
Infected with PUP.Optional.Freecorder.A.


  • This topic is locked
20 replies to this topic

#1 Terokal

Terokal

  • Members
  • 177 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:21 PM

Posted 19 January 2015 - 03:04 PM

Hi, I'm running a Malwarebytes scan and I'm finding this stuff; guess my nephews were downloading music from a website (tons of it actually, "The Mentalist" complete 1-6 soundtrack... LOL). Guess it's just that thing but who knows ... Won't take further action until I get a response from one of ya guys, even though I'd like to 'cause I already downloaded adwarecleaner, combofix, removejunk ... I'm ready to :axe: this PC ... there it goes, thanks in advance.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17496
Run by Javier at 14:58:52 on 2015-01-19
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.51.3082.18.1982.671 [GMT -5:00]
.
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9B5F5313-CAF9-DD97-C460-E778420237B4}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antivirus Free Edition *Enabled/Updated* {203EB2F7-ECC3-D219-FED0-DC0A39857D09}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Bitdefender\Bitdefender Anti-Theft\atserv.exe
C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bitdefender\Bitdefender Anti-Theft\updatesrv.exe
C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe
C:\Program Files\Applian Technologies\Freecorder 8 Applications\Audio\fcaudiop.exe
C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_257.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_257.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.pe/
BHO: Freecorder extension: {B15BBE59-42F5-4206-B3F0-BE98F5DC4B93} - c:\program files\freecorder extension\ScriptHost.dll
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
mRun: [ZALFree] "c:\program files\zemana antilogger free\AntiLogger Free.exe" /MINIMIZED
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: &Enviar a OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: E&xportar a Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 200.48.225.146 200.48.225.130
TCP: Interfaces\{0D3263F3-26D9-40F7-B317-85F0C6B8991E} : DHCPNameServer = 200.48.225.146 200.48.225.130
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
AppInit_DLLs= c:\progra~1\keycry~1\keycry~3.dll,c:\windows\jaksta\ac\x86\jaudcap.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\javier\appdata\roaming\mozilla\firefox\profiles\a801htew.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.31211.0\npctrlui.dll
FF - plugin: c:\program files\winamp detect\npwachk.dll
FF - plugin: c:\users\javier\appdata\roaming\mozilla\firefox\profiles\a801htew.default\extensions\addon@freecorder.com\plugins\npFreeCoder.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1211151.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_16_0_0_257.dll
.
============= SERVICES / DRIVERS ===============
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2014-6-11 633344]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2012-11-20 23192]
R1 bdfwfpf;bdfwfpf;c:\program files\bitdefender\antivirus free edition\bdfwfpf.sys [2014-6-11 108008]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2014-11-22 47928]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [2014-6-11 164952]
R2 atserv;Bitdefender Anti-Theft Service;c:\program files\bitdefender\bitdefender anti-theft\atserv.exe [2014-8-2 456648]
R2 gzserv;Bitdefender Antivirus Free Edition;c:\program files\bitdefender\antivirus free edition\gzserv.exe [2014-6-11 57520]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2014-11-22 555320]
R2 UPDATESRV_ANTITHEFT;Bitdefender Anti-Theft Update Service;c:\program files\bitdefender\bitdefender anti-theft\updatesrv.exe [2014-8-2 54424]
R3 keycrypt;keycrypt;c:\windows\system32\drivers\KeyCrypt32.sys [2014-12-19 69816]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-5-19 114904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2014-12-11 315496]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2014-6-11 486536]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-1-16 62464]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-12-9 102912]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2014-5-20 14848]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2012-11-20 375808]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-1-16 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2014-5-20 24064]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-5-20 49152]
S3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys [2011-1-16 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-1-16 112640]
S3 WatAdminSvc;Servicio de tecnologías de activación de Windows;c:\windows\system32\wat\WatAdminSvc.exe [2013-1-11 1343400]
S3 WsAudioDevice_383;WsAudioDevice_383;c:\windows\system32\drivers\WsAudioDevice_383.sys [2014-7-8 25632]
.
=============== Created Last 30 ================
.
2015-01-18 12:12:34    --------    d-----w-    c:\users\javier\appdata\roaming\TagScanner
2015-01-18 12:12:29    --------    d-----w-    c:\program files\TagScanner
2015-01-16 23:25:50    --------    d-----w-    c:\users\javier\appdata\roaming\Freecorder 8 Converter
2015-01-16 17:46:10    9054624    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{d0fef791-355b-4594-a59e-5915171a120b}\mpengine.dll
2015-01-16 04:23:51    --------    d-----w-    c:\users\javier\appdata\roaming\Freecorder 8 Audio
2015-01-16 04:23:48    --------    d-----w-    c:\users\javier\appdata\local\Jaksta_Technologies_Pty_L
2015-01-16 04:21:09    --------    d-----w-    c:\windows\Jaksta
2015-01-16 04:21:06    --------    d-----w-    c:\program files\Applian Technologies
2015-01-16 04:18:51    --------    d-----w-    c:\program files\Freecorder extension
2015-01-16 03:12:26    --------    d-----w-    c:\program files\NCH Software
2015-01-16 02:16:56    --------    d-----w-    c:\program files\common files\Wondershare
2015-01-15 06:51:41    49776    ----a-w-    c:\program files\mozilla firefox\browser\components\browsercomps.dll
2015-01-15 06:51:40    915376    ----a-w-    c:\program files\mozilla firefox\uninstall\helper.exe
2015-01-15 06:51:39    73840    ----a-w-    c:\program files\mozilla firefox\wow_helper.exe
2015-01-15 06:39:01    --------    d-----w-    c:\windows\system32\directx
2015-01-14 19:22:12    3971512    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2015-01-14 19:22:11    3916728    ----a-w-    c:\windows\system32\ntoskrnl.exe
2015-01-14 19:22:07    164864    ----a-w-    c:\windows\system32\profsvc.dll
2015-01-14 19:22:05    242688    ----a-w-    c:\windows\system32\nlasvc.dll
2015-01-14 19:22:04    116224    ----a-w-    c:\windows\system32\drivers\mrxdav.sys
2015-01-14 19:21:18    74240    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2015-01-13 20:52:49    --------    d-sh--w-    c:\users\javier\appdata\local\EmieBrowserModeList
2014-12-31 18:58:37    --------    d-----w-    c:\users\javier\appdata\local\Skype
2014-12-31 18:58:01    --------    d-----r-    c:\program files\Skype
2014-12-30 17:41:17    242504    ----a-w-    c:\windows\system32\drivers\avchv.sys
.
==================== Find3M  ====================
.
2015-01-19 18:41:51    114904    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-14 06:16:17    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2015-01-14 06:16:17    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2015-01-06 09:36:02    249488    ------w-    c:\windows\system32\MpSigStub.exe
2014-12-30 18:18:16    69816    ----a-w-    c:\windows\system32\drivers\KeyCrypt32.sys
2014-12-13 03:33:44    115712    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-12-04 04:38:59    337920    ----a-w-    c:\windows\system32\generaltel.dll
2014-12-04 04:38:45    610304    ----a-w-    c:\windows\system32\invagent.dll
2014-12-04 04:38:40    315392    ----a-w-    c:\windows\system32\devinv.dll
2014-12-04 04:38:37    728576    ----a-w-    c:\windows\system32\appraiser.dll
2014-12-04 04:38:36    202752    ----a-w-    c:\windows\system32\aepdu.dll
2014-12-04 04:38:36    159744    ----a-w-    c:\windows\system32\aepic.dll
2014-12-04 04:34:13    873984    ----a-w-    c:\windows\system32\aeinv.dll
2014-12-01 23:28:26    1160872    ----a-w-    c:\windows\system32\aitstatic.exe
2014-11-23 04:06:36    34808    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2014-11-22 02:20:44    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-11-22 02:20:30    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:07:43    501248    ----a-w-    c:\windows\system32\vbscript.dll
2014-11-22 02:07:17    62464    ----a-w-    c:\windows\system32\iesetup.dll
2014-11-22 02:06:32    47616    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:05:02    64000    ----a-w-    c:\windows\system32\MshtmlDac.dll
2014-11-22 01:55:14    102912    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-11-22 01:54:30    620032    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-11-22 01:48:26    667648    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 01:40:04    60416    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26    4299264    ----a-w-    c:\windows\system32\jscript9.dll
2014-11-22 01:22:49    2052096    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-11-22 01:21:57    1155072    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:00:20    1888256    ----a-w-    c:\windows\system32\wininet.dll
2014-11-21 11:14:20    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-21 11:14:10    75480    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14:06    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-19 09:31:16    1217192    ----a-w-    c:\windows\system32\FM20.DLL
2014-11-11 02:44:45    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-11-11 02:44:32    186880    ----a-w-    c:\windows\system32\pku2u.dll
2014-11-11 02:44:25    550912    ----a-w-    c:\windows\system32\kerberos.dll
2014-11-11 01:32:14    74752    ----a-w-    c:\windows\system32\drivers\tdx.sys
2014-11-08 02:45:09    2048    ----a-w-    c:\windows\system32\tzres.dll
2014-10-30 01:45:43    155136    ----a-w-    c:\windows\system32\charmap.exe
2014-10-25 01:32:37    67584    ----a-w-    c:\windows\system32\packager.dll
.
============= FINISH: 15:00:18.36 ===============
 

Edited by Terokal, 19 January 2015 - 05:35 PM.
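Reading a DDS or FRST log by eye is slow, and the entries a malware responder looks at first follow a few recognisable patterns. The script below is an added example written for this thread; it is not part of the post, of DDS, or of FRST. It parses a handful of lines constructed in the two formats pasted above (values copied from the logs in this thread) and flags the items that get checked first: AppInit_DLLs entries (DLLs loaded into every process that uses user32.dll), IE browser helper objects, service or driver registrations whose file is missing (`[X]`), drivers FRST lists with no publisher, and FRST's own `<======= ATTENTION` markers. The severity labels, the Temp-directory and Windows-directory heuristics, and the function names are my own assumptions, not DDS or FRST conventions.

```python
import re
from typing import List, Tuple

# Constructed sample input: a few lines in the formats pasted in this thread.
# Lines 1-3 follow the DDS "SERVICES / DRIVERS" and "Pseudo HJT Report" layout,
# the rest follow the FRST "Drivers (Whitelisted)" / "Registry" layout.
SAMPLE_LOG = [
    r"R3 keycrypt;keycrypt;c:\windows\system32\drivers\KeyCrypt32.sys [2014-12-19 69816]",
    r"AppInit_DLLs= c:\progra~1\keycry~1\keycry~3.dll,c:\windows\jaksta\ac\x86\jaudcap.dll",
    r"BHO: Freecorder extension: {B15BBE59-42F5-4206-B3F0-BE98F5DC4B93} - c:\program files\freecorder extension\ScriptHost.dll",
    r"R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [108008 2013-07-02] (Bitdefender SRL)",
    r"R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()",
    r"S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [X]",
    r"S3 catchme; \??\C:\Users\Javier\AppData\Local\Temp\catchme.sys [X]",
    r"CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION",
    r"R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [69816 2014-12-30] (Zemana Ltd.)",
]

# DDS driver line:  R3 name;description;path [date size]
DDS_DRIVER = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)
# FRST driver line: S3 name; path [size date] (Vendor)   or   S3 name; path [X]
FRST_DRIVER = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<meta>[^\]]*)\](?: \((?P<vendor>[^)]*)\))?$"
)
APPINIT = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>.+)$")
BHO = re.compile(r"^BHO: (?P<name>[^:]+): (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# (severity, reason, offending text); severity values are an assumption of this example
Finding = Tuple[str, str, str]


def _under_windows(path: str) -> bool:
    """True when the path points into the Windows directory (FRST sometimes prefixes \\??\\)."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.startswith("c:\\windows\\") or p.startswith("system32\\")


def triage(lines: List[str]) -> List[Finding]:
    """Return the entries a responder should look at first, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if "<======= ATTENTION" in line:
            findings.append(("review", "FRST itself flagged this entry", line))
            continue
        m = APPINIT.match(line)
        if m:
            for dll in (d.strip() for d in m.group("dlls").split(",") if d.strip()):
                findings.append(("review", "AppInit_DLLs entry: loaded into every process that uses user32.dll; confirm the publisher", dll))
            continue
        m = BHO.match(line)
        if m:
            findings.append(("review", f"IE browser helper object '{m.group('name')}'; confirm it was installed on purpose", m.group("path")))
            continue
        m = FRST_DRIVER.match(line) or DDS_DRIVER.match(line)
        if not m:
            continue
        path, meta = m.group("path"), m.group("meta")
        vendor = m.groupdict().get("vendor")  # only the FRST layout carries a vendor
        if meta == "X":
            # Registration left behind without its file; scanner drivers in Temp are expected leftovers
            severity = "cleanup" if "\\temp\\" in path.lower() else "review"
            findings.append((severity, "service/driver registered but file missing (orphaned entry)", line))
        elif vendor == "":
            findings.append(("review", "driver carries no publisher name; verify its signature", line))
        elif m.group("start") in ("0", "1") and not _under_windows(path):
            findings.append(("info", "boot/system-start driver outside the Windows directory (normal for AV, still worth confirming)", line))
    return findings


if __name__ == "__main__":
    for severity, reason, item in triage(SAMPLE_LOG):
        print(f"[{severity:7}] {reason}\n          {item}")
```

The two regexes are deliberately strict about the separators (`;` with no space for DDS, `; ` for FRST), which is what keeps one format from being mis-parsed as the other; a line neither pattern recognises is simply skipped rather than guessed at.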



#2 OCD

OCD

  • Malware Response Team
  • 172 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 19 January 2015 - 11:55 PM

Hi Terokal,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.
IMPORTANT NOTE: Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear".

Important: All tools MUST be run from the Desktop.

=========================

Security Check

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=========================

aswMBR

  • Download aswMBR.exe and save it to your desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.
=========================

Download Farbar Recovery Scan Tool and save to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click and select "Run as Administrator" to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
=========================

In your next post please provide the following:
  • checkup.txt
  • aswMBR.txt
  • attach MBR.zip
  • FRST.txt
  • Addition.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#3 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:21 PM

Posted 20 January 2015 - 02:48 PM

Hi OCD, thanks.

For some strange reason aswMBR collapses when it reaches C:\Windows\Assembly\GAC_MSIL\Microsoft.Visual.Studio.Tools.Applications. ... tried 6 times to do the scan and it goes south at that same point ... I'll wait for yer take on it.

Results of screen317's Security Check version 0.99.94  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Bitdefender Antivirus Free Edition   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0    
 CCleaner     
 Adobe Flash Player     16.0.0.257  
 Adobe Reader XI  
 Mozilla Firefox (35.0)
````````Process Check: objlist.exe by Laurent````````  
 Bitdefender Antivirus Free Edition gzserv.exe  
 Bitdefender Antivirus Free Edition gziface.exe  
 Malwarebytes Anti-Exploit mbae-svc.exe   
 Malwarebytes Anti-Exploit mbae.exe   
 Bitdefender Bitdefender Anti-Theft atserv.exe  
 Bitdefender Bitdefender Anti-Theft updatesrv.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-01-2015
Ran by Javier (administrator) on NUREFALAZ-PC on 20-01-2015 14:38:22
Running from C:\Users\Javier\Desktop
Loaded Profiles: Javier (Available profiles: Javier & Invitado)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Anti-Theft\atserv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Anti-Theft\updatesrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\update.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
HKLM\...\Run: [ZALFree] => C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe [8205944 2014-12-30] (Zemana Ltd.)
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1299114229-604962728-1052101830-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.pe/
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Hosts: 127.0.0.1    localhost
Tcpip\Parameters: [DhcpNameServer] 200.48.225.146 200.48.225.130

FireFox:
========
FF ProfilePath: C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default
FF DefaultSearchEngine: Google
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @nullsoft.com/winampDetector;version=1 -> C:\Program Files\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Blur (Formerly DoNotTrackMe) - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\donottrackplus@abine.com [2014-11-20]
FF Extension: Lightbeam - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2014-09-25]
FF Extension: Adblock Plus - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-05-19]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 atserv; C:\Program Files\Bitdefender\Bitdefender Anti-Theft\atserv.exe [456648 2013-10-07] (Bitdefender)
R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [57520 2013-10-23] (Bitdefender)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
R2 UPDATESRV_ANTITHEFT; C:\Program Files\Bitdefender\Bitdefender Anti-Theft\updatesrv.exe [54424 2013-10-04] (Bitdefender)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [633344 2013-04-17] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [486536 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [108008 2013-07-02] (Bitdefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys [135472 2013-07-16] (BitDefender LLC)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
R3 FETNDIS; C:\Windows\System32\DRIVERS\fetn62.sys [45056 2010-08-06] (VIA Technologies, Inc.              )
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [164952 2013-04-22] (BitDefender LLC)
R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [69816 2014-12-30] (Zemana Ltd.)
S3 RTL8187; C:\Windows\System32\DRIVERS\rtl8187.sys [375808 2010-01-07] (Realtek Semiconductor Corporation                           )
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [355744 2013-05-28] (BitDefender S.R.L.)
R3 viagfx; C:\Windows\System32\DRIVERS\vtmini.sys [281856 2007-03-22] (Copyright © VIA/S3 Graphics Co, Ltd.)
R0 videX32; C:\Windows\System32\DRIVERS\videX32.sys [13976 2010-02-11] (VIA Technologies, Inc.)
S3 WsAudioDevice_383; C:\Windows\System32\drivers\WsAudioDevice_383.sys [25632 2013-05-30] (Wondershare)
R0 xfilt; C:\Windows\System32\DRIVERS\xfilt.sys [23192 2010-02-11] (VIA Technologies, Inc.)
S1 Avgdiskx; system32\DRIVERS\avgdiskx.sys [X]
S0 AVGIDSHX; system32\DRIVERS\avgidshx.sys [X]
S1 AVGIDSShim; system32\DRIVERS\avgidsshimx.sys [X]
S0 Avglogx; system32\DRIVERS\avglogx.sys [X]
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [X]
S3 catchme; \??\C:\Users\Javier\AppData\Local\Temp\catchme.sys [X]
S3 PAC7302; system32\DRIVERS\PAC7302.SYS [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
U3 aswMBR; \??\C:\Users\Javier\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\Javier\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 14:38 - 2015-01-20 14:38 - 00008619 _____ () C:\Users\Javier\Desktop\FRST.txt
2015-01-20 14:37 - 2015-01-20 14:38 - 00000000 ____D () C:\FRST
2015-01-20 14:09 - 2015-01-20 14:09 - 00000995 _____ () C:\Users\Javier\Desktop\checkup.txt
2015-01-20 14:06 - 2015-01-20 14:06 - 01118208 _____ (Farbar) C:\Users\Javier\Desktop\FRST.exe
2015-01-20 14:05 - 2015-01-20 14:05 - 05198336 _____ (AVAST Software) C:\Users\Javier\Desktop\aswMBR.exe
2015-01-20 14:04 - 2015-01-20 14:04 - 00852520 _____ () C:\Users\Javier\Desktop\SecurityCheck.exe
2015-01-19 21:26 - 2015-01-19 21:26 - 00000000 ____D () C:\ProgramData\BDLogging
2015-01-19 19:58 - 2015-01-19 19:58 - 01270544 _____ (Ellora Assets Corporation ) C:\Users\Javier\Downloads\FreemakeVideoConverterSetup.exe
2015-01-19 19:31 - 2015-01-19 19:31 - 00000622 _____ () C:\Users\Javier\Desktop\JRT.txt
2015-01-19 18:27 - 2015-01-19 18:27 - 00034172 _____ () C:\ComboFix.txt
2015-01-19 15:00 - 2015-01-19 15:00 - 00012656 _____ () C:\Users\Javier\Desktop\dds.txt
2015-01-19 15:00 - 2015-01-19 15:00 - 00005928 _____ () C:\Users\Javier\Desktop\attach.txt
2015-01-19 14:40 - 2015-01-19 14:40 - 00688992 ____R (Swearware) C:\Users\Javier\Desktop\dds.com
2015-01-19 14:37 - 2015-01-19 14:37 - 01707939 _____ (Thisisu) C:\Users\Javier\Desktop\JRT.exe
2015-01-18 07:12 - 2015-01-18 07:12 - 00000972 _____ () C:\Users\Javier\Desktop\TagScanner.lnk
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\TagScanner
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TagScanner
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\Program Files\TagScanner
2015-01-18 07:11 - 2015-01-18 07:11 - 01935848 _____ (Sergey Serkov ) C:\Users\Javier\Downloads\tagscan5.1.660setup.exe
2015-01-16 17:51 - 2015-01-17 00:19 - 00000000 ____D () C:\Users\Javier\Downloads\The Mentalist
2015-01-15 23:18 - 2015-01-15 23:18 - 02002112 _____ (Applian Technologies Inc.) C:\Users\Javier\Downloads\Freecorder8SetupIC.exe
2015-01-15 23:02 - 2015-01-15 23:03 - 00000969 _____ () C:\Users\Javier\Documents\recorder.log
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\MSDOS.SYS
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\IO.SYS
2015-01-15 01:41 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2015-01-15 01:41 - 2010-06-02 04:55 - 00239960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2015-01-15 01:41 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 01998168 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 01868128 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00528216 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_6.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_6.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_4.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00515416 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_5.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_5.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00069464 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_3.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 05501792 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 01974616 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 00453456 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 00235344 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_42.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00517448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_4.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00235352 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_4.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_6.dll
2015-01-15 01:41 - 2009-03-09 15:27 - 04178264 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_41.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00514384 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_3.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00235856 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_3.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00070992 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_2.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00023376 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_5.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 04379984 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 02036576 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 00452440 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2015-01-15 01:41 - 2008-07-31 10:41 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_2.dll
2015-01-15 01:41 - 2008-07-31 10:41 - 00068616 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_1.dll
2015-01-15 01:41 - 2008-07-31 10:40 - 00509448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_2.dll
2015-01-15 01:41 - 2008-07-10 11:01 - 00467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2015-01-15 01:41 - 2008-07-10 11:00 - 03851784 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2015-01-15 01:41 - 2008-07-10 11:00 - 01493528 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2015-01-15 01:41 - 2008-05-30 14:19 - 00507400 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_1.dll
2015-01-15 01:41 - 2008-05-30 14:18 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_1.dll
2015-01-15 01:41 - 2008-05-30 14:17 - 00065032 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_0.dll
2015-01-15 01:41 - 2008-05-30 14:17 - 00025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_4.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 03850760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_38.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 01491992 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_38.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 00467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_38.dll
2015-01-15 01:41 - 2008-03-05 16:03 - 00479752 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_0.dll
2015-01-15 01:41 - 2008-03-05 16:03 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_0.dll
2015-01-15 01:41 - 2008-03-05 16:00 - 00025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_3.dll
2015-01-15 01:41 - 2008-03-05 15:56 - 03786760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_37.dll
2015-01-15 01:41 - 2008-03-05 15:56 - 01420824 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_37.dll
2015-01-15 01:41 - 2008-02-05 23:07 - 00462864 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_37.dll
2015-01-15 01:41 - 2007-10-22 03:39 - 00267272 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_10.dll
2015-01-15 01:41 - 2007-10-22 03:37 - 00017928 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_2.dll
2015-01-15 01:41 - 2007-10-12 15:14 - 03734536 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_36.dll
2015-01-15 01:41 - 2007-10-12 15:14 - 01374232 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_36.dll
2015-01-15 01:41 - 2007-10-02 09:56 - 00444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_36.dll
2015-01-15 01:41 - 2007-07-20 00:57 - 00267112 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_9.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 03727720 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_35.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 01358192 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_35.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 00444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_35.dll
2015-01-15 01:41 - 2007-06-20 20:46 - 00266088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_8.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 03497832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_34.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 01124720 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_34.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 00443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_34.dll
2015-01-15 01:41 - 2007-04-04 18:55 - 00261480 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_7.dll
2015-01-15 01:41 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2015-01-15 01:41 - 2007-03-15 16:57 - 00443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_33.dll
2015-01-15 01:41 - 2007-03-12 16:42 - 03495784 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_33.dll
2015-01-15 01:41 - 2007-03-12 16:42 - 01123696 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_33.dll
2015-01-15 01:41 - 2007-03-05 12:42 - 00015128 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_1.dll
2015-01-15 01:41 - 2007-01-24 15:27 - 00255848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_6.dll
2015-01-15 01:41 - 2006-12-08 12:02 - 00251672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_5.dll
2015-01-15 01:41 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2015-01-15 01:41 - 2006-11-29 13:06 - 00440080 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10.dll
2015-01-15 01:41 - 2006-09-28 16:05 - 00237848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_4.dll
2015-01-15 01:41 - 2006-07-28 09:30 - 00236824 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_3.dll
2015-01-15 01:41 - 2006-07-28 09:30 - 00062744 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_2.dll
2015-01-15 01:41 - 2006-05-31 07:24 - 00230168 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_2.dll
2015-01-15 01:41 - 2006-03-31 12:40 - 02388176 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2015-01-15 01:41 - 2006-03-31 12:39 - 00229584 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2015-01-15 01:41 - 2006-03-31 12:39 - 00062672 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2015-01-15 01:41 - 2006-02-03 08:43 - 02332368 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_29.dll
2015-01-15 01:41 - 2006-02-03 08:42 - 00230096 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_0.dll
2015-01-15 01:41 - 2006-02-03 08:41 - 00014032 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2015-01-15 01:41 - 2005-12-05 18:09 - 02323664 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_28.dll
2015-01-15 01:41 - 2005-07-22 19:59 - 02319568 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_27.dll
2015-01-15 01:41 - 2005-05-26 15:34 - 02297552 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_26.dll
2015-01-15 01:41 - 2005-03-18 17:19 - 02337488 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_25.dll
2015-01-15 01:41 - 2005-02-05 19:45 - 02222800 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_24.dll
2015-01-15 01:39 - 2015-01-15 01:41 - 00000000 ____D () C:\Windows\system32\directx
2015-01-15 01:20 - 2015-01-15 01:20 - 00026608 _____ () C:\Users\Javier\Desktop\DxDiag.txt
2015-01-14 14:22 - 2014-12-18 21:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 14:22 - 2014-12-18 20:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 14:22 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-14 14:22 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 14:22 - 2014-12-05 22:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 14:21 - 2014-12-11 12:47 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 15:52 - 2015-01-13 15:52 - 00000000 __SHD () C:\Users\Javier\AppData\Local\EmieBrowserModeList
2015-01-11 03:48 - 2015-01-11 03:49 - 00001021 _____ () C:\Users\Javier\Desktop\Start Tor Browser.lnk
2015-01-11 03:36 - 2015-01-11 03:36 - 00000000 ____D () C:\Users\Javier\Documents\Tor Browser
2014-12-31 13:58 - 2015-01-15 09:07 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00002685 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ___RD () C:\Program Files\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\Users\Javier\AppData\Local\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-12-31 13:57 - 2014-12-31 13:58 - 00000000 ____D () C:\ProgramData\Skype
2014-12-30 12:41 - 2014-12-30 12:41 - 00242504 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 14:37 - 2014-08-15 18:15 - 00000000 ____D () C:\Users\Javier\AppData\Local\CrashDumps
2015-01-20 14:16 - 2012-11-20 12:11 - 00000838 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-20 13:59 - 2014-05-20 07:54 - 00000000 ____D () C:\Windows\erdnt
2015-01-20 13:48 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2015-01-20 13:47 - 2012-11-20 11:39 - 01792093 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 12:35 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-19 22:38 - 2014-11-16 04:03 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\vlc
2015-01-19 22:37 - 2012-11-20 11:46 - 00000000 ____D () C:\Users\Javier
2015-01-19 22:34 - 2014-08-19 23:53 - 00000000 ____D () C:\Program Files\Recuva
2015-01-19 21:50 - 2014-05-20 02:58 - 00000000 ____D () C:\ProgramData\TEMP
2015-01-19 21:50 - 2014-05-20 02:58 - 00000000 ____D () C:\Program Files\SpywareBlaster
2015-01-19 19:59 - 2014-05-19 13:42 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-19 19:12 - 2014-11-22 23:10 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2015-01-19 18:24 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2015-01-19 18:02 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\PLA
2015-01-19 16:16 - 2014-05-27 05:04 - 00072192 _____ () C:\Users\Javier\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-19 15:13 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-19 14:47 - 2014-07-30 14:12 - 00001374 _____ () C:\Users\Javier\Desktop\Telfs..txt
2015-01-17 06:17 - 2009-07-13 23:34 - 00016640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-17 06:17 - 2009-07-13 23:34 - 00016640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-16 21:01 - 2014-05-19 17:39 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\uTorrent
2015-01-15 10:33 - 2012-11-20 11:50 - 01588400 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 08:42 - 2014-12-09 15:21 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-15 08:42 - 2014-05-19 14:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-15 03:01 - 2012-11-20 12:59 - 00000000 ____D () C:\Program Files\Google
2015-01-15 01:51 - 2014-05-19 14:06 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-15 01:51 - 2014-05-19 14:06 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-15 01:41 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-01-14 14:46 - 2014-05-19 21:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 14:38 - 2014-05-19 21:29 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 01:16 - 2012-11-20 12:11 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-14 01:16 - 2012-11-20 12:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-13 15:52 - 2012-11-20 12:59 - 00000000 ____D () C:\Users\Javier\AppData\Local\Google
2015-01-06 04:36 - 2012-11-20 12:36 - 00249488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-05 13:38 - 2012-11-20 13:29 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-05 13:38 - 2012-11-20 13:29 - 00000000 ____D () C:\Program Files\CCleaner
2014-12-31 13:06 - 2014-12-19 23:09 - 00000000 ____D () C:\Program Files\KeyCryptSDK
2014-12-30 13:18 - 2014-12-19 23:09 - 00069816 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\KeyCrypt32.sys
2014-12-30 13:08 - 2014-12-19 23:09 - 00001098 _____ () C:\Users\Public\Desktop\AntiLogger Free.lnk
2014-12-30 13:08 - 2014-12-19 23:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiLogger Free
2014-12-30 13:08 - 2014-12-19 23:09 - 00000000 ____D () C:\Program Files\Zemana AntiLogger Free
2014-12-30 04:11 - 2014-08-10 02:30 - 00007639 _____ () C:\Users\Javier\AppData\Local\Resmon.ResmonCfg
2014-12-27 14:35 - 2014-11-17 19:00 - 00000000 ____D () C:\Users\Javier\AppData\Local\AntiLogger Free
2014-12-24 12:19 - 2014-08-19 01:47 - 00000000 ____D () C:\Users\Javier\AppData\Local\Adobe
2014-12-21 03:36 - 2014-10-27 18:31 - 00000000 ____D () C:\Users\Javier\AppData\Local\Facebook

==================== Files in the root of some directories =======
2014-05-27 05:04 - 2015-01-19 16:16 - 0072192 _____ () C:\Users\Javier\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-10 02:30 - 2014-12-30 04:11 - 0007639 _____ () C:\Users\Javier\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2011-01-16 12:56] - [2013-01-11 17:17] - 0811520 ____A (Microsoft Corporation) 8626F0C30D4E3564FFDD25C90F4426F1

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 00:46

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 19-01-2015
Ran by Javier at 2015-01-20 14:39:13
Running from C:\Users\Javier\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Bitdefender Antivirus Free Edition (Disabled - Up to date) {9B5F5313-CAF9-DD97-C460-E778420237B4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Bitdefender Antivirus Free Edition (Disabled - Up to date) {203EB2F7-ECC3-D219-FED0-DC0A39857D09}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\uTorrent) (Version: 3.4.2.35702 - BitTorrent Inc.)
ACDSee Photo Manager 12 (HKLM\...\{A5CBD7C5-CF16-443F-A4F2-3503C9DE311B}) (Version: 12.0.344 - ACD Systems International Inc.)
Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.257 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
AntiLogger Free version 1.8.2.198 (HKLM\...\{A80DB23D-0618-405B-89D9-28F99814E287}_is1) (Version: 1.8.2.198 - Zemana Ltd.)
Bitdefender Anti-Theft (HKLM\...\Bitdefender Anti-Theft) (Version: 1.0.9.44 - Bitdefender)
Bitdefender Antivirus Free Edition (HKLM\...\BitDefender Gonzales) (Version: 1.0.21.1099 - Bitdefender)
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Defraggler (HKLM\...\Defraggler) (Version: 2.18 - Piriform)
Free Audio Converter version 5.0.51.1022 (HKLM\...\Free Audio Converter_is1) (Version: 5.0.51.1022 - DVDVideoSoft Ltd.)
Free MP3 Cutter 2.0 (HKLM\...\{847E0734-4457-4B48-BF49-998D1CF2CFA1}_is1) (Version: 2.0 - PolySoft Solutions)
Malwarebytes Anti-Exploit version 1.05.1.1016 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.05.1.1016 - Malwarebytes)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (español) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 3082) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 en-US) (HKLM\...\Mozilla Firefox 35.0 (x86 en-US)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 35.0 - Mozilla)
Nero 8.3.2.1 (HKLM\...\Nero8WinuE_is1) (Version: 8.3.2.1 - Bj @ WinuE)
Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SoulseekQt (HKLM\...\SoulseekQt) (Version:  - )
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TagScanner 5.1.660 (HKLM\...\TagScanner_is1) (Version:  - Sergey Serkov)
Thumbs Remover (HKLM\...\{CD3423F8-F651-41DE-AA3C-0BF2A2EF505A}_is1) (Version: 1.6.1.280 - Xtreme-LAb®)
VIA Rhine Family Fast Ethernet Adapter (HKLM\...\VN_VUIns_Rhine_VIA) (Version:  - VIA Technologies, Inc.)
VIA/S3G Display Driver 6.14.10.0359 (HKLM\...\VIA/S3G UniChrome Family Win2K/XP/Server2003 Display) (Version:  - )
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Winamp (HKLM\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240C1}) (Version: 15.0.9411 - WinZip Computing, S.L. )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points  =========================

20-01-2015 13:59:33 ComboFix created restore point

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2014-11-16 19:23 - 00000768 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1    localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {20D71D72-D19A-4685-8B77-2715526F07EA} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {7466BD12-714E-457A-BD4E-FA749CA72B99} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-14] (Adobe Systems Incorporated)
Task: {A46CB00B-4B45-4141-998A-E32B1322CBD6} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {B70B7F8E-C896-4F9B-AF92-C623F0918207} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-06-11 07:03 - 2013-03-19 12:07 - 00508136 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\sqlite3.dll
2014-06-11 07:03 - 2013-09-03 14:29 - 00095088 _____ () C:\Program Files\Bitdefender\Antivirus Free Edition\BDMetrics.dll
2014-08-02 03:43 - 2013-09-03 12:32 - 00204280 _____ () C:\Program Files\Bitdefender\Bitdefender Anti-Theft\txmlutil.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2014-12-09 15:21 - 2015-01-09 04:05 - 03925104 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:C43ED645

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrador (S-1-5-21-1299114229-604962728-1052101830-500 - Administrator - Disabled)
HomeGroupUser$ (S-1-5-21-1299114229-604962728-1052101830-1002 - Limited - Enabled)
Invitado (S-1-5-21-1299114229-604962728-1052101830-501 - Limited - Disabled) => C:\Users\Invitado
Javier (S-1-5-21-1299114229-604962728-1052101830-1000 - Administrator - Enabled) => C:\Users\Javier

==================== Faulty Device Manager Devices =============

Name: AVGIDSShim
Description: AVGIDSShim
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: AVGIDSShim
Problem: This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

Name: avgtp
Description: avgtp
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: avgtp
Problem: This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 02:36:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswMBR.exe, version: 1.0.1.2252, time stamp: 0x5465ba64
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea91c
Exception code: 0xc0000005
Fault offset: 0x00052d37
Faulting process id: 0x558
Faulting application start time: 0xaswMBR.exe0
Faulting application path: aswMBR.exe1
Faulting module path: aswMBR.exe2
Report Id: aswMBR.exe3

Error: (01/20/2015 02:30:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswMBR.exe, version: 1.0.1.2252, time stamp: 0x5465ba64
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea91c
Exception code: 0xc0000005
Fault offset: 0x00052d94
Faulting process id: 0xe94
Faulting application start time: 0xaswMBR.exe0
Faulting application path: aswMBR.exe1
Faulting module path: aswMBR.exe2
Report Id: aswMBR.exe3

Error: (01/20/2015 02:25:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswMBR.exe, version: 1.0.1.2252, time stamp: 0x5465ba64
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea91c
Exception code: 0xc0000005
Fault offset: 0x00052d94
Faulting process id: 0xea0
Faulting application start time: 0xaswMBR.exe0
Faulting application path: aswMBR.exe1
Faulting module path: aswMBR.exe2
Report Id: aswMBR.exe3

Error: (01/20/2015 02:20:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: aswMBR.exe, version: 1.0.1.2252, time stamp: 0x5465ba64
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea91c
Exception code: 0xc0000005
Fault offset: 0x00052d94
Faulting process id: 0xa0
Faulting application start time: 0xaswMBR.exe0
Faulting application path: aswMBR.exe1
Faulting module path: aswMBR.exe2
Report Id: aswMBR.exe3


System errors:
=============

Microsoft Office Sessions:
=========================
Error: (01/20/2015 02:36:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: aswMBR.exe | 1.0.1.2252 | 5465ba64 | ntdll.dll | 6.1.7601.18247 | 521ea91c | c0000005 | 00052d37 | 558 | 01d034e7c1913432 | C:\Users\Javier\Desktop\aswMBR.exe | C:\Windows\SYSTEM32\ntdll.dll | ad5ec948-a0db-11e4-a3ee-00e04d6bf6ad

Error: (01/20/2015 02:30:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: aswMBR.exe | 1.0.1.2252 | 5465ba64 | ntdll.dll | 6.1.7601.18247 | 521ea91c | c0000005 | 00052d94 | e94 | 01d034e6fbd91eb0 | C:\Users\Javier\Desktop\aswMBR.exe | C:\Windows\SYSTEM32\ntdll.dll | cf98c9da-a0da-11e4-a3ee-00e04d6bf6ad

Error: (01/20/2015 02:25:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: aswMBR.exe | 1.0.1.2252 | 5465ba64 | ntdll.dll | 6.1.7601.18247 | 521ea91c | c0000005 | 00052d94 | ea0 | 01d034e622b6e4a4 | C:\Users\Javier\Desktop\aswMBR.exe | C:\Windows\SYSTEM32\ntdll.dll | 15b4fe8a-a0da-11e4-a3ee-00e04d6bf6ad

Error: (01/20/2015 02:20:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: aswMBR.exe | 1.0.1.2252 | 5465ba64 | ntdll.dll | 6.1.7601.18247 | 521ea91c | c0000005 | 00052d94 | a0 | 01d034e4abd9c38a | C:\Users\Javier\Desktop\aswMBR.exe | C:\Windows\SYSTEM32\ntdll.dll | 539dc68c-a0d9-11e4-a3ee-00e04d6bf6ad


==================== Memory info ===========================

Processor: Intel® Pentium® Dual CPU E2160 @ 1.80GHz
Percentage of memory in use: 36%
Total physical RAM: 1982.49 MB
Available physical RAM: 1260.37 MB
Total Pagefile: 3964.98 MB
Available Pagefile: 2770.69 MB
Total Virtual: 2047.88 MB
Available Virtual: 1904.22 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:43.85 GB) (Free:20.52 GB) NTFS
Drive d: () (Fixed) (Total:105.1 GB) (Free:104.87 GB) NTFS
Drive f: () (Fixed) (Total:465.76 GB) (Free:215.96 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: F6745AF7)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=43.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=105.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: F8294C7A)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Edited by Terokal, 20 January 2015 - 09:50 PM.
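The "One Month Created Files and Folders" section of the FRST log above is a timeline: every entry carries a creation time, a modification time, a size, an attribute column (D = directory, R/S/H = read-only/system/hidden), the CompanyName from the file's version resource, and the path. The way a responder reads it is to pick an anchor event (here, the moment Freecorder8SetupIC.exe landed in Downloads on 2015-01-15 23:18) and look at what else appeared around it. The following Python script does that mechanically. It is an added example for this thread, not part of the original post and not code from Farbar Recovery Scan Tool; the line format it parses is the one visible in the log, while the rule set, the three-hour window and the sample (eight lines copied from the log above) are assumptions chosen for the example.

```python
"""Timeline triage for FRST 'One Month Created Files and Folders' entries.

Added example for the thread, not part of the original post and not code
from Farbar Recovery Scan Tool (FRST). The line format parsed here is the one
visible in the log:
  <created> - <modified> - <size> <flags> (<CompanyName>) <path>
The rule set, the hour window and the sample anchor are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) - (\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(\d+) ([_A-Z]+) \((.*?)\) (.+)$"
)
_TS = "%Y-%m-%d %H:%M"
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".sys")

R_DOWNLOADS = "executable dropped in a user's Downloads folder"
R_ROOT_HIDDEN = "hidden+system file created directly in a drive root"
R_WINDOW = "created within the time window around the anchor event"

# Constructed sample: eight lines copied from the FRST log posted above.
SAMPLE = r"""
2015-01-18 07:11 - 2015-01-18 07:11 - 01935848 _____ (Sergey Serkov ) C:\Users\Javier\Downloads\tagscan5.1.660setup.exe
2015-01-16 17:51 - 2015-01-17 00:19 - 00000000 ____D () C:\Users\Javier\Downloads\The Mentalist
2015-01-15 23:18 - 2015-01-15 23:18 - 02002112 _____ (Applian Technologies Inc.) C:\Users\Javier\Downloads\Freecorder8SetupIC.exe
2015-01-15 23:02 - 2015-01-15 23:03 - 00000969 _____ () C:\Users\Javier\Documents\recorder.log
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\MSDOS.SYS
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\IO.SYS
2015-01-15 01:41 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2014-12-30 12:41 - 2014-12-30 12:41 - 00242504 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys
"""


@dataclass
class FileEntry:
    created: datetime
    modified: datetime
    size: int
    flags: set      # letters from the flag column, e.g. {"R", "S", "H"}; "D" = directory
    company: str    # CompanyName from the PE version resource; "" when FRST shows ()
    path: str


def parse_frst(text: str) -> list:
    """Parse entry lines; lines that do not match the FRST format are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, flags, company, path = m.groups()
        entries.append(FileEntry(
            datetime.strptime(created, _TS), datetime.strptime(modified, _TS),
            int(size), set(flags) - {"_"}, company.strip(), path))
    return entries


def anchor_for(entries, name_fragment: str) -> datetime:
    """Creation time of the first entry whose path contains name_fragment."""
    return next(e.created for e in entries if name_fragment in e.path)


def triage(entries, anchor: datetime, window_hours: float = 3.0) -> list:
    """Return (path, reason) pairs worth a second look. These are heuristics,
    not verdicts: a hit means 'inspect this (signature, hash, origin)', not 'malware'."""
    window = timedelta(hours=window_hours)
    hits = []
    for e in entries:
        low = e.path.lower()
        is_dir = "D" in e.flags
        if not is_dir and "\\downloads\\" in low and low.endswith(EXEC_EXT):
            hits.append((e.path, R_DOWNLOADS))
        if not is_dir and {"S", "H"} <= e.flags and re.fullmatch(r"[a-z]:\\[^\\]+", low):
            hits.append((e.path, R_ROOT_HIDDEN))
        if abs(e.created - anchor) <= window:
            hits.append((e.path, R_WINDOW))
    return hits


def triage_sample() -> list:
    """Run the rules over SAMPLE, anchored on when the Freecorder installer landed."""
    entries = parse_frst(SAMPLE)
    return triage(entries, anchor_for(entries, "Freecorder8SetupIC.exe"))


if __name__ == "__main__":
    for path, reason in triage_sample():
        print(f"{reason:58s} {path}")
```

Run against the sample, the window rule ties recorder.log and the two zero-byte, hidden+system MSDOS.SYS / IO.SYS files in the root of C: to the same evening the installer arrived; the DirectX DLLs from 01:41 and the BitDefender driver from December fall outside it and stay quiet. That grouping is the point: the rules only say which entries to look at next, and a hit is where you go check the file's signature and hash, not a verdict on its own.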


#4 OCD (Malware Response Team, 172 posts, Florida)

Posted 21 January 2015 - 01:13 AM

Hi Terokal,

Try this anti-rootkit program instead.

Malwarebytes Anti-Rootkit

  • Download Malwarebytes Anti-Rootkit
  • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
  • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
  • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
  • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) prompt asking whether you are sure you wish to allow the program to run. Please allow it so that Malwarebytes Anti-Rootkit starts correctly.
  • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
  • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.

  • On the introduction screen, please click on the Next button to continue.


  • Next you will see the Update Database screen.
  • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.


  • When the update has finished, click on the Next button.


  • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
  • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.


  • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
  • Make sure everything is selected and that the option to create a restore point is checked.
  • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
  • Click on Yes button to restart your computer.
  • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
  • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
    • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.
  • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.

=========================

FRST Fix Script

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the desktop as fixlist.txt

Start
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

=========================

I see you have/had ComboFix installed.

  1. When was the last time you ran it?
  2. Do you still have the log?

C:\ComboFix.txt

=========================

P2P - (Peer to Peer)

I see you have/had P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall this now.

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:

  • uTorrent

If you choose not to remove this program, please refrain from using it until we have finished cleaning your computer.

=========================

In your next post please provide the following:

  • mbar-log
  • system-log.txt
  • Fixlog.txt
  • ComboFix.txt - if you have it
  • Decision of uTorrent.

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#5 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 21 January 2015 - 02:35 AM

Hi OCD !!!, again thanks for the help !!! ...


Combofix's log is long gone, so the exe ... guess me brother has been doing something when I was out ... he's used ESET online scanner.


About the use of uTorrent, I download only mkv files of a TV show ... that's what I use it for, no cracked programs anymore (I've had serious problems before) ... well, that show is about to end so I guess there won't be any need to use uTorrent ... did it just for the sake of watching it as soon as it was aired in the U.S.A. or Canada, saving me from bad-resolution watch-free sites ... actually I use Soulseek to share mp3s (is it dangerous?) ... gonna read carefully the info on that link ... it "appears" the PC is not so screwed up ... as I told ya, me brother definitely has been doing his thing (well, it's his bloody machine :crazy: ) ... hope everything's OK now.


here's the requested info :

Malwarebytes Anti-Rootkit BETA 1.08.3.1004
www.malwarebytes.org

Database version:
  main:    v2015.01.21.04
  rootkit: v2015.01.14.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.17501
Javier :: NUREFALAZ-PC [administrator]

21/01/2015 01:39:06 a.m.
mbar-log-2015-01-21 (01-39-06).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 354855
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.3.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17501

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.799000 GHz
Memory total: 2078793728, free: 1131585536

=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.3.1004

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 11.0.9600.17501

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED
CPU speed: 1.799000 GHz
Memory total: 2078793728, free: 1109544960

Downloaded database version: v2015.01.21.04
Downloaded database version: v2015.01.14.01
Downloaded database version: v2014.12.06.01
Initializing...
======================
------------ Kernel report ------------
     01/21/2015 01:38:39
------------ Loaded modules -----------
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2015.01.21.04
  rootkit: v2015.01.14.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff85c50860, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff85c50498, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff85c50860, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85b7d918, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff85b76908, DeviceName: \Device\Ide\IdeDeviceP3T0L0-5\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F6745AF7

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 91955200

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 92162048  Numsec = 220416000

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffffb6797318, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffffe04d7ac0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffffb6797318, DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffffb66553b0, DeviceName: \Device\0000007e\, DriverName: \Driver\USBSTOR\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR4\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: F8294C7A

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048  Numsec = 976766976

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-2048-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
Removal finished
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-01-2015
Ran by Javier at 2015-01-21 01:56:09 Run:1
Running from C:\Users\Javier\Desktop
Loaded Profiles: Javier (Available profiles: Javier & Invitado)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
End
*****************

Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-1299114229-604962728-1052101830-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
EmptyTemp: => Removed 214.1 MB temporary data.


The system needed a reboot.

==== End of Fixlog 01:56:24 ====

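When MBAR prints "Inspecting partition table" it is reading the 512-byte MBR and checking the four 16-byte entries. The following is an added example for this thread (not code from BleepingComputer, the poster or Malwarebytes): it builds a constructed MBR from the Disk 0 values in the log above (signature F6745AF7, three NTFS entries, one empty slot, dummy boot code), parses it back, renders it in the log's shape, and runs the consistency checks a rootkit scan applies, including a constructed tampered table that the checks flag.

```python
"""Parse an MBR partition table and sanity-check it the way an anti-rootkit
scanner does when it reports "Inspecting partition table".
Added example for this thread, not code from BleepingComputer or Malwarebytes.
The MBR sector below is CONSTRUCTED (dummy boot code) to match the values MBAR
logged for Disk 0: signature F6745AF7, three NTFS entries, one empty slot."""
import struct
from itertools import combinations

SECTOR_BYTES = 512
TABLE_OFFSET = 446          # four 16-byte entries at 446, 462, 478, 494
SIG_OFFSET = 440            # 32-bit NT disk signature
BOOT_SIG = b"\x55\xAA"      # bytes 510-511, which MBAR prints as "55AA"


def build_mbr(disk_sig, entries):
    """Construct a 512-byte MBR from (active, type, lba, numsec) tuples."""
    mbr = bytearray(SECTOR_BYTES)
    struct.pack_into("<I", mbr, SIG_OFFSET, disk_sig)
    for i, (active, ptype, lba, numsec) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        mbr[off] = 0x80 if active else 0x00      # boot indicator
        mbr[off + 4] = ptype                     # 0x07 = NTFS, 0x00 = empty
        struct.pack_into("<II", mbr, off + 8, lba, numsec)   # LBA start, sector count
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the disk signature and the four raw partition entries."""
    if len(mbr) != SECTOR_BYTES:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("boot signature is not 55AA")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        lba, numsec = struct.unpack_from("<II", mbr, off + 8)
        parts.append({"index": i, "flag": mbr[off], "type": mbr[off + 4],
                      "lba": lba, "numsec": numsec})
    return {"disk_signature": struct.unpack_from("<I", mbr, SIG_OFFSET)[0],
            "partitions": parts}


def size_str(numsec):
    """Format a sector count the way FRST prints partition sizes (100 MB, 43.8 GB)."""
    nbytes = numsec * SECTOR_BYTES
    if nbytes >= 1024 ** 3:
        return f"{nbytes / 1024 ** 3:.1f} GB"
    return f"{nbytes / 1024 ** 2:.0f} MB"


def check_partition_table(parsed, disk_sectors):
    """Consistency checks; a clean table returns an empty list of findings."""
    findings = []
    used = [p for p in parsed["partitions"] if p["type"] != 0x00]
    for p in parsed["partitions"]:
        if p["flag"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid boot flag {p['flag']:#x}")
        if p["type"] == 0x00 and (p["lba"] or p["numsec"]):
            findings.append(f"entry {p['index']}: empty type but non-zero extent")
    if sum(1 for p in used if p["flag"] == 0x80) > 1:
        findings.append("more than one partition is marked active")
    for p in used:
        if p["numsec"] == 0 or p["lba"] + p["numsec"] > disk_sectors:
            findings.append(f"entry {p['index']}: extent outside the disk")
    for a, b in combinations(used, 2):
        if a["lba"] < b["lba"] + b["numsec"] and b["lba"] < a["lba"] + a["numsec"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def report(parsed):
    """Render the table in the same shape as the MBAR log in the thread."""
    lines = [f"Disk Signature: {parsed['disk_signature']:08X}"]
    for p in parsed["partitions"]:
        kind = "Empty" if p["type"] == 0x00 else "Primary"
        lines.append(f"Partition {p['index']} type is {kind} ({p['type']:#x})")
        lines.append("Partition is ACTIVE." if p["flag"] == 0x80 else "Partition is NOT ACTIVE.")
        lines.append(f"Partition starts at LBA: {p['lba']}  Numsec = {p['numsec']}"
                     f"  [{size_str(p['numsec'])}]")
    return lines


# Constructed sample: Disk 0 as logged by MBAR (160041885696-byte disk).
DISK0_SECTORS = 160041885696 // SECTOR_BYTES
DISK0_ENTRIES = [(True, 0x07, 2048, 204800),
                 (False, 0x07, 206848, 91955200),
                 (False, 0x07, 92162048, 220416000),
                 (False, 0x00, 0, 0)]
DISK0_MBR = build_mbr(0xF6745AF7, DISK0_ENTRIES)

# Constructed anomaly: a second "active" entry that overlaps the boot partition.
TAMPERED_MBR = build_mbr(0xF6745AF7, [DISK0_ENTRIES[0], (True, 0x07, 4096, 91955200),
                                      DISK0_ENTRIES[2], DISK0_ENTRIES[3]])

if __name__ == "__main__":
    table = parse_mbr(DISK0_MBR)
    print("\n".join(report(table)))
    print("Findings:", check_partition_table(table, DISK0_SECTORS) or "none")
    print("Tampered:", check_partition_table(parse_mbr(TAMPERED_MBR), DISK0_SECTORS))
```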


#6 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 21 January 2015 - 03:23 AM

Geez, guess the admin. was in a real bad mood when he wrote that, but he's saying it plain and simple ... I've been hacked before, with a bloody keylogger once, that stopped me from searching cracked programs and all that ... now if I find a free version of something that is a simpler and easier to use program than the real McCoy I go for it ... no cracked stuff anymore.



#7 OCD

OCD

  • Malware Response Team
  • 172 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 21 January 2015 - 11:32 AM

Hi Terokal ,

It's not just cracked software that you will run into issues with while using P2P. It is next to impossible to verify the integrity of ANY file you download via a P2P network. So if you must continue to use uTorrent please refrain from doing so during our clean up process. I appreciate your cooperation.

AdwCleaner v3: Scan & Clean
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that log file in your next reply.
  • A copy of that log file will also be saved in the C:\AdwCleaner folder.
=========================

Junkware Removal Tool

Download Junkware Removal Tool to your desktop.
    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Shut down your protection software now to avoid potential conflicts.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
=========================

In your next post please provide the following:
  • AdwCleaner[S0].txt
  • JRT.txt
  • How is the computer running? Symptoms/issues?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#8 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 21 January 2015 - 02:10 PM

Hi OCD, thanks again ... uTorrent is always closed, nothing to share there cause as soon as the weekly show is downloaded I exit the program, change the name of the mkv file and move it to an external drive ... this is an old PC but it's working good ... internet was kinda slow before but now it's like normal ... here are the logs :


# AdwCleaner v4.108 - Reporte Creado 21/01/2015 en 13:35:48
# Actualizado 17/01/2015 por Xplode
# Database : 2015-01-18.1 [Live]
# Sistema Operativo : Windows 7 Ultimate Service Pack 1 (32 bits)
# Nombre de usuario : Javier - NUREFALAZ-PC
# Ejecutado desde : C:\Users\Javier\Desktop\AdwCleaner.exe
# Opción : Limpiar

***** [ Servicios ] *****


***** [ Archivos / Carpetas ] *****


***** [ Tareas ] *****


***** [ Accesos directos ] *****


***** [ Registro ] *****


***** [ Navegadores ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v35.0 (x86 en-US)


*************************

AdwCleaner[R0].txt - [780 octets] - [21/01/2015 13:33:24]
AdwCleaner[S0].txt - [700 octets] - [21/01/2015 13:35:48]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [759 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Ultimate x86
Ran by Javier on 21/01/2015 at 13:39:46.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21/01/2015 at 13:42:36.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Edited by Terokal, 21 January 2015 - 09:11 PM.


#9 OCD

OCD

  • Malware Response Team
  • 172 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 21 January 2015 - 10:19 PM

Hi Terokal,

Your logs look pretty good. A few more scans to be sure nothing is hiding and we can probably send you on your way.

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware (save it to your desktop).

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • Select Scan tab.
  • Select type of scan to perform:
    • Threat Scan < --- Select this type of scan
    • Custom Scan
    • Hyper Scan
  • Next click the Scan button.
  • When the scan is complete, if no malicious items are found you can close the program.
  • If malicious items are found be sure that everything is checked, and click Quarantine .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

=========================

ESET Online Scanner

*Note:

  • It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
  • Please don't go surfing while your resident protection is disabled!
  • Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.

** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
  • Click Start
  • Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • When the scan completes, click List of found threats
  • click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
  • Include the contents of this report in your next reply

    Note - when ESET doesn't find any threats, no report will be created.
  • Push the back button.
  • Push Finish
  • Re-enable your Antivirus software.

=========================

In your next post please provide the following:


  • MBAM log
  • ESET's log.txt
  • How's the computer running, any symptoms?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#10 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 22 January 2015 - 02:56 AM

hello OCD :

After scanning with JRT most of the icons in the notification tray area disappeared; when checking Control Panel it was like everything was changed (show notifications as default, all of 'em) and I found a new thing: objlist.exe.


At first I panicked, but here on a previous topic I read it's related to a security check, right?

(http://www.bleepingcomputer.com/forums/t/444263/what-is-ojlistexe-by-laurent/). Is there a way to get rid of it ? ...


Haven't restarted the machine yet, hope the icons will be there again after a reboot. Apart from that, everything's working really fine. Here's the Malwarebytes Anti-Malware log; ESET found no threats at all.

Malwarebytes Anti-Malware
www.malwarebytes.org


Update, 21/01/2015 11:44:35 p.m., SYSTEM, NUREFALAZ-PC, Manual, Malware Database, 2015.1.19.11, 2015.1.22.3,
Scan, 21/01/2015 11:55:41 p.m., SYSTEM, NUREFALAZ-PC, Manual, Start:21/01/2015 11:44:46 p.m., Duration:10 min 54 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)



#11 OCD

OCD

  • Malware Response Team
  • 172 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 22 January 2015 - 10:36 AM

Hi Terokal ,

After scanning with JRT most of the icons in the notification tray area disappeared; when checking Control Panel it was like everything was changed (show notifications as default, all of 'em) and I found a new thing: objlist.exe.


It's highly unlikely that JRT has caused what you are experiencing as it did not make any changes to your system. (see log in your previous post). You may just need to reset what icons show in the task bar.


  • Click the little up arrow in the notification tray (lower right corner)
  • Choose Customize, select the icons you wish to have displayed
  • Click the dropdown menu for each and select your preferences
  • Select OK when done.

At first I panicked, but here on a previous topic I read it's related to a security check, right?

(http://www.bleepingcomputer.com/forums/t/444263/what-is-ojlistexe-by-laurent/). Is there a way to get rid of it ? ...


objlist.exe is part of JRT and is used to collect the information in the log. We will remove all the tools we have used at the end of the process so I wouldn't worry about it at this time.


=========================

Re-run Farbar Recovery Scan Tool; it should be on your desktop.

    • Windows XP : Double click on the icon to run it.
    • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
  • When the tool opens click Yes to disclaimer.
  • Select the Addition box
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It will also make (Addition.txt). Please attach it to your reply

=========================

In your next post please provide the following:

  • FRST.txt
  • Addition.txt

Edited by OCD, 22 January 2015 - 10:37 AM.
spelling error

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#12 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 22 January 2015 - 02:18 PM

Hi OCD, thanks for the info, yeah, thanks, the icons are back as they were ... one simple question: the tools and logs you always ask us to download, are they uninstalled to prevent users from doing stupid things in the future without full knowledge of how they work?


here are the logs :


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-01-2015
Ran by Javier (administrator) on NUREFALAZ-PC on 22-01-2015 14:00:56
Running from C:\Users\Javier\Desktop
Loaded Profiles: Javier (Available profiles: Javier & Invitado)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: Español (España, internacional)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Anti-Theft\atserv.exe
(Bitdefender) C:\Program Files\Bitdefender\Antivirus Free Edition\gziface.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
(Bitdefender) C:\Program Files\Bitdefender\Bitdefender Anti-Theft\updatesrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
(Zemana Ltd.) C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 11.0\Reader\reader_sl.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe [2561848 2014-12-10] (Malwarebytes Corporation)
HKLM\...\Run: [ZALFree] => C:\Program Files\Zemana AntiLogger Free\AntiLogger Free.exe [8205944 2014-12-30] (Zemana Ltd.)
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1299114229-604962728-1052101830-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.pe/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Hosts: 127.0.0.1    localhost
Tcpip\Parameters: [DhcpNameServer] 200.48.225.146 200.48.225.130

FireFox:
========
FF ProfilePath: C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default
FF DefaultSearchEngine: Google
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_257.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @nullsoft.com/winampDetector;version=1 -> C:\Program Files\Winamp Detect\npwachk.dll (Nullsoft, Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Blur (Formerly DoNotTrackMe) - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\donottrackplus@abine.com [2014-11-20]
FF Extension: Lightbeam - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2014-09-25]
FF Extension: Adblock Plus - C:\Users\Javier\AppData\Roaming\Mozilla\Firefox\Profiles\a801htew.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-05-19]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 atserv; C:\Program Files\Bitdefender\Bitdefender Anti-Theft\atserv.exe [456648 2013-10-07] (Bitdefender)
R2 gzserv; C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe [57520 2013-10-23] (Bitdefender)
R2 MbaeSvc; C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe [555320 2014-12-10] (Malwarebytes Corporation)
R2 UPDATESRV_ANTITHEFT; C:\Program Files\Bitdefender\Bitdefender Anti-Theft\updatesrv.exe [54424 2013-10-04] (Bitdefender)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [633344 2013-04-17] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [486536 2013-04-17] (BitDefender)
R1 bdfwfpf; C:\Program Files\Bitdefender\Antivirus Free Edition\bdfwfpf.sys [108008 2013-07-02] (Bitdefender SRL)
R1 bdselfpr; C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys [135472 2013-07-16] (BitDefender LLC)
R1 ESProtectionDriver; C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys [47928 2014-12-10] ()
R3 FETNDIS; C:\Windows\System32\DRIVERS\fetn62.sys [45056 2010-08-06] (VIA Technologies, Inc.              )
R1 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [164952 2013-04-22] (BitDefender LLC)
R3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt32.sys [69816 2014-12-30] (Zemana Ltd.)
S3 RTL8187; C:\Windows\System32\DRIVERS\rtl8187.sys [375808 2010-01-07] (Realtek Semiconductor Corporation                           )
R0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [355744 2013-05-28] (BitDefender S.R.L.)
R3 viagfx; C:\Windows\System32\DRIVERS\vtmini.sys [281856 2007-03-22] (Copyright © VIA/S3 Graphics Co, Ltd.)
R0 videX32; C:\Windows\System32\DRIVERS\videX32.sys [13976 2010-02-11] (VIA Technologies, Inc.)
R0 xfilt; C:\Windows\System32\DRIVERS\xfilt.sys [23192 2010-02-11] (VIA Technologies, Inc.)
S1 Avgdiskx; system32\DRIVERS\avgdiskx.sys [X]
S0 AVGIDSHX; system32\DRIVERS\avgidshx.sys [X]
S1 AVGIDSShim; system32\DRIVERS\avgidsshimx.sys [X]
S0 Avglogx; system32\DRIVERS\avglogx.sys [X]
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx86.sys [X]
S3 catchme; \??\C:\Users\Javier\AppData\Local\Temp\catchme.sys [X]
S3 PAC7302; system32\DRIVERS\PAC7302.SYS [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 WsAudioDevice_383; system32\drivers\WsAudioDevice_383.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-22 14:00 - 2015-01-22 14:01 - 00008278 _____ () C:\Users\Javier\Desktop\FRST.txt
2015-01-22 14:00 - 2015-01-22 14:01 - 00000000 ____D () C:\FRST
2015-01-22 13:58 - 2015-01-22 13:59 - 01118208 _____ (Farbar) C:\Users\Javier\Desktop\FRST.exe
2015-01-22 13:47 - 2015-01-22 13:47 - 00000056 _____ () C:\Windows\setupact.log
2015-01-22 13:47 - 2015-01-22 13:47 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-21 21:28 - 2015-01-22 03:14 - 00000000 ____D () C:\Users\Javier\Downloads\S07 E08 'The Whites Of His Eyes'
2015-01-21 13:33 - 2015-01-21 13:35 - 00000000 ____D () C:\AdwCleaner
2015-01-21 13:32 - 2015-01-21 13:32 - 02186752 _____ () C:\Users\Javier\Desktop\AdwCleaner.exe
2015-01-21 13:25 - 2015-01-21 13:25 - 01707939 _____ (Thisisu) C:\Users\Javier\Desktop\JRT.exe
2015-01-21 01:38 - 2015-01-21 01:53 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-01-21 01:31 - 2015-01-21 01:31 - 16466552 _____ (Malwarebytes Corp.) C:\Users\Javier\Desktop\mbar-1.08.3.1004.exe
2015-01-20 22:10 - 2015-01-20 22:10 - 02347384 _____ (ESET) C:\Users\Javier\Desktop\esetsmartinstaller_enu.exe
2015-01-20 22:10 - 2015-01-20 22:10 - 00000000 ____D () C:\Program Files\ESET
2015-01-19 21:26 - 2015-01-19 21:26 - 00000000 ____D () C:\ProgramData\BDLogging
2015-01-18 07:12 - 2015-01-18 07:12 - 00000972 _____ () C:\Users\Javier\Desktop\TagScanner.lnk
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\TagScanner
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TagScanner
2015-01-18 07:12 - 2015-01-18 07:12 - 00000000 ____D () C:\Program Files\TagScanner
2015-01-15 23:02 - 2015-01-15 23:03 - 00000969 _____ () C:\Users\Javier\Documents\recorder.log
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\MSDOS.SYS
2015-01-15 21:07 - 2015-01-15 21:07 - 00000000 __RSH () C:\IO.SYS
2015-01-15 01:41 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2015-01-15 01:41 - 2010-06-02 04:55 - 00239960 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_7.dll
2015-01-15 01:41 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 01998168 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 01868128 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 00470880 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_43.dll
2015-01-15 01:41 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00528216 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_6.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_6.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_4.dll
2015-01-15 01:41 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00515416 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_5.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00238936 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_5.dll
2015-01-15 01:41 - 2009-09-04 17:44 - 00069464 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_3.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 05501792 _____ (Microsoft Corporation) C:\Windows\system32\d3dcsx_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 01974616 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 00453456 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2015-01-15 01:41 - 2009-09-04 17:29 - 00235344 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_42.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00517448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_4.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00235352 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_4.dll
2015-01-15 01:41 - 2009-03-16 14:18 - 00022360 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_6.dll
2015-01-15 01:41 - 2009-03-09 15:27 - 04178264 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_41.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00514384 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_3.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00235856 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_3.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00070992 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_2.dll
2015-01-15 01:41 - 2008-10-27 10:04 - 00023376 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_5.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 04379984 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 02036576 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2015-01-15 01:41 - 2008-10-10 04:52 - 00452440 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2015-01-15 01:41 - 2008-07-31 10:41 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_2.dll
2015-01-15 01:41 - 2008-07-31 10:41 - 00068616 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_1.dll
2015-01-15 01:41 - 2008-07-31 10:40 - 00509448 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_2.dll
2015-01-15 01:41 - 2008-07-10 11:01 - 00467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_39.dll
2015-01-15 01:41 - 2008-07-10 11:00 - 03851784 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_39.dll
2015-01-15 01:41 - 2008-07-10 11:00 - 01493528 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_39.dll
2015-01-15 01:41 - 2008-05-30 14:19 - 00507400 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_1.dll
2015-01-15 01:41 - 2008-05-30 14:18 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_1.dll
2015-01-15 01:41 - 2008-05-30 14:17 - 00065032 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_0.dll
2015-01-15 01:41 - 2008-05-30 14:17 - 00025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_4.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 03850760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_38.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 01491992 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_38.dll
2015-01-15 01:41 - 2008-05-30 14:11 - 00467984 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_38.dll
2015-01-15 01:41 - 2008-03-05 16:03 - 00479752 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_0.dll
2015-01-15 01:41 - 2008-03-05 16:03 - 00238088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine3_0.dll
2015-01-15 01:41 - 2008-03-05 16:00 - 00025608 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_3.dll
2015-01-15 01:41 - 2008-03-05 15:56 - 03786760 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_37.dll
2015-01-15 01:41 - 2008-03-05 15:56 - 01420824 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_37.dll
2015-01-15 01:41 - 2008-02-05 23:07 - 00462864 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_37.dll
2015-01-15 01:41 - 2007-10-22 03:39 - 00267272 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_10.dll
2015-01-15 01:41 - 2007-10-22 03:37 - 00017928 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_2.dll
2015-01-15 01:41 - 2007-10-12 15:14 - 03734536 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_36.dll
2015-01-15 01:41 - 2007-10-12 15:14 - 01374232 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_36.dll
2015-01-15 01:41 - 2007-10-02 09:56 - 00444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_36.dll
2015-01-15 01:41 - 2007-07-20 00:57 - 00267112 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_9.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 03727720 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_35.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 01358192 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_35.dll
2015-01-15 01:41 - 2007-07-19 18:14 - 00444776 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_35.dll
2015-01-15 01:41 - 2007-06-20 20:46 - 00266088 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_8.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 03497832 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_34.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 01124720 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_34.dll
2015-01-15 01:41 - 2007-05-16 16:45 - 00443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_34.dll
2015-01-15 01:41 - 2007-04-04 18:55 - 00261480 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_7.dll
2015-01-15 01:41 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2015-01-15 01:41 - 2007-03-15 16:57 - 00443752 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_33.dll
2015-01-15 01:41 - 2007-03-12 16:42 - 03495784 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_33.dll
2015-01-15 01:41 - 2007-03-12 16:42 - 01123696 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_33.dll
2015-01-15 01:41 - 2007-03-05 12:42 - 00015128 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_1.dll
2015-01-15 01:41 - 2007-01-24 15:27 - 00255848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_6.dll
2015-01-15 01:41 - 2006-12-08 12:02 - 00251672 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_5.dll
2015-01-15 01:41 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2015-01-15 01:41 - 2006-11-29 13:06 - 00440080 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10.dll
2015-01-15 01:41 - 2006-09-28 16:05 - 00237848 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_4.dll
2015-01-15 01:41 - 2006-07-28 09:30 - 00236824 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_3.dll
2015-01-15 01:41 - 2006-07-28 09:30 - 00062744 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_2.dll
2015-01-15 01:41 - 2006-05-31 07:24 - 00230168 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_2.dll
2015-01-15 01:41 - 2006-03-31 12:40 - 02388176 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_30.dll
2015-01-15 01:41 - 2006-03-31 12:39 - 00229584 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_1.dll
2015-01-15 01:41 - 2006-03-31 12:39 - 00062672 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_1.dll
2015-01-15 01:41 - 2006-02-03 08:43 - 02332368 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_29.dll
2015-01-15 01:41 - 2006-02-03 08:42 - 00230096 _____ (Microsoft Corporation) C:\Windows\system32\xactengine2_0.dll
2015-01-15 01:41 - 2006-02-03 08:41 - 00014032 _____ (Microsoft Corporation) C:\Windows\system32\x3daudio1_0.dll
2015-01-15 01:41 - 2005-12-05 18:09 - 02323664 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_28.dll
2015-01-15 01:41 - 2005-07-22 19:59 - 02319568 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_27.dll
2015-01-15 01:41 - 2005-05-26 15:34 - 02297552 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_26.dll
2015-01-15 01:41 - 2005-03-18 17:19 - 02337488 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_25.dll
2015-01-15 01:41 - 2005-02-05 19:45 - 02222800 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_24.dll
2015-01-15 01:39 - 2015-01-15 01:41 - 00000000 ____D () C:\Windows\system32\directx
2015-01-14 14:22 - 2014-12-18 21:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 14:22 - 2014-12-18 20:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 14:22 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-14 14:22 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 14:22 - 2014-12-05 22:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 14:21 - 2014-12-11 12:47 - 00074240 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 15:52 - 2015-01-13 15:52 - 00000000 __SHD () C:\Users\Javier\AppData\Local\EmieBrowserModeList
2015-01-11 03:48 - 2015-01-11 03:49 - 00001021 _____ () C:\Users\Javier\Desktop\Start Tor Browser.lnk
2015-01-11 03:36 - 2015-01-11 03:36 - 00000000 ____D () C:\Users\Javier\Documents\Tor Browser
2014-12-31 13:58 - 2015-01-21 14:44 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00002685 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ___RD () C:\Program Files\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\Users\Javier\AppData\Local\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-12-31 13:58 - 2014-12-31 13:58 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-12-31 13:57 - 2014-12-31 13:58 - 00000000 ____D () C:\ProgramData\Skype
2014-12-30 12:41 - 2014-12-30 12:41 - 00242504 _____ (BitDefender) C:\Windows\system32\Drivers\avchv.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-22 13:52 - 2012-11-20 11:39 - 01922083 _____ () C:\Windows\WindowsUpdate.log
2015-01-22 13:48 - 2009-07-13 23:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-22 04:44 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2015-01-22 04:16 - 2012-11-20 12:11 - 00000838 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-22 03:15 - 2014-11-16 04:03 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\vlc
2015-01-22 02:11 - 2014-05-19 13:42 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-22 00:21 - 2014-05-19 17:39 - 00000000 ____D () C:\Users\Javier\AppData\Roaming\uTorrent
2015-01-21 23:07 - 2014-11-22 23:10 - 00000000 ____D () C:\ProgramData\Malwarebytes Anti-Exploit
2015-01-21 16:52 - 2014-08-19 23:53 - 00000000 ____D () C:\Program Files\Recuva
2015-01-21 01:37 - 2014-05-19 13:42 - 00082648 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-20 23:53 - 2012-11-20 12:08 - 00000000 ____D () C:\ProgramData\Adobe
2015-01-20 22:16 - 2014-08-15 18:15 - 00000000 ____D () C:\Users\Javier\AppData\Local\CrashDumps
2015-01-20 19:28 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-20 19:15 - 2014-05-27 05:04 - 00075264 _____ () C:\Users\Javier\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-01-20 13:59 - 2014-05-20 07:54 - 00000000 ____D () C:\Windows\erdnt
2015-01-19 22:37 - 2012-11-20 11:46 - 00000000 ____D () C:\Users\Javier
2015-01-19 21:50 - 2014-05-20 02:58 - 00000000 ____D () C:\ProgramData\TEMP
2015-01-19 21:50 - 2014-05-20 02:58 - 00000000 ____D () C:\Program Files\SpywareBlaster
2015-01-19 18:24 - 2009-07-13 21:04 - 00000215 _____ () C:\Windows\system.ini
2015-01-19 18:03 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\PLA
2015-01-17 06:17 - 2009-07-13 23:34 - 00016640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-17 06:17 - 2009-07-13 23:34 - 00016640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-15 10:33 - 2012-11-20 11:50 - 01588400 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-15 08:42 - 2014-12-09 15:21 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-15 08:42 - 2014-05-19 14:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-15 03:01 - 2012-11-20 12:59 - 00000000 ____D () C:\Program Files\Google
2015-01-15 01:51 - 2014-05-19 14:06 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-15 01:51 - 2014-05-19 14:06 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-15 01:41 - 2009-07-13 21:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-01-14 14:46 - 2014-05-19 21:29 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 14:38 - 2014-05-19 21:29 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 01:16 - 2012-11-20 12:11 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-14 01:16 - 2012-11-20 12:11 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-13 15:52 - 2012-11-20 12:59 - 00000000 ____D () C:\Users\Javier\AppData\Local\Google
2015-01-06 04:36 - 2012-11-20 12:36 - 00249488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-05 13:38 - 2012-11-20 13:29 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-05 13:38 - 2012-11-20 13:29 - 00000000 ____D () C:\Program Files\CCleaner
2014-12-31 13:06 - 2014-12-19 23:09 - 00000000 ____D () C:\Program Files\KeyCryptSDK
2014-12-30 13:18 - 2014-12-19 23:09 - 00069816 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\KeyCrypt32.sys
2014-12-30 13:08 - 2014-12-19 23:09 - 00001098 _____ () C:\Users\Public\Desktop\AntiLogger Free.lnk
2014-12-30 13:08 - 2014-12-19 23:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiLogger Free
2014-12-30 13:08 - 2014-12-19 23:09 - 00000000 ____D () C:\Program Files\Zemana AntiLogger Free
2014-12-30 04:11 - 2014-08-10 02:30 - 00007639 _____ () C:\Users\Javier\AppData\Local\Resmon.ResmonCfg
2014-12-27 14:35 - 2014-11-17 19:00 - 00000000 ____D () C:\Users\Javier\AppData\Local\AntiLogger Free
2014-12-24 12:19 - 2014-08-19 01:47 - 00000000 ____D () C:\Users\Javier\AppData\Local\Adobe

==================== Files in the root of some directories =======
2014-05-27 05:04 - 2015-01-20 19:15 - 0075264 _____ () C:\Users\Javier\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-08-10 02:30 - 2014-12-30 04:11 - 0007639 _____ () C:\Users\Javier\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2011-01-16 12:56] - [2013-01-11 17:17] - 0811520 ____A (Microsoft Corporation) 8626F0C30D4E3564FFDD25C90F4426F1

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-14 00:46

==================== End Of Log

Attached Files


Edited by Terokal, 22 January 2015 - 02:19 PM.


#13 OCD

OCD

  • Malware Response Team
  • 172 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 22 January 2015 - 11:21 PM

Hi Terokal,
 

One simple question: the tools and logs you always ask us to download are uninstalled to prevent users from doing stupid things in the future without full knowledge of how they work?

Basically, that is correct. There are some tools that can be retained for added on demand scanning, but as a general rule we always try and remove all tools we have used during the malware removal process.

Your logs look good.  :thumbup2:  Are there any remaining symptoms or issues we haven't addressed?
 


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

#14 Terokal

Terokal
  • Topic Starter

  • Members
  • 177 posts
  • Gender:Male
  • Local time:05:21 PM

Posted 23 January 2015 - 12:39 AM

Hi OCD, everything is working fine ... there's a problem when the PC starts, but it goes way back and has nothing to do with this topic ... I'll wait for instructions on removing the tools ... thanks for your help and patience!!! ... this forum & team rock!!!



#15 OCD

OCD

  • Malware Response Team
  • 172 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:21 PM

Posted 23 January 2015 - 01:04 AM

Hi Terokal,

Your log appears to be clean. :thumbup2:

We have a few items to take care of before we get to the All Clean Speech.

= = = = = = = = = = = = = = = = = = = =

Remove Disinfection Tools

  • Download Delfix
  • Tick the following boxes:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
  • Click Run
  • Any other tools and files found can simply be deleted or uninstall via the Control Panel.

= = = = = = = = = = = = = = = = = = = =


With the above items taken care of let's move on to the All Clean part of the process.

The following procedures are recommendations for helping to keep your system running smoothly. If you are currently satisfied with how your system is running some or all of these may not pertain to you. Implement what you need.

This infection appears to have been cleaned, but I cannot give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords, as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate windows and frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Make your Mozilla Firefox more secure - This can be done by adding these add-ons:

Use and update an anti-virus software - I cannot overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus

Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.

= = = = = = = = = = = = = = = = = = = =

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know
CryptoLocker Ransomware Information Guide and FAQ

To help protect your computer in the future I recommend that you get the following free program:

CryptoPrevent: install this program to lock down and prevent crypto-ransomware


= = = = = = = = = = = = = = = = = = = =

COMPUTER SECURITY - a short guide to staying safer online

= = = = = = = = = = = = = = = = = = = =

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Green should be good to go
  • Yellow for caution
  • Red to stop

= = = = = = = = = = = = = = = = = = = =

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

= = = = = = = = = = = = = = = = = = = =

Make sure you keep your Windows OS current.

  • Windows XP:
    Microsoft will no longer offer support for Windows XP beginning on April 8, 2014
    If you are running Windows XP, please take the time to read the information provided at these links.
  • Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.
  • Windows 8: Open Windows Update by swiping in from the right edge of the screen (or, if you're using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), tapping or clicking Settings, tapping or clicking Change PC settings, and then tapping or clicking Update and recovery.

Without these you are leaving the back door open.

= = = = = = = = = = = = = = = = = = = =

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

= = = = = = = = = = = = = = = = = = = =

Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.


OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days
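As an added example (not code from this thread, from OCD's post, or from any of the tools it mentions), the following PowerShell script audits the five Internet-zone settings the post above asks the user to change in Internet Explorer, and the hosts-file / DNS Client state discussed under the MVPS HOSTS tip, so the reader can confirm the changes actually took rather than trusting the dialog. It only reads the registry and the hosts file; it changes nothing. Assumed and not stated on the page: PowerShell 3.0 or later on Windows 7 with IE 11, the Internet-zone registry value IDs 1001, 1004, 1201, 1804 and 1607 as Microsoft documents them in its "Internet Explorer security zones registry entries" article, IE's fallback from the per-user (HKCU) value to the machine-wide (HKLM) default, and a 100-entry threshold for "large hosts file" that is an arbitrary cut-off chosen for this example.

```powershell
# Added example, not code from the original thread or from OCD's post.
# Audits the IE "Internet" zone settings listed in the post and the
# hosts-file / DNS Client state. Read-only: it changes nothing.
#
# Assumptions: PowerShell 3.0+ on Windows 7 / IE 11; the zone value IDs
# below follow Microsoft's documented security-zone registry entries; IE
# reads the per-user value first and falls back to the machine-wide one.

# Zone 3 is the "Internet" zone; 0/1/2/4 are Local, Intranet, Trusted, Restricted.
$ZoneInternet = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# IE stores each zone action as a DWORD: 0 = Enable, 1 = Prompt, 3 = Disable.
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The five settings the post asks the user to change, with the wanted value.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate windows and frames across different domains';      Want = 1 }
)

function Get-ZoneValue {
    param([string]$Id)
    # Per-user value wins; HKLM holds the defaults IE falls back to when the
    # user has never touched that action in the Custom Level dialog.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = "$hive\$ZoneInternet"
        $item = Get-ItemProperty -Path $path -Name $Id -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Id }
    }
    return $null
}

function Test-IeZoneSettings {
    foreach ($r in $Recommended) {
        $have = Get-ZoneValue -Id $r.Id
        $current = if ($null -eq $have) { 'not set' } elseif ($Meaning.ContainsKey($have)) { $Meaning[$have] } else { "raw value $have" }
        [pscustomobject]@{
            Setting = $r.Name
            Current = $current
            Wanted  = $Meaning[$r.Want]
            Status  = if ($have -eq $r.Want) { 'OK' } else { 'CHANGE' }
        }
    }
}

function Test-HostsFile {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Count active (non-comment) "address name" lines: a stock Windows 7 file
    # has zero or one, a blocklist such as MVPS HOSTS has thousands.
    $active = @(Get-Content -Path $hosts | Where-Object { $_ -match '^\s*[0-9A-Fa-f.:]+\s+\S' }).Count
    # Win32_Service exposes StartMode on every PowerShell version; Get-Service
    # only gained StartType in 5.0.
    $dns = Get-WmiObject -Class Win32_Service -Filter "Name='Dnscache'"
    $warn = ''
    # 100 is an arbitrary threshold chosen for this example, not an IE or MVPS figure.
    if ($active -gt 100 -and $dns -and $dns.State -eq 'Running') {
        $warn = 'Large hosts file with DNS Client running: expect slow name lookups; disable the service as the MVPS tutorial describes'
    }
    [pscustomobject]@{
        HostsPath     = $hosts
        ActiveEntries = $active
        DnsClient     = if ($dns) { "$($dns.State) / $($dns.StartMode)" } else { 'service not found' }
        Warning       = $warn
    }
}

Test-IeZoneSettings | Format-Table -AutoSize
Test-HostsFile | Format-List
```

Run it from a normal (non-elevated) PowerShell prompt as the user whose IE settings you changed, since the per-user values live in that user's HKCU hive; any row marked CHANGE means the Custom Level dialog did not persist the setting and the step should be repeated.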



