Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-06-2017
Ran by piotrek (administrator) on PIOTREK-PC (25-06-2017 18:00:32)
Running from C:\frt
Loaded Profiles: piotrek (Available Profiles: piotrek & Administrator)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Lenovo.) C:\Windows\System32\ibmpmsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnetdhcp.exe
(VMware, Inc.) C:\Windows\SysWOW64\vmnat.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\tphkload.exe
(VMware, Inc.) C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe
(Greenshot) C:\Program Files\Greenshot\Greenshot.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Flux Software LLC) C:\Users\piotrek\AppData\Local\FluxSoftware\Flux\flux.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\shtctky.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\Bluestacks\HD-Agent.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ZOOM\TpScrex.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe
(Lenovo Group Limited) C:\Program Files (x86)\ThinkPad\Utilities\SCHTASK.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(BlackBerry Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
() C:\Program Files (x86)\Common Files\Research In Motion\nginx\nginx.exe
(Lenovo) C:\Program Files (x86)\Lenovo\Message Center Plus\MCPLaunch.exe
(Lenovo) C:\Users\piotrek\AppData\Local\Apps\2.0\TW5NZ323.4M5\GBT1ZO0J.573\lsb...tion_2d7b41b05b24775e_0001.0006_3b0a905c8de4f74a\LSB.exe
(Lenovo) C:\Program Files (x86)\ThinkPad\Utilities\PWMDBSVC.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\frt\FRST64 (1).exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Greenshot] => C:\Program Files\Greenshot\Greenshot.exe [552368 2016-12-30] (Greenshot)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [3146704 2017-05-09] (Malwarebytes)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5618456 2013-09-12] (ESET)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [90112 2006-11-10] ()
HKLM-x32\...\Run: [PWMTRV] => rundll32 "C:\Program Files (x86)\ThinkPad\Utilities\PWMTR64V.DLL",PwrMgrBkGndMonitor
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] => C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [443640 2014-11-01] (BlackBerry Limited)
HKLM-x32\...\Run: [RIM PeerManager] => C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\PeerManager.exe [4730616 2015-05-27] (BlackBerry Limited)
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9803992 2017-06-13] (Piriform Ltd)
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\Run: [f.lux] => C:\Users\piotrek\AppData\Local\FluxSoftware\Flux\flux.exe [1024240 2016-12-06] (Flux Software LLC)
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\Bluestacks\HD-Agent.exe [1690248 2016-12-01] (BlueStack Systems, Inc.)
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\RunOnce: [Uninstall 17.3.6917.0607] => C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\piotrek\AppData\Local\Microsoft\OneDrive\17.3.6917.0607"
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-586139971-3745640054-995972772-1000\...\Policies\Explorer: [TaskbarNoNotification] 1
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => -> No File
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => -> No File
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Core Temp.lnk [2016-12-08]
ShortcutTarget: Core Temp.lnk -> C:\Program Files\Core Temp\Core Temp.exe ()
Startup: C:\Users\piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk [2016-12-09]
ShortcutTarget: CCC.lnk -> C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc.)
