Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:23-08-2015 Ran by admin (administrator) on LAB2-15 (24-08-2015 11:42:17) Running from C:\Documents and Settings\admin.WSIE\Moje dokumenty\Pobrane Loaded Profiles: UpdatusUser & admin (Available Profiles: admin & UpdatusUser & Administrator & student & admin) Platform: Microsoft Windows XP Professional Dodatek Service Pack 3 (X86) Language: Polski Internet Explorer Version 8 (Default browser: Opera) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entry is included in the fixlist, the process will be closed. The file will not be moved.) (Autodesk, Inc.) C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe (ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe (Aladdin Knowledge Systems Ltd.) C:\WINDOWS\system32\hasplms.exe (FirebirdSQL Project) C:\Program Files\Firebird\bin\ibguard.exe (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe (SafeNet, Inc) C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe (Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Embarcadero Technologies, Inc.) C:\Documents and Settings\All Users\Dane aplikacji\Embarcadero\AppWaveBrowser\StreamingCore.exe (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe (FirebirdSQL Project) C:\Program Files\Firebird\bin\ibserver.exe (Microsoft Corporation) C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V5.27.exe (Microsoft Corporation) D:\2a55ff9e0b19a4b7dc0aa4\mrtstub.exe (Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE (ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe (Microsoft Corporation) C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE ==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [20065896 2012-04-24] (Realtek Semiconductor Corp.) HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe [3158584 2013-02-14] (ESET) HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated) HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation) HKLM\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [520424 2013-03-06] (Microsoft Corporation) HKU\S-1-5-21-3351379224-2185005437-3067649877-1654\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-10-01] (Google Inc.) ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll [2013-02-08] (Autodesk, Inc.) ==================== Internet (Whitelisted) ==================== (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.) HKU\S-1-5-21-3351379224-2185005437-3067649877-1654\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch HKU\S-1-5-21-3351379224-2185005437-3067649877-1654\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://gazeta.pl/0,0.html?sc=1 URLSearchHook: [S-1-5-21-1343024091-1177238915-770213442-1004] ATTENTION => Default URLSearchHook is missing SearchScopes: HKU\S-1-5-21-3351379224-2185005437-3067649877-1654 -> {819EC3CE-4B56-4ED0-B560-329EBE07CC18} URL = hxxp://szukaj.gazeta.pl/portalSearch.do?s.si(navigation).navigationEnabled=true&s.sm.query={searchTerms} BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation) BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2014-01-28] (Oracle Corporation) BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-08-19] (Google Inc.) BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation) BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2014-01-28] (Oracle Corporation) Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-08-19] (Google Inc.) Toolbar: HKU\S-1-5-21-3351379224-2185005437-3067649877-1654 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2015-08-19] (Google Inc.) Tcpip\Parameters: [DhcpNameServer] 10.1.1.3 10.1.1.5 Tcpip\..\Interfaces\{3D55087A-E9B1-4C78-9D49-3D55F1793A85}: [DhcpNameServer] 10.1.1.3 10.1.1.5 FireFox: ======== FF ProfilePath: C:\Documents and Settings\admin.WSIE\Dane aplikacji\Mozilla\Firefox\Profiles\qu6ui9ik.default FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-19] () FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google) FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-01-28] (Oracle Corporation) FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2014-01-28] (Oracle Corporation) FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation) FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation) FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation) FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation) FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-08-19] (Google