Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by Krzysztof (administrator) on 1-425232528F714 (17-03-2017 18:13:47)
Running from C:\Documents and Settings\Krzysztof\Desktop\FRST
Loaded Profiles: Krzysztof (Available Profiles: Krzysztof & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) Language: English (United States)
Internet Explorer Version 6 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Samsung Electronics,.LTD) C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(CANON INC.) C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(C. Ghisler & Co.) C:\totalcmd\TOTALCMD.EXE
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe
(Microsoft Corporation) C:\WINDOWS\system32\regsvr32.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BluetoothAuthenticationAgent] => rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [90112 2006-11-10] ()
HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [16380416 2007-07-05] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Alcmtr] => C:\WINDOWS\ALCMTR.EXE [69632 2005-05-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [EDS] => C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe [634880 2007-09-20] (Samsung Electronics,.LTD)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [761947 2005-12-07] (Synaptics, Inc.)
HKLM\...\Run: [BatteryManager] => C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe [2764800 2007-09-03] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [IJNetworkScannerSelectorEX] => C:\Program Files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe [452016 2011-01-15] (CANON INC.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [205512 2017-03-16] (AVAST Software)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll [2007-10-11] (ATI Technologies Inc.)
HKU\S-1-5-21-1123561945-879983540-1547161642-1003\...\Run: [*wdaphjujw<*>] => "C:\Documents and Settings\Krzysztof\Local Settings\Application Data\4cafa\1f864.bat" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1123561945-879983540-1547161642-1003\...\MountPoints2: {f9c7881c-eb1c-11e6-bcb1-001bdc0f90cc} - G:\RunClubSanDisk.exe
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2017-03-16] (AVAST Software)
ShellIconOverlayIdentifiers: [Uchwyt nakładania ikony podpisu cyfrowego] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\WINDOWS\system32\AcSignIcon.dll [2004-02-25] (Autodesk)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Przyspieszenie uruchomienia programu AutoCAD.lnk [2016-08-26]
ShortcutTarget: Przyspieszenie uruchomienia programu AutoCAD.lnk -> C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{D615CA50-B799-4A7A-B749-7B4525E5A29F}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\S-1-5-21-1123561945-879983540-1547161642-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKU\S-1-5-21-1123561945-879983540-1547161642-1003\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKU\S-1-5-21-1123561945-879983540-1547161642-1003 - Microsoft Url Search Hook - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "" <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)

FireFox:
========
FF DefaultProfile: oa980c5p.default
FF ProfilePath: C:\Documents and Settings\Krzysztof\Application Data\Mozilla\Firefox\Profiles\oa980c5p.default [2017-03-17]
FF Homepage: C:\Documents and Settings\Krzysztof\Application Data\Mozilla\Firefox\Profiles\oa980c5p.default -> interia.pl
FF Extension: (Adblock Plus) - C:\Documents and Settings\Krzysztof\Application Data\Mozilla\Firefox\Profiles\oa980c5p.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-24]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF48
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF48 [2017-03-16]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF48
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF48 [2017-03-16]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_24_0_0_221.dll [2017-02-28] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-17] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-01-21] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)

Chrome:
=======
CHR Profile: C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default [2017-03-06]
CHR Extension: (Google Slides) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-02-04]
CHR Extension: (Google Docs) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-04]
CHR Extension: (Google Drive) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-04]
CHR Extension: (YouTube) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-04]
CHR Extension: (Google Search) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-04]
CHR Extension: (Google Sheets) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-02-04]
CHR Extension: (Google Docs Offline) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-07-25]
CHR Extension: (Chrome Web Store Payments) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-12]
CHR Extension: (Gmail) - C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-04]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\aswidsagent.exe [5545144 2017-03-16] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [262736 2017-03-16] (AVAST Software)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [3303888 2017-01-20] (Malwarebytes)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AR5211; C:\WINDOWS\System32\DRIVERS\ar5211.sys [547904 2007-07-26] (Atheros Communications, Inc.)
R1 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdriverx.sys [257288 2017-03-16] (AVAST Software s.r.o.)
R0 aswbidsh; C:\WINDOWS\system32\drivers\aswbidshx.sys [148720 2017-03-16] (AVAST Software s.r.o.)
R0 aswblog; C:\WINDOWS\system32\drivers\aswblogx.sys [267016 2017-03-16] (AVAST Software s.r.o.)
R0 aswbuniv; C:\WINDOWS\system32\drivers\aswbunivx.sys [41176 2017-03-16] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [34136 2017-03-16] (AVAST Software)
R1 aswKbd; C:\WINDOWS\system32\drivers\aswKbd.sys [31064 2017-03-16] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [106392 2017-03-16] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [60632 2017-03-16] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [62152 2017-03-16] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [756200 2017-03-16] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [465024 2017-03-16] (AVAST Software)
R3 aswStmXP; C:\WINDOWS\system32\drivers\aswStmXP.sys [184208 2017-03-16] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [278776 2017-03-16] (AVAST Software)
R3 DNSeFilter; C:\WINDOWS\System32\drivers\SamsungEDS.sys [29184 2007-09-19] (Samsung Electronics,.LTD) [File not signed]
R2 DOSMEMIO; C:\WINDOWS\system32\MEMIO.SYS [4300 2007-05-23] () [File not signed]
R1 ESProtectionDriver; C:\WINDOWS\system32\drivers\mbae.sys [59968 2017-02-24] ()
S1 eusk2par; C:\WINDOWS\system32\Drivers\eusk2par.sys [24786 2004-06-23] (EUTRON) [File not signed]
S3 FTDIBUS; C:\WINDOWS\System32\drivers\ftdibus.sys [57672 2009-02-17] (FTDI Ltd.)
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [148256 2017-03-16] (Malwarebytes)
R3 MBAMProtection; C:\WINDOWS\system32\drivers\mbam.sys [39360 2017-03-17] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [219584 2017-03-17] (Malwarebytes)
R3 yukonwxp; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [249856 2006-08-25] (Marvell)
S4 IntelIde; no ImagePath
U1 WS2IFSL; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-17 18:13 - 2017-03-17 18:13 - 00000000 ____D C:\FRST
2017-03-17 18:13 - 2017-03-17 18:13 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\FRST
2017-03-17 17:42 - 2017-03-17 17:42 - 00000000 ____D C:\Documents and Settings\Krzysztof\Application Data\AVAST Software
2017-03-16 22:28 - 2017-03-16 22:28 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\decrypt
2017-03-16 21:49 - 2017-03-16 21:49 - 00007906 _____ C:\Documents and Settings\Krzysztof\Desktop\Finanse.xlsx
2017-03-16 21:48 - 2017-03-15 19:35 - 00192000 _____ C:\Documents and Settings\Krzysztof\Desktop\Finanse.xls.crypted
2017-03-16 20:48 - 2017-03-17 17:34 - 00000480 _____ C:\WINDOWS\Tasks\SafeZone scheduled Autoupdate 1489697299.job
2017-03-16 20:48 - 2017-03-16 20:48 - 00000756 _____ C:\Documents and Settings\All Users\Start Menu\Programs\Avast SafeZone Browser.lnk
2017-03-16 20:48 - 2017-03-16 20:48 - 00000756 _____ C:\Documents and Settings\All Users\Desktop\Avast SafeZone Browser.lnk
2017-03-16 20:47 - 2017-03-16 20:47 - 00031064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2017-03-16 20:34 - 2017-03-16 20:24 - 00328208 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-03-16 20:27 - 2017-03-16 20:27 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\CEF
2017-03-16 20:27 - 2017-03-16 20:27 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\AVAST Software
2017-03-16 20:26 - 2017-03-16 20:35 - 00001689 _____ C:\Documents and Settings\All Users\Desktop\Avast Free Antivirus.lnk
2017-03-16 20:26 - 2017-03-16 20:26 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVAST Software
2017-03-16 20:25 - 2017-03-17 17:34 - 00000324 ____H C:\WINDOWS\Tasks\Avast Emergency Update.job
2017-03-16 20:25 - 2017-03-16 20:34 - 00465024 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsp.sys
2017-03-16 20:25 - 2017-03-16 20:34 - 00278776 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswvmm.sys
2017-03-16 20:25 - 2017-03-16 20:25 - 00184208 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStmXP.sys
2017-03-16 20:25 - 2017-03-16 20:25 - 00106392 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-03-16 20:25 - 2017-03-16 20:25 - 00062152 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-03-16 20:25 - 2017-03-16 20:25 - 00034136 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-03-16 20:25 - 2017-03-16 20:24 - 00921280 _____ (Microsoft Corporation) C:\WINDOWS\ucrtbase.dll
2017-03-16 20:25 - 2017-03-16 20:24 - 00756200 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-03-16 20:25 - 2017-03-16 20:24 - 00060632 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr.sys
2017-03-16 20:25 - 2017-03-16 20:23 - 00267016 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswblogx.sys
2017-03-16 20:25 - 2017-03-16 20:23 - 00257288 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdriverx.sys
2017-03-16 20:25 - 2017-03-16 20:23 - 00148720 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidshx.sys
2017-03-16 20:25 - 2017-03-16 20:23 - 00041176 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbunivx.sys
2017-03-16 20:22 - 2017-03-16 20:47 - 00000000 ____D C:\Program Files\AVAST Software
2017-03-16 20:21 - 2017-03-16 21:36 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\AVAST Software
2017-03-16 20:21 - 2017-03-16 20:21 - 00098064 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2017-03-16 20:21 - 2017-03-16 20:21 - 00013158 _____ C:\Documents and Settings\All Users\Application Data\agent.1489695655.bdinstall.bin
2017-03-16 20:21 - 2017-03-16 20:21 - 00000000 ____D C:\Program Files\Bitdefender Agent
2017-03-16 20:20 - 2017-03-16 20:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\GHISLER
2017-03-16 20:19 - 2017-03-16 20:19 - 00000534 _____ C:\Documents and Settings\Administrator\Desktop\Total Commander 32.lnk
2017-03-16 20:03 - 2017-03-16 20:04 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
2017-03-16 20:03 - 2017-03-16 20:03 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
2017-03-16 20:01 - 2017-03-16 20:01 - 00000000 __SHD C:\WINDOWS\CSC
2017-03-16 06:45 - 2017-03-16 06:56 - 00003528 _____ C:\RakhniDecryptor.1.17.17.0_16.03.2017_06.45.05_log.txt
2017-03-16 00:34 - 2017-03-16 00:34 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\4cafa
2017-03-15 23:29 - 2017-03-15 23:29 - 00000079 _____ C:\WINDOWS\wininit.ini
2017-03-15 23:16 - 2017-03-16 20:02 - 00148256 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMChameleon.sys
2017-03-15 23:15 - 2017-03-17 17:36 - 00039360 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2017-03-15 23:15 - 2017-03-17 17:34 - 00219584 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-03-15 23:15 - 2017-03-15 23:15 - 00001715 _____ C:\Documents and Settings\All Users\Desktop\Malwarebytes.lnk
2017-03-15 23:15 - 2017-03-15 23:15 - 00000000 ____D C:\Program Files\Malwarebytes
2017-03-15 23:15 - 2017-03-15 23:15 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Malwarebytes
2017-03-15 23:15 - 2017-02-24 06:23 - 00059968 _____ C:\WINDOWS\system32\Drivers\mbae.sys
2017-03-15 22:57 - 2017-03-16 20:43 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2017-03-15 22:57 - 2017-03-16 20:39 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Temp
2017-03-15 22:57 - 2017-03-16 20:37 - 00237834 _____ C:\WINDOWS\ntbtlog.txt
2017-03-15 22:57 - 2017-03-15 22:57 - 00000000 ____D C:\Documents and Settings\Administrator
2017-03-15 22:57 - 2016-01-29 19:07 - 00001599 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
2017-03-15 22:57 - 2016-01-29 19:07 - 00000792 _____ C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
2017-03-15 22:57 - 2016-01-29 18:57 - 00000000 ____D C:\Documents and Settings\Administrator\My Documents
2017-03-15 22:11 - 2017-03-16 20:00 - 00065536 _____ C:\WINDOWS\system32\config\WindowsPowerShell.evt
2017-03-15 22:11 - 2017-03-15 22:13 - 00065536 _____ C:\WINDOWS\system32\config\EventForwarding-Operational.Evt
2017-03-15 21:50 - 2017-03-15 21:50 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Application Data\AVG
2017-03-15 21:42 - 2017-03-15 21:42 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Temp
2017-03-15 20:40 - 2017-03-15 23:41 - 00000000 ____D C:\Program Files\Spybot - Search & Destroy 2
2017-03-15 20:40 - 2017-03-15 23:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2017-03-15 20:40 - 2017-03-15 22:10 - 00065536 _____ C:\WINDOWS\system32\config\SpybotSD.evt
2017-03-15 20:24 - 2017-03-15 20:24 - 00000000 __HDC C:\WINDOWS\$NtUninstallWdf01009$
2017-03-15 20:24 - 2008-11-07 18:55 - 00016928 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsgXP_2k3.dll
2017-03-15 20:18 - 2017-03-16 19:30 - 00000000 ____D C:\Program Files\AVG
2017-03-15 20:17 - 2017-03-16 19:29 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\AvgSetupLog
2017-03-15 20:17 - 2017-03-16 19:29 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Avg
2017-03-15 20:17 - 2017-03-15 21:49 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Avg
2017-03-15 19:40 - 2017-03-15 22:10 - 00065536 _____ C:\WINDOWS\system32\config\Windows .evt
2017-03-15 19:40 - 2017-03-15 22:10 - 00065536 _____ C:\WINDOWS\system32\config\Microsof.evt
2017-03-15 19:39 - 2017-03-15 19:40 - 00000000 __HDC C:\WINDOWS\$968930Uinstall_KB968930$
2017-03-15 19:39 - 2017-03-15 19:39 - 00000000 ____D C:\WINDOWS\system32\winrm
2017-03-15 19:39 - 2017-03-15 19:39 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-03-15 19:39 - 2017-03-15 19:39 - 00000000 ____D C:\WINDOWS\$NtUninstallKB968930$
2017-03-15 19:39 - 2009-06-17 18:59 - 00014640 ____N (Microsoft Corporation) C:\WINDOWS\system32\spmsg.dll
2017-03-15 19:39 - 2008-11-07 18:55 - 00026144 _____ (Microsoft Corporation) C:\WINDOWS\system32\spupdsvc.exe
2017-03-15 19:31 - 2017-03-15 19:41 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\fozeh
2017-03-15 19:31 - 2017-03-15 19:31 - 00001353 _____ C:\Documents and Settings\Krzysztof\Desktop\DECRYPT.txt
2017-03-02 22:53 - 2017-03-02 22:53 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon MG3100 series
2017-02-23 23:12 - 2017-03-15 19:31 - 00218896 _____ C:\Documents and Settings\Krzysztof\Desktop\333.jpg.crypted

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-17 18:14 - 2016-12-14 02:39 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Temp
2017-03-17 18:12 - 2016-01-29 20:30 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-03-17 18:09 - 2016-02-04 20:33 - 00000886 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2017-03-17 17:39 - 2016-01-29 19:23 - 00001099 _____ C:\WINDOWS\wincmd.ini
2017-03-17 17:36 - 2016-08-26 19:50 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\ApplicationHistory
2017-03-17 17:34 - 2016-02-04 20:33 - 00000882 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2017-03-17 17:34 - 2016-01-29 19:12 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-16 22:52 - 2016-01-29 19:13 - 00000178 ___SH C:\Documents and Settings\Krzysztof\ntuser.ini
2017-03-16 22:52 - 2016-01-29 19:12 - 00032266 _____ C:\WINDOWS\SchedLgU.Txt
2017-03-16 22:04 - 2016-05-11 21:07 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\1
2017-03-16 20:51 - 2016-01-29 18:49 - 00000000 ___HD C:\WINDOWS\inf
2017-03-16 20:00 - 2016-01-29 19:36 - 00524288 _____ C:\WINDOWS\system32\config\ACEEvent.evt
2017-03-16 07:07 - 2017-01-14 11:05 - 00000000 ____D C:\Documents and Settings\Krzysztof
2017-03-15 23:04 - 2016-02-07 18:24 - 00000644 _____ C:\Documents and Settings\Krzysztof\Desktop\Shortcut to Finanse.lnk
2017-03-15 22:57 - 2016-01-29 18:56 - 00000000 ____D C:\Documents and Settings
2017-03-15 22:14 - 2016-01-29 19:12 - 00000000 ____D C:\Documents and Settings\LocalService\Local Settings\Temp
2017-03-15 20:45 - 2016-01-29 19:12 - 00000000 __SHD C:\Documents and Settings\LocalService
2017-03-15 19:47 - 2016-01-29 18:49 - 00000000 ____D C:\WINDOWS\security
2017-03-15 19:41 - 2016-01-29 18:57 - 00001374 _____ C:\WINDOWS\imsins.BAK
2017-03-15 19:40 - 2016-01-29 18:49 - 00000000 ____D C:\WINDOWS\Help
2017-03-15 19:36 - 2016-01-29 18:57 - 00536798 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-15 19:32 - 2016-04-25 19:37 - 00000000 ____D C:\pwrcmdr
2017-03-15 19:32 - 2016-01-29 19:23 - 00000000 ____D C:\totalcmd
2017-03-15 19:31 - 2017-01-25 06:28 - 00034920 _____ C:\Documents and Settings\Krzysztof\Desktop\321.jpg.crypted
2017-03-15 19:31 - 2016-09-25 20:21 - 05036441 _____ C:\Documents and Settings\Krzysztof\Desktop\20160311_134331.jpg.crypted
2017-03-15 19:31 - 2016-08-25 21:31 - 00243985 _____ C:\Documents and Settings\Krzysztof\Desktop\xxx2.jpg.crypted
2017-03-15 19:31 - 2016-08-25 21:30 - 00242243 _____ C:\Documents and Settings\Krzysztof\Desktop\xxx1.jpg.crypted
2017-03-15 19:31 - 2016-08-24 21:37 - 00100850 _____ C:\Documents and Settings\Krzysztof\Desktop\xxx.jpg.crypted
2017-03-15 19:31 - 2016-08-10 19:09 - 00123158 _____ C:\Documents and Settings\Krzysztof\Desktop\ecu3.jpg.crypted
2017-03-15 19:31 - 2016-08-10 19:09 - 00105270 _____ C:\Documents and Settings\Krzysztof\Desktop\ecu2.jpg.crypted
2017-03-15 19:31 - 2016-08-10 19:08 - 00098814 _____ C:\Documents and Settings\Krzysztof\Desktop\ecu1.jpg.crypted
2017-03-15 19:31 - 2016-07-05 19:36 - 00021369 _____ C:\Documents and Settings\Krzysztof\Desktop\collect+label.pdf.crypted
2017-03-15 19:31 - 2016-05-30 13:30 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\tyres
2017-03-15 19:31 - 2016-05-15 12:59 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\shock
2017-03-15 19:31 - 2016-05-07 11:22 - 00295041 _____ C:\Documents and Settings\Krzysztof\Desktop\222.jpg.crypted
2017-03-15 19:31 - 2016-05-03 05:29 - 00076966 _____ C:\Documents and Settings\Krzysztof\Desktop\123.jpg.crypted
2017-03-15 19:31 - 2016-04-26 19:10 - 00099735 _____ C:\Documents and Settings\Krzysztof\Desktop\1 locked compound.jpg.crypted
2017-03-15 19:31 - 2016-04-26 18:32 - 00111133 _____ C:\Documents and Settings\Krzysztof\Desktop\1 privat property.jpg.crypted
2017-03-15 19:31 - 2016-04-21 23:13 - 00012252 _____ C:\Documents and Settings\Krzysztof\Desktop\job statement.docx.crypted
2017-03-15 19:31 - 2016-04-17 21:00 - 00118175 _____ C:\Documents and Settings\Krzysztof\Desktop\zx10r 2010.jpg.crypted
2017-03-15 19:31 - 2016-04-15 05:41 - 00269386 _____ C:\Documents and Settings\Krzysztof\Desktop\Tyre YODEL.pdf.crypted
2017-03-15 19:31 - 2016-04-07 18:51 - 00048601 _____ C:\Documents and Settings\Krzysztof\Desktop\rear sets.jpg.crypted
2017-03-15 19:31 - 2016-04-03 10:26 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\helmet
2017-03-15 19:31 - 2016-03-21 06:55 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\MCE insurance
2017-03-15 19:31 - 2016-03-13 17:53 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\bits
2017-03-15 19:31 - 2016-02-25 20:50 - 00000000 ____D C:\Documents and Settings\Krzysztof\Desktop\Cartagena 2016
2017-03-15 19:31 - 2016-02-23 21:25 - 00299745 _____ C:\Documents and Settings\Krzysztof\Desktop\Order-24720712-Docs-090255.pdf.crypted
2017-03-14 19:16 - 2016-12-17 14:28 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-03-14 19:16 - 2016-01-29 19:37 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-13 17:46 - 2001-08-23 12:00 - 00002206 _____ C:\WINDOWS\system32\wpa.dbl
2017-03-02 22:52 - 2016-02-09 21:57 - 00001662 _____ C:\Documents and Settings\All Users\Desktop\Canon IJ Network Tool.lnk
2017-03-02 22:52 - 2016-02-09 21:57 - 00000000 ____D C:\Program Files\Canon
2017-03-02 22:52 - 2016-02-09 21:57 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\Canon Utilities
2017-03-02 22:52 - 2016-01-29 18:49 - 00000000 ____D C:\WINDOWS\Media
2017-02-28 22:09 - 2016-01-31 14:20 - 00000000 ____D C:\Documents and Settings\Krzysztof\Application Data\Spotify
2017-02-28 21:46 - 2016-01-31 14:21 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Spotify
2017-02-28 18:57 - 2016-04-17 09:08 - 00000070 _____ C:\Documents and Settings\Krzysztof\Local Settings\Application Data\DiegoG3-3.0.8.2.INI
2017-02-28 18:45 - 2016-01-29 20:29 - 00802904 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2017-02-28 18:45 - 2016-01-29 20:29 - 00144472 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2017-02-28 18:45 - 2016-01-29 19:47 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\Adobe
2017-02-28 18:45 - 2016-01-29 19:05 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-02-27 20:57 - 2016-03-13 20:34 - 00000000 ____D C:\Documents and Settings\Krzysztof\Application Data\vlc

==================== Files in the root of some directories =======

2017-02-06 20:40 - 2017-02-06 20:48 - 0003048 _____ () C:\Documents and Settings\Krzysztof\Local Settings\Application Data\AcStag.ini
2016-04-17 08:42 - 2016-04-18 16:32 - 0000041 _____ () C:\Documents and Settings\Krzysztof\Local Settings\Application Data\DiegoG3-3.0.1.3.INI
2016-04-17 09:08 - 2017-02-28 18:57 - 0000070 _____ () C:\Documents and Settings\Krzysztof\Local Settings\Application Data\DiegoG3-3.0.8.2.INI
2016-04-18 16:29 - 2016-04-18 16:35 - 0000041 _____ () C:\Documents and Settings\Krzysztof\Local Settings\Application Data\DiegoG3.INI
2017-03-16 20:21 - 2017-03-16 20:21 - 0013158 _____ () C:\Documents and Settings\All Users\Application Data\agent.1489695655.bdinstall.bin

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End of FRST.txt ============================
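Triage of the log above, as an added example; this is not FRST's own code and was not part of the posted log. It parses the two FRST line formats that carry the findings here, the `HK..\...\Run:` entries and the dated file listing, and reports what the log itself points at: the HKU Run value FRST marked as having invalid characters in its name, which launches 1f864.bat from the 4cafa directory under Local Settings\Application Data, the files renamed with the .crypted extension, and the DECRYPT.txt note beside them. The set of characters treated as "invalid", the script extensions and profile directories treated as suspect, and the choice of which lines to draft into a fixlist are this example's own assumptions (FRST's section notes above describe the fixlist behaviour, not the selection). The sample lines are copied from the log above.

```python
# Added example: a triage helper for FRST log lines. Not FRST's own code.
import re
from dataclasses import dataclass, field

# Assumptions of this example, not FRST's published rules:
INVALID_NAME_CHARS = set('<>*?|"')                       # what "invalid characters" is taken to mean
SUSPECT_SCRIPT_EXT = ('.bat', '.cmd', '.vbs', '.js', '.ps1')
SUSPECT_DIRS = ('\\local settings\\application data\\', '\\application data\\', '\\local settings\\temp\\')
RANSOM_EXT = '.crypted'                                  # extension seen in the log above
RANSOM_NOTE = 'decrypt.txt'                              # note name seen in the log above

RUN_RE = re.compile(r'^(?P<hive>HKLM|HKU\\S-1-5-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<rest>.*)$')
FILE_RE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
                     r' - (?P<size>\d+) (?P<attrs>[_A-Z]+) (?:\([^)]*\) )?(?P<path>.+)$')


@dataclass
class RunEntry:
    hive: str
    name: str
    target: str                 # program or script the value launches
    raw: str                    # original log line; an FRST fixlist quotes it verbatim
    reasons: list = field(default_factory=list)


@dataclass
class FileEntry:
    created: str
    modified: str
    size: int
    attrs: str                  # FRST attribute column, e.g. ____D for a directory
    path: str

    @property
    def is_dir(self):
        return 'D' in self.attrs


def _target_of(rest):
    """Launched path from the text after '=>': a quoted path, or a bare path
    followed by '[size date] (company)'; '<===== ATTENTION' may follow either."""
    m = re.match(r'"([^"]*)"', rest)
    return m.group(1) if m else re.split(r' \[\d+ \d{4}-\d{2}-\d{2}\]| <=====', rest)[0].strip()


def parse_run_entries(lines):
    out = []
    for line in (l.strip() for l in lines):
        m = RUN_RE.match(line)
        if m:
            out.append(RunEntry(m['hive'], m['name'], _target_of(m['rest']), line))
    return out


def parse_file_entries(lines):
    out = []
    for line in (l.strip() for l in lines):
        m = FILE_RE.match(line)
        if m:
            out.append(FileEntry(m['created'], m['modified'], int(m['size']), m['attrs'], m['path']))
    return out


def flag_run_entries(entries):
    """Attach a reason to each Run value that matches an indicator; return those flagged."""
    for e in entries:
        low = e.target.lower()
        if INVALID_NAME_CHARS & set(e.name):
            e.reasons.append('value name contains characters regedit cannot handle')
        if low.endswith(SUSPECT_SCRIPT_EXT):
            e.reasons.append('autorun launches a script, not a program')
        if any(d in low for d in SUSPECT_DIRS):
            e.reasons.append('launched from a user-writable profile directory')
    return [e for e in entries if e.reasons]


def encrypted_files(files, ext=RANSOM_EXT):
    """Map each encrypted file to the path it had before the extension was appended."""
    return {f.path: f.path[:-len(ext)] for f in files if not f.is_dir and f.path.lower().endswith(ext)}


def draft_fixlist(flagged, files):
    """Draft fixlist.txt lines: each flagged Run line verbatim (FRST removes the value)
    and the directory its script lives in (FRST moves a bare path). Review before use."""
    dirs = {e.target.rsplit('\\', 1)[0].lower() for e in flagged}
    return [e.raw for e in flagged] + [f.path for f in files if f.is_dir and f.path.lower() in dirs]


def triage(lines):
    runs, files = parse_run_entries(lines), parse_file_entries(lines)
    flagged = flag_run_entries(runs)
    return {'flagged_runs': flagged,
            'encrypted': encrypted_files(files),
            'ransom_notes': [f.path for f in files if f.path.lower().endswith('\\' + RANSOM_NOTE)],
            'fixlist': draft_fixlist(flagged, files)}


# Sample input: lines copied from the FRST log above.
SAMPLE = r"""
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [205512 2017-03-16] (AVAST Software)
HKU\S-1-5-21-1123561945-879983540-1547161642-1003\...\Run: [*wdaphjujw<*>] => "C:\Documents and Settings\Krzysztof\Local Settings\Application Data\4cafa\1f864.bat" <===== ATTENTION (Value Name with invalid characters)
2017-03-16 21:48 - 2017-03-15 19:35 - 00192000 _____ C:\Documents and Settings\Krzysztof\Desktop\Finanse.xls.crypted
2017-03-16 20:47 - 2017-03-16 20:47 - 00031064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2017-03-16 00:34 - 2017-03-16 00:34 - 00000000 ____D C:\Documents and Settings\Krzysztof\Local Settings\Application Data\4cafa
2017-03-15 19:31 - 2017-03-15 19:31 - 00001353 _____ C:\Documents and Settings\Krzysztof\Desktop\DECRYPT.txt
2017-03-15 19:31 - 2016-04-21 23:13 - 00012252 _____ C:\Documents and Settings\Krzysztof\Desktop\job statement.docx.crypted
""".strip().splitlines()

if __name__ == '__main__':
    report = triage(SAMPLE)
    for e in report['flagged_runs']:
        print(f"{e.hive} [{e.name}] -> {e.target}\n  " + '\n  '.join(e.reasons))
    for enc, orig in report['encrypted'].items():
        print(f'encrypted: {enc}  (was {orig})')
    print('ransom notes:', report['ransom_notes'])
    print('draft fixlist:\n' + '\n'.join(report['fixlist']))
```

Run it against the full log rather than the sample and review the drafted fixlist by hand. The example deliberately flags only Run values: the other ATTENTION line (the empty AboutURLs,Tabs value) and the MountPoints2 entry are left alone because they are not autoruns the log ties to the encrypted files, and the two Malwarebytes and Avast lines show why a plain "recently created" filter is not enough on its own.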