GroupPolicy: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 217.172.224.160 89.231.1.206
Tcpip\..\Interfaces\{4976D233-5E86-4B14-BB50-6D3E4C248F10}: [DhcpNameServer] 192.168.44.1
Tcpip\..\Interfaces\{5EFFD602-F8FB-4F84-A86E-ABB155BF7F2D}: [DhcpNameServer] 192.168.26.2
Tcpip\..\Interfaces\{D10F5CD4-BDC4-4B72-8824-539501B6B8F3}: [DhcpNameServer] 217.172.224.160 89.231.1.206

Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-586139971-3745640054-995972772-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

FireFox:
========
FF DefaultProfile: ic1t9xky.default
FF ProfilePath: C:\Users\piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\ic1t9xky.default [2017-06-25]
FF NetworkProxy: Mozilla\Firefox\Profiles\ic1t9xky.default -> autoconfig_url", "data:text/plain, function FindProxyForURL(url, host) {if(isInNet(host, '192.168.0.0', '255.255.0.0')) return 'DIRECT'; \nif(host == 'us1-base.cd-n.net') return 'DIRECT'; \nif(host == 'us2-base.cd-n.net') return 'DIRECT'; \nif(host == 'us3-base.cd-n.net') return 'DIRECT'; \nif(host == 'jp1-base.cd-n.net') return 'DIRECT'; \nif(host == 'de1-base.cd-n.net') return 'DIRECT'; \nif(host == 'au1-base.cd-n.net') return 'DIRECT'; \nif(host == 'ir1-base.cd-n.net') return 'DIRECT'; \nif(host == 'sg1-base.cd-n.net') return 'DIRECT'; \nif(host == 'kr1-base.cd-n.net') return 'DIRECT'; \nif(host == '127.0.0.1') return 'DIRECT'; \nif(host == 'localhost') return 'DIRECT'; \nif(host == 'de1-base.cd-n.net') return 'DIRECT'; \nif(host == '127.0.0.1') return 'DIRECT'; \nif(host == 'localhost') return 'DIRECT'; \nif(host == 'de1-base.cd-n.net') return 'DIRECT'; \nreturn 'HTTPS ha3c4mjqguxdkmjoge2dqizrgq4tkobugmzdama.mycdns.com:443';}"
FF NetworkProxy: Mozilla\Firefox\Profiles\ic1t9xky.default -> type", 0
FF Extension: (Hoxx VPN Proxy) - C:\Users\piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\ic1t9xky.default\Extensions\@hoxx-vpn.xpi [2017-06-05]
FF Extension: (RAMBack) - C:\Users\piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\ic1t9xky.default\Extensions\ramback@pavlov.net.xpi [2016-12-13]
FF Extension: (uBlock Origin) - C:\Users\piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\ic1t9xky.default\Extensions\uBlock0@raymondhill.net.xpi [2017-06-21]
FF Extension: (Default Full Zoom Level) - C:\Users\piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\ic1t9xky.default\Extensions\{D9A7CBEC-DE1A-444f-A092-844461596C4D} [2016-12-13]
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Extension: (ESET Smart Security Extension) - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2017-06-25] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1225195.dll [2016-09-20] (Adobe Systems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 -> C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll [2015-05-22] ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-28] (Google Inc.)

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.pl/"
CHR Profile: C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default [2017-06-25]
CHR Extension: (Tłumacz Google) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2016-12-18]
CHR Extension: (Prezentacje Google) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-12-18]
CHR Extension: (Dokumenty Google) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-12-18]
CHR Extension: (Dysk Google) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-12-18]
CHR Extension: (MEGA) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\bigefpfhnfcobdlfbedofhhaibnlghod [2017-06-25]
CHR Extension: (YouTube) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-12-18]
CHR Extension: (uBlock Origin) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-06-25]
CHR Extension: (Arkusze Google) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-12-18]
CHR Extension: (I don't care about cookies) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihnjjcciajhdojfnbdddfaoknhalnja [2017-03-31]
CHR Extension: (Dokumenty Google offline) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-12-19]
CHR Extension: (Kill News Feed) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjobfcedfgohjkaieocljfcppjbkglfd [2017-01-02]
CHR Extension: (Social Fixer for Facebook) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\ifmhoabcaeehkljcfclfiieohkohdgbb [2017-03-31]
CHR Extension: (BB10 / PlayBook App Manager) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmbaalodpmjjhpobkgljnelbpblnikkp [2017-04-25]
CHR Extension: (Hotspot Shield VPN Free Proxy – Unblock Sites) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbejmccbhkncgokjcmghpfloaajcffj [2017-06-25]
CHR Extension: (Płatności w sklepie Chrome Web Store) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-31]
CHR Extension: (Gmail) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-12-18]
CHR Extension: (Chrome Media Router) - C:\Users\piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-12]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BlackBerry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [588024 2014-11-01] (BlackBerry Limited)
S3 BstHdAndroidSvc; C:\Program Files (x86)\Bluestacks\HD-Service.exe [486936 2016-12-01] (BlueStack Systems, Inc.)
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe [470552 2016-12-01] (BlueStack Systems, Inc.)
