Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:10-05-2014
Ran by SYSTEM on REATOGO on 11-05-2014 02:13:31
Running from E:\
Platform: Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery

The current controlset is ControlSet002
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [774233 2006-05-19] (Synaptics, Inc.)
HKLM\...\Run: [igfxhkcmd] => C:\WINDOWS\system32\hkcmd.exe [77824 2006-03-23] (Intel Corporation)
HKLM\...\Run: [igfxpers] => C:\WINDOWS\system32\igfxpers.exe [118784 2006-03-23] (Intel Corporation)
HKLM\...\Run: [AzMixerSel] => C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe [53248 2007-08-23] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-10-02] (Adobe Systems Incorporated)
HKLM\...\Run: [RTHDCPL] => C:\Windows\RTHDCPL.EXE [16062464 2006-12-19] (Realtek Semiconductor Corp.)
HKLM\...\Run: [SkyTel] => C:\Windows\SkyTel.EXE [2879488 2006-05-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\Windows\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [AGRSMMSG] => C:\Windows\AGRSMMSG.exe [89542 2006-08-30] (Agere Systems)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM\...\Run: [ROC_ROC_NT] => "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
HKU\Admin\...\Run: [MSMSGS] => C:\Program Files\Messenger\msmsgs.exe [1695232 2008-04-14] (Microsoft Corporation)
HKU\Admin\...\Run: [GG] => C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\GG\Application\gghub.exe [3377288 2012-10-31] (GG Network S.A.)

========================== Services (Whitelisted) =================

S2 GtFlashSwitch; C:\Program Files\Common Files\GtFlashSwitch\GtFlashSwitch.exe [176128 2007-02-09] (OptionNV)
S2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [153376 2010-10-12] (Sun Microsystems, Inc.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [857912 2014-04-03] (Malwarebytes Corporation)
S2 S24EventMonitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [937984 2006-08-01] (Intel Corporation )
S2 winmgmt; C:\Documents and Settings\All Users\Dane aplikacji\dodoigkdo.cpp\dodoigkdo.cpp [168486 2014-05-08] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S2 AegisP; C:\Windows\System32\DRIVERS\AegisP.sys [21419 2010-10-06] (Meetinghouse Data Communications)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [1286144 2008-02-20] (Broadcom Corporation)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
S3 GTMNDISIRPXP; C:\Windows\System32\DRIVERS\Gtm51Irp.sys [122496 2007-04-13] (Option N.V.)
S3 GTPTSER; C:\Windows\System32\DRIVERS\gtptser.sys [8064 2007-04-13] (Option N.V.)
S3 GTUQBUS; C:\Windows\System32\DRIVERS\gtuqbus.sys [37120 2007-04-13] (Option N.V.)
S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [23256 2014-04-03] (Malwarebytes Corporation)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
S3 rtl8139; C:\Windows\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
S2 s24trans; C:\Windows\System32\DRIVERS\s24trans.sys [12544 2006-08-01] (Intel Corporation)
S1 ggprljxn; \??\C:\WINDOWS\system32\drivers\ggprljxn.sys [X]
S4 IntelIde; No ImagePath
S5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-11 02:11 - 2014-05-11 02:11 - 00000000 ____D () C:\FRST
2014-05-11 00:50 - 2014-05-11 00:52 - 00034150 _____ () C:\OTL.Txt
2014-05-09 19:52 - 2014-05-09 19:52 - 00000000 ____D () C:\Windows\CSC
2014-05-09 07:25 - 2014-05-10 17:37 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-09 05:20 - 2014-05-09 05:20 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2014-05-09 03:44 - 2014-05-10 14:54 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-05-09 03:42 - 2014-05-09 03:43 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-05-09 03:42 - 2014-04-03 03:51 - 00050648 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamchameleon.sys
2014-05-09 03:42 - 2014-04-03 03:50 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2014-05-09 03:16 - 2014-05-10 16:27 - 00000188 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-05-09 03:16 - 2014-05-09 05:19 - 00000000 ____D () C:\Documents and Settings\Administrator\Ulubione
2014-05-09 03:16 - 2010-10-20 16:16 - 00000000 __SHD () C:\Documents and Settings\Administrator\IETldCache
2014-05-09 03:16 - 2010-10-05 10:39 - 00000000 __RHD () C:\Documents and Settings\Administrator\Dane aplikacji
2014-05-09 03:16 - 2010-10-05 10:39 - 00000000 ___RD () C:\Documents and Settings\Administrator\Menu Start
2014-05-09 03:16 - 2010-10-05 10:39 - 00000000 ___HD () C:\Documents and Settings\Administrator\Ustawienia lokalne
2014-05-09 03:16 - 2010-10-05 10:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Pulpit
2014-05-09 03:16 - 2010-10-05 10:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Moje dokumenty
2014-05-09 03:16 - 2010-10-05 09:04 - 00000000 ___HD () C:\Documents and Settings\Administrator\Szablony
2014-05-06 10:01 - 2014-05-06 10:03 - 00005811 _____ () C:\Windows\KB2964358-IE8.log

