Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-06-2014 01
Ran by Klient (administrator) on KLIENT-PC on 02-06-2014 09:32:37
Running from C:\Users\Klient\Desktop\narzedzia
Platform: Microsoft® Windows Vista™ Business Service Pack 2 (X86) OS Language: Polish
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(ELAN Microelectronic Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe
() C:\ProgramData\MobileBrServ\mbbService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(Compal Electronics, Inc.) C:\Program Files\Wireless Select Switch\WLSS.exe
(ELAN Microelectronic Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\NvTmru.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.exe
(OpenOffice.org) C:\Program Files\OpenOffice.org 3\program\soffice.bin
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(Microsoft Corporation) C:\Windows\System32\conime.exe
(Microsoft Corporation) C:\Windows\System32\RacAgent.exe
(Microsoft Corporation) C:\Windows\System32\WerFault.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-21] (Microsoft Corporation)
HKLM\...\Run: [ETDWare] => C:\Program Files\Elantech\ETDCtrl.exe [548744 2010-04-13] (ELAN Microelectronic Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [9398888 2010-07-28] (Realtek Semiconductor)
HKLM\...\Run: [WLSS] => C:\Program Files\Wireless Select Switch\WLSS.exe [189736 2007-10-17] (Compal Electronics, Inc.)
HKLM\...\Run: [Nvtmru] => C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe [1012000 2013-05-16] (NVIDIA Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe [3158584 2013-02-14] (ESET)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2273056 2013-11-29] (NVIDIA Corporation)
HKLM\...\Run: [mobilegeni daemon] => C:\Program Files\Mobogenie\DaemonProcess.exe
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\Run: [Facebook Update] => C:\Users\Klient\AppData\Local\Facebook\Update\FacebookUpdate.exe [138096 2013-10-06] (Facebook Inc.)
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {2c24c4e7-00cf-11e3-8ed3-001eec58cff2} - E:\AutoRun.exe
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {2c24c4fe-00cf-11e3-8ed3-001eec58cff2} - E:\AutoRun.exe
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {a62dc2e7-04ae-11e3-8fe9-001eec58cff2} - E:\AutoRun.exe
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {c89e9589-00d6-11e3-8af3-001eec58cff2} - E:\AutoRun.exe
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {c89e958a-00d6-11e3-8af3-001eec58cff2} - E:\AutoRun.exe
HKU\S-1-5-21-2265191351-1951022783-2934723849-1000\...\MountPoints2: {c89e9592-00d6-11e3-8af3-001eec58cff2} - E:\AutoRun.exe
Startup: C:\Users\Klient\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.4.1.lnk
ShortcutTarget: OpenOffice.org 3.4.1.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Rich Media Downloader - {A7DF592F-6E2A-45C4-9A87-4BD217D714ED} - C:\Users\Klient\AppData\Local\Rich Media Player\BrowserExtensions\IE\RichMediaDownloader.dll No File
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Klient\AppData\Roaming\Mozilla\Firefox\Profiles\ur0sis3b.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_214.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @Skype Limited.com/Facebook Video Calling Plugin - C:\Users\Klient\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppluginrichmediaplayer.dll ()
FF Extension: Adblock Plus - C:\Users\Klient\AppData\Roaming\Mozilla\Firefox\Profiles\ur0sis3b.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-08-09]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird
FF Extension: ESET Endpoint Security Extension - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird [2013-08-05]

========================== Services (Whitelisted) =================

S3 EhttpSrv; C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe [33136 2013-02-14] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe [1020304 2013-02-14] (ESET)
S3 ESHASRV; C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [183944 2013-02-14] (ESET)
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [232288 2012-03-12] ()
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1370912 2013-11-29] (NVIDIA Corporation)

==================== Drivers (Whitelisted) ====================

R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [175288 2013-02-04] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [124848 2013-02-04] (ESET)
R0 EMSC; C:\Windows\System32\DRIVERS\EMSC.SYS [11776 2007-02-13] (Windows (R) Codename Longhorn DDK provider)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [108344 2013-02-04] (ESET)
R3 ETD; C:\Windows\System32\DRIVERS\ETD.sys [109960 2010-04-13] (ELAN Microelectronic Corp.)
R3 NETwNv32; C:\Windows\System32\DRIVERS\NETwNv32.sys [6680064 2010-07-14] (Intel Corporation)
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-02 09:31 - 2014-06-02 09:33 - 00000000 ____D () C:\FRST
2014-06-02 09:27 - 2014-06-02 09:32 - 00000000 ____D () C:\Users\Klient\Desktop\narzedzia
2014-06-02 08:38 - 2014-06-02 08:38 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-06-02 08:27 - 2014-06-02 09:13 - 00000000 ____D () C:\Users\Klient\Desktop\otl
2014-05-21 23:39 - 2014-05-21 23:39 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2014-05-21 07:55 - 2014-04-07 12:53 - 00011776 _____ () C:\Users\Klient\Desktop\stany_rio - Kopia.xls
2014-05-21 07:00 - 2014-06-01 16:41 - 00000000 ____D () C:\Users\Klient\Desktop\Lista zamówień_pliki
2014-05-16 03:00 - 2014-05-06 01:32 - 12347392 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-16 03:00 - 2014-05-06 01:14 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-16 03:00 - 2014-05-06 01:14 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-05-15 16:58 - 2014-03-25 15:26 - 11587584 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2014-05-12 10:39 - 2014-05-12 10:39 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-07 19:01 - 2014-05-07 21:39 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird

