Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Gocha (administrator) on GOSIA (10-09-2016 00:55:16)
Running from C:\Users\Gocha\Downloads
Loaded Profiles: Gocha (Available Profiles: Gocha)
Platform: Windows 8.1 Enterprise (Update) (X64) Language: Angielski (Stany Zjednoczone)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Nero AG) C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files (x86)\HTC\HTC Sync Manager\HTC Sync\adb.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Users\Gocha\Downloads\3cj0lhqr.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.18384_none_fa1d93c39b41b41a\TiWorker.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [2864528 2014-07-13] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKU\S-1-5-21-2176414354-3222065998-314886352-1001\...\MountPoints2: {79bccd80-fa47-11e4-8274-201a06d1ef15} - "E:\HTC_Sync_Manager_PC.exe"
Startup: C:\Users\Gocha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk [2014-07-13]
ShortcutTarget: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * ffnd.exe {949E979C-EB1F-11DB-92AC-22C456D89593}
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{400AE538-A0EB-48F6-A88B-DD6C5C2B9337}: [DhcpNameServer] 82.163.143.171
Tcpip\..\Interfaces\{BFEFA339-8996-4342-B912-1C66D2B18340}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{C76F78A3-1DD4-4516-9827-1A4A1B142607}: [DhcpNameServer] 82.163.143.171

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2176414354-3222065998-314886352-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
HKU\S-1-5-21-2176414354-3222065998-314886352-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=9&ar=msnhome
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Gocha\AppData\Roaming\Mozilla\Firefox\Profiles\xekeu0cz.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)

Chrome:
=======
CHR StartupUrls: Default -> "hxxps:\/\/www.google.pl\/"
CHR DefaultSearchURL: Default -> hxxp:\/\/srch.bar\/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp:\/\/srch.bar\/?s={searchTerms}
CHR Profile: C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Dysk Google) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-14]
CHR Extension: (YouTube) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (Google Search) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-14]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2016-07-03]
CHR Extension: (Mahjong Solitaire) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\neojceinbonpjjcokpokpeobkhcpiloc [2015-04-27]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-13]
CHR Extension: (Gmail) - C:\Users\Gocha\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-02]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2176414354-3222065998-314886352-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 HTCMonitorService; C:\Program Files (x86)\HTC\HTC Sync Manager\HSMServiceEntry.exe [87368 2014-06-27] (Nero AG)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [314696 2014-05-21] (Intel Corporation)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-10-29] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [X]
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
U3 uxldqpod; \??\C:\Users\Gocha\AppData\Local\Temp\uxldqpod.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-10 00:55 - 2016-09-10 00:55 - 00010320 _____ C:\Users\Gocha\Downloads\FRST.txt
2016-09-10 00:54 - 2016-09-10 00:54 - 00001008 _____ C:\Users\Gocha\Desktop\GMER.txt
2016-09-09 22:29 - 2016-09-09 22:29 - 00380928 _____ C:\Users\Gocha\Downloads\3cj0lhqr.exe
2016-09-09 22:27 - 2016-09-10 00:55 - 00000000 ____D C:\FRST
2016-09-09 22:26 - 2016-09-09 22:26 - 02397696 _____ (Farbar) C:\Users\Gocha\Downloads\FRST64.exe
2016-09-09 21:45 - 2010-03-08 12:10 - 00013824 _____ (Kephyr) C:\Windows\system32\ffnd.exe
2016-09-09 20:45 - 2016-09-09 20:51 - 00000000 ____D C:\AdwCleaner
2016-09-09 20:45 - 2016-09-09 20:45 - 03826240 _____ C:\Users\Gocha\Downloads\adwcleaner_6.010_www.INSTALKI.pl.exe
2016-09-09 20:24 - 2016-09-09 20:24 - 00000000 ____D C:\Users\Gocha\AppData\Local\Chromium

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-09-09 22:11 - 2014-07-13 03:58 - 00770504 _____ C:\Windows\system32\perfh015.dat
2016-09-09 22:11 - 2014-07-13 03:58 - 00155698 _____ C:\Windows\system32\perfc015.dat
2016-09-09 22:11 - 2013-09-30 06:14 - 01735328 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-09 22:11 - 2013-08-22 15:36 - 00000000 ____D C:\Windows\Inf
2016-09-09 21:07 - 2014-07-13 03:33 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2176414354-3222065998-314886352-1001
2016-09-09 20:53 - 2015-05-17 11:02 - 00000000 ____D C:\Users\Gocha\AppData\Local\HTC MediaHub
2016-09-09 20:53 - 2014-07-13 04:32 - 00000000 ___DO C:\Users\Gocha\SkyDrive
2016-09-09 20:53 - 2013-08-22 16:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-09 20:52 - 2016-08-03 01:44 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-09 20:52 - 2016-07-28 21:26 - 00123160 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-09-09 20:52 - 2016-07-28 21:26 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-09-09 20:52 - 2016-06-25 01:39 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-09-09 20:52 - 2013-08-22 15:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-09-09 20:28 - 2016-07-28 21:26 - 00121898 _____ C:\Windows\ZAM.krnl.trace
2016-09-09 20:27 - 2014-07-13 04:22 - 00000000 ____D C:\Program Files (x86)\Google
2016-08-27 01:03 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\NDF
2016-08-17 12:30 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\rescache
2016-08-16 20:34 - 2013-08-22 16:44 - 00481176 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-16 20:28 - 2013-08-22 17:36 - 00000000 ___RD C:\Windows\ToastData
2016-08-16 20:28 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\system32\SecureBootUpdates
2016-08-16 20:27 - 2013-08-22 17:20 - 00000000 ____D C:\Windows\CbsTemp
2016-08-14 01:37 - 2014-07-20 12:16 - 00000000 ____D C:\Users\Gocha\AppData\Roaming\Skype
2016-08-12 22:13 - 2013-08-22 17:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-12 22:13 - 2013-08-22 17:36 - 00000000 ____D C:\Windows\AppReadiness
2016-08-12 22:04 - 2014-07-17 16:49 - 00000000 ____D C:\Windows\system32\MRT
2016-08-12 21:55 - 2014-07-17 16:49 - 147640136 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2016-06-08 01:03 - 2016-06-08 01:03 - 2387474 _____ () C:\Users\Gocha\AppData\Roaming\sb796.dat
2016-05-09 19:03 - 2016-06-22 21:03 - 0000220 _____ () C:\Users\Gocha\AppData\Roaming\WB.CFG
2014-11-09 21:58 - 2014-11-09 21:58 - 0003584 _____ () C:\Users\Gocha\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some files in TEMP:
====================
C:\Users\Gocha\AppData\Local\Temp\app_e.exe
C:\Users\Gocha\AppData\Local\Temp\crpt.exe
C:\Users\Gocha\AppData\Local\Temp\Hola-Setup-x64-1.12.970.exe
C:\Users\Gocha\AppData\Local\Temp\libcurl-4.dll
C:\Users\Gocha\AppData\Local\Temp\libeay32.dll
C:\Users\Gocha\AppData\Local\Temp\msvcr120.dll
C:\Users\Gocha\AppData\Local\Temp\ose00000.exe
C:\Users\Gocha\AppData\Local\Temp\pthreadGC2-w64.dll
C:\Users\Gocha\AppData\Local\Temp\Quarantine.exe
C:\Users\Gocha\AppData\Local\Temp\SHSetup.exe
C:\Users\Gocha\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Gocha\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-09-08 19:49

==================== End of FRST.txt ============================