Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-06-2017 01 Ran by essemtec (administrator) on PANX-PC1462 (10-06-2017 09:03:27) Running from f:\ Loaded Profiles: essemtec (Available Profiles: essemtec & Administrator) Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States) Internet Explorer Version 8 (Default browser: IE) Boot Mode: Safe Mode (minimal) Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Microsoft Corporation) C:\WINDOWS\system32\cmd.exe ==================== Registry (Whitelisted) ==================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2012-02-01] (Intel Corporation) HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated) HKLM\...\Run: [Bron-Spizaetus] => C:\WINDOWS\ShellNew\sempalong.exe [42713 2009-07-23] () HKLM\...\Winlogon: [Shell] Explorer.exe "C:\WINDOWS\eksplorasi.exe" [x ] () Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2010-11-25] (ATI Technologies Inc.) Winlogon\Notify\GoToAssist Express Customer: C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_winlogon.dll [2017-01-02] (Citrix Systems, Inc.) HKLM\ DisallowedCertificates: 08738A96A4853A52ACEF23F782E8E1FEA7BCED02 (U) HKLM\ DisallowedCertificates: 09271DD621EBD3910C2EA1D059F99B8181405A17 (U) HKLM\ DisallowedCertificates: 09FF2CC86CEEFA8A8BB3F2E3E84D6DA3FABBF63E (U) HKLM\ DisallowedCertificates: 23EF3384E21F70F034C467D4CBA6EB61429F174E (U) HKLM\ DisallowedCertificates: 330D8D3FD325A0E5FDDDA27013A2E75E7130165F (U) HKLM\ DisallowedCertificates: 374D5B925B0BD83494E656EB8087127275DB83CE (U) HKLM\ DisallowedCertificates: 3A26012171855D4020C973BEC3F4F9DA45BD2B83 (U) HKLM\ DisallowedCertificates: 4D8547B7F864132A7F62D9B75B068521F10B68E3 (U) HKLM\ DisallowedCertificates: 4DF13947493CFF69CDE554881C5F114E97C3D03B (U) HKLM\ DisallowedCertificates: 4ED8AA06D1BC72CA64C47B1DFE05ACC8D51FC76F (U) HKLM\ DisallowedCertificates: 587B59FB52D8A683CBE1CA00E6393D7BB923BC92 (U) HKLM\ DisallowedCertificates: 5CE339465F41A1E423149F65544095404DE6EBE2 (U) HKLM\ DisallowedCertificates: 5D5185DF1EB7DC76015422EC8138A5724BEE2886 (U) HKLM\ DisallowedCertificates: 6690C02B922CBD3FF0D0A5994DBD336592887E3F (U) HKLM\ DisallowedCertificates: 7613BF0BA261006CAC3ED2DDBEF343425357F18B (U) HKLM\ DisallowedCertificates: 838FFD509DE868F481C29819992E38A4F7082873 (U) HKLM\ DisallowedCertificates: 8977E8569D2A633AF01D0394851681CE122683A6 (U) HKLM\ DisallowedCertificates: A1505D9843C826DD67ED4EA5209804BDBB0DF502 (U) HKLM\ DisallowedCertificates: A221D360309B5C3C4097C44CC779ACC5A9845B66 (U) HKLM\ DisallowedCertificates: A35A8C727E88BCCA40A3F9679CE8CA00C26789FD (U) HKLM\ DisallowedCertificates: A7B5531DDC87129E2C3BB14767953D6745FB14A6 (U) HKLM\ DisallowedCertificates: A81706D31E6F5C791CD9D3B1B9C63464954BA4F5 (U) HKLM\ DisallowedCertificates: BED412B1334D7DFCEBA3015E5F9F905D571C45CF (U) HKLM\ DisallowedCertificates: C69F28C825139E65A646C434ACA5A1D200295DB1 (U) HKLM\ DisallowedCertificates: D0BB3E3DFBFB86C0EEE2A047E328609E6E1F185E (U) HKLM\ DisallowedCertificates: D43153C8C25F0041287987250F1E3CABAC8C2177 (U) HKLM\ DisallowedCertificates: D8CE8D07F9F19D2569C2FB854401BC99C1EB7C3B (U) HKLM\ DisallowedCertificates: E38A2B7663B86796436D8DF5898D9FAA6835B238 (U) HKLM\ DisallowedCertificates: E95DD86F32C771F0341743EBD75EC33C74A3DED9 (U) HKLM\ DisallowedCertificates: E9809E023B4512AA4D4D53F40569C313C1D0294D (U) HKLM\ DisallowedCertificates: F5A874F3987EB0A9961A564B669A9050F770308A (U) HKLM\ DisallowedCertificates: F92BE5266CC05DB2DC0DC3F2DC74E02DEFD949CB (U) HKU\S-1-5-21-2646437663-3650158834-333150697-1005\...