==================== One Month Modified Files and Folders =======

2014-06-02 09:33 - 2014-06-02 09:31 - 00000000 ____D () C:\FRST
2014-06-02 09:33 - 2013-07-23 17:41 - 00000000 ____D () C:\Users\Klient\AppData\Local\Temp
2014-06-02 09:32 - 2014-06-02 09:27 - 00000000 ____D () C:\Users\Klient\Desktop\narzedzia
2014-06-02 09:17 - 2013-07-23 17:31 - 00000930 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-02 09:13 - 2014-06-02 08:27 - 00000000 ____D () C:\Users\Klient\Desktop\otl
2014-06-02 08:38 - 2014-06-02 08:38 - 00000000 ____D () C:\ProgramData\WindowsSearch
2014-06-02 08:31 - 2009-04-13 09:16 - 01616086 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-02 08:31 - 2009-04-13 09:15 - 00714916 _____ () C:\Windows\system32\perfh015.dat
2014-06-02 08:31 - 2009-04-13 09:15 - 00151756 _____ () C:\Windows\system32\perfc015.dat
2014-06-02 08:16 - 2006-11-02 15:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-02 08:16 - 2006-11-02 14:47 - 00003760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-02 08:16 - 2006-11-02 14:47 - 00003760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-01 17:15 - 2009-04-11 14:36 - 01482167 _____ () C:\Windows\WindowsUpdate.log
2014-06-01 17:15 - 2006-11-02 15:01 - 00032544 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-01 16:42 - 2006-11-02 13:18 - 00000000 ____D () C:\Windows\system32\Msdtc
2014-06-01 16:41 - 2014-05-21 07:00 - 00000000 ____D () C:\Users\Klient\Desktop\Lista zamówień_pliki
2014-06-01 16:41 - 2014-03-26 21:20 - 00000000 ___RD () C:\Program Files\Skype
2014-06-01 16:41 - 2014-03-26 21:20 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-01 16:41 - 2013-07-23 17:41 - 00000000 ____D () C:\Users\Klient
2014-06-01 16:41 - 2006-11-02 13:18 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-06-01 16:41 - 2006-11-02 13:18 - 00000000 ____D () C:\Windows\system32\spool
2014-06-01 16:41 - 2006-11-02 13:18 - 00000000 ____D () C:\Windows\registration
2014-06-01 16:41 - 2006-11-02 12:22 - 39059456 _____ () C:\Windows\system32\config\system_previous
2014-06-01 16:41 - 2006-11-02 12:22 - 29360128 _____ () C:\Windows\system32\config\software_previous
2014-06-01 16:41 - 2006-11-02 12:22 - 26476544 _____ () C:\Windows\system32\config\components_previous
2014-06-01 16:41 - 2006-11-02 12:22 - 00262144 _____ () C:\Windows\system32\config\security_previous
2014-06-01 16:41 - 2006-11-02 12:22 - 00262144 _____ () C:\Windows\system32\config\sam_previous
2014-06-01 16:41 - 2006-11-02 12:22 - 00262144 _____ () C:\Windows\system32\config\default_previous
2014-06-01 13:06 - 2014-03-03 09:49 - 00000000 ____D () C:\Users\Klient\Desktop\PrymusAgd
2014-06-01 12:54 - 2006-11-02 14:52 - 00133320 _____ () C:\Windows\setupact.log
2014-06-01 10:29 - 2014-01-02 12:55 - 00000000 ____D () C:\Users\Klient\AppData\Roaming\Skype
2014-05-28 17:41 - 2014-03-24 10:54 - 00000000 ____D () C:\Users\Klient\Desktop\Odbiorcy Czarek
2014-05-27 21:26 - 2014-01-02 12:54 - 00000000 ____D () C:\ProgramData\Skype
2014-05-26 09:12 - 2014-01-02 10:33 - 00000000 ____D () C:\Users\Klient\Desktop\Nowy katalog
2014-05-22 01:39 - 2013-10-06 16:31 - 00000932 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2265191351-1951022783-2934723849-1000UA.job
2014-05-21 23:39 - 2014-05-21 23:39 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2014-05-21 18:53 - 2013-10-06 16:31 - 00000910 _____ () C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2265191351-1951022783-2934723849-1000Core.job
2014-05-16 03:37 - 2006-11-02 13:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-05-16 03:24 - 2013-07-23 17:10 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-05-16 03:24 - 2006-11-02 15:00 - 00095450 _____ () C:\Windows\PFRO.log
2014-05-16 03:05 - 2013-07-24 12:57 - 00000000 ____D () C:\Windows\system32\MRT
2014-05-16 03:03 - 2006-11-02 12:24 - 90547776 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-05-14 13:50 - 2013-07-23 17:31 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-05-14 13:50 - 2013-07-23 17:31 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-05-12 10:39 - 2014-05-12 10:39 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-05-07 21:39 - 2014-05-07 19:01 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2014-05-06 01:32 - 2014-05-16 03:00 - 12347392 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-05-06 01:14 - 2014-05-16 03:00 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-05-06 01:14 - 2014-05-16 03:00 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

Some content of TEMP:
====================
C:\Users\Klient\AppData\Local\Temp\DataCard_Setup.exe
C:\Users\Klient\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\Klient\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Klient\AppData\Local\Temp\ResetDevice.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-06-02 09:33

==================== End Of Log ============================