S3 BstHdPlusAndroidSvc; C:\Program Files (x86)\Bluestacks\HD-Plus-Service.exe [511512 2016-12-01] (BlueStack Systems, Inc.)
S3 DozeSvc; C:\Program Files (x86)\ThinkPad\Utilities\DZSVC64.EXE [326160 2016-04-14] (Lenovo.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [1337752 2013-09-12] (ESET)
S2 LPlatSvc; C:\Windows\system32\LPlatSvc.exe [711256 2016-10-17] (Lenovo.)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4470736 2017-05-09] (Malwarebytes)
R2 RIM MDNS; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\mDNSResponder.exe [396024 2015-05-27] (Apple Inc.)
R2 RIM Tunnel Service; C:\Program Files (x86)\Common Files\Research In Motion\Tunnel Manager\tunmgr.exe [1355000 2015-05-27] (BlackBerry Limited)
S3 SUService; C:\Program Files (x86)\Lenovo\System Update\SUService.exe [23416 2016-12-10] ()
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10888944 2017-04-25] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 blackberryncm; C:\Windows\System32\DRIVERS\blackberryncm6_AMD64.sys [25600 2015-01-23] (BlackBerry Limited)
S3 BstHdDrv; C:\Program Files (x86)\Bluestacks\HD-Hypervisor-amd64.sys [152672 2016-12-01] (BlueStack Systems)
S3 BstkDrv; C:\Program Files (x86)\Bluestacks\BstkDrv.sys [270904 2016-11-08] (Bluestack System Inc. )
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [239320 2013-09-17] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [239296 2013-09-17] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [168256 2013-09-17] (ESET)
R2 epfw; C:\Windows\System32\DRIVERS\epfw.sys [220232 2013-09-17] (ESET)
R1 EpfwLWF; C:\Windows\System32\DRIVERS\EpfwLWF.sys [44120 2013-09-17] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [62136 2013-09-17] (ESET)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [252832 2017-06-25] (Malwarebytes)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [80384 2015-01-14] (BlackBerry Limited)
R3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [18432 2015-05-27] (BlackBerry Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-11] (Research in Motion Ltd)
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] ()
R1 vmkbd3; C:\Windows\System32\DRIVERS\vmkbd.sys [52288 2016-10-21] (VMware, Inc.)
R0 vsock; C:\Windows\System32\DRIVERS\vsock.sys [93248 2016-09-30] (VMware, Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-25 18:04 - 2017-06-25 18:04 - 00010069 _____ C:\Users\piotrek\Downloads\e.txt
2017-06-25 18:00 - 2017-06-25 18:00 - 00000000 ____D C:\frt
2017-06-25 18:00 - 2017-06-25 18:00 - 00000000 ____D C:\FRST
2017-06-25 17:59 - 2017-06-25 17:59 - 02441216 _____ (Farbar) C:\Users\piotrek\Downloads\FRST64 (1).exe
2017-06-25 17:58 - 2017-06-25 17:58 - 00042734 _____ C:\Users\piotrek\Downloads\Addition (1).txt
2017-06-25 17:15 - 2017-06-25 17:15 - 00000000 ____D C:\Users\piotrek\AppData\Roaming\ESET
2017-06-25 17:15 - 2017-06-25 17:15 - 00000000 ____D C:\Users\piotrek\AppData\Local\ESET
2017-06-25 17:14 - 2017-06-25 17:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2017-06-25 17:14 - 2017-06-25 17:14 - 00000000 ____D C:\ProgramData\ESET
2017-06-25 17:14 - 2017-06-25 17:14 - 00000000 ____D C:\Program Files\ESET
2017-06-25 13:23 - 2017-06-25 13:23 - 00000000 ____D C:\ProgramData\LockHunter
2017-06-25 13:17 - 2017-06-25 13:17 - 03029032 _____ (Crystal Rich Ltd ) C:\Users\piotrek\Downloads\lockhuntersetup_3-1-1.exe
2017-06-25 13:17 - 2017-06-25 13:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LockHunter
2017-06-25 13:15 - 2017-06-25 13:16 - 00000000 ____D C:\Program Files\Unlocker
