Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-10-2014 01
Ran by KJ at 2014-10-31 17:46:29 Run:3
Running from C:\Users\KJ\Desktop
Loaded Profile: KJ (Available profiles: KJ)
Boot Mode: Safe Mode (minimal)
==============================================

Content of fixlist:
*****************
CloseProcesses:
HKLM-x32\...\Run: [Bron-Spizaetus] => C:\Windows\ShellNew\RakyatKelaparan.exe [44417 2012-11-25] ()
HKLM-x32\...\Winlogon: [Shell] Explorer.exe "C:\Windows\KesenjanganSosial.exe" [44417 ] () <=== ATTENTION
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Run: [Tok-Cirrhatus-1233] => C:\Users\KJ\AppData\Local\br3489on.exe [44417 2012-11-25] ()
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Run: [Tok-Cirrhatus] => C:\Users\KJ\AppData\Local\br3489on.exe [44417 2012-11-25] ()
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\system: [DisableCMD] 0
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\system: [DisableRegistryTools] 1
HKU\S-1-5-21-440814284-2810997126-872106338-1008\...\Policies\Explorer: [NoFolderOptions] 1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
Startup: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif ()
Startup: C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe ()
AlternateShell: cmd-brontok.exe
Task: {18448E81-DF41-499B-B70B-3D43253FB67F} - System32\Tasks\At2 => C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com [2012-11-25] () <==== ATTENTION
Task: {6FFFACFF-4708-46B1-BBC4-FA56A172B6FF} - System32\Tasks\At1 => C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com [2012-11-25] () <==== ATTENTION
Task: C:\windows\Tasks\At1.job => ?
Task: C:\windows\Tasks\At2.job => ?
CHR StartupUrls: Default -> "hxxp://www.sweet-page.com/?type=hp&ts=1411311658&from=cor&uid=INTELXSSDSC2BB300G4_BTWL404105SG300PGN"
CMD: for /d %f in (C:\Users\KJ\AppData\Local\*Bron*) do rd /s /q "%f"
C:\ProgramData\All Users.exe
C:\Users\Data KJ.exe
C:\Users\Default\Default.exe
C:\Users\KJ\KJ.exe
C:\Users\KJ\AppData\Local\*.bin
C:\Users\KJ\AppData\Local\*.exe
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\Templates.exe
C:\Users\Public\Public.exe
C:\Users\Users.exe
C:\windows\0PSQcsabWsfmis
C:\Windows\KesenjanganSosial.exe
C:\Windows\ShellNew\RakyatKelaparan.exe
C:\windows\SysWOW64\cmd-brontok.exe
RemoveDirectory: C:\Users\KJ\Desktop\FRST-OlderVersion
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Bron-Spizaetus => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus-1233 => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Run\\Tok-Cirrhatus => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableCMD => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools => value deleted successfully.
HKU\S-1-5-21-440814284-2810997126-872106338-1008\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions => value deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe not found.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif => Moved successfully.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.exe => Moved successfully.
hklm\System\CurrentControlSet\Control\SafeBoot\\AlternateShell => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18448E81-DF41-499B-B70B-3D43253FB67F}" => Key not found.
C:\Windows\System32\Tasks\At2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6FFFACFF-4708-46B1-BBC4-FA56A172B6FF}" => Key not found.
C:\Windows\System32\Tasks\At1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1" => Key deleted successfully.
C:\windows\Tasks\At1.job => Moved successfully.
C:\windows\Tasks\At2.job => Moved successfully.
Chrome StartupUrls deleted successfully.

========= for /d %f in (C:\Users\KJ\AppData\Local\*Bron*) do rd /s /q "%f" =========


========= End of CMD: =========

C:\ProgramData\All Users.exe => Moved successfully.
C:\Users\Data KJ.exe => Moved successfully.
C:\Users\Default\Default.exe => Moved successfully.
C:\Users\KJ\KJ.exe => Moved successfully.
C:\Users\KJ\AppData\Local\*.bin => Moved successfully.
C:\Users\KJ\AppData\Local\*.exe => Moved successfully.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\5160-NendangBro.com => Moved successfully.
C:\Users\KJ\AppData\Roaming\Microsoft\Windows\Templates\Templates.exe => Moved successfully.
C:\Users\Public\Public.exe => Moved successfully.
C:\Users\Users.exe => Moved successfully.
C:\windows\0PSQcsabWsfmis => Moved successfully.
C:\Windows\KesenjanganSosial.exe => Moved successfully.
C:\Windows\ShellNew\RakyatKelaparan.exe => Moved successfully.
C:\windows\SysWOW64\cmd-brontok.exe => Moved successfully.
"C:\Users\KJ\Desktop\FRST-OlderVersion" => Removed successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 47.4 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====