Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-02-2014
Ran by tds at 2014-02-09 14:23:23 Run:1
Running from C:\Users\tds\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
() C:\Program Files (x86)\PenWes\PenWesService.exe
() C:\ProgramData\cpu\svchost.exe
() C:\ProgramData\load32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
Startup: C:\Users\tds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url ()
HKLM\...\Run: [CPU] - c:\programdata\cpu\cpu.bat [168 2013-12-27] ()
HKLM-x32\...\Run: [NT Kernel Service] - C:\ProgramData\load32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKU\.DEFAULT\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\...\CurrentVersion\Windows: [Load] C:\NTKernel\nt32.exe <===== ATTENTION
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\...\Policies\Explorer: [NoSaveSettings] 0
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\load32.exe" [494592 2014-02-05] () <==== ATTENTION
AppInit_DLLs: C:\PROGRA~2\GS-ENA~1\BROWSA~1.DLL => File Not Found
IFEO\AvastSvc.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\AvastUI.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avcenter.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avconfig.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgcsrvx.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgidsagent.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgnt.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgrsx.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avguard.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgui.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avgwdsvc.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avp.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\avscan.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\bdagent.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\ccuac.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\ComboFix.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\egui.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\hijackthis.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\instup.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\KeyScrambler.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\mbam.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\mbamgui.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\mbampt.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\mbamscheduler.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\mbamservice.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\MpCmdRun.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\MSASCui.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\MsMpEng.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\msseces.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\Navw32.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\NIS.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\rstrui.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\spybotsd.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\wireshark.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
IFEO\zlclient.exe: [Debugger] C:\Users\tds\Documents\315load32.exe
R2 PenWesController; C:\Program Files (x86)\Penwes\PenwesService.exe [1515008 2013-10-19] ()
S3 dgderdrv; System32\drivers\dgderdrv.sys [X]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\97814441.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\97814441.sys => ""="Driver"
Task: {153C567D-5801-4AC7-9309-909CCB0C91B3} - System32\Tasks\{6CF082BA-25C8-47FF-90F5-B44287A44E0B} => E:\Program Files (x86)\Spider-Man 3\Game.exe
Task: {60F1EE96-E658-42FE-A33B-D3B64BF9D520} - System32\Tasks\{30BAEE5F-1CEA-497F-B993-4B7305662A75} => E:\Program Files (x86)\Spider-Man 3\Game.exe
Task: {99A5140B-1B88-4FF1-910D-4AFF9103F9BF} - System32\Tasks\PenWes => C:\Program Files (x86)\PenWes\penwes.exe
Task: {AD012ADB-3D30-4607-83E5-C59F1A8BE699} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {C27BEE03-344F-4F03-A401-4683E643187D} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?searchsource=10&cui=un39948887164765202&um=2&ctid=ct3289847&sspv=tb_t5
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3315513&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SP1C759CD2-34A5-4B63-A42A-DD7E24C7D77D&q={searchTerms}&SSPV=
FF user.js: detected! => C:\Users\tds\AppData\Roaming\Mozilla\Firefox\Profiles\vh22l8id.default-1382198420472\user.js
FF SearchPlugin: C:\Users\tds\AppData\Roaming\Mozilla\Firefox\Profiles\vh22l8id.default-1382198420472\searchplugins\conduit-search.xml
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
C:\NTKernel
C:\315load32.exe
C:\Update.Microsoft.com.url
C:\ProgramData\load32.exe
C:\ProgramData\cpu
C:\ProgramData\MFAData
C:\Program Files (x86)\ESET
C:\Users\tds\Documents\315load32.exe
C:\Users\tds\AppData\Roaming\dclogs
C:\Users\tds\AppData\Roaming\ESET
C:\Users\tds\AppData\Roaming\HoolappForAndroid
C:\Users\tds\AppData\Roaming\Origin\update.vbe
C:\Users\tds\AppData\Roaming\QuickScan
Folder: C:\ProgramData\CODEX
Folder: C:\Users\tds\AppData\Roaming\ATI
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MenuExt\Free YouTube to MP3 Converter" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\MenuExt\Free YouTube to MP3 Converter" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
*****************

