Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 22-01-2014 02
Ran by Wojciech (administrator) on WOJCIECH-PC on 22-01-2014 21:54:26
Running from C:\Users\Wojciech\Desktop
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) OS Language: Polish
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) ===================

(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
() C:\ProgramData\DatacardService\HWDeviceService.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Sony Corporation) C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Huawei Technologies Co., Ltd.) C:\ProgramData\DatacardService\DCSHelper.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
() C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe
(Conexant Systems, Inc.) C:\Windows\System32\drivers\XAudio.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
() C:\Users\Wojciech\AppData\Roaming\pwo6\svchost.exe
() C:\Users\Wojciech\AppData\Local\Temp\_MEI21042\bin\winlogon.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [54840 2007-05-08] (Hewlett-Packard)
HKLM\...\Run: [ContentTransferWMDetector.exe] - C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe [497000 2009-07-30] (Sony Corporation)
HKLM\...\Run: [egui] - C:\Program Files\ESET\ESET Smart Security\egui.exe [5110672 2013-09-12] (ESET)
HKCU\...\Run: [pwo6] - C:\Users\Wojciech\AppData\Roaming\pwo6\svchost.exe [7321417 2013-10-10] ()
HKCU\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-21] (Microsoft Corporation)
MountPoints2: {1a1bd646-301c-11e3-ab07-001e6841a527} - H:\AutoRun.exe
MountPoints2: {1a1bd64f-301c-11e3-ab07-001e6841a527} - H:\AutoRun.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - C:\Windows\system32\oobefldr.dll [ 2009-04-11] (Microsoft Corporation)
Startup: C:\Users\Wojciech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.pl/
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Wojciech\AppData\Roaming\Mozilla\Firefox\Profiles\2u1lpu8b.default
FF Homepage: https://www.google.pl/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.0 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\Wojciech\AppData\Roaming\Mozilla\Firefox\Profiles\2u1lpu8b.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-10-05]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-10-03]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Extension: ESET Smart Security Extension - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2013-11-06]
FF HKCU\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-10-03]

========================== Services (Whitelisted) =================

R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1337752 2013-09-12] (ESET)
R2 HWDeviceService.exe; C:\ProgramData\DatacardService\HWDeviceService.exe [271712 2011-03-14] ()
S2 PLAY ONLINE. RunOuc; C:\Program Files\PLAY ONLINE\UpdateDog\ouc.exe [246112 2013-10-08] ()

==================== Drivers (Whitelisted) ====================

R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [188808 2013-09-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [134248 2013-09-17] (ESET)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [174400 2013-09-17] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [37416 2013-09-17] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [49240 2013-09-17] (ESET)
S3 huawei_cdcacm; C:\Windows\System32\DRIVERS\ew_jucdcacm.sys [95616 2013-10-08] (Huawei Technologies Co., Ltd.)
S3 huawei_cdcecm; C:\Windows\System32\DRIVERS\ew_jucdcecm.sys [67584 2013-10-08] (Huawei Technologies Co., Ltd.)
S3 huawei_ext_ctrl; C:\Windows\System32\DRIVERS\ew_juextctrl.sys [27520 2013-10-08] (Huawei Technologies Co., Ltd.)
U5 ewusbnet; C:\Windows\System32\Drivers\ewusbnet.sys [245376 2013-10-08] (Huawei Technologies Co., Ltd.)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-22 21:54 - 2014-01-22 21:54 - 00008927 _____ C:\Users\Wojciech\Desktop\FRST.txt
2014-01-22 21:53 - 2014-01-22 21:53 - 00000000 ____D C:\FRST
2014-01-22 21:52 - 2014-01-22 21:52 - 01222144 _____ (Farbar) C:\Users\Wojciech\Desktop\FRST.exe
2014-01-22 05:29 - 2014-01-22 21:19 - 00000000 ____D C:\Users\Wojciech\Desktop\karta sony
2014-01-20 22:09 - 2014-01-20 22:09 - 00000000 ____D C:\Users\Wojciech\Desktop\2014-01 (sty)
2014-01-19 09:41 - 2014-01-19 09:41 - 00000417 _____ C:\Users\Wojciech\Desktop\Under the Dome [1x13] Curtains (wgrane napisy).rmvb.URL
2014-01-19 09:34 - 2014-01-19 09:34 - 00000409 _____ C:\Users\Wojciech\Desktop\True.Detective.S01E01 (wgrane napisy PL).avi.URL
2014-01-17 05:13 - 2014-01-22 21:14 - 00017408 _____ C:\Windows\system32\rpcnetp.exe
2014-01-17 05:13 - 2014-01-22 21:14 - 00017408 _____ C:\Windows\system32\rpcnetp.dll
2014-01-16 21:28 - 2014-01-16 21:28 - 00122955 _____ C:\Users\Wojciech\Desktop\Wizz Air.htm
2014-01-16 21:28 - 2014-01-16 21:28 - 00000000 ____D C:\Users\Wojciech\Desktop\Wizz Air_pliki
2014-01-13 17:43 - 2014-01-13 17:43 - 00000000 ____D C:\Users\Wojciech\AppData\Roaming\Real
2014-01-13 16:01 - 2014-01-13 16:01 - 00009728 _____ C:\Users\Wojciech\Desktop\Pracownia Endoskopii.xls
2014-01-12 18:40 - 2014-01-12 18:40 - 00000216 _____ C:\Users\Wojciech\Desktop\Wizz Air - Polski.URL
2014-01-12 17:04 - 2014-01-12 17:04 - 05092888 _____ (KL ) C:\Users\Wojciech\Desktop\Documents\Kodek rmvb.exe
2013-12-31 15:15 - 2013-12-31 15:35 - 00000000 ____D C:\Users\Wojciech\Desktop\Documents\faktury smartfony

