Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-11-2013
Ran by krystyna (administrator) on KRYSTYNKA on 16-11-2013 13:52:36
Running from C:\Users\krystyna\Desktop\fixit
Microsoft Windows 7 Professional (X86) OS Language: Polish
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AuthenTec, Inc.) C:\Program Files\Fingerprint Sensor\AtService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\STacSV.exe
(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\aestsrv.exe
(Broadcom Corporation) C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
(Broadcom Corporation.) c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
() C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(RealVNC Ltd.) C:\Program Files\RealVNC\VNC4\WinVNC4.exe
(Microsoft Corporation) C:\Windows\system32\wbem\unsecapp.exe
(Dell Inc.) c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
(Dell Inc.) c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
(Broadcom Corporation) C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Creative Technology Ltd) C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\HidFind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apntex.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Dell Inc.) C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
(Wave Systems Corp.) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
(Broadcom Corporation.) c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
(Intel Corporation) C:\Windows\system32\igfxext.exe
(Intel Corporation) C:\Windows\system32\igfxsrvc.exe
(Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
() C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
() C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] - C:\Program Files\DellTPad\Apoint.exe [278528 2010-02-17] (Alps Electric Co., Ltd.)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray.exe [495708 2010-05-25] (IDT, Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [DellControlPoint] - C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe [657920 2009-11-02] (Dell Inc.)
HKLM\...\Run: [WavXMgr] - C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe [147840 2010-07-21] (Wave Systems Corp.)
HKLM\...\Run: [USCService] - C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe [34232 2010-06-22] (Broadcom Corporation)
HKLM\...\Run: [PDVDDXSrv] - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [140520 2009-12-29] (CyberLink Corp.)
HKLM\...\Run: [Dell Webcam Central] - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [462993 2010-03-12] (Creative Technology Ltd)
HKLM\...\Run: [DBRMTray] - C:\dell\DBRM\Reminder\DbrmTrayicon.exe [206336 2010-05-20] (Microsoft)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252848 2012-07-03] (Sun Microsystems, Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe [41208 2012-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
HKLM\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe,,C:\ProgramData\UDvngvrU\UDvngvrU.exe -sm,
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Lsa: [Authentication Packages] msv1_0 wvauth

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default.aspx?c=pl&l=pl&s=pad
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{2B3A03EB-81FF-49AD-BD7B-6071D556A89E}: [NameServer]8.8.8.8,194.204.159.1

FireFox:
========
FF ProfilePath: C:\Users\krystyna\AppData\Roaming\Mozilla\Firefox\Profiles\96j9yag9.default
FF Homepage: hxxp://www.onet.pl/
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @java.com/DTPlugin,version=10.15.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.15.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\4.0.60310.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Adblock Plus - C:\Users\krystyna\AppData\Roaming\Mozilla\Firefox\Profiles\96j9yag9.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

========================== Services (Whitelisted) =================

R2 ATService; C:\Program Files\Fingerprint Sensor\AtService.exe [1803584 2010-05-10] (AuthenTec, Inc.)
R2 BrcmMgmtAgent; C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [114688 2009-11-05] (Broadcom Corporation)
R2 buttonsvc32; c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe [278304 2009-11-20] (Dell Inc.)
R2 dcpsysmgrsvc; c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [386928 2010-02-08] (Dell Inc.)
R2 InstallFilterService; C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [60928 2010-01-10] ()
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [1032192 2010-02-03] (Wave Systems Corp.)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [245842 2010-05-25] (IDT, Inc.)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1273856 2008-11-12] ()
R2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [1164648 2010-03-29] (Wave Systems Corp.)
R2 WinVNC4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [439632 2008-10-15] (RealVNC Ltd.)
S2 gupdate; "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc [x]
S3 gupdatem; "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{b18cba3c-d44d-af1f-2b7d-eca3ecd67da1}\ \...\???\{b18cba3c-d44d-af1f-2b7d-eca3ecd67da1}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

