuInternet: FIREFOX.EXE - C:\Users\figuerlu\AppData\Local\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-03]
CHR Extension: (Google Docs) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-03]
CHR Extension: (Google Drive) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-04]
CHR Extension: (YouTube) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-03]
CHR Extension: (Google Search) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-03]
CHR Extension: (Google Sheets) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-03]
CHR Extension: (Google Wallet) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-03]
CHR Extension: (Gmail) - C:\Users\figuerlu\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AppVClient; C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe [630952 2013-11-07] (Microsoft Corporation)
R2 CcmExec; C:\Windows\CCM\CcmExec.exe [1160888 2013-09-11] (Microsoft Corporation)
R2 CmRcService; C:\Windows\CCM\RemCtrl\CmRcService.exe [465592 2013-09-11] (Microsoft Corporation)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [279024 2013-05-09] (Intel Corporation)
R3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [48744 2012-08-02] (Microsoft Corporation)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
S2 NightWatchman; C:\Program Files\1E\Agent\NightWatchman\NwmSvc.exe [1038656 2013-04-10] (1E)
R2 SepMasterService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\ccSvcHst.exe [144368 2014-11-17] (Symantec Corporation)
R3 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\Smc.exe [1746576 2014-11-17] (Symantec Corporation)
S3 smstsmgr; C:\Windows\CCM\TSManager.exe [217272 2013-09-11] (Microsoft Corporation)
S3 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\snac.exe [288656 2014-11-17] (Symantec Corporation)
R2 UevAgentService; C:\Program Files\Microsoft User Experience Virtualization\Agent\Driver\AgentService.exe [1157824 2014-02-02] (Microsoft Corporation)
R2 WakeUpAgt; C:\Program Files\1E\Agent\WakeUp\WakeUpAgt.exe [531248 2013-04-10] (1E)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [23720 2012-09-15] (Advanced Micro Devices, Inc.)
R3 AppvStrm; C:\Windows\System32\DRIVERS\appvStrm.sys [82088 2013-11-07] (Microsoft Corporation)
R3 AppvVemgr; C:\Windows\System32\DRIVERS\AppvVemgr.sys [120488 2013-11-07] (Microsoft Corporation)
R3 AppvVfs; C:\Windows\System32\DRIVERS\AppvVfs.sys [111272 2013-11-07] (Microsoft Corporation)
R1 BHDrvx86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\BASHDefs\20141210.012\BHDrvx86.sys [1137368 2014-12-13] (Symantec Corporation)
R1 ccSettings_{974A0163-23BB-4C9D-A3C2-611667F7A450}; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\ccSetx86.sys [134744 2014-11-17] (Symantec Corporation)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d6232.sys [368392 2013-05-09] (Intel Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-12-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-12] (Symantec Corporation)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
R0 iaStorA; C:\Windows\System32\drivers\iaStorA.sys [524784 2013-05-09] (Intel Corporation)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [26608 2013-05-09] (Intel Corporation)
R1 IDSVix86; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\IPSDefs\20150113.011\IDSvix86.sys [479448 2014-12-11] (Symantec Corporation)
R3 IntcAzAudAddService; C:\Windows\System32\drivers\RTDVHDA.sys [1655368 2013-05-09] (Realtek Semiconductor Corp.)
S3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [36504 2013-05-09] (Intel Corporation)
S3 ISCT; C:\Windows\system32\drivers\ISCTD.sys [40936 2013-05-09] ()
R0 iusb3hcs; C:\Windows\System32\drivers\iusb3hcs.sys [17032 2013-05-09] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [359560 2013-05-09] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [792712 2013-05-09] (Intel Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [75480 2014-12-26] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2015-01-15] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-11-21] (Malwarebytes Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [56432 2013-05-09] (Intel Corporation)
R3 NAVENG; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150114.001\NAVENG.SYS [95704 2014-12-06] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Data\Definitions\VirusDefs\20150114.001\NAVEX15.SYS [1636696 2014-12-06] (Symantec Corporation)
S3 PNPMEM; C:\Windows\System32\DRIVERS\pnpmem.sys [13312 2009-07-14] (Microsoft Corporation)
R3 prepdrvr; C:\Windows\System32\DRIVERS\prepdrv.sys [20840 2013-09-11] (Microsoft Corporation)
S3 SNXPPALX; C:\Windows\system32\drivers\snxppalx.sys [86392 2013-05-09] (SUNIX Co., Ltd.)
S3 SNXPSERX; C:\Windows\system32\drivers\snxpserx.sys [78712 2013-05-09] (SUNIX Co., Ltd.)
R1 SRTSP; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSP.SYS [603224 2014-11-17] (Symantec Corporation)
R1 SRTSPX; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SRTSPX.SYS [32344 2014-11-17] (Symantec Corporation)
S3 SyDvCtrl; C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin\SyDvCtrl32.sys [28576 2014-11-17] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMDS.SYS [367704 2014-11-17] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMEFA.SYS [935512 2014-11-17] (Symantec Corporation)
S1 SymEPSecFlt; C:\Windows\System32\Drivers\SymEPSecFlt.sys [42928 2014-11-18] ()
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-11-18] (Symantec Corporation)
R1 SymIRON; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\Ironx86.SYS [175192 2014-11-17] (Symantec Corporation)
