Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-12-2013 01
Ran by SYSTEM on MININT-PSUUL52 on 13-12-2013 22:56:53
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [cAudioFilterAgent] - C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe [518784 2011-03-28] (Conexant Systems, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [Apoint] - C:\Program Files\Apoint\Apoint.exe [226672 2011-02-16] (Alps Electric Co., Ltd.)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] C:\$Recycle.Bin\S-1-5-18\$86a5dcb24eedf9369d27e77b70010620\n. ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKLM-x32\...\Run: [IAStorIcon] - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [283160 2010-09-13] (Intel Corporation)
HKLM-x32\...\Run: [ISBMgr.exe] - C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [2757312 2011-02-15] (Sony Corporation)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [648032 2010-11-26] (Sony Corporation)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [SearchProtectAll] - C:\Program Files (x86)\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-08-16] (Apple Inc.)
HKU\Penwitt\...\Run: [HP Deskjet 3050A J611 series (NET)] - C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\ScanToPCActivationApp.exe [2676584 2011-06-08] (Hewlett-Packard Co.)
HKU\Penwitt\...\Run: [Elbserver] - C:\Program Files (x86)\Sony\Media Gallery\ElbServer.exe [83344 2011-04-02] (Sony Corporation)
HKU\Penwitt\...\Run: [SmileboxTray] - C:\Users\Penwitt\AppData\Roaming\Smilebox\SmileboxTray.exe [309544 2013-07-23] (Smilebox, Inc.)
HKU\Penwitt\...\Run: [Skype] - C:\Program Files (x86)\Skype\Phone\Skype.exe [19603048 2013-06-03] (Skype Technologies S.A.)
HKU\Penwitt\...\Run: [SearchProtect] - C:\Users\Penwitt\AppData\Roaming\SearchProtect\bin\cltmng.exe [2852640 2013-05-07] (Conduit)
HKU\Penwitt\...\Winlogon: [Shell] Explorer.exe [2871808 2011-02-24] (Microsoft Corporation) <==== ATTENTION
AppInit_DLLs: C:\Program Files (x86)\KeyCryptSDK\KeyCrypt64(4).dll [88376 2013-07-24] (Zemana Ltd.)
AppInit_DLLs-x32: C:\PROGRA~2\KEYCRY~1\KE96AA~1.DLL [81160 2013-07-24] (Zemana Ltd.)

==================== Services (Whitelisted) =================

S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\bin\CltMngSvc.exe [93984 2013-04-11] (Conduit)
S2 SampleCollector; C:\Program Files\Sony\VAIO Care\VCPerfService.exe [259192 2011-01-29] (Sony Corporation)
S2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [105024 2011-02-23] (ArcSoft, Inc.)
S2 Updater Service for AMZN; C:\Program Files (x86)\Amazon Browser Bar\ToolbarUpdaterService.exe [222368 2012-05-22] ()
S2 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [887000 2011-01-20] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

S1 AntiLog32; C:\Windows\system32\drivers\AntiLog64.sys [49240 2013-09-13] (Zemana Ltd.)
S3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)
S3 keycrypt; C:\Windows\System32\DRIVERS\KeyCrypt64.sys [25056 2013-07-24] (Zemana Ltd.)
S4 ccSet_N360; \SystemRoot\system32\drivers\N360x64\1404000.028\ccSetx64.sys [x]
S4 IDSVia64; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\Definitions\IPSDefs\20131001.002\IDSvia64.sys [x]
S4 SRTSPX; \SystemRoot\system32\drivers\N360x64\1404000.028\SRTSPX64.SYS [x]
S4 SymDS; system32\drivers\N360x64\1404000.028\SYMDS64.SYS [x]
S4 SymEFA; system32\drivers\N360x64\1404000.028\SYMEFA64.SYS [x]
S4 SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-13 22:56 - 2013-12-13 22:56 - 00000000 ____D C:\FRST
2013-12-13 14:05 - 2013-12-13 14:05 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2013-12-09 04:36 - 2013-12-09 04:36 - 00000000 ____D C:\Users\Penwitt\AppData\Local\SearchProtect

