Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-12-2014 03
Ran by HolloW at 2014-12-14 15:58:29 Run:1
Running from C:\Users\HolloW\Desktop
Loaded Profile: HolloW (Available profiles: HolloW & Dom)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
R2 tor; C:\Program Files (x86)\Tor\tor.exe [3233806 2013-08-23] () [File not signed]
R2 WebCake Desktop Updater; C:\Program Files (x86)\WBDesktop.Updater.exe [51992 2013-08-11] (cake bake) )
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 ewusbmbb; system32\DRIVERS\ewusbwwan.sys [X]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 MSICDSetup; \??\D:\CDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 X6va016; \??\C:\Windows\SysWOW64\Drivers\X6va016 [X]
GroupPolicyUsers\S-1-5-21-400919767-554095329-431794452-1003\User: Group Policy restriction detected <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-400919767-554095329-431794452-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-400919767-554095329-431794452-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKU\S-1-5-21-400919767-554095329-431794452-1000 -> DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=119370&tt=190313_wo1&babsrc=SP_ss_din2g&mntrId=14B3001333AFDA05
SearchScopes: HKU\S-1-5-21-400919767-554095329-431794452-1000 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=119370&tt=190313_wo1&babsrc=SP_ss_din2g&mntrId=14B3001333AFDA05
SearchScopes: HKU\S-1-5-21-400919767-554095329-431794452-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.22find.com/web/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147945
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\Dom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.22find.com/?utm_source=b&utm_medium=prs&from=prs&uid=WDCXWD5000AAKX-00ERMA0_WD-WCC2ER47144071440&ts=1362147942
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - No Path
HKU\S-1-5-21-400919767-554095329-431794452-1000\...\RunOnce: [Adobe Speed Launcher] => 1418382088
Task: {2724D264-9F0A-4532-94C4-7E230BD75DB3} - System32\Tasks\RunAsStdUser => C:\Program Files (x86)\Desk 365\desk365.exe <==== ATTENTION
Task: {3FB5F7AA-2883-420E-8B88-15B92CE70DEE} - System32\Tasks\{0D8742BB-7A83-4D0E-A8FE-7194F9A46058} => Firefox.exe http://ui.skype.com/ui/0/6.2.0.106/pl/abandoninstall?source=lightinstaller&page=tsInstall
Task: {69190F3F-D8F8-4CA6-9EDA-999DCAE8CE2B} - System32\Tasks\AdobeFlashPlayerUpdate 2 => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
Task: {B3547192-8E82-4399-B625-F5A23A124062} - System32\Tasks\AdobeFlashPlayerUpdate => C:\Windows\SysWOW64\FlashPlayerUpdateService.exe
C:\Program Files (x86)\WBDesktop.Updater.exe
C:\Program Files (x86)\Betcat
C:\Program Files (x86)\Tor
C:\Program Files (x86)\Mozilla Firefox\plugins
C:\ProgramData\TEMP
C:\Windows\SysWow64\ᅑ
C:\Windows\SysWow64\o
C:\Windows\SysWow64\꜉鮇D
C:\Windows\SysWow64\晻
C:\Windows\SysWow64\⋨ⵗY
C:\Windows\SysWow64\⃻쑈
C:\Windows\SysWow64\↻䁘
C:\Windows\SysWow64\゚맆
C:\Windows\SysWow64\⼹㬡
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main" /f
CMD: netsh advfirewall reset
EmptyTemp:
*****************

Processes closed successfully.
tor => Service stopped successfully.
tor => Service deleted successfully.
WebCake Desktop Updater => Service deleted successfully.
catchme => Service deleted successfully.
ewusbmbb => Service deleted successfully.
ew_hwusbdev => Service deleted successfully.
huawei_enumerator => Service deleted successfully.
hwdatacard => Service deleted successfully.
MSICDSetup => Service deleted successfully.
VGPU => Service deleted successfully.
X6va016 => Service deleted successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-400919767-554095329-431794452-1003\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-400919767-554095329-431794452-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-400919767-554095329-431794452-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => Value was restored successfully.
HKU\S-1-5-21-400919767-554095329-431794452-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-400919767-554095329-431794452-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" => Key deleted successfully.
"HKCR\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}" => Key not found.
"HKU\S-1-5-21-400919767-554095329-431794452-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => Key deleted successfully.
"HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => Key not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument was removed successfully.
C:\Users\Dom\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument was restored successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => Shortcut argument was removed successfully.
C:\Users\HolloW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk => Shortcut argument was removed successfully.
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument was removed successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/Lync,version=15.0" => Key deleted successfully.
C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll => Moved successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => Key deleted successfully.
HKU\S-1-5-21-400919767-554095329-431794452-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Adobe Speed Launcher => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2724D264-9F0A-4532-94C4-7E230BD75DB3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2724D264-9F0A-4532-94C4-7E230BD75DB3}" => Key deleted successfully.
C:\Windows\System32\Tasks\RunAsStdUser => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RunAsStdUser" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3FB5F7AA-2883-420E-8B88-15B92CE70DEE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3FB5F7AA-2883-420E-8B88-15B92CE70DEE}" => Key deleted successfully.
C:\Windows\System32\Tasks\{0D8742BB-7A83-4D0E-A8FE-7194F9A46058} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{0D8742BB-7A83-4D0E-A8FE-7194F9A46058}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{69190F3F-D8F8-4CA6-9EDA-999DCAE8CE2B}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{69190F3F-D8F8-4CA6-9EDA-999DCAE8CE2B}" => Key deleted successfully.
C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate 2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdobeFlashPlayerUpdate 2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B3547192-8E82-4399-B625-F5A23A124062}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3547192-8E82-4399-B625-F5A23A124062}" => Key deleted successfully.
C:\Windows\System32\Tasks\AdobeFlashPlayerUpdate => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdobeFlashPlayerUpdate" => Key deleted successfully.
C:\Program Files (x86)\WBDesktop.Updater.exe => Moved successfully.
C:\Program Files (x86)\Betcat => Moved successfully.
C:\Program Files (x86)\Tor => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\plugins => Moved successfully.
C:\ProgramData\TEMP => Moved successfully.
"C:\Windows\SysWow64\ᅑ" => File/Directory not found.
"C:\Windows\SysWow64\o" => File/Directory not found.
"C:\Windows\SysWow64\꜉鮇D" => File/Directory not found.
"C:\Windows\SysWow64\晻" => File/Directory not found.
"C:\Windows\SysWow64\⋨ⵗY" => File/Directory not found.
"C:\Windows\SysWow64\⃻쑈" => File/Directory not found.
"C:\Windows\SysWow64\↻䁘" => File/Directory not found.
"C:\Windows\SysWow64\゚맆" => File/Directory not found.
"C:\Windows\SysWow64\⼹㬡" => File/Directory not found.

========= reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

EmptyTemp: => Removed 1 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====