R1 SYMNETS; C:\Windows\System32\Drivers\SEP\0C010FAD\0FAD.105\x86\SYMNETS.SYS [341080 2014-11-17] (Symantec Corporation)
R1 SysPlant; C:\Windows\System32\Drivers\SysPlant.sys [126440 2014-11-18] (Symantec Corporation)
R1 Teefer2; C:\Windows\System32\DRIVERS\Teefer.sys [72880 2014-11-17] (Symantec Corporation)
R3 UevAgentDriver; C:\Windows\System32\DRIVERS\Microsoft.Uev.AgentDriver.sys [30976 2013-06-25] (Microsoft Corporation)
S3 catchme; \??\C:\Users\figuerlu\AppData\Local\Temp\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 13:32 - 2015-01-15 13:32 - 00016705 _____ () C:\Users\figuerlu\Desktop\FRST.txt
2015-01-15 10:54 - 2015-01-15 10:54 - 01116672 _____ (Farbar) C:\Users\figuerlu\Desktop\FRST.exe
2015-01-15 09:09 - 2015-01-15 13:29 - 00011956 __RSH () C:\Users\figuerlu\ntuser.pol
2015-01-13 18:19 - 2015-01-13 18:19 - 03469871 _____ (LIGHTNING UK!) C:\Users\figuerlu\Downloads\SetupImgBurn_2.5.8.0.exe
2015-01-13 17:54 - 2015-01-13 17:54 - 00001524 _____ () C:\Users\figuerlu\AppData\Local\recently-used.xbel
2015-01-13 12:39 - 2015-01-13 12:39 - 00000000 ____D () C:\Windows\ERUNT
2015-01-12 15:02 - 2014-12-19 10:47 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\ImgBurn
2015-01-11 13:58 - 2015-01-15 13:32 - 00000000 ____D () C:\FRST
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\ProgramData\VS Revo Group
2015-01-09 15:58 - 2015-01-09 15:58 - 00000000 ____D () C:\Program Files\VS Revo Group
2015-01-08 12:02 - 2015-01-08 12:02 - 01110476 _____ () C:\Users\figuerlu\Downloads\7z920.exe
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip
2015-01-08 12:02 - 2015-01-08 12:02 - 00000000 ____D () C:\Program Files\7-Zip
2015-01-07 21:20 - 2015-01-09 11:58 - 00011500 _____ () C:\Users\figuerlu\gsview32.ini
2015-01-07 21:20 - 2015-01-07 21:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostgum
2015-01-07 21:19 - 2015-01-07 21:20 - 00000000 ____D () C:\Program Files\Ghostgum
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ghostscript
2015-01-07 21:18 - 2015-01-07 21:18 - 00000000 ____D () C:\Program Files\gs
2015-01-07 21:17 - 2015-01-07 21:17 - 02032640 _____ () C:\Users\figuerlu\Downloads\gsv50w32.exe
2015-01-07 21:16 - 2015-01-07 21:16 - 13264811 _____ () C:\Users\figuerlu\Downloads\gs915w32.exe
2015-01-07 20:28 - 2015-01-07 20:28 - 00000000 ____D () C:\Users\figuerlu\.asy
2015-01-07 19:36 - 2015-01-07 19:36 - 00001744 _____ () C:\Users\admcampbes1\Desktop\Asymptote.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000886 _____ () C:\Users\admcampbes1\Desktop\Xasy.lnk
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Asymptote
2015-01-07 19:36 - 2015-01-07 19:36 - 00000000 ____D () C:\Program Files\Asymptote
2015-01-07 19:35 - 2015-01-07 19:35 - 05457366 _____ () C:\Users\figuerlu\Downloads\asymptote-2.32-setup.exe
2015-01-06 20:39 - 2015-01-06 20:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Sun
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Java
2015-01-06 20:12 - 2015-01-06 20:12 - 00000000 ____D () C:\Program Files\Common Files\Java
2015-01-06 20:07 - 2015-01-06 20:07 - 00638888 _____ (Oracle Corporation) C:\Users\figuerlu\Downloads\jxpiinstall.exe
2015-01-06 18:38 - 2014-08-05 18:11 - 00000165 ____H () C:\Users\figuerlu\Desktop\~$Presentation_SmN.pptx
2014-12-31 14:39 - 2015-01-15 13:24 - 00042475 __RSH () C:\ProgramData\ntuser.pol
2014-12-31 14:33 - 2014-12-31 14:33 - 00023734 _____ () C:\ComboFix.txt
2014-12-31 14:13 - 2011-06-26 19:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-12-31 14:13 - 2010-11-08 06:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-12-31 14:13 - 2009-04-20 17:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00098816 _____ () C:\Windows\sed.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00080412 _____ () C:\Windows\grep.exe
2014-12-31 14:13 - 2000-08-31 13:00 - 00068096 _____ () C:\Windows\zip.exe
2014-12-31 14:11 - 2014-12-31 14:33 - 00000000 ____D () C:\Qoobox
2014-12-31 14:11 - 2014-12-31 14:30 - 00000000 ____D () C:\Windows\erdnt
2014-12-30 14:47 - 2014-12-30 14:47 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\webkit
2014-12-27 20:08 - 2014-12-27 20:08 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Intel_Corporation
2014-12-26 14:05 - 2015-01-15 13:29 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-26 14:04 - 2014-12-26 15:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-12-26 14:04 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-26 14:04 - 2014-11-21 07:07 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-26 14:04 - 2014-11-21 07:07 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-26 14:03 - 2014-12-26 14:03 - 20447120 _____ (Malwarebytes Corporation ) C:\Users\figuerlu\Downloads\mbam_premium.exe
2014-12-26 13:59 - 2014-12-26 13:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2014-12-26 13:58 - 2014-12-26 13:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Exploit
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\SUPERAntiSpyware.com
2014-12-26 10:41 - 2014-12-26 10:41 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
2014-12-26 10:30 - 2014-12-31 14:23 - 00000000 ____D () C:\ProgramData\TEMP
2014-12-26 10:30 - 2014-12-26 10:30 - 00000000 ____D () C:\ProgramData\Licenses
2014-12-26 10:30 - 2009-03-24 12:52 - 00129872 _____ (Microsoft Corporation) C:\Windows\system32\MSSTDFMT.DLL
2014-12-24 12:42 - 2014-12-24 12:40 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Enigma Software Group
2014-12-17 16:33 - 2015-01-06 13:32 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\vlc

