Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by nikodem (09-09-2017 16:57:25) Run:1
Running from C:\Users\nikodem\Downloads
Loaded Profiles: nikodem (Available Profiles: nikodem)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBPxn49PYmQ6e1krQXBFZY3cpGvurF9zzOIyDLu5uOmkinzBq1bnef-187MIGsU70JH1D5wQ8I1HPbbgiU8eHg-HfpJ0HIqMd_gZGn8-WAp3VhEmC5jRDLM2fUkqlmJ-GJD9msztx10H29dePQibZsKT_lE7bwv8xRM_Zb83FdFuNYrCecXQcI,
CHR StartupUrls: Default -> "hxxp://www.istartpageing.com/?type=hp&ts=1451928047&z=4d8f4b76957462447566824gbz9wag6t3o7b1eaz9m&from=cor&uid=st250dm000-1bd141_5vy93k1pxxxx5vy93k1p"
FF NewTab: Mozilla\Firefox\Profiles\x5pju775.default ->
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.interia.pl/#utm_source=instalki1&utm_medium=installer&utm_campaign=instalki1&iwa_source=installer_instalki
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.interia.pl/#utm_source=instalki1&utm_medium=installer&utm_campaign=instalki1&iwa_source=installer_instalki
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}
URLSearchHook: HKLM-x32 -> Default = {CCC7B151-1D8C-11E3-B2AD-F3EF3D58318D}
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
IFEO\RegWorks.exe: [Debugger] svchost.exe
IFEO\RSITx64.exe: [Debugger] svchost.exe
GroupPolicy: Restriction <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\Run: [AdobeBridge] => [X]
S3 Hamachi; C:\Windows\system32\DRIVERS\Hamdrv.sys [45680 2017-02-27] (LogMeIn Inc.)
MSCONFIG\Services: GalaxyClientService => 3
MSCONFIG\Services: GalaxyCommunication => 3
MSCONFIG\Services: Hamachi2Svc => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\Services: LMIGuardianSvc => 2
MSCONFIG\Services: TunnelBearMaintenance => 2
HKLM\...\StartupApproved\Run: => "CMD"
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "LogMeIn Hamachi Ui"
HKLM\...\StartupApproved\Run32: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "PlaysTV"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "GalaxyClient"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "screenSHU"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "TunnelBear"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "Plex Media Server"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "MyImgur"
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\...\StartupApproved\Run: => "AdobeBridge"
DeleteKey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2
C:\Program Files (x86)\5ef7ea3b.tmp
C:\Program Files (x86)\7dcianqrua.dat
C:\ProgramData\mntemp
C:\ProgramData\rxsmznjf.zcp
C:\ProgramData\TEMP
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\D
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic II\Usu* - Noc Kruka.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Id
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Native Instruments\Massive\Native Instruments Homepage.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\AT&T WorldNet.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Bot Commands.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Check for Quake III Arena Updates.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Help System.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Play Quake III Arena.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Q3A Community
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The You Testament
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Valendor PL
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot Beta
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot\WindBot 11 Beta.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot\WindAddons\Wind Addons.lnk
C:\Users\nikodem\AppData\Local\Google\Chrome\User Data\System Profile
C:\Users\nikodem\AppData\Roaming\system.xml
C:\Users\nikodem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk
C:\Users\nikodem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\18c7e66df9434f18\TibiaME MMO.lnk
C:\Users\nikodem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url
C:\Users\nikodem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\World of Gothic\GOTHIC2 - Odyseja - 'Pakiet systemowy'
C:\Users\nikodem\Documents\XenoScan-master\bin\test.lnk
C:\Windows\system32\drivers\Hamdrv.sys
File: C:\Users\nikodem\AppData\Local\slack\Update.exe
CMD: netsh advfirewall reset
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
Chrome HomePage => removed successfully
Chrome StartupUrls => removed successfully
Firefox "newtab" removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\ => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\ielnksrch => key not found.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\RegWorks.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\RSITx64.exe => key removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
C:\Windows\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION => restored successfully
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION => restored successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
HKLM\System\CurrentControlSet\Services\Hamachi => key removed successfully
Hamachi => service removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\GalaxyClientService => key removed successfully
HKLM\System\CurrentControlSet\Services\GalaxyClientService => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\GalaxyCommunication => key removed successfully
HKLM\System\CurrentControlSet\Services\GalaxyCommunication => key removed successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\Hamachi2Svc => key removed successfully
HKLM\System\CurrentControlSet\Services\Hamachi2Svc => key not found.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\iPod Service => key removed successfully
HKLM\System\CurrentControlSet\Services\iPod Service => key not found.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\LMIGuardianSvc => key removed successfully
HKLM\System\CurrentControlSet\Services\LMIGuardianSvc => key not found.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\TunnelBearMaintenance => key removed successfully
HKLM\System\CurrentControlSet\Services\TunnelBearMaintenance => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\CMD => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\CMD => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\iTunesHelper => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iTunesHelper => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\LogMeIn Hamachi Ui => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\LogMeIn Hamachi Ui => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\AdobeAAMUpdater-1.0 => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AdobeAAMUpdater-1.0 => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\PlaysTV => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\PlaysTV => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\GalaxyClient => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\GalaxyClient => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\screenSHU => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\screenSHU => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\TunnelBear => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\TunnelBear => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\Plex Media Server => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Plex Media Server => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\MyImgur => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MyImgur => value not found.
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\AdobeBridge => value removed successfully
HKU\S-1-5-21-2243841881-2731580477-2253573762-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 => key removed successfully
C:\Program Files (x86)\5ef7ea3b.tmp => moved successfully
C:\Program Files (x86)\7dcianqrua.dat => moved successfully
C:\ProgramData\mntemp => moved successfully
C:\ProgramData\rxsmznjf.zcp => moved successfully
C:\ProgramData\TEMP => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\D => moved successfully

