Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 20-02-2014
Ran by blade at 2014-02-20 09:40:17 Run:1
Running from C:\Users\blade\Downloads
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [Windows COM Host] - C:\{$3639-2282-3518-6023$}\iexplorer_.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKU\S-1-5-21-1427241637-3662617669-1930280946-1008\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$3639-2282-3518-6023$}\iexplorer_.exe <===== ATTENTION
IFEO\avcenter.exe: [Debugger] nsjw.exe
IFEO\avguard.exe: [Debugger] nsjw.exe
IFEO\avp.exe: [Debugger] nsjw.exe
IFEO\bdagent.exe: [Debugger] nsjw.exe
IFEO\ccuac.exe: [Debugger] nsjw.exe
IFEO\ComboFix.exe: [Debugger] nsjw.exe
IFEO\egui.exe: [Debugger] nsjw.exe
IFEO\hijackthis.exe: [Debugger] nsjw.exe
IFEO\keyscrambler.exe: [Debugger] nsjw.exe
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MpCmdRun.exe: [Debugger] nsjw.exe
IFEO\MSASCui.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\msseces.exe: [Debugger] nsjw.exe
IFEO\spybotsd.exe: [Debugger] nsjw.exe
IFEO\wireshark.exe: [Debugger] nsjw.exe
IFEO\zlclient.exe: [Debugger] nsjw.exe
Startup: C:\Users\blade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.com.url ()
U3 a9nezuf7; C:\Windows\system32\Drivers\a9nezuf7.sys [0 ] (Microsoft Corporation)
GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User: Group Policy restriction detected <======= ATTENTION
SearchScopes: HKLM - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm0039Nus&ptb=E3C13CCC-C3D4-4C98-AF44-517A76638301&psa=&ind=2011101519&ptnrS=XPxdm0039Nus&si=CKyhvZ3d6asCFRVOgwodjlz9wQ&st=sb&n=77def94f&searchfor={searchTerms}
SearchScopes: HKCU - {a5b9c0f5-5616-47cd-a95f-e43b488faccf} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XPxdm0039Nus&ptb=E3C13CCC-C3D4-4C98-AF44-517A76638301&psa=&ind=2011101515&ptnrS=XPxdm0039Nus&si=CKyhvZ3d6asCFRVOgwodjlz9wQ&st=sb&n=77def94b&searchfor={searchTerms}
FF Extension: No Name - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-02-16]
2014-02-19 14:45 - 2014-02-19 22:31 - 00000000 ___HD () C:\ProgramData\{$3639-2282-3518-6023$}
2014-02-19 14:45 - 2014-02-19 15:58 - 00000000 ___HD () C:\{$3639-2282-3518-6023$}
C:\Users\Frank\AppData\Roaming\msconfig.ini
C:\Users\Mike\AppData\Roaming\msconfig.ini
C:\ProgramData\PKP_DLdu.DAT
C:\Users\blade\AppData\Roaming\msconfig.ini
C:\Windows\system32\Drivers\a9nezuf7.sys
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Windows COM Host => Unable to delete value
HKU\S-1-5-21-1427241637-3662617669-1930280946-1008\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Error setting value.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Error deleting key
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Error deleting key
C:\Users\blade\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google.com.url => Moved successfully.
a9nezuf7 => Error deleting Service
"C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User" directory move:

Could not move "C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User\Registry.pol" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User" directory. => Scheduled to move on reboot.
Could not move "C:\Windows\system32\GroupPolicy\GPT.ini" => Scheduled to move on reboot.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Error deleting key
HKCR\Wow6432Node\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf} => Key not found.
"C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}" directory move:

Could not move "C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}" directory. => Scheduled to move on reboot.
C:\ProgramData\{$3639-2282-3518-6023$} => Moved successfully.
C:\{$3639-2282-3518-6023$} => Moved successfully.
Could not move "C:\Users\Frank\AppData\Roaming\msconfig.ini" => Scheduled to move on reboot.
Could not move "C:\Users\Mike\AppData\Roaming\msconfig.ini" => Scheduled to move on reboot.
Could not move "C:\ProgramData\PKP_DLdu.DAT" => Scheduled to move on reboot.
C:\Users\blade\AppData\Roaming\msconfig.ini => Moved successfully.
Could not move "C:\Windows\system32\Drivers\a9nezuf7.sys" => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-02-20 09:43:37)<=

==> ATTENTION: System is not rebooted.
"C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User\Registry.pol" => File could not move.
"C:\Windows\system32\GroupPolicyUsers\S-1-5-21-1427241637-3662617669-1930280946-1008\User" => Directory could not move.
"C:\Windows\system32\GroupPolicy\GPT.ini" => File could not move.
"C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}" => Directory could not move.
C:\Users\Frank\AppData\Roaming\msconfig.ini => Is moved successfully.
C:\Users\Mike\AppData\Roaming\msconfig.ini => Is moved successfully.
"C:\ProgramData\PKP_DLdu.DAT" => File could not move.
"C:\Windows\system32\Drivers\a9nezuf7.sys" => File could not move.

==== End of Fixlog ====