2017-06-25 13:15 - 2017-06-25 13:15 - 00000000 ____D C:\Users\piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2017-06-25 13:15 - 2017-06-25 13:15 - 00000000 ____D C:\Users\piotrek\AppData\Roaming\Babylon
2017-06-25 13:15 - 2017-06-25 13:15 - 00000000 ____D C:\Users\piotrek\AppData\Local\Babylon
2017-06-25 13:15 - 2017-06-25 13:15 - 00000000 ____D C:\ProgramData\Babylon
2017-06-25 12:51 - 2017-06-25 12:51 - 00113964 _____ C:\Users\Administrator\Downloads\unlocker1.9.0-portable.zip
2017-06-25 12:51 - 2017-06-25 12:51 - 00000000 ____D C:\Users\Administrator\Downloads\unlocker1.9.0-portable
2017-06-25 12:51 - 2017-06-25 12:51 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\WinRAR
2017-06-25 12:50 - 2017-06-25 12:50 - 00346112 _____ C:\Users\Administrator\Downloads\Unlocker 1.9.2.msi
2017-06-25 12:43 - 2017-06-25 12:43 - 00000000 ____D C:\Windows\pss
2017-06-25 12:42 - 2017-06-25 12:42 - 00020978 _____ C:\Users\piotrek\Downloads\Addition.txt
2017-06-25 12:41 - 2017-06-25 12:42 - 00027897 _____ C:\Users\piotrek\Downloads\FRST.txt
2017-06-25 12:41 - 2017-06-25 12:41 - 02440704 _____ (Farbar) C:\Users\piotrek\Downloads\FRST64.exe
2017-06-25 12:38 - 2017-06-25 12:38 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\PwrMgr
2017-06-25 12:33 - 2017-06-25 12:34 - 00000000 ____D C:\Users\Administrator\AppData\Local\Lenovo
2017-06-25 12:33 - 2017-06-25 12:33 - 00062696 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2017-06-25 12:33 - 2017-06-25 12:33 - 00001409 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Greenshot
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ATI
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\Research In Motion
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\Greenshot
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\BlackBerry
2017-06-25 12:33 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator\AppData\Local\ATI
2017-06-25 12:32 - 2017-06-25 12:33 - 00000000 ____D C:\Users\Administrator
2017-06-25 12:32 - 2017-06-25 12:32 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2017-06-25 12:32 - 2017-06-25 12:32 - 00000000 _SHDL C:\Users\Administrator\My Documents
2017-06-25 12:32 - 2017-06-25 12:32 - 00000000 _SHDL C:\Users\Administrator\Documents\My Videos
2017-06-25 12:32 - 2017-06-25 12:32 - 00000000 _SHDL C:\Users\Administrator\Documents\My Pictures
2017-06-25 12:32 - 2017-06-25 12:32 - 00000000 _SHDL C:\Users\Administrator\Documents\My Music
2017-06-25 12:32 - 2017-06-25 12:32 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel
2017-06-25 12:32 - 2011-04-12 10:28 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Media Center Programs
2017-06-25 11:40 - 2017-06-25 17:46 - 00252832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-06-25 11:40 - 2017-06-25 11:40 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-06-25 11:40 - 2017-06-25 11:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-06-25 11:39 - 2017-06-25 13:02 - 00077376 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-06-25 11:39 - 2017-06-25 11:39 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-06-25 11:39 - 2017-06-25 11:39 - 00000000 ____D C:\Program Files\Malwarebytes
2017-06-25 11:36 - 2017-06-25 11:40 - 00000000 ____D C:\AdwCleaner
2017-06-25 11:36 - 2017-06-25 11:36 - 04110280 _____ C:\Users\piotrek\Downloads\AdwCleaner.exe
2017-06-25 11:09 - 2017-06-25 11:09 - 00021018 _____ C:\ComboFix.txt
2017-06-25 10:25 - 2017-06-25 16:48 - 00000000 ____D C:\Qoobox
2017-06-25 10:25 - 2017-06-25 10:59 - 00000000 ____D C:\Windows\erdnt
2017-06-25 10:25 - 2011-06-26 08:45 - 00256000 _____ C:\Windows\PEV.exe