=========== "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic II\Usu* - Noc Kruka.lnk" ==========
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic II\Usuñ Gothic II - Noc Kruka.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic II\Usuń Gothic II - Noc Kruka.lnk => moved successfully
========= End -> "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gothic II\Usu* - Noc Kruka.lnk" ========

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Id => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Native Instruments\Massive\Native Instruments Homepage.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\AT&T WorldNet.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Bot Commands.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Check for Quake III Arena Updates.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Help System.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Play Quake III Arena.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Quake III Arena\Q3A Community => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\The You Testament => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Valendor PL => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot Beta => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot\WindBot 11 Beta.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WindBot\WindAddons\Wind Addons.lnk => moved successfully
C:\Users\nikodem\AppData\Local\Google\Chrome\User Data\System Profile => moved successfully
C:\Users\nikodem\AppData\Roaming\system.xml => moved successfully
C:\Users\nikodem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk => moved successfully
C:\Users\nikodem\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\18c7e66df9434f18\TibiaME MMO.lnk => moved successfully
C:\Users\nikodem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Play Games Online.url => moved successfully
C:\Users\nikodem\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\World of Gothic\GOTHIC2 - Odyseja - 'Pakiet systemowy' => moved successfully
C:\Users\nikodem\Documents\XenoScan-master\bin\test.lnk => moved successfully
C:\Windows\system32\drivers\Hamdrv.sys => moved successfully

========================= File: C:\Users\nikodem\AppData\Local\slack\Update.exe ========================

File is digitally signed
MD5: 11853CE9C5403B52AA0DAFEF2CD1EC56
Creation and modification date: 2016-10-11 23:35 - 2017-08-18 12:39
Size: 001584656
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:
VirusTotal: https://www.virustotal.com/file/2bedf3e4b5e5549a93d8b35d31692909b43ee905a981652824c6feab6335b647/analysis/1504097710/

====== End of File: ======

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= wevtutil el | Foreach-Object {wevtutil cl "$_"} =========

========= End of Powershell: =========

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 45224806 B
Java, Flash, Steam htmlcache => 408941969 B
Windows/system/drivers => 18934224 B
Edge => 0 B
Chrome => 746896224 B
Firefox => 10942985 B
Opera => 23404992 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 239791 B
systemprofile32 => 129 B
LocalService => 0 B
NetworkService => 0 B
nikodem => 236169218 B

RecycleBin => 39055143 B
EmptyTemp: => 1.4 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 16:59:26 ====