Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-06-2017
Ran by CSM7100 (administrator) on CSM7100-4334 (13-06-2017 21:01:10)
Running from F:\
Loaded Profiles: CSM7100 (Available Profiles: CSM7100 & admin & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
(Microsoft Corporation) C:\WINDOWS\system32\EXPLORER.EXE
(Microsoft Corporation) C:\WINDOWS\system32\taskmgr.exe
(Farbar) F:\FRST (1).exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [A17CF6] => C:\WINDOWS\system32\C3C5D7\A17CF6.EXE [1406935 2013-01-17] ()
HKLM\...\Run: [Bron-Spizaetus] => C:\WINDOWS\ShellNew\sempalong.exe [42713 2009-07-23] ()
HKLM\...\Run: [MSConfig] => C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [158208 2004-08-04] (Microsoft Corporation)
HKLM\...\Run: [BD462C] => C:\WINDOWS\system32\A7908C\BD462C.EXE [1406935 2017-06-13] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,EXPLORER.EXE
HKLM\...\Winlogon: [Shell] Explorer.exe "C:\WINDOWS\eksplorasi.exe" [x ] ()
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Run: [wsctf.exe] => wsctf.exe
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Run: [EXPLORER.EXE] => C:\WINDOWS\system32\EXPLORER.EXE [36864 2006-10-25] (Microsoft Corporation)
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Run: [Tok-Cirrhatus] => C:\Documents and Settings\CSM7100\Local Settings\Application Data\smss.exe [42713 2009-07-23] ()
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\Policies\Explorer: [NoFolderOptions] 1
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\MountPoints2: {51c9170a-04b7-11e3-9036-0016e63f7ac4} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\MountPoints2: {d136421c-22e1-11e4-916c-0016e63f7ac4} - E:\EXPLORER.EXE
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\MountPoints2: {d8cdb7f8-a6a0-11e2-8fd8-0016e63f7ac4} - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\...\MountPoints2: {e51855be-a578-11dd-8c2d-0016e63f7ac4} - F:\EXPLORER.EXE
HKU\S-1-5-18\...\Run: [Tok-Cirrhatus] => C:\Documents and Settings\NetworkService\Local Settings\Application Data\smss.exe [42713 2009-07-23] ()
HKU\S-1-5-18\...\Run: [wsctf.exe] => wsctf.exe
HKU\S-1-5-18\...\Run: [EXPLORER.EXE] => C:\WINDOWS\system32\EXPLORER.EXE [36864 2006-10-25] (Microsoft Corporation)
HKU\S-1-5-18\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-18\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFolderOptions] 1
Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\LightPlacer.exe [2007-03-07] (ESSEMTEC AG)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LightPlacer.exe [2007-03-07] (ESSEMTEC AG)
Startup: C:\Documents and Settings\CSM7100\Start Menu\Programs\Startup\A17CF6.lnk [2017-06-12]
ShortcutTarget: A17CF6.lnk -> C:\WINDOWS\system32\C3C5D7\A17CF6.EXE ()
Startup: C:\Documents and Settings\CSM7100\Start Menu\Programs\Startup\BD462C.lnk [2017-06-13]
ShortcutTarget: BD462C.lnk -> C:\WINDOWS\system32\A7908C\BD462C.EXE ()
Startup: C:\Documents and Settings\CSM7100\Start Menu\Programs\Startup\Empty.pif [2009-07-23] ()
Startup: C:\Documents and Settings\CSM7100\Start Menu\Programs\Startup\LightPlacer.exe [2007-03-07] (ESSEMTEC AG)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.myessemtec.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.myessemtec.com/
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.myessemtec.com/
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.myessemtec.com/
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.myessemtec.com/
HKU\S-1-5-21-3186419010-3260862241-2880911088-1004\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-3186419010-3260862241-2880911088-1004 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: AcroIEHlprObj Class -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03] (Adobe Systems Incorporated)