==================== One Month Modified Files and Folders =======

2014-05-11 02:11 - 2014-05-11 02:11 - 00000000 ____D () C:\FRST
2014-05-11 00:52 - 2014-05-11 00:50 - 00034150 _____ () C:\OTL.Txt
2014-05-10 17:37 - 2014-05-09 07:25 - 00000000 ____D () C:\Kaspersky Rescue Disk 10.0
2014-05-10 17:30 - 2010-10-05 10:42 - 00000216 _____ () C:\Windows\wiadebug.log
2014-05-10 17:30 - 2010-10-05 09:15 - 00000188 ___SH () C:\Documents and Settings\Admin\ntuser.ini
2014-05-10 17:30 - 2010-10-05 09:13 - 00032572 _____ () C:\Windows\SchedLgU.Txt
2014-05-10 17:30 - 2010-10-05 09:07 - 01815523 _____ () C:\Windows\WindowsUpdate.log
2014-05-10 17:07 - 2010-10-05 10:42 - 00000050 _____ () C:\Windows\wiaservc.log
2014-05-10 17:06 - 2004-08-04 07:00 - 00013646 _____ () C:\Windows\System32\wpa.dbl
2014-05-10 16:27 - 2014-05-09 03:16 - 00000188 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
2014-05-10 14:54 - 2014-05-09 03:44 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-05-09 20:57 - 2010-10-05 10:38 - 00743307 _____ () C:\Windows\setupapi.log
2014-05-09 19:52 - 2014-05-09 19:52 - 00000000 ____D () C:\Windows\CSC
2014-05-09 05:21 - 2010-10-05 10:39 - 00000000 ____D () C:\Documents and Settings\All Users\Pulpit
2014-05-09 05:20 - 2014-05-09 05:20 - 00000000 __SHD () C:\Documents and Settings\Administrator\PrivacIE
2014-05-09 05:19 - 2014-05-09 03:16 - 00000000 ____D () C:\Documents and Settings\Administrator\Ulubione
2014-05-09 04:23 - 2010-10-05 10:38 - 00000000 __RHD () C:\Documents and Settings\All Users\Dane aplikacji
2014-05-09 04:23 - 2010-10-05 09:15 - 00000000 __RHD () C:\Documents and Settings\Admin\Dane aplikacji
2014-05-09 03:43 - 2014-05-09 03:42 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-05-06 10:03 - 2014-05-06 10:01 - 00005811 _____ () C:\Windows\KB2964358-IE8.log
2014-05-06 10:03 - 2010-10-06 15:49 - 00000000 ____D () C:\Windows\ie8updates
2014-05-06 10:03 - 2010-10-06 02:26 - 00282095 _____ () C:\Windows\updspapi.log
2014-05-06 10:03 - 2010-10-05 10:40 - 01915772 _____ () C:\Windows\iis6.log
2014-05-06 10:03 - 2010-10-05 10:40 - 01736527 _____ () C:\Windows\FaxSetup.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00840552 _____ () C:\Windows\ocgen.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00798540 _____ () C:\Windows\tsoc.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00589669 _____ () C:\Windows\comsetup.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00551392 _____ () C:\Windows\msmqinst.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00355180 _____ () C:\Windows\ntdtcsetup.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00304621 _____ () C:\Windows\netfxocm.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00121860 _____ () C:\Windows\MedCtrOC.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00108398 _____ () C:\Windows\ocmsn.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00090459 _____ () C:\Windows\tabletoc.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00086926 _____ () C:\Windows\msgsocm.log
2014-05-06 10:03 - 2010-10-05 10:40 - 00001355 _____ () C:\Windows\imsins.log
2014-05-02 09:34 - 2010-10-05 09:15 - 00000000 ____D () C:\Documents and Settings\Admin\Pulpit
2014-04-30 04:12 - 2004-08-04 07:00 - 06022144 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2014-04-30 04:12 - 2004-08-04 07:00 - 06022144 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
2014-04-30 04:12 - 2004-08-04 07:00 - 06022144 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2014-04-28 15:04 - 2010-10-05 10:40 - 00004854 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-28 15:04 - 2004-08-04 07:00 - 00765830 _____ () C:\Windows\System32\perfh015.dat
2014-04-28 15:04 - 2004-08-04 07:00 - 00221528 _____ () C:\Windows\System32\perfc015.dat
2014-04-25 17:06 - 2010-10-05 09:15 - 00000000 ___RD () C:\Documents and Settings\Admin\Ulubione