R3 Acceler; C:\Windows\System32\DRIVERS\Accelern.sys [42672 2010-01-18] (ST Microelectronics)
S3 Blfp; C:\Windows\System32\DRIVERS\basp.sys [85504 2009-10-15] (Broadcom Corporation)
R3 btwampfl; C:\Windows\System32\drivers\btwampfl.sys [274472 2010-01-11] (Broadcom Corporation.)
S3 CtAudDrv; C:\Windows\system32\Drivers\CtAudDrv.sys [134144 2009-05-28] (Creative Technology Ltd.)
R0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2008-06-04] (Dell Inc)
R2 risdpcie; C:\Windows\System32\DRIVERS\risdpe86.sys [59904 2010-03-21] (REDC)
S3 rixdpcie; C:\Windows\system32\DRIVERS\rixdpe86.sys [38912 2010-03-21] (REDC)
R0 stdflt; C:\Windows\System32\DRIVERS\stdfltn.sys [17072 2010-01-18] (ST Microelectronics)
R2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [229888 2010-01-19] (Wave Systems Corp.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-11-16 13:52 - 2013-11-16 13:52 - 00000000 ____D C:\FRST
2013-11-16 13:51 - 2013-11-16 13:52 - 00000000 ____D C:\Users\krystyna\Desktop\fixit
2013-11-16 13:34 - 2013-11-16 13:34 - 00000000 ____D C:\Program Files\ESET
2013-11-16 13:32 - 2013-11-16 13:32 - 00000000 ____D C:\Program Files\SkanerOnline
2013-11-16 11:21 - 2013-11-16 11:21 - 00002659 _____ C:\Users\krystyna\Desktop\fix.reg
2013-11-15 23:04 - 2013-11-16 11:00 - 00000118 _____ C:\Users\krystyna\Desktop\Antivirus Security Pro support.url
2013-11-15 22:35 - 2013-11-16 10:34 - 00000000 ____D C:\Program Files\Google
2013-11-15 22:35 - 2013-11-15 22:58 - 00000000 ____D C:\Users\krystyna\AppData\Local\Google
2013-11-10 16:11 - 2013-11-10 16:11 - 00000000 ____D C:\ProgramData\Mozilla
2013-11-10 16:11 - 2013-11-10 16:11 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-10-20 16:30 - 2013-10-20 21:41 - 00206848 _____ C:\Users\krystyna\Desktop\Zestawienie sprzetu medycznego, wyposażenia i robót budowlanych SPZZOZ w Janowie Lubelskim.xls
2013-10-20 15:11 - 2013-10-20 15:10 - 00143872 _____ C:\Users\krystyna\Desktop\zestawienie_azy.xls

==================== One Month Modified Files and Folders =======

2013-11-16 13:52 - 2013-11-16 13:52 - 00000000 ____D C:\FRST
2013-11-16 13:52 - 2013-11-16 13:51 - 00000000 ____D C:\Users\krystyna\Desktop\fixit
2013-11-16 13:50 - 2011-01-22 22:47 - 00000000 ____D C:\Pobrane
2013-11-16 13:39 - 2009-07-14 05:34 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-11-16 13:39 - 2009-07-14 05:34 - 00014256 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-11-16 13:34 - 2013-11-16 13:34 - 00000000 ____D C:\Program Files\ESET
2013-11-16 13:32 - 2013-11-16 13:32 - 00000000 ____D C:\Program Files\SkanerOnline
2013-11-16 13:21 - 2010-10-13 15:42 - 01549506 _____ C:\Windows\system32\PerfStringBackup.INI
2013-11-16 13:21 - 2009-07-14 09:07 - 00697912 _____ C:\Windows\system32\perfh015.dat
2013-11-16 13:21 - 2009-07-14 09:07 - 00134990 _____ C:\Windows\system32\perfc015.dat
2013-11-16 13:16 - 2010-11-29 08:21 - 00000000 _____ C:\Users\krystyna\AppData\Local\WavXMapDrive.bat
2013-11-16 13:16 - 2010-10-13 15:35 - 00000398 __RSH C:\ProgramData\ntuser.pol
2013-11-16 13:16 - 2009-07-14 05:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-11-16 11:21 - 2013-11-16 11:21 - 00002659 _____ C:\Users\krystyna\Desktop\fix.reg
2013-11-16 11:08 - 2010-12-28 07:34 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-11-16 11:00 - 2013-11-15 23:04 - 00000118 _____ C:\Users\krystyna\Desktop\Antivirus Security Pro support.url
2013-11-16 10:34 - 2013-11-15 22:35 - 00000000 ____D C:\Program Files\Google
2013-11-15 22:58 - 2013-11-15 22:35 - 00000000 ____D C:\Users\krystyna\AppData\Local\Google
2013-11-10 16:11 - 2013-11-10 16:11 - 00000000 ____D C:\ProgramData\Mozilla
2013-11-10 16:11 - 2013-11-10 16:11 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2013-10-24 19:49 - 2009-07-14 05:53 - 00032604 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-10-20 21:41 - 2013-10-20 16:30 - 00206848 _____ C:\Users\krystyna\Desktop\Zestawienie sprzetu medycznego, wyposażenia i robót budowlanych SPZZOZ w Janowie Lubelskim.xls
2013-10-20 15:10 - 2013-10-20 15:11 - 00143872 _____ C:\Users\krystyna\Desktop\zestawienie_azy.xls

Files to move or delete:
====================
ZeroAccess: C:\Users\krystyna\AppData\Local\Google\Desktop\Install
ZeroAccess: C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

LastRegBack: 2013-11-15 23:26

==================== End Of Log ============================