[1384] C:\Program Files (x86)\PenWes\PenWesService.exe => Process closed successfully.
[1136] C:\ProgramData\cpu\svchost.exe => Process closed successfully.
C:\ProgramData\load32.exe => No running process found
[2916] C:\Windows\SysWOW64\wscript.exe => Process closed successfully.
"C:\Users\tds\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url" => Could not move.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CPU => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NT Kernel Service => Value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings => Value deleted successfully.
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Error setting value.
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings => Value deleted successfully.
HKU\S-1-5-21-2337871059-3691734657-1116950341-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
"C:\\PROGRA~2\\GS-ENA~1\\BROWSA~1.DLL" => Value Data removed successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\KeyScrambler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\Navw32.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\NIS.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key deleted successfully.
PenWesController => Service deleted successfully.
dgderdrv => Service deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\97814441.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\97814441.sys => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{153C567D-5801-4AC7-9309-909CCB0C91B3} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{153C567D-5801-4AC7-9309-909CCB0C91B3} => Error deleting key
C:\Windows\System32\Tasks\{6CF082BA-25C8-47FF-90F5-B44287A44E0B} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6CF082BA-25C8-47FF-90F5-B44287A44E0B} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{60F1EE96-E658-42FE-A33B-D3B64BF9D520} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{60F1EE96-E658-42FE-A33B-D3B64BF9D520} => Error deleting key
C:\Windows\System32\Tasks\{30BAEE5F-1CEA-497F-B993-4B7305662A75} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{30BAEE5F-1CEA-497F-B993-4B7305662A75} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{99A5140B-1B88-4FF1-910D-4AFF9103F9BF} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{99A5140B-1B88-4FF1-910D-4AFF9103F9BF} => Error deleting key
C:\Windows\System32\Tasks\PenWes => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PenWes => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD012ADB-3D30-4607-83E5-C59F1A8BE699} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD012ADB-3D30-4607-83E5-C59F1A8BE699} => Error deleting key
C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C27BEE03-344F-4F03-A401-4683E643187D} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C27BEE03-344F-4F03-A401-4683E643187D} => Error deleting key
C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealPlayerRealUpgradeLogonTaskS-1-5-21-2337871059-3691734657-1116950341-1000 => Error deleting key
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key deleted successfully.
HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key not found.
C:\Users\tds\AppData\Roaming\Mozilla\Firefox\Profiles\vh22l8id.default-1382198420472\user.js => Moved successfully.
C:\Users\tds\AppData\Roaming\Mozilla\Firefox\Profiles\vh22l8id.default-1382198420472\searchplugins\conduit-search.xml => Moved successfully.
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com => Value deleted successfully.
"C:\NTKernel" directory move:
Could not move "C:\NTKernel" directory. => Scheduled to move on reboot.
C:\315load32.exe => Moved successfully.
C:\Update.Microsoft.com.url => Moved successfully.
Could not move "C:\ProgramData\load32.exe" => Scheduled to move on reboot.
C:\ProgramData\cpu => Moved successfully.
C:\ProgramData\MFAData => Moved successfully.
"C:\Program Files (x86)\ESET" directory move:
Could not move "C:\Program Files (x86)\ESET" directory. => Scheduled to move on reboot.
Could not move "C:\Users\tds\Documents\315load32.exe" => Scheduled to move on reboot.
C:\Users\tds\AppData\Roaming\dclogs => Moved successfully.
C:\Users\tds\AppData\Roaming\ESET => Moved successfully.
C:\Users\tds\AppData\Roaming\HoolappForAndroid => Moved successfully.
C:\Users\tds\AppData\Roaming\Origin\update.vbe => Moved successfully.
C:\Users\tds\AppData\Roaming\QuickScan => Moved successfully.

========================= Folder: C:\ProgramData\CODEX ========================

2014-02-08 17:34 - 2014-02-08 17:34 - 0000000 ____D () C:\ProgramData\CODEX\CODEX
2014-02-08 17:34 - 2014-02-08 17:34 - 0000000 ____D () C:\ProgramData\CODEX\CODEX\256350
2014-02-08 17:34 - 2014-02-08 17:34 - 0000000 ____D () C:\ProgramData\CODEX\CODEX\256350\local
2014-02-08 17:34 - 2014-02-08 17:34 - 0000000 ____D () C:\ProgramData\CODEX\CODEX\256350\saves
2014-02-08 17:34 - 2014-02-08 17:49 - 0000000 ____D () C:\ProgramData\CODEX\CODEX\256350\stats
2014-02-08 17:49 - 2014-02-08 17:49 - 0000108 _____ () C:\ProgramData\CODEX\CODEX\256350\stats\achievements.ini

====== End of Folder: ======

========================= Folder: C:\Users\tds\AppData\Roaming\ATI ========================

====== End of Folder: ======

========= reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MenuExt\Free YouTube to MP3 Converter" /f =========

BŁĄD: System nie znalazł w rejestrze określonego klucza albo wartości.

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\MenuExt\Free YouTube to MP3 Converter" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes" /v DefaultScope /t REG_SZ /d {0633EE93-D776-472f-A0FF-E1416B8B2E3A} /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-09 14:24:35)<=

C:\NTKernel => Moved successfully.
C:\ProgramData\load32.exe => Moved successfully.
C:\Program Files (x86)\ESET => Moved successfully.
C:\Users\tds\Documents\315load32.exe => Moved successfully.

==== End of Fixlog ====