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BT848; C:\WINDOWS\System32\DRIVERS\BT848.sys [372309 2007-07-16] (Illusion & Hope.) [File not signed]
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2004-08-03] (Microsoft Corporation)
R3 mxser; C:\WINDOWS\System32\DRIVERS\mxser.sys [19420 2004-11-29] (Moxa Technologies Co., Ltd.) [File not signed]
R3 mxsport; C:\WINDOWS\System32\DRIVERS\mxsport.sys [90846 2004-11-29] (Moxa Technologies Co., Ltd.) [File not signed]
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2004-08-03] (Microsoft Corporation)
S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
S3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [250240 2006-09-18] (Marvell)
S3 yukonx86; C:\WINDOWS\System32\DRIVERS\yukonx86.sys [176256 2003-12-23] (Marvell Semiconductor Inc.) [File not signed]
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-13 13:32 - 2017-06-13 21:01 - 00000000 ____D C:\FRST
2017-06-13 13:22 - 2017-06-13 13:22 - 00000000 ___HD C:\WINDOWS\system32\A7908C
2017-06-13 13:22 - 2017-06-13 13:22 - 00000000 ___HD C:\WINDOWS\system32\693AC9
2017-06-13 13:22 - 2017-06-13 13:22 - 00000000 ___HD C:\WINDOWS\system32\3CFFA8
2017-06-13 13:22 - 2017-06-13 13:22 - 00000000 ___HD C:\WINDOWS\system32\1C3060
2017-06-13 13:22 - 2017-06-13 13:22 - 00000000 ____D C:\Documents and Settings\CSM7100\Local Settings\Application Data\Bron.tok-12-13
2017-06-13 12:13 - 2004-08-04 00:56 - 00021504 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidserv.dll
2017-06-13 12:13 - 2004-08-04 00:56 - 00021504 _____ (Microsoft Corporation) C:\WINDOWS\system32\hidserv.dll
2017-06-13 12:13 - 2004-08-03 22:58 - 00014848 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\kbdhid.sys
2017-06-13 12:13 - 2004-08-03 22:58 - 00014848 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\kbdhid.sys
2017-06-13 12:13 - 2001-08-17 14:02 - 00009600 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\hidusb.sys
2017-06-13 12:13 - 2001-08-17 14:02 - 00009600 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hidusb.sys
2017-06-13 12:13 - 2001-08-17 13:48 - 00012160 ____C (Microsoft Corporation) C:\WINDOWS\system32\dllcache\mouhid.sys
2017-06-13 12:13 - 2001-08-17 13:48 - 00012160 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mouhid.sys
2017-06-12 09:08 - 2017-06-12 09:18 - 00000178 ___SH C:\Documents and Settings\admin\ntuser.ini
2017-06-12 09:08 - 2017-06-12 09:13 - 00000000 ____D C:\Documents and Settings\admin\Local Settings\Temp
2017-06-12 09:08 - 2017-06-12 09:08 - 00000000 ____D C:\Documents and Settings\admin
2017-06-12 09:08 - 2007-06-22 13:27 - 00003584 _____ C:\Documents and Settings\admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-06-12 09:08 - 2007-06-22 13:25 - 00000767 _____ C:\Documents and Settings\admin\Start Menu\Programs\Internet Explorer.lnk
2017-06-12 09:08 - 2007-06-22 13:25 - 00000738 _____ C:\Documents and Settings\admin\Start Menu\Programs\Outlook Express.lnk
2017-06-12 09:08 - 2007-06-22 13:25 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\My Pictures
2017-06-12 09:08 - 2007-06-22 13:25 - 00000000 ___RD C:\Documents and Settings\admin\My Documents\My Music
2017-06-12 09:08 - 2007-06-22 13:25 - 00000000 ___RD C:\Documents and Settings\admin\My Documents
2017-06-12 09:08 - 2007-03-30 16:52 - 00001599 _____ C:\Documents and Settings\admin\Start Menu\Programs\Remote Assistance.lnk
2017-06-12 09:06 - 2017-06-12 09:06 - 00000000 ____D C:\WINDOWS\pss
2017-06-12 08:55 - 2017-06-12 08:55 - 00000000 ____H C:\Documents and Settings\CSM7100\My Documents\Default.rdp
2017-06-12 08:50 - 2017-06-12 08:50 - 00000000 ____D C:\Documents and Settings\CSM7100\Local Settings\Application Data\Bron.tok-12-12
2017-06-09 14:10 - 2007-03-07 11:55 - 01024000 _____ (ESSEMTEC AG) C:\Documents and Settings\Administrator\Desktop\LightPlacer.exe
2017-06-09 13:05 - 2017-06-12 09:04 - 00480130 _____ C:\WINDOWS\ntbtlog.txt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-13 21:01 - 2007-07-16 06:52 - 00000000 ____D C:\Documents and Settings\CSM7100\Local Settings\Temp
2017-06-13 20:58 - 2007-03-30 16:55 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-13 13:41 - 2007-03-30 16:55 - 00032626 _____ C:\WINDOWS\SchedLgU.Txt
2017-06-13 13:39 - 2007-07-16 06:52 - 00000178 ___SH C:\Documents and Settings\CSM7100\ntuser.ini
2017-06-13 13:39 - 2007-03-30 16:52 - 00000007 ___SH C:\AUTOEXEC.BAT
2017-06-13 12:16 - 2007-03-31 01:40 - 00012598 _____ C:\WINDOWS\system32\wpa.dbl
2017-06-13 12:13 - 2007-03-30 18:41 - 00000000 RSHDC C:\WINDOWS\system32\dllcache
2017-06-12 11:32 - 2007-05-07 14:14 - 00018997 _____ C:\WINDOWS\LightPlacer.ini
2017-06-12 09:54 - 2007-07-16 07:07 - 00000000 ____D C:\CSM7000
2017-06-12 09:17 - 2007-03-31 01:40 - 00000477 _____ C:\WINDOWS\win.ini
2017-06-12 09:17 - 2007-03-31 01:40 - 00000227 _____ C:\WINDOWS\system.ini
2017-06-12 09:17 - 2007-03-31 01:40 - 00000211 __RSH C:\boot.ini
2017-06-12 09:08 - 2007-03-30 18:45 - 00000000 ____D C:\Documents and Settings
2017-06-12 08:55 - 2007-07-16 06:52 - 00000000 ___RD C:\Documents and Settings\CSM7100\My Documents
2017-06-12 08:50 - 2007-03-30 18:46 - 00355944 _____ C:\WINDOWS\system32\PerfStringBackup.INI

==================== Files in the root of some directories =======

2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\csrss.exe
2007-07-16 06:52 - 2007-06-22 13:27 - 0003584 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\inetinfo.exe
2014-08-01 12:57 - 2014-08-01 12:57 - 0000051 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\Kosong.Bron.Tok.txt
2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\lsass.exe
2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\services.exe
2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 _____ () C:\Documents and Settings\CSM7100\Local Settings\Application Data\smss.exe
2009-07-23 10:37 - 2009-07-23 10:37 - 0042713 ____N () C:\Documents and Settings\CSM7100\Local Settings\Application Data\winlogon.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================