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2004-08-04 07:00] - [2008-04-14 16:51] - 1035264 ____A (Microsoft Corporation) c791ed9eac5e76d9525e157b1d7a599a

C:\Windows\System32\winlogon.exe
[2004-08-04 07:00] - [2008-04-14 16:51] - 0510464 ____A (Microsoft Corporation) 51fd2e13d723857b9ca239ae77150f48

C:\Windows\System32\svchost.exe
[2004-08-04 07:00] - [2008-04-14 16:51] - 0014336 ____A (Microsoft Corporation) 8607d35d92528e2df386f19a960d23ce

C:\Windows\System32\services.exe
[2004-08-04 07:00] - [2009-02-09 07:25] - 0111104 ____A (Microsoft Corporation) 02a467e27af55f7064c5b251e587315f

C:\Windows\System32\User32.dll
[2004-08-04 07:00] - [2008-04-14 16:50] - 0580096 ____A (Microsoft Corporation) a435c5c069afd901751ac323ad238793

C:\Windows\System32\userinit.exe
[2004-08-04 07:00] - [2008-04-14 16:51] - 0026624 ____A (Microsoft Corporation) 2a5b37d520508be6570a3ea79695f5b5

C:\Windows\System32\rpcss.dll
[2004-08-04 07:00] - [2009-02-09 06:53] - 0401408 ____A (Microsoft Corporation) a37311d9d628c1042a2836731787f0f3
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.

C:\Windows\System32\Drivers\volsnap.sys
[2004-08-04 07:00] - [2008-04-14 15:31] - 0052864 ____A (Microsoft Corporation) 56b191ac5fc0df219949c95a6c87afe7

==================== Restore Points (XP) =====================

RP: -> 2014-05-06 10:01 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP577
RP: -> 2014-05-02 11:07 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP576
RP: -> 2014-04-28 14:08 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP575
RP: -> 2014-04-27 10:29 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP574
RP: -> 2014-04-24 15:38 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP573
RP: -> 2014-04-14 13:47 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP572
RP: -> 2014-04-09 12:58 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP571
RP: -> 2014-04-07 12:52 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP570
RP: -> 2014-03-29 14:00 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP569
RP: -> 2014-03-22 12:15 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP568
RP: -> 2014-03-22 11:27 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP567
RP: -> 2014-03-22 11:17 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP566
RP: -> 2014-03-15 05:21 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP565
RP: -> 2014-02-15 19:58 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP564
RP: -> 2014-02-13 09:10 - 024576 _restore{B0AF7B79-972A-4E65-8900-2AE9D38F5B35}\RP563

==================== Memory info ===========================

Percentage of memory in use: 39%
Total physical RAM: 502.11 MB
Available physical RAM: 304.02 MB
Total Pagefile: 453.87 MB
Available Pagefile: 327.92 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.61 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:37.25 GB) (Free:14.36 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive e: (KINGSTON) (Removable) (Total:1.86 GB) (Free:0.84 GB) FAT
Drive x: (ReatogoPE) (CDROM) (Total:0.28 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 37 GB) (Disk ID: 696385FF)
Partition 1: (Active) - (Size=37 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00000000)
Partition: GPT Partition Type.

==================== End Of Log ============================