\Run: [Tok-Cirrhatus] => C:\Documents and Settings\essemtec\Local Settings\Application Data\smss.exe [42713 2009-07-23] () HKU\S-1-5-21-2646437663-3650158834-333150697-1005\...\Policies\system: [DisableRegistryTools] 1 HKU\S-1-5-21-2646437663-3650158834-333150697-1005\...\Policies\system: [DisableCMD] 0 HKU\S-1-5-21-2646437663-3650158834-333150697-1005\...\Policies\Explorer: [NoFolderOptions] 1 HKU\S-1-5-18\...\Run: [Tok-Cirrhatus] => C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe [42713 2009-07-23] () HKU\S-1-5-18\...\Policies\system: [DisableRegistryTools] 1 HKU\S-1-5-18\...\Policies\system: [DisableCMD] 0 HKU\S-1-5-18\...\Policies\Explorer: [NoFolderOptions] 1 Startup: C:\Documents and Settings\essemtec\Start Menu\Programs\Startup\Empty.pif [2009-07-23] () Startup: C:\Documents and Settings\NetworkService\Start Menu\Programs\Startup\Empty.pif [2009-07-23] () GroupPolicy: Restriction ? <======= ATTENTION ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt Tcpip\..\Interfaces\{B65B88C2-C154-4217-A484-465A9FFEA504}: [DhcpNameServer] 192.168.129.2 192.168.130.1 Internet Explorer: ================== HKU\S-1-5-21-2646437663-3650158834-333150697-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.essemtec.com/ HKU\S-1-5-21-2646437663-3650158834-333150697-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated) FireFox: ======== FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: (Microsoft .NET Framework Assistant) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-12-13] [not signed] FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation) FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation) ==================== Services (Whitelisted) ==================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S2 GoToAssist Remote Support Customer; C:\Program Files\Citrix\GoToAssist Remote Support Customer\1185\g2ax_service.exe [607240 2017-01-02] (Citrix Systems, Inc.) S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed] S2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation) S2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation) ===================== Drivers (Whitelisted) ====================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative) S3 asmthub3; C:\WINDOWS\System32\DRIVERS\asmthub3.sys [101352 2011-06-02] (ASMedia Technology Inc) S3 asmtxhci; C:\WINDOWS\System32\DRIVERS\asmtxhci.sys [317416 2011-06-02] (ASMedia Technology Inc) S3 AtiHDAudioService; C:\WINDOWS\System32\drivers\AtihdXP3.sys [101904 2010-11-17] (Advanced Micro Devices) S2 BT848; C:\WINDOWS\System32\DRIVERS\BT848.sys [371349 2014-05-15] (Illusion & Hope.) [File not signed] S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-14] (Microsoft Corporation) S3 MCAPI; C:\WINDOWS\System32\drivers\mcapi.sys [19584 2003-10-31] (Precision MicroControl Corp.) [File not signed] R3 MEI; C:\WINDOWS\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation) S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.) S3 mxser; C:\WINDOWS\System32\DRIVERS\mxser.sys [25216 2009-08-05] (Moxa Inc.) S3 mxsport2; C:\WINDOWS\System32\DRIVERS\mxsport2.sys [90368 2009-08-05] (Moxa Inc.) S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-14] (Microsoft Corporation) S4 IntelIde; no ImagePath U1 WS2IFSL; no ImagePath ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-06-10 09:02 - 2017-06-10 09:03 - 00000000 ____D C:\FRST 2017-06-10 08:16 - 2017-06-10 09:01 - 00190398 _____ C:\WINDOWS\ntbtlog.txt ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2017-06-10 09:03 - 2014-05-15 09:47 - 00000000 ____D C:\Documents and Settings\essemtec\Local Settings\Temp 2017-06-10 08:52 - 2011-12-13 14:00 - 00590608 _____ C:\WINDOWS\system32\PerfStringBackup.INI 2017-06-10 08:48 - 2011-12-13 13:59 - 00093480 _____ C:\WINDOWS\system32\FNTCACHE.DAT 2017-06-10 08:47 - 2014-05-15 09:47 - 00000178 ___SH C:\Documents and Settings\essemtec\ntuser.ini 2017-06-09 22:22 - 2012-01-11 10:19 - 00000438 ____H C:\WINDOWS\Tasks\User_Feed_Synchronization-{4A315A59-94E5-49D1-9D9C-3EB9F1D2438B}.job 2017-06-09 22:22 - 2011-12-13 13:41 - 00032076 _____ C:\WINDOWS\SchedLgU.Txt 2017-06-09 22:22 - 2011-12-13 13:41 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2017-06-09 22:21 - 2016-09-03 06:33 - 00000406 _____ C:\WINDOWS\Tasks\At1.job 2017-06-09 22:21 - 2014-06-03 08:30 - 00000228 _____ C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job 2017-06-09 22:21 - 2011-12-13 13:39 - 00000007 ___SH C:\AUTOEXEC.BAT 2017-06-09 17:56 - 2011-12-13 13:54 - 00000000 RSHDC C:\WINDOWS\system32\dllcache 2017-06-09 10:47 - 2008-04-14 14:00 - 00011936 _____ C:\WINDOWS\system32\wpa.dbl 2017-06-09 10:40 - 2014-05-15 10:13 - 00315808 _____ C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat ==================== Files in the root of some directories ======= 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\csrss.exe 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\inetinfo.exe 2016-09-03 06:39 - 2016-09-03 06:39 - 0000051 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\Kosong.Bron.Tok.txt 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\lsass.exe 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\services.exe 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\essemtec\Local Settings\Application Data\smss.exe 2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 ____N () C:\Documents and Settings\essemtec\Local Settings\Application Data\winlogon.exe Files to move or delete: ==================== C:\Windows\Tasks\At1.job Some files in TEMP: ==================== 2011-12-13 13:49 - 2011-05-18 08:09 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\Administrator\Local Settings\Temp\_is170.exe 2012-01-11 10:44 - 2012-02-29 06:45 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\Administrator\Local Settings\Temp\_is49.exe 2012-01-11 10:43 - 2006-05-24 07:10 - 0455600 ____R (Macrovision Corporation) C:\Documents and Settings\Administrator\Local Settings\Temp\_isE.exe 2014-05-15 09:41 - 2011-05-18 08:09 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\Default User\Local Settings\Temp\_is170.exe 2014-05-15 09:41 - 2012-02-29 06:45 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\Default User\Local Settings\Temp\_is49.exe 2014-05-15 09:41 - 2006-05-24 07:10 - 0455600 ____R (Macrovision Corporation) C:\Documents and Settings\Default User\Local Settings\Temp\_isE.exe 2014-05-15 09:47 - 2011-05-18 08:09 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\essemtec\Local Settings\Temp\_is170.exe 2014-05-15 09:47 - 2012-02-29 06:45 - 0457496 ____R (Macrovision Corporation) C:\Documents and Settings\essemtec\Local Settings\Temp\_is49.exe 2014-05-15 09:47 - 2006-05-24 07:10 - 0455600 ____R (Macrovision Corporation) C:\Documents and Settings\essemtec\Local Settings\Temp\_isE.exe ==================== Bamital & volsnap ====================== (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed ==================== End of FRST.txt ============================