Inc.) FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-08-19] (Google Inc.) FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.) FF Plugin HKU\S-1-5-21-3351379224-2185005437-3067649877-1654: www.embarcadero.com/appWaveBrowserDetector -> C:\Documents and Settings\All Users\Dane aplikacji\Embarcadero\AppWaveBrowser\npappWaveBrowserDetector.dll [2013-09-23] (Embarcadero Technologies) FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2013-09-24] FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird FF Extension: ESET Endpoint Security Extension - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird [2013-09-24] Chrome: ======= CHR Profile: C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default CHR Extension: (Google Docs) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-05] CHR Extension: (Google Drive) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-05] CHR Extension: (YouTube) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-05] CHR Extension: (Google Search) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-05] CHR Extension: (Google Wallet) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-05] CHR Extension: (Gmail) - C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-05] ==================== Services (Whitelisted) ======================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 Autodesk Content Service; C:\Program Files\Autodesk\Content Service\Connect.Service.ContentService.exe [12288 2012-12-13] (Autodesk, Inc.) [File not signed] S3 Autodesk Network Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe [902760 2007-02-12] (Autodesk, Inc.) S3 EhttpSrv; C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe [33136 2013-02-14] (ESET) R2 ekrn; C:\Program Files\ESET\ESET Endpoint Antivirus\ekrn.exe [1020304 2013-02-14] (ESET) S3 ESHASRV; C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [183944 2013-02-14] (ESET) S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1074480 2014-03-26] (Flexera Software LLC) R2 hasplms; C:\WINDOWS\system32\hasplms.exe [2869760 2009-04-21] (Aladdin Knowledge Systems Ltd.) R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-01-28] (Oracle Corporation) S4 MSSQLFDLauncher$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\fdlauncher.exe [31256 2008-07-10] (Microsoft Corporation) S4 msvsmon90; C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe [3201024 2008-07-29] (Microsoft Corporation) R2 ReportServer$SQLEXPRESS; C:\Program Files\Microsoft SQL Server\MSRS10.SQLEXPRESS\Reporting Services\ReportServer\bin\ReportingServicesService.exe [1106968 2008-07-10] (Microsoft Corporation) R2 SentinelProtectionServer; C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe [206400 2006-05-07] (SafeNet, Inc) R2 StreamingCore; C:\Documents and Settings\All Users\Dane aplikacji\Embarcadero\AppWaveBrowser\StreamingCore.exe [3765184 2013-09-23] (Embarcadero Technologies, Inc.) R2 InterBaseGuardian; C:\Program Files\Firebird\bin\ibguard -s [X] R3 InterBaseServer; C:\Program Files\Firebird\bin\ibserver -s [X] ===================== Drivers (Whitelisted) ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) R2 aksfridge; C:\WINDOWS\system32\drivers\aksfridge.sys [352256 2009-01-16] (Aladdin Knowledge Systems Ltd.) S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative) R1 eamon; C:\WINDOWS\System32\DRIVERS\eamon.sys [164488 2013-02-04] (ESET) R1 ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [124848 2013-02-04] (ESET) R1 epfwtdir; C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [107856 2013-02-04] (ESET) S3 grmnusb; C:\WINDOWS\System32\drivers\grmnusb.sys [15720 2012-04-18] (GARMIN Corp.) R2 Hardlock; C:\WINDOWS\system32\drivers\hardlock.sys [586752 2009-03-13] (Aladdin Knowledge Systems Ltd.) R2 Haspnt; C:\WINDOWS\system32\drivers\Haspnt.sys [47616 2013-09-24] (Aladdin Knowledge Systems) [File not signed] S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.) S4 RsFx0102; C:\WINDOWS\System32\DRIVERS\RsFx0102.sys [242712 2008-07-10] (Microsoft Corporation) S3 StreamingFSD; C:\Documents and Settings\All Users\Dane aplikacji\Embarcadero\AppWaveBrowser\wxp\StreamingFSD.sys [551096 2013-09-23] (Embarcadero Technologies, Inc.) R1 Tcpip; C:\WINDOWS\System32\DRIVERS\tcpip.sys [361600 2013-09-30] (Microsoft Corporation) [File