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-15 13:31 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-15 13:31 - 2009-07-14 17:34 - 00023792 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-15 13:29 - 2014-12-04 13:21 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2015-01-15 13:29 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu
2015-01-15 13:27 - 2014-12-02 16:05 - 01263749 _____ () C:\Windows\WindowsUpdate.log
2015-01-15 13:26 - 2014-11-18 12:24 - 00000600 _____ () C:\Windows\SMSCFG.INI
2015-01-15 13:24 - 2014-12-02 16:03 - 00000552 _____ () C:\Windows\system32\config\netlogon.ftl
2015-01-15 13:24 - 2009-07-14 17:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-15 13:24 - 2009-07-14 17:39 - 00036337 _____ () C:\Windows\setupact.log
2015-01-15 12:56 - 2014-11-18 12:58 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-15 09:22 - 2014-12-03 16:37 - 00000314 ___SH () C:\Users\figuerlu\ntuser.ini
2015-01-13 15:08 - 2010-11-21 10:01 - 00800584 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 12:02 - 2010-11-21 10:48 - 00016680 _____ () C:\Windows\PFRO.log
2015-01-07 22:09 - 2014-11-18 12:58 - 00002471 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-04 22:14 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.gimp-2.8
2015-01-04 21:27 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\.matplotlib
2015-01-02 11:40 - 2014-12-04 12:39 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\gtk-2.0
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___RD () C:\Users\Public
2014-12-31 14:33 - 2009-07-14 15:37 - 00000000 ___HD () C:\Users\Default
2014-12-31 14:29 - 2009-07-14 15:04 - 00000215 _____ () C:\Windows\system.ini
2014-12-30 18:44 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\xm1
2014-12-26 13:58 - 2014-12-04 13:19 - 02962304 _____ (Malwarebytes ) C:\Users\figuerlu\Downloads\mbae-setup-1.05.1.1014.exe
2014-12-16 20:48 - 2014-12-03 16:37 - 00000000 ____D () C:\Users\figuerlu\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Enthought Canopy (32-bit)
2014-12-16 20:46 - 2014-12-04 12:54 - 00000000 ____D () C:\Users\figuerlu\AppData\Local\Enthought
2014-12-16 20:45 - 2014-12-04 12:12 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-12-16 19:05 - 2009-07-14 17:33 - 00435592 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-12-16 12:36 - 2014-12-02 16:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft System Center 2012 R2

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
Do you want me to proceed with the other steps?
Thanks.


#13 baguala

baguala
  • Topic Starter

  • Members
  • 29 posts
  • Local time:12:51 PM

Posted 14 January 2015 - 08:41 PM

By the way, when the PC restarts it takes a lot of time to log out and shut down. I have to be connected to the university network to log in or log out.



#14 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany
  • Local time:05:51 PM

Posted 15 January 2015 - 10:24 AM

Please proceed with the ESET step. :)

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#15 baguala

baguala
  • Topic Starter

  • Members
  • 29 posts
  • Local time:12:51 PM

Posted 15 January 2015 - 08:33 PM

Hi,

ESET found no threats.

Would it be useful to run FRST again?

I will let you know in a few days if there is any problem.

Thanks.