Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-10-2014 01
Ran by KJ at 2014-10-30 22:57:53 Run:1
Running from C:\Users\KJ\Desktop
Loaded Profile: KJ (Available profiles: KJ)
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
CloseProcesses:
HKLM-x32\...\Winlogon: [Shell] Explorer.exe "C:\Windows\KesenjanganSosial.exe" [44417 ] () <=== ATTENTION
HKLM-x32\...\Run: [Bron-Spizaetus] => C:\Windows\ShellNew\RakyatKelaparan.exe [44417 2012-11-25] ()
HKLM-x32\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Run: [Tok-Cirrhatus-1233] => C:\Users\KJ\AppData\Local\br3489on.exe [44417 2012-11-25] ()
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Run: [Tok-Cirrhatus] => C:\Users\KJ\AppData\Local\br3489on.exe wnloader.exe [44417 2012-11-25] ()
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Run: [YTDownloader] => "C:\Program Files (x86)\YTDownloader\YTDownloader.exe" /boot
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\Explorer: [HideSCAVolume] 0
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\Explorer: [NoFolderOptions] 1
HKU\S-1-5-18\...\Run: [Tok-Cirrhatus-1860] => "C:\Windows\System32\config\systemprofile\AppData\Local\br4743on.exe"
HKU\S-1-5-18\...\Run: [Tok-Cirrhatus] => "C:\Windows\System32\config\systemprofile\AppData\Local\br4743on.exe" (the data entry has 824 more characters).
HKU\S-1-5-18\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-18\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-18\...\Policies\Explorer: [NoFolderOptions] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif ()
Startup: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
AlternateShell: cmd-brontok.exe
Task: {008238F6-D5DE-4670-A314-B8E2BC3FE6DF} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2 <==== ATTENTION
Task: {05AD1E67-2B01-4AF3-8BC1-9799A41591A7} - System32\Tasks\YTDownloader => C:\Program Files (x86)\YTDownloader\YTDownloader.exe <==== ATTENTION
Task: {7F104F9E-27CF-402A-91A1-056F60FDA14A} - System32\Tasks\At1 => C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com [2012-11-25] () <==== ATTENTION
Task: {83E52CC3-A64B-4505-AC86-BF4A9233A03C} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3 <==== ATTENTION
Task: {C155BD04-A4F9-403F-8288-21F98E2CCC83} - System32\Tasks\SMupdate1 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update1 <==== ATTENTION
Task: {C5EFAF60-87B6-4E44-AD4B-3A79229D8C86} - System32\Tasks\At2 => C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com [2012-11-25] () <==== ATTENTION
Task: C:\windows\Tasks\At1.job => ?
Task: C:\windows\Tasks\At2.job => ?
CHR StartupUrls: Default -> "hxxp://www.sweet-page.com/?type=hp&ts=1411311658&from=cor&uid=INTELXSSDSC2BB300G4_BTWL404105SG300PGN"
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
C:\Program Files (x86)\Common Files\System\SysMenu.dll
C:\Program Files (x86)\YTDownloader
C:\ProgramData\All Users.exe
C:\Users\Default\Default.exe
C:\Users\KJ\KJ.exe
C:\Users\KJ\AppData\Local\*.bin
C:\Users\KJ\AppData\Local\*.exe
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com
C:\Users\Public\Public.exe
C:\Windows\cmd-brontok.exe
C:\Windows\KesenjanganSosial.exe
C:\Windows\ShellNew\RakyatKelaparan.exe
C:\Windows\System32\config\systemprofile\AppData\Local\*.bin
C:\Windows\System32\config\systemprofile\AppData\Local\*.exe
CMD: dir /a C:\Users
CMD: for /d %f in (C:\Users\KJ\AppData\Local\*Bron*) do rd /s /q "%f"
CMD: for /d %f in (C:\Windows\System32\config\systemprofile\AppData\Local\*Bron*) do rd /s /q "%f"
Folder: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\YTDownloader => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus-1233 => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Run\\YTDownloader => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableCMD => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAVolume => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus-1860 => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableCMD => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe not found.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif => Moved successfully.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