not signed] S3 TrmbTS; C:\WINDOWS\System32\Drivers\TrmbTS.sys [29184 2007-04-23] (Trimble AB, Sweden) [File not signed] S3 TRMUSB5K; C:\WINDOWS\System32\drivers\TRMUSB5K.sys [9881 2000-06-20] (e-TEK Labs) [File not signed] S4 IntelIde; no ImagePath S3 Sntnlusb; system32\DRIVERS\SNTNLUSB.SYS [X] U1 WS2IFSL; no ImagePath ==================== NetSvcs (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) ==================== One Month Created files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2015-08-21 13:34 - 2015-08-24 11:42 - 00000000 ____D C:\FRST 2015-08-21 13:33 - 2015-08-21 13:33 - 00049990 _____ C:\Documents and Settings\admin.WSIE\Moje dokumenty\gmer log.log 2015-08-19 10:31 - 2015-08-24 11:42 - 00000000 ____D C:\Documents and Settings\admin.WSIE\Moje dokumenty\Pobrane 2015-08-19 10:23 - 2015-08-24 11:39 - 00000222 _____ C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — logowanie.job 2015-08-19 10:23 - 2015-08-24 11:39 - 00000216 _____ C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — co miesiąc.job ==================== One Month Modified files and folders ======== (If an entry is included in the fixlist, the file/folder will be moved.) 2015-08-24 11:43 - 2013-09-05 12:52 - 00000000 ____D C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Temp 2015-08-24 11:42 - 2013-10-15 14:06 - 00000000 ____D C:\WINDOWS\system32\MRT 2015-08-24 11:41 - 2013-09-05 10:56 - 01363307 _____ C:\WINDOWS\WindowsUpdate.log 2015-08-24 11:39 - 2013-09-05 14:00 - 00001032 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job 2015-08-24 11:39 - 2008-04-15 14:00 - 00013646 _____ C:\WINDOWS\system32\wpa.dbl 2015-08-24 11:38 - 2013-09-05 12:37 - 00000000 ____D C:\WINDOWS\security 2015-08-24 11:37 - 2014-09-20 11:14 - 00000159 _____ C:\WINDOWS\wiadebug.log 2015-08-24 11:36 - 2014-09-20 11:14 - 00000050 _____ C:\WINDOWS\wiaservc.log 2015-08-24 11:36 - 2013-09-05 12:50 - 00000112 _____ C:\WINDOWS\system32\config\netlogon.ftl 2015-08-24 11:36 - 2013-09-05 11:03 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT 2015-08-21 13:36 - 2013-09-23 14:33 - 00065536 _____ C:\WINDOWS\system32\config\Streamin.evt 2015-08-21 13:36 - 2013-09-05 12:52 - 00000188 ___SH C:\Documents and Settings\admin.WSIE\ntuser.ini 2015-08-21 13:36 - 2013-09-05 11:03 - 00032354 _____ C:\WINDOWS\SchedLgU.Txt 2015-08-21 13:33 - 2013-09-05 12:52 - 00000000 ___RD C:\Documents and Settings\admin.WSIE\Moje dokumenty 2015-08-21 13:27 - 2013-09-05 14:00 - 00001036 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job 2015-08-21 13:26 - 2013-09-05 14:02 - 00000930 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job 2015-08-21 10:27 - 2013-09-05 12:52 - 00000000 ___HD C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji 2015-08-19 10:29 - 2013-09-05 14:00 - 00001819 _____ C:\Documents and Settings\All Users\Pulpit\Google Chrome.lnk 2015-08-19 10:27 - 2013-10-28 15:17 - 00000000 ___RD C:\Documents and Settings\student\Moje dokumenty 2015-08-19 10:27 - 2013-10-28 15:17 - 00000000 ____D C:\Documents and Settings\student\Pulpit 2015-08-19 10:26 - 2013-09-05 14:02 - 00778440 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe 2015-08-19 10:26 - 2013-09-05 14:02 - 00142536 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl 2015-08-19 10:26 - 2013-09-05 12:52 - 00000000 ____D C:\Documents and Settings\admin.WSIE 2015-08-19 10:24 - 2013-10-28 15:17 - 00000188 ___SH C:\Documents and Settings\student\ntuser.ini 2015-08-19 10:23 - 2013-10-28 15:17 - 00000000 ____D C:\Documents and Settings\student\Ustawienia lokalne\Temp 2015-07-28 11:01 - 2013-09-23 15:43 - 129304528 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe ==================== Files in the root of some directories ======= 2014-01-28 15:37 - 2014-01-28 15:37 - 0003584 _____ () C:\Documents and Settings\admin.WSIE\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini 2013-09-24 14:05 - 2006-05-25 12:18 - 0003554 _____ () C:\Documents and Settings\All Users\reg119.txt Some files in TEMP: ==================== C:\Documents and Settings\student\Ustawienia lokalne\Temp\FNP_ACT_InstallerCA.dll ==================== Bamital & volsnap ================= (There is no automatic fix for files that do not pass verification.) C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed ==================== End of log ============================