==================== One Month Modified Files and Folders =======

2013-12-13 22:56 - 2013-12-13 22:56 - 00000000 ____D C:\FRST
2013-12-13 14:05 - 2013-12-13 14:05 - 02237968 _____ (Kaspersky Lab ZAO) C:\tdsskiller.exe
2013-12-11 16:12 - 2012-02-11 21:43 - 00000000 ____D C:\users\Penwitt
2013-12-11 16:11 - 2013-08-19 15:59 - 00000000 ____D C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2013-12-11 16:11 - 2013-08-19 15:59 - 00000000 ____D C:\Program Files\iTunes
2013-12-11 16:11 - 2013-05-19 13:31 - 00000000 ____D C:\Program Files (x86)\Amazon Browser Bar
2013-12-11 16:11 - 2013-03-13 17:20 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2013-12-11 16:11 - 2013-03-13 17:20 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2013-12-11 16:11 - 2013-01-13 08:36 - 00000000 ____D C:\Program Files (x86)\Norton Security Suite
2013-12-11 16:11 - 2013-01-13 08:08 - 00000000 ____D C:\Windows\SysWOW64\ZALSDK_uninst
2013-12-11 16:11 - 2012-04-13 07:58 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-12-11 16:11 - 2012-04-13 07:58 - 00000000 ____D C:\ProgramData\Skype
2013-12-11 16:11 - 2012-04-12 15:33 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-12-11 16:11 - 2012-03-15 06:02 - 00000000 ____D C:\Program Files (x86)\Constant Guard Protection Suite
2013-12-11 16:11 - 2012-03-05 14:39 - 00000000 ____D C:\Windows\System32\Macromed
2013-12-11 16:11 - 2012-02-19 00:32 - 00000000 ____D C:\Program Files (x86)\iTunes
2013-12-11 16:11 - 2012-02-12 11:06 - 00000000 ____D C:\ProgramData\HP Photo Creations
2013-12-11 16:11 - 2012-02-12 11:06 - 00000000 ____D C:\Program Files (x86)\HP Photo Creations
2013-12-11 16:11 - 2011-05-03 23:33 - 00000000 ____D C:\ProgramData\Norton
2013-12-11 16:11 - 2011-05-03 22:50 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2013-12-11 16:11 - 2011-05-03 22:44 - 00000000 ____D C:\ProgramData\Sony Corporation
2013-12-11 16:11 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2013-12-11 16:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-12-11 16:11 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-12-11 16:11 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-12-11 16:08 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-12-11 16:04 - 2012-04-13 07:59 - 00000000 ____D C:\Users\Penwitt\AppData\Roaming\Skype
2013-12-11 16:04 - 2012-02-12 11:20 - 00000000 ____D C:\Users\Penwitt\AppData\Roaming\SoftGrid Client
2013-12-11 16:03 - 2012-03-15 06:04 - 00000000 ____D C:\Users\Penwitt\AppData\Local\ID Vault
2013-12-11 16:02 - 2013-04-19 21:18 - 00000000 ____D C:\Users\Penwitt\AppData\Local\Conduit
2013-12-11 16:02 - 2012-02-19 00:32 - 00000000 ____D C:\Program Files\iPod
2013-12-11 16:01 - 2012-02-12 11:25 - 00000000 __RHD C:\MSOCache
2013-12-11 15:58 - 2012-03-15 06:04 - 00000000 ____D C:\Users\Penwitt\AppData\Roaming\ID Vault
2013-12-11 15:58 - 2009-07-13 20:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-11 15:58 - 2009-07-13 20:45 - 00020928 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-09 04:36 - 2013-12-09 04:36 - 00000000 ____D C:\Users\Penwitt\AppData\Local\SearchProtect
2013-11-30 18:52 - 2012-04-28 00:16 - 00005618 _____ C:\test.xml
2013-11-13 09:39 - 2013-08-15 11:49 - 00000000 ____D C:\Windows\System32\MRT

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$86a5dcb24eedf9369d27e77b70010620

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-471084762-3375877555-2118701254-1006\$86a5dcb24eedf9369d27e77b70010620

Files to move or delete:
====================
C:\Users\Public\AlexaNSISPlugin.8348.dll

Some content of TEMP:
====================
C:\Users\Penwitt\AppData\Local\Temp\SEVINST64x86.EXE
C:\Users\Penwitt\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Penwitt\AppData\Local\Temp\_unps.exe
C:\Users\Penwitt\AppData\Local\Temp\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}_N360_12185.exe

==================== Known DLLs (Whitelisted) ================

C:\Windows\System32\LPK.dll IS MISSING <==== ATTENTION!
C:\Windows\SysWOW64\LPK.dll IS MISSING <==== ATTENTION!

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

12
Restore point made on: 2013-10-09 04:50:42
Restore point made on: 2013-11-13 09:38:21
Restore point made on: 2013-12-04 18:18:46
Restore point made on: 2013-12-11 01:00:44
Restore point made on: 2013-12-11 15:49:33
Restore point made on: 2013-12-11 15:49:37
Restore point made on: 2013-12-11 15:49:37
Restore point made on: 2013-12-11 15:49:37
Restore point made on: 2013-12-11 15:49:41
Restore point made on: 2013-12-11 15:49:43
Restore point made on: 2013-12-11 15:49:44
Restore point made on: 2013-12-11 15:57:55

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4043.86 MB
Available physical RAM: 3401.48 MB
Total Pagefile: 4042.01 MB
Available Pagefile: 3442.23 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:455.34 GB) (Free:348.98 GB) NTFS
Drive e: (Recovery) (Fixed) (Total:10.32 GB) (Free:0.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:30.23 GB) (Free:30.14 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: A338678A)
Partition 1: (Not Active) - (Size=10 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=455 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 30 GB) (Disk ID: 6E697373)
No partition Table on disk 1.

LastRegBack: 2013-09-23 15:50

==================== End Of Log ============================