hklm\System\CurrentControlSet\Control\SafeBoot\\AlternateShell => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{008238F6-D5DE-4670-A314-B8E2BC3FE6DF}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{008238F6-D5DE-4670-A314-B8E2BC3FE6DF}" => Key deleted successfully.
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\SMupdate2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{05AD1E67-2B01-4AF3-8BC1-9799A41591A7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05AD1E67-2B01-4AF3-8BC1-9799A41591A7}" => Key deleted successfully.
C:\Windows\System32\Tasks\YTDownloader => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\YTDownloader" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7F104F9E-27CF-402A-91A1-056F60FDA14A}" => Key not found.
C:\Windows\System32\Tasks\At1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{83E52CC3-A64B-4505-AC86-BF4A9233A03C}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83E52CC3-A64B-4505-AC86-BF4A9233A03C}" => Key deleted successfully.
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SMupdate3" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C155BD04-A4F9-403F-8288-21F98E2CCC83}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C155BD04-A4F9-403F-8288-21F98E2CCC83}" => Key deleted successfully.
C:\Windows\System32\Tasks\SMupdate1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMupdate1" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5EFAF60-87B6-4E44-AD4B-3A79229D8C86}" => Key not found.
C:\Windows\System32\Tasks\At2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At2" => Key deleted successfully.
C:\windows\Tasks\At1.job => Moved successfully.
C:\windows\Tasks\At2.job => Moved successfully.
Chrome StartupUrls deleted successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => Value was restored successfully.
"C:\Program Files (x86)\Common Files\System\SysMenu.dll" => File/Directory not found.
"C:\Program Files (x86)\YTDownloader" => File/Directory not found.
C:\ProgramData\All Users.exe => Moved successfully.
C:\Users\Default\Default.exe => Moved successfully.
C:\Users\KJ\KJ.exe => Moved successfully.
C:\Users\KJ\AppData\Local\*.bin => Moved successfully.
C:\Users\KJ\AppData\Local\*.exe => Moved successfully.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com => Moved successfully.
C:\Users\Public\Public.exe => Moved successfully.
"C:\Windows\cmd-brontok.exe" => File/Directory not found.
C:\Windows\KesenjanganSosial.exe => Moved successfully.
C:\Windows\ShellNew\RakyatKelaparan.exe => Moved successfully.
"C:\Windows\System32\config\systemprofile\AppData\Local\*.bin" => File/Directory not found.
"C:\Windows\System32\config\systemprofile\AppData\Local\*.exe" => File/Directory not found.

========= dir /a C:\Users =========

 Volume in drive C is System
 Volume Serial Number is B4F5-12B7

 Directory of C:\Users

2014-10-27  17:03                   .
2014-10-27  17:03                   ..
2014-01-20  23:47                   Administrator
2009-07-14  06:08                   All Users [C:\ProgramData]
2012-11-25  18:31            44 417 Data KJ.exe
2014-10-30  22:57                   Default
2009-07-14  06:08                   Default User [C:\Users\Default]
2009-07-14  05:54               174 desktop.ini
2014-10-30  22:57                   KJ
2014-10-30  22:57                   Public
2012-11-25  18:31            44 417 Users.exe
               3 File(s)         89 008 bytes
               8 Dir(s)  30 410 395 648 bytes free

========= End of CMD: =========

========= for /d %f in (C:\Users\KJ\AppData\Local\*Bron*) do rd /s /q "%f" =========

========= End of CMD: =========

========= for /d %f in (C:\Windows\System32\config\systemprofile\AppData\Local\*Bron*) do rd /s /q "%f" =========

========= End of CMD: =========

========================= Folder: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates ========================

2011-08-19 15:29 - 2012-11-25 18:31 - 0044417 _____ () C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\Templates.exe

====== End of Folder: ======

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 693.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====