==================== One Month Modified Files and Folders =======

2014-01-22 21:54 - 2014-01-22 21:54 - 00008927 _____ C:\Users\Wojciech\Desktop\FRST.txt
2014-01-22 21:53 - 2014-01-22 21:53 - 00000000 ____D C:\FRST
2014-01-22 21:52 - 2014-01-22 21:52 - 01222144 _____ (Farbar) C:\Users\Wojciech\Desktop\FRST.exe
2014-01-22 21:42 - 2013-10-10 20:44 - 00000000 ___HD C:\Users\Wojciech\AppData\Roaming\pwo6
2014-01-22 21:41 - 2013-12-01 12:14 - 00001036 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-22 21:41 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-22 21:41 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-22 21:41 - 2006-11-02 13:47 - 00003760 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-22 21:40 - 2013-11-04 21:10 - 02033351 _____ C:\Windows\WindowsUpdate.log
2014-01-22 21:40 - 2006-11-02 14:01 - 00032532 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-22 21:32 - 2013-10-03 09:14 - 00043008 _____ (Absolute Software Corp.) C:\Windows\system32\agremove.exe
2014-01-22 21:25 - 2013-12-01 12:14 - 00001040 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-22 21:19 - 2014-01-22 05:29 - 00000000 ____D C:\Users\Wojciech\Desktop\karta sony
2014-01-22 21:14 - 2014-01-17 05:13 - 00017408 _____ C:\Windows\system32\rpcnetp.exe
2014-01-22 21:14 - 2014-01-17 05:13 - 00017408 _____ C:\Windows\system32\rpcnetp.dll
2014-01-22 21:03 - 2013-10-03 12:03 - 00000930 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-22 06:04 - 2013-10-05 19:03 - 00000000 ____D C:\Users\Wojciech\AppData\Roaming\vlc
2014-01-22 05:33 - 2009-04-13 09:02 - 01495264 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-22 05:33 - 2009-04-13 09:01 - 00672140 _____ C:\Windows\system32\perfh015.dat
2014-01-22 05:33 - 2009-04-13 09:01 - 00130516 _____ C:\Windows\system32\perfc015.dat
2014-01-21 15:33 - 2013-10-03 17:08 - 00110592 _____ C:\Users\Wojciech\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-01-20 22:09 - 2014-01-20 22:09 - 00000000 ____D C:\Users\Wojciech\Desktop\2014-01 (sty)
2014-01-19 18:06 - 2013-10-05 19:01 - 00000000 ____D C:\Users\Wojciech\AppData\Roaming\Skype
2014-01-19 09:41 - 2014-01-19 09:41 - 00000417 _____ C:\Users\Wojciech\Desktop\Under the Dome [1x13] Curtains (wgrane napisy).rmvb.URL
2014-01-19 09:34 - 2014-01-19 09:34 - 00000409 _____ C:\Users\Wojciech\Desktop\True.Detective.S01E01 (wgrane napisy PL).avi.URL
2014-01-17 05:18 - 2013-10-03 09:52 - 00000000 ____D C:\Windows\system32\MRT
2014-01-17 05:16 - 2006-11-02 11:24 - 83425928 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-01-16 21:50 - 2013-10-02 16:57 - 00000000 ____D C:\Users\Wojciech\AppData\Local\VirtualStore
2014-01-16 21:28 - 2014-01-16 21:28 - 00122955 _____ C:\Users\Wojciech\Desktop\Wizz Air.htm
2014-01-16 21:28 - 2014-01-16 21:28 - 00000000 ____D C:\Users\Wojciech\Desktop\Wizz Air_pliki
2014-01-13 17:43 - 2014-01-13 17:43 - 00000000 ____D C:\Users\Wojciech\AppData\Roaming\Real
2014-01-13 17:38 - 2013-10-03 21:53 - 00000000 ____D C:\Program Files\CCleaner
2014-01-13 16:01 - 2014-01-13 16:01 - 00009728 _____ C:\Users\Wojciech\Desktop\Pracownia Endoskopii.xls
2014-01-12 18:40 - 2014-01-12 18:40 - 00000216 _____ C:\Users\Wojciech\Desktop\Wizz Air - Polski.URL
2014-01-12 17:04 - 2014-01-12 17:04 - 05092888 _____ (KL ) C:\Users\Wojciech\Desktop\Documents\Kodek rmvb.exe
2013-12-31 15:35 - 2013-12-31 15:15 - 00000000 ____D C:\Users\Wojciech\Desktop\Documents\faktury smartfony

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-22 21:47

==================== End Of Log ============================