sysanti.exe



#1
koniord


  • Member
  • 49 posts

Hi folks,

 

This appeared after a file transfer from a USB drive on a winxpsp2 computer that has no network or internet access, and no protection active whatsoever because in the past this stuff has messed up a number of hardware and software that run on this computer.

 

Any input from other drives or the web normally goes through a computer that scans everything, but I stupidly hooked up a client's USB stick without checking it first.

 

It's a trojan so obviously it can't do much without access to the outside world, but I still want to get rid of it because I rely on this computer for daily work, and it's otherwise working perfectly - has been for many years.

 

Sysanti.exe doesn't show in the task manager, but I have hidden files set to visible at all times so I noticed it right away.

Deleting either the executables or the registry entries doesn't work as they instantly regenerate.

 

Is there any easy way to get rid of it without touching anything else - like literally nothing else?

 

Many thanks,

k


Edited by koniord, 14 January 2015 - 07:33 PM.

  • 0



#2
RKinner


    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

Can you boot into Safe Mode?  

 

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly.  Keep tapping until the Safe Mode Menu appears and choose Safe Mode.  Login with your usual login.)

 

Try deleting the file. Does it come back right away in Safe Mode? If not, try creating a folder of the same name in the same location. Also delete the file c:\Windows\Server.exe and any of these which exist:

 

C:\Program Files\Common Files\SysAnti.exe
C:\Windows\Fonts\dcgje.dll
C:\Windows\Fonts\akkna.fon
C:\Windows\Fonts\rdjqa.fon
C:\Windows\Fonts\coju.fon
C:\Windows\Fonts\gdwfs.fon
C:\Windows\Fonts\hfdkj.fon
C:\Windows\Fonts\gccpx.dll

C:\Windows\svghost.exe

 

Look for files with the same date stamp as the names may change.

 

There may also be a new service called DrvKiller or winmgmt that needs to be stopped and changed to Disabled.

 

Then boot back into regular mode.  

 

If that doesn't help then I will need a FRST log to see how it works.

 

Please download Farbar Recovery Scan Tool and save it to your Desktop. 
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer. 
  • Press Scan button. 
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here. 
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply. 

    • 0
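The advice above to look for files with the same date stamp, since the names may change, can be applied to the file listings in FRST.txt. The script below is an added example, not part of the thread and not FRST's own code; the sample lines, the `example` paths and the five-minute window are constructed assumptions.

```python
import ntpath
import re
from collections import namedtuple
from datetime import datetime, timedelta

# FRST file-listing line, as seen in the "One Month Created/Modified" sections:
#   <created> - <modified> - <size> <attrs> (<company>) <path>
LINE_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r" - (\d+) (\S+) \((.*?)\) ([A-Za-z]:\\.+?)\s*$"
)
FMT = "%Y-%m-%d %H:%M"

Entry = namedtuple("Entry", "created modified size attrs company path")

# Constructed sample in FRST's listing format (not taken from a real log).
SAMPLE = r"""
==================== One Month Created Files and Folders ========

2015-01-12 17:41 - 2015-01-27 19:12 - 00052121 ____H () C:\Program Files\Common Files\SysAnti.exe
2015-01-12 17:41 - 2015-01-12 17:41 - 00008256 _____ () C:\WINDOWS\Fonts\example1.fon
2015-01-12 17:43 - 2015-01-12 17:43 - 00020480 _____ () C:\WINDOWS\example2.exe
2015-01-20 09:00 - 2015-01-27 19:12 - 00000178 ___SH () C:\Documents and Settings\user\ntuser.ini
2015-01-10 08:15 - 2015-01-10 08:15 - 00015849 _____ (Example Vendor) C:\Program Files\Example\tool.exe
"""


def parse_listing(text):
    """Return an Entry for every file-listing line; skip headers and other text."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, company, path = m.groups()
        entries.append(Entry(
            datetime.strptime(created, FMT),
            datetime.strptime(modified, FMT),
            int(size), attrs, company, path,
        ))
    return entries


def same_stamp_candidates(entries, reference_name, window_minutes=5):
    """List (path, field) for files whose created or modified stamp falls
    within window_minutes of either stamp of the known-bad reference file."""
    window = timedelta(minutes=window_minutes)
    wanted = reference_name.lower()
    refs = [e for e in entries if ntpath.basename(e.path).lower() == wanted]
    ref_stamps = {s for e in refs for s in (e.created, e.modified)}

    hits = []
    for e in entries:
        if e in refs:
            continue  # the reference file itself is already known
        for field in ("created", "modified"):
            stamp = getattr(e, field)
            if any(abs(stamp - r) <= window for r in ref_stamps):
                hits.append((e.path, field))
                break  # report each file once, on the first matching field
    return hits


if __name__ == "__main__":
    for path, field in same_stamp_candidates(parse_listing(SAMPLE), "SysAnti.exe"):
        print(f"{field:8} stamp matches: {path}")
```

The constructed ntuser.ini line matches only on its modified time, which shows that a shared stamp is a lead to inspect by hand rather than proof that the file belongs to the infection.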

    #3
    koniord


    • Topic Starter
    • Member
    • 49 posts

    Thank you for your reply, it's much appreciated. My apologies for the delay.

    The sysanti.exe keeps regenerating in all its locations in safe mode and I didn't find any of the other files and services you mentioned.

    C:\Program Files\Common Files\SysAnti.exe in particular says that it can't be deleted because another program is using it, which is something I knew how to work around once upon a time, but not any more.

     

    FRST.txt

     

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-01-2015 01
    Ran by Administrator (administrator) on ZPLANE on 27-01-2015 19:39:40
    Running from C:\Documents and Settings\z-plane\Desktop
    Loaded Profiles: z-plane & Administrator (Available profiles: z-plane & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 2 (X86) OS Language: English (United States)
    Internet Explorer Version 6 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [Matrox PowerDesk 8] => C:\Program Files\Matrox Graphics Inc\PowerDesk HF\matrox.powerdesk.exe [278898 2005-08-10] (Matrox Graphics Inc.)
    HKLM\...\Run: [HDSPTray1] => C:\WINDOWS\system32\hdsp32.exe [824759 2013-04-08] (RME)
    HKLM\...\Run: [HDSPTray2] => C:\WINDOWS\system32\hdspmix.exe [1335636 2013-04-08] (RME)
    HKLM\...\Run: [StartAlphaTrackApplet] => C:\WINDOWS\system32\AlphaTrackApplet.exe [590208 2007-09-25] (Frontier Design Group, LLC)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
    HKLM\...\Run: [NeroFilterCheck] => C:\WINDOWS\system32\NeroCheck.exe [155648 2006-01-12] (Nero AG)
    HKLM\...\Winlogon: [Userinit] C:\WINDOWS\system32\userinit.exe,,C:\Program Files\lvqssqln\tcifdtre.exe
    HKLM\...\Policies\Explorer\Run: [SysAnti] => C:\Program Files\Common Files\SysAnti.exe [52121 2015-01-27] ( ())
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: C - C:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: D - D:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: E - E:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: F - F:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: G - G:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: H - H:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {2106317c-9a82-11e4-8689-000423c3e0ad} - J:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {414391e7-d3ab-11e3-8653-000423c3e0ad} - K:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe2-b077-11e2-98ad-806d6172696f} - C:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe3-b077-11e2-98ad-806d6172696f} - F:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe4-b077-11e2-98ad-806d6172696f} - D:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe5-b077-11e2-98ad-806d6172696f} - G:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe6-b077-11e2-98ad-806d6172696f} - E:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\...\MountPoints2: {41e28fe7-b077-11e2-98ad-806d6172696f} - H:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: C - C:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: D - D:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: E - E:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: F - F:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: G - G:\SysAnti.exe
    HKU\S-1-5-21-1801674531-796845957-839522115-500\...\MountPoints2: H - H:\SysAnti.exe
    Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Lynx Tray Volume.lnk
    ShortcutTarget: Lynx Tray Volume.lnk -> C:\Program Files\Lynx Studio Technology\LynxTrayVolume.exe (Lynx Studio Technology, Inc.)
    Startup: C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Lynx Tray Volume.lnk
    ShortcutTarget: Lynx Tray Volume.lnk -> C:\Program Files\Lynx Studio Technology\LynxTrayVolume.exe (Lynx Studio Technology, Inc.)
    Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\tcifdtre.exe ()
    Startup: C:\Documents and Settings\z plane\Start Menu\Programs\Startup\tcifdtre.exe ()
    Startup: C:\Documents and Settings\zplane\Start Menu\Programs\Startup\tcifdtre.exe ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...er=6&ar=msnhome
    HKU\S-1-5-21-1801674531-796845957-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
    URLSearchHook: HKU\S-1-5-21-1801674531-796845957-839522115-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
    URLSearchHook: [S-1-5-21-1801674531-796845957-839522115-500] ATTENTION ==> Default URLSearchHook is missing.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
    SearchScopes: HKLM -> DefaultScope value is missing.
    BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

    FireFox:
    ========
    FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.9.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2014-10-28]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [161768 2013-05-09] (Oracle Corporation)
    R2 PaceLicenseDServices; C:\Program Files\Common Files\PACE\Services\LicenseServices\LDSvc.exe [17191840 2014-01-16] (PACE Anti-Piracy, Inc.)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S3 AlphaTrack; C:\WINDOWS\System32\Drivers\AlphaTrack.sys [104064 2009-10-23] (Frontier Design Group, LLC) [File not signed]
    S3 AlphaTrackWdmService; C:\WINDOWS\System32\Drivers\AlphaTrackWdm.sys [34816 2006-12-18] (Frontier Design Group, LLC) [File not signed]
    S3 CisUtMonitor; C:\WINDOWS\System32\DRIVERS\CisUtMonitor.sys [27600 2011-10-30] (CrystalIdea Software)
    R3 E1000; C:\WINDOWS\System32\DRIVERS\e1000325.sys [125952 2003-08-14] (Intel Corporation)
    S3 egg; C:\Documents and Settings\z-plane\Local Settings\Temp~egg.tmp [8256 2015-01-27] () [File not signed]
    R3 gameenum; C:\WINDOWS\System32\DRIVERS\gameenum.sys [10624 2004-08-03] (Microsoft Corporation)
    R3 hdsp; C:\WINDOWS\System32\drivers\hdsp.sys [70144 2013-04-08] (RME) [File not signed]
    R3 hypaudio; C:\WINDOWS\System32\DRIVERS\hypaudio.sys [1351168 2011-10-25] (Universal Audio, Inc.) [File not signed]
    R3 hypkern; C:\WINDOWS\System32\drivers\hypkern.sys [164864 2011-10-25] () [File not signed]
    S3 iam; C:\Documents and Settings\z-plane\Local Settings\Temp~iam.tmp [8256 2015-01-27] () [File not signed]
    R3 iLokDrvr; C:\WINDOWS\System32\DRIVERS\iLokDrvr.sys [22736 2014-05-21] ()
    R3 LynxWDM; C:\WINDOWS\System32\DRIVERS\LynxWDM.sys [230632 1617-11-22] (Lynx Studio Technology, Inc.)
    R3 MTXPARH; C:\WINDOWS\System32\DRIVERS\MTXPARHM.sys [516480 2005-08-10] (Matrox Graphics Inc.) [File not signed]
    R3 PowerCore; C:\WINDOWS\System32\DRIVERS\pcore.sys [308856 2011-10-15] ()
    S3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2004-08-03] (Realtek Semiconductor Corporation)
    S3 Secdrv; C:\WINDOWS\System32\DRIVERS\secdrv.sys [27440 2004-08-04] ()
    R3 synasusb; C:\WINDOWS\System32\Drivers\synasusb.sys [23696 2011-12-14] (Steinberg Media Technologies GmbH)
    S3 tbl; C:\Documents and Settings\Administrator\Local Settings\Temp~tbl.tmp [8256 2015-01-25] () [File not signed]
    R0 TPkd; C:\WINDOWS\system32\Drivers\TPkd.sys [94416 2013-04-11] (PACE Anti-Piracy, Inc.)
    S3 bgr; \??\C:\DOCUME~1\z-plane\LOCALS~1\Temp~bgr.tmp [X]
    S3 DrvKiller; \??\C:\WINDOWS\Fonts\eojq.fon [X]
    S3 iog; \??\C:\DOCUME~1\z-plane\LOCALS~1\Temp~iog.tmp [X]
    U1 WS2IFSL; No ImagePath

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-27 19:39 - 2015-01-27 19:39 - 00015849 _____ () C:\Documents and Settings\z-plane\Desktop\FRST.txt
    2015-01-27 19:38 - 2015-01-27 19:39 - 00000000 ____D () C:\FRST
    2015-01-27 19:38 - 2015-01-26 20:08 - 01120768 _____ (Farbar) C:\Documents and Settings\z-plane\Desktop\FRST.exe
    2015-01-27 19:22 - 2015-01-27 19:22 - 00008256 _____ () C:\Documents and Settings\z-plane\Local Settings\Temp~egg.tmp
    2015-01-27 19:12 - 2015-01-27 19:12 - 00008256 _____ () C:\Documents and Settings\z-plane\Local Settings\Temp~iam.tmp
    2015-01-25 18:47 - 2015-01-25 18:47 - 00008256 _____ () C:\Documents and Settings\Administrator\Local Settings\Temp~tbl.tmp
    2015-01-25 18:45 - 2015-01-27 19:39 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\Temp
    2015-01-25 18:45 - 2015-01-25 18:48 - 00000178 ___SH () C:\Documents and Settings\Administrator\ntuser.ini
    2015-01-25 18:45 - 2015-01-25 18:45 - 00000000 ____D () C:\Documents and Settings\Administrator
    2015-01-25 18:45 - 2013-04-29 02:11 - 00001601 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
    2015-01-25 18:45 - 2013-04-29 02:11 - 00000794 _____ () C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
    2015-01-25 18:45 - 2013-04-29 02:11 - 00000000 ___RD () C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
    2015-01-12 17:46 - 2015-01-12 17:46 - 00019135 _____ () C:\WINDOWS\unins002.dat
    2015-01-12 17:46 - 2015-01-12 17:45 - 00718497 _____ () C:\WINDOWS\unins002.exe
    2015-01-12 17:41 - 2015-01-27 19:12 - 00052121 ___SH () C:\SysAnti.exe
    2015-01-12 17:41 - 2015-01-27 19:12 - 00052121 ____H () C:\Program Files\Common Files\SysAnti.exe

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2015-01-27 19:38 - 2013-05-07 18:09 - 00173419 _____ () C:\WINDOWS\Explorermgr.exe
    2015-01-27 19:38 - 2013-04-29 02:18 - 00000000 ____D () C:\Documents and Settings\z-plane\Local Settings\Temp
    2015-01-27 19:37 - 2013-04-29 02:10 - 00430570 _____ () C:\WINDOWS\WindowsUpdate.log
    2015-01-27 19:35 - 2013-04-29 02:59 - 00601906 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2015-01-27 19:31 - 2013-05-07 13:44 - 00173419 _____ () C:\WINDOWS\system32\hdspmixmgr.exe
    2015-01-27 19:31 - 2013-05-07 13:44 - 00173419 _____ () C:\WINDOWS\system32\hdsp32mgr.exe
    2015-01-27 19:31 - 2013-04-29 02:15 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2015-01-27 19:30 - 2013-04-29 02:18 - 00000178 ___SH () C:\Documents and Settings\z-plane\ntuser.ini
    2015-01-27 19:17 - 2013-04-29 02:15 - 00032646 _____ () C:\WINDOWS\SchedLgU.Txt
    2015-01-27 19:12 - 2013-04-29 02:15 - 00000178 ___SH () C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.ini
    2015-01-27 19:08 - 2004-08-04 01:07 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
    2015-01-19 08:01 - 2006-09-23 17:31 - 00000000 ___HD () C:\Program Files\WindowsUpdate
    2015-01-15 17:34 - 2013-04-29 02:18 - 00000000 ____D () C:\Documents and Settings\z-plane
    2015-01-15 12:26 - 2013-04-29 02:58 - 00099048 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
    2015-01-14 20:14 - 2013-05-09 06:53 - 00065536 _____ () C:\WINDOWS\system32\config\PowerCor.evt
    2015-01-14 20:03 - 2013-04-29 02:19 - 00014072 _____ () C:\Documents and Settings\z-plane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2015-01-12 17:40 - 2013-04-29 02:58 - 00813904 _____ () C:\WINDOWS\setupapi.log

    ==================== Files in the root of some directories =======

    2015-01-12 17:41 - 2015-01-27 19:12 - 0052121 ____H () C:\Program Files\Common Files\SysAnti.exe

    Files to move or delete:
    ====================
    C:\Documents and Settings\z plane\x.exe


    Some content of TEMP:
    ====================

    C:\Documents and Settings\z plane\Local Settings\Temp\InstallSplash.exe
    C:\Documents and Settings\z plane\Local Settings\Temp\madExcept Patch.dll
    C:\Documents and Settings\z plane\Local Settings\Temp\NEW121.tmp.exe
    C:\Documents and Settings\z plane\Local Settings\Temp\PlaySound.dll
    C:\Documents and Settings\z plane\Local Settings\Temp\PLZ.EXE
    C:\Documents and Settings\z plane\Local Settings\Temp\svchost.exe
    C:\Documents and Settings\z plane\Local Settings\Temp\SyncrosoftLicenseControlSetup.exe
    C:\Documents and Settings\z-plane\Local Settings\Temp\madExcept Patch.dll
    C:\Documents and Settings\z-plane\Local Settings\Temp\svchost.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================

     

    Addition.txt

     

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-01-2015 01
    Ran by Administrator at 2015-01-27 19:40:11
    Running from C:\Documents and Settings\z-plane\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)


    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    7-Zip 9.22beta (HKLM\...\7-Zip) (Version:  - )
    Bonjour (HKLM\...\{07287123-B8AC-41CE-8346-3D777245C35B}) (Version: 1.0.106 - Apple Inc.)
    Intel® Integrated Performance Primitives RTI 4.0 (HKLM\...\{51C91B84-7B46-4FE7-8999-8228CFA75F89}) (Version: 4.0.23 - Intel Corporation)
    Intel® PRO Network Adapters and Drivers (HKLM\...\PROSet) (Version:  - )
    Java 7 Update 9 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217009FF}) (Version: 7.0.90 - Oracle)
    LameXP (HKLM\...\{FBD7A67D-D700-4043-B54F-DD106D00F308}) (Version:  - )
    Lynx Version 2 Driver (Remove Only) (HKLM\...\LynxWDM) (Version:  - Lynx Studio Technology, Inc.)
    Matrox Driver (HKLM\...\Matrox Parhelia Driver Uninstaller) (Version:  - Matrox Graphics Inc.)
    Matrox PowerDesk-HF (HKLM\...\{90ED357B-5993-42F7-AF70-2D60A7250A32}) (Version: 8.10.0100.0038 - Matrox Graphics Inc.)
    Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
    Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
    Uninstall Tool (HKLM\...\Uninstall Tool_is1) (Version: 3.3 - CrystalIDEA Software, Inc.)
    Visual C++ Redistributables (HKLM\...\InstallShield_{F03117FA-9270-46B0-9666-0B4BC2CDEBF5}) (Version: 1.3.0.8766 - PACE Anti-Piracy, Inc.)
    WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
    Windows Imaging Component (HKLM\...\WIC) (Version: 3.0.0.0 - Microsoft Corporation)
    Word Reader 6.24 (HKLM\...\Word Reader 6.24) (Version:  - http://www.word-reader.com/)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points  =========================

    ATTENTION: System Restore is disabled.

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2004-08-04 01:07 - 2015-01-27 19:31 - 00000794 ____A C:\WINDOWS\system32\Drivers\etc\hosts


    ==================== Scheduled Tasks (whitelisted) =============


    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


    ==================== Loaded Modules (whitelisted) =============


    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupfolder: C:^Documents and Settings^z-plane^Start Menu^Programs^Startup^tcifdtre.exe => C:\WINDOWS\pss\tcifdtre.exeStartup
    MSCONFIG\startupreg: Matrox PowerDesk SE => "c:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe"

    ========================= Accounts: ==========================

    Administrator (S-1-5-21-1801674531-796845957-839522115-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    ASPNET (S-1-5-21-1801674531-796845957-839522115-1005 - Limited - Enabled)
    Guest (S-1-5-21-1801674531-796845957-839522115-501 - Limited - Enabled)
    HelpAssistant (S-1-5-21-1801674531-796845957-839522115-1000 - Limited - Disabled)
    SUPPORT_388945a0 (S-1-5-21-1801674531-796845957-839522115-1002 - Limited - Disabled)
    z-plane (S-1-5-21-1801674531-796845957-839522115-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\z-plane

    ==================== Faulty Device Manager Devices =============

    Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
    Class Guid: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Manufacturer: Realtek
    Service: rtl8139
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (01/14/2015 07:31:41 PM) (Source: EventSystem) (EventID: 4609) (User: )
    Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

    Error: (01/14/2015 07:22:51 PM) (Source: EventSystem) (EventID: 4609) (User: )
    Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 800706BA from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

    Error: (10/28/2014 03:48:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
    Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

    Error: (07/14/2014 03:15:55 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application nuendo5.exe, version 5.1.1.651, faulting module nuendo5.exe, version 5.1.1.651, fault address 0x00f8a4b4.
    Processing media-specific event for [nuendo5.exe!ws!]

    Error: (07/14/2014 03:15:13 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application nuendo5.exe, version 5.1.1.651, faulting module nuendo5.exe, version 5.1.1.651, fault address 0x00f8a4b4.
    Processing media-specific event for [nuendo5.exe!ws!]

    Error: (06/25/2014 07:43:49 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application nuendo5.exe, version 5.1.1.651, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011e58.
    Processing media-specific event for [nuendo5.exe!ws!]

    Error: (06/25/2014 02:39:34 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application explorer.exe, version 6.0.2900.2180, faulting module gdiplus.dll, version 5.1.3102.2180, fault address 0x0006073a.
    Processing media-specific event for [explorer.exe!ws!]

    Error: (06/25/2014 02:36:18 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application explorer.exe, version 6.0.2900.2180, faulting module gdiplus.dll, version 5.1.3102.2180, fault address 0x0006073a.
    Processing media-specific event for [explorer.exe!ws!]

    Error: (06/02/2014 05:43:58 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application nuendo5.exe, version 5.1.1.651, faulting module unknown, version 0.0.0.0, fault address 0x259cb60e.
    Processing media-specific event for [nuendo5.exe!ws!]

    Error: (06/01/2014 02:18:12 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application nuendo5.exe, version 5.1.1.651, faulting module unknown, version 0.0.0.0, fault address 0x2493b60e.
    Processing media-specific event for [nuendo5.exe!ws!]


    System errors:
    =============
    Error: (01/27/2015 07:30:07 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
    Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error: (01/27/2015 07:22:23 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
    Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error: (01/27/2015 07:20:53 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AFD
    Fips
    intelppm
    IPSec
    MRxSmb
    NetBIOS
    NetBT
    RasAcd
    Rdbss
    Tcpip

    Error: (01/27/2015 07:20:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
    %%31

    Error: (01/27/2015 07:20:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
    %%31

    Error: (01/27/2015 07:20:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
    %%31

    Error: (01/27/2015 07:20:53 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
    %%31

    Error: (01/27/2015 07:11:36 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
    Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
    in order to run the server:
    {1BE1F766-5536-11D1-B726-00C04FB926AF}

    Error: (01/27/2015 07:09:17 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AFD
    Fips
    intelppm
    IPSec
    MRxSmb
    NetBIOS
    NetBT
    RasAcd
    Rdbss
    Tcpip

    Error: (01/27/2015 07:09:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
    %%31


    Microsoft Office Sessions:
    =========================
    Error: (01/14/2015 07:31:41 PM) (Source: EventSystem) (EventID: 4609) (User: )
    Description: d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp44800706BA

    Error: (01/14/2015 07:22:51 PM) (Source: EventSystem) (EventID: 4609) (User: )
    Description: d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp44800706BA

    Error: (10/28/2014 03:48:06 AM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )
    Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

    Error: (07/14/2014 03:15:55 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: nuendo5.exe5.1.1.651nuendo5.exe5.1.1.65100f8a4b4

    Error: (07/14/2014 03:15:13 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: nuendo5.exe5.1.1.651nuendo5.exe5.1.1.65100f8a4b4

    Error: (06/25/2014 07:43:49 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: nuendo5.exe5.1.1.651ntdll.dll5.1.2600.218000011e58

    Error: (06/25/2014 02:39:34 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: explorer.exe6.0.2900.2180gdiplus.dll5.1.3102.21800006073a

    Error: (06/25/2014 02:36:18 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: explorer.exe6.0.2900.2180gdiplus.dll5.1.3102.21800006073a

    Error: (06/02/2014 05:43:58 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: nuendo5.exe5.1.1.651unknown0.0.0.0259cb60e

    Error: (06/01/2014 02:18:12 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: nuendo5.exe5.1.1.651unknown0.0.0.02493b60e


    ==================== Memory info ===========================

    Processor: Intel® Core™2 Quad CPU @ 2.40GHz
    Percentage of memory in use: 11%
    Total physical RAM: 3317.79 MB
    Available physical RAM: 2929.93 MB
    Total Pagefile: 5231.78 MB
    Available Pagefile: 5021.45 MB
    Total Virtual: 2899.88 MB
    Available Virtual: 2809.29 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:37.28 GB) (Free:4.06 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive d: (Audio) (Fixed) (Total:341.8 GB) (Free:48.73 GB) NTFS ==>[Drive with boot components (Windows XP)]
    Drive e: (BFD) (Fixed) (Total:68.82 GB) (Free:26.66 GB) NTFS
    Drive f: (CB&N) (Fixed) (Total:37.28 GB) (Free:18.63 GB) NTFS
    Drive g: (K2, Jx, Gog, SP) (Fixed) (Total:123.96 GB) (Free:47.03 GB) NTFS
    Drive h: (SAMPLES) (Fixed) (Total:164.06 GB) (Free:50.88 GB) NTFS
    Drive j: (X 8GB) (Removable) (Total:7.2 GB) (Free:5.77 GB) FAT32
    Drive k: (X 31GB) (Removable) (Total:28.94 GB) (Free:5.36 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows XP) (Size: 74.6 GB) (Disk ID: 4AC94AC8)
    Partition 1: (Active) - (Size=37.3 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=37.3 GB) - (Type=OF Extended)

    ========================================================
    Disk: 1 (MBR Code: Windows XP) (Size: 465.8 GB) (Disk ID: B44BBD7A)
    Partition 1: (Active) - (Size=341.8 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=124 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (Size: 232.9 GB) (Disk ID: F3B5F3B6)
    Partition 1: (Not Active) - (Size=68.8 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=164.1 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 3 (MBR Code: Windows XP) (Size: 29 GB) (Disk ID: C3072E18)
    Partition 1: (Not Active) - (Size=29 GB) - (Type=0C)

    ========================================================
    Disk: 4 (Size: 7.2 GB) (Disk ID: 7E4F2752)
    Partition 1: (Active) - (Size=7.2 GB) - (Type=0B)

    ==================== End Of Log ============================


    Edited by koniord, 27 January 2015 - 02:09 PM.

    • 0

    #4
    koniord

    koniord

      Member

    • Topic Starter
    • Member
    • PipPip
    • 49 posts

    Any info on this would be much appreciated.


    • 0

    #5
    RKinner

    RKinner

      Malware Expert

    • Expert
    • 24,598 posts
    • MVP

    Looks like a new version.  Let's see what FRST can do:

     

    Download the attached fixlist.txt to the same location as FRST
    Run FRST and press Fix
    A fix log will be generated; please post that.  Run FRST again, check the Additions box and then Scan.  You will get two logs.  Post them both.

    • 0





