Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-02-2014 01
Ran by SYSTEM at 2014-02-17 13:36:43 Run:2
Running from G:\
Boot Mode: Recovery
==============================================
Content of fixlist:
*****************
C:\NTKernel
C:\ProgramData\load32.vbs
HKLM-x32\...\Run: [NT Kernel Service] - C:\NTKernel\nt32.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
Unlock: C:\Users\Artur Machnicki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\Users\Artur Machnicki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
IFEO\AvastSvc.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\AvastUI.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avgcsrvx.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avgidsagent.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avgrsx.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avgui.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avgwdsvc.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\avp.exe: [Debugger] euaie.exe
IFEO\bdagent.exe: [Debugger] euaie.exe
IFEO\ccuac.exe: [Debugger] euaie.exe
IFEO\ComboFix.exe: [Debugger] euaie.exe
IFEO\egui.exe: [Debugger] euaie.exe
IFEO\hijackthis.exe: [Debugger] euaie.exe
IFEO\instup.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\keyscrambler.exe: [Debugger] euaie.exe
IFEO\mbam.exe: [Debugger] euaie.exe
IFEO\mbamgui.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\mbampt.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\mbamscheduler.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\mbamservice.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\MpCmdRun.exe: [Debugger] euaie.exe
IFEO\MSASCui.exe: [Debugger] euaie.exe
IFEO\MsMpEng.exe: [Debugger] euaie.exe
IFEO\msseces.exe: [Debugger] euaie.exe
IFEO\rstrui.exe: [Debugger] C:\Users\Artur Machnicki\Documents\315load32.exe
IFEO\spybotsd.exe: [Debugger] euaie.exe
IFEO\wireshark.exe: [Debugger] euaie.exe
IFEO\zlclient.exe: [Debugger] euaie.exe
Reg: reg add HKLM\SYSTEM\ControlSet001\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
CMD: reg load HKU\Temp "C:\Users\Artur Machnicki\NTUSER.DAT"
CMD: reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
CMD: reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows"
CMD: F:\SetACL.exe -on "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ot reg -actn setprot -op "dacl:np"
CMD: F:\SetACL.exe -on "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" -ot reg -actn setprot -op "dacl:np"
CMD: reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
CMD: reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows"
CMD: reg delete "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f
CMD: reg add "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "" /f
CMD: reg unload HKU\Temp
*****************
C:\NTKernel => Moved successfully.
C:\ProgramData\load32.vbs => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NT Kernel Service => Value deleted successfully.
"C:\Users\Artur Machnicki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" => File/Directory unlocked successfully.
C:\Users\Artur Machnicki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url => Moved successfully.
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" => Key unlocked successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key not found.
========= reg add HKLM\SYSTEM\ControlSet001\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg load HKU\Temp "C:\Users\Artur Machnicki\NTUSER.DAT" =========
The operation completed successfully.
========= End of CMD: =========
========= reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" =========
ERROR: Access is denied.
========= End of CMD: =========
========= reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" =========
ERROR: Access is denied.
========= End of CMD: =========
========= F:\SetACL.exe -on "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ot reg -actn setprot -op "dacl:np" =========
The device is not ready.
========= End of CMD: =========
========= F:\SetACL.exe -on "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" -ot reg -actn setprot -op "dacl:np" =========
The device is not ready.
========= End of CMD: =========
========= reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" =========
ERROR: Access is denied.
========= End of CMD: =========
========= reg query "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" =========
ERROR: Access is denied.
========= End of CMD: =========
========= reg delete "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f =========
ERROR: Access is denied.
========= End of CMD: =========
========= reg add "HKU\Temp\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "" /f =========
ERROR: Access is denied.
========= End of CMD: =========
========= reg unload HKU\Temp =========
The operation completed successfully.
========= End of CMD: =========
==== End of Fixlog ====