2017-06-25 10:25 - 2010-11-07 19:20 - 00208896 _____ C:\Windows\MBR.exe
2017-06-25 10:25 - 2009-04-20 06:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2017-06-25 10:25 - 2000-08-31 02:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2017-06-25 10:25 - 2000-08-31 02:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2017-06-25 10:25 - 2000-08-31 02:00 - 00098816 _____ C:\Windows\sed.exe
2017-06-25 10:25 - 2000-08-31 02:00 - 00080412 _____ C:\Windows\grep.exe
2017-06-25 10:25 - 2000-08-31 02:00 - 00068096 _____ C:\Windows\zip.exe
2017-06-25 10:24 - 2017-06-25 10:24 - 05659194 ____R (Swearware) C:\Users\piotrek\Downloads\ComboFix.exe
2017-06-25 10:23 - 2017-06-25 10:23 - 09598376 _____ (Piriform Ltd) C:\Users\piotrek\Downloads\ccsetup531.exe
2017-06-19 19:18 - 2017-06-25 10:21 - 00000000 ____D C:\Users\piotrek\AppData\LocalLow\Mozilla
2017-06-18 19:35 - 2017-06-18 19:35 - 00000000 ____D C:\Users\piotrek\Downloads\Skany
2017-06-18 19:34 - 2017-06-18 19:34 - 03706875 _____ C:\Users\piotrek\Downloads\Skany.zip

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-06-25 17:57 - 2009-07-14 07:13 - 00785510 _____ C:\Windows\system32\PerfStringBackup.INI
2017-06-25 17:57 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\inf
2017-06-25 17:53 - 2009-07-14 06:45 - 00026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-06-25 17:53 - 2009-07-14 06:45 - 00026768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-06-25 17:49 - 2016-12-13 00:58 - 00000000 ___RD C:\Users\piotrek\OneDrive
2017-06-25 17:46 - 2016-12-13 23:38 - 00000000 ____D C:\ProgramData\VMware
2017-06-25 17:45 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-06-25 16:53 - 2016-12-16 14:47 - 00000000 ____D C:\Users\piotrek\AppData\Roaming\Tibia
2017-06-25 16:37 - 2016-12-09 00:34 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-06-25 16:37 - 2016-12-09 00:34 - 00000000 ____D C:\Windows\system32\Macromed
2017-06-25 13:17 - 2016-12-09 00:58 - 00000000 ____D C:\Program Files\LockHunter
2017-06-25 12:33 - 2009-07-14 06:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-06-25 11:48 - 2016-12-08 22:13 - 00000000 ____D C:\Users\piotrek\AppData\Local\Deployment
2017-06-25 11:43 - 2016-12-08 22:13 - 00000000 ____D C:\Users\piotrek\AppData\Local\Apps\2.0
2017-06-25 11:40 - 2016-12-09 00:32 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-06-25 10:41 - 2009-07-14 04:34 - 00000215 _____ C:\Windows\system.ini
2017-06-25 10:32 - 2016-12-09 01:11 - 00000866 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-06-25 10:26 - 2017-05-15 13:17 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-06-21 17:09 - 2016-12-18 21:32 - 00002201 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-21 17:09 - 2016-12-18 21:32 - 00002189 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-06-19 19:18 - 2016-12-09 00:32 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-06-18 23:15 - 2017-03-06 19:46 - 00000000 ____D C:\ProgramData\TEMP
2017-05-30 22:00 - 2016-12-09 18:25 - 00000000 ____D C:\Users\piotrek\AppData\Local\ElevatedDiagnostics
2017-05-28 14:12 - 2016-12-13 00:54 - 00000552 _____ C:\Users\piotrek\AppData\Local\TroubleshooterConfig.json
2017-05-28 14:12 - 2016-12-13 00:52 - 00000000 ____D C:\ProgramData\BlueStacksSetup

==================== Files in the root of some directories =======

2016-12-13 00:54 - 2017-05-28 14:12 - 0000552 _____ () C:\Users\piotrek\AppData\Local\TroubleshooterConfig.json

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-06-25 11:27

==================== End of FRST.txt ============================