Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014
Ran by Admin (administrator) on SZKO-2B683CDBE9 on 13-03-2014 10:49:51
Running from C:\Documents and Settings\Admin\Pulpit\fix
Microsoft Windows XP Professional Dodatek Service Pack 3 (X86) OS Language: Polish
Internet Explorer Version 6
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Arcabit) C:\Program Files\ArcaBit\common\arcaconfsv.exe
(Arcabit) C:\Program Files\ArcaBit\arcaupdate\update.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(S3 Graphics, Inc.) C:\WINDOWS\system32\VTTimer.exe
(S3 Graphics Co., Ltd.) C:\WINDOWS\system32\S3trayp.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\SOUNDMAN.EXE
(Arcabit) C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
(Arcabit) C:\Program Files\ArcaBit\arcavir\arcamainsv.exe
(Arcabit) C:\Program Files\ArcaBit\arcaagent\arcaremotesvc.exe
(Arcabit) C:\Program Files\ArcaBit\arcatools\arcabackup\arcabackupservice.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe
(ArcaBit) C:\Program Files\ArcaBit\common\arcatasksservice.exe
(Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
(Arcabit) C:\Program Files\ArcaBit\arcavir\arcamainsv.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [VTTimer] - C:\WINDOWS\system32\VTTimer.exe [53248 2006-06-16] (S3 Graphics, Inc.)
HKLM\...\Run: [S3Trayp] - C:\WINDOWS\system32\S3trayp.exe [176128 2006-07-11] (S3 Graphics Co., Ltd.)
HKLM\...\Run: [SoundMan] - C:\WINDOWS\SOUNDMAN.EXE [577536 2006-08-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Skaner] - C:\Program Files\Ochraniacz\OPZTskaner.exe
HKLM\...\Run: [tguard] - C:\Program Files\Beniamin\tguard.exe
HKLM\...\Run: [SSC Service Utility] - C:\Program Files\SSC Service Utility\ssc_serv.exe /s
HKLM\...\Run: [AvMenu] - C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe [397824 2014-03-06] (Arcabit)
HKLM\...\Run: [ABREGMON] - C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
HKLM\...\Run: [ArcaClean] - C:\Program Files\ArcaBit\ArcaVir\ArcaClean.exe [59984 2014-03-03] (ArcaBit)
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKU\S-1-5-21-823518204-1035525444-682003330-1003\...\Policies\Explorer: [NoPublishingWizard] 1
HKU\S-1-5-21-823518204-1035525444-682003330-1003\...\Policies\Explorer: [NoWebServices] 1
HKU\S-1-5-21-823518204-1035525444-682003330-1003\...\Policies\Explorer: [NoOnlinePrintsWizard] 1
HKU\S-1-5-21-823518204-1035525444-682003330-1003\...\Policies\Explorer: [NoInternetOpenWith] 1

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
SearchScopes: HKLM - DefaultScope value is missing.
Toolbar: HKCU - &Adres - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Łącza - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1393845460281
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Tcpip\Parameters: [DhcpNameServer] 208.67.222.222 208.67.220.220 194.204.152.34 194.204.159.1 67.215.65.132

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Admin\Dane aplikacji\Mozilla\Firefox\Profiles\ik0vcyf4.default
FF Homepage: hxxp://www.google.pl/
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Extension: ArcaBit Ext. - C:\Program Files\Mozilla Firefox\extensions\arcabit@www.arcabit.pl [2011-11-04]

Chrome:
=======
CHR HomePage: hxxp://www.google.com
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\33.0.1750.146\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\33.0.1750.146\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\33.0.1750.146\pdf.dll ()
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
CHR Extension: (Google Wallet) - C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-03]

========================== Services (Whitelisted) =================

R2 ABConfSV; C:\Program Files\ArcaBit\common\arcaconfsv.exe [142384 2014-03-03] (Arcabit)
R2 ABMainSV; C:\Program Files\ArcaBit\arcavir\arcamainsv.exe [162984 2014-03-03] (Arcabit)
R2 ArcaRemoteService; C:\Program Files\ArcaBit\arcaagent\arcaremotesvc.exe [570864 2014-03-03] (Arcabit)
R2 AVBackup; C:\Program Files\ArcaBit\arcatools\arcabackup\arcabackupservice.exe [187704 2014-03-03] (Arcabit)
R2 AVTasks2; C:\Program Files\ArcaBit\common\arcatasksservice.exe [130024 2014-03-03] (ArcaBit)
R2 AVUpdate; C:\Program Files\ArcaBit\arcaupdate\update.exe [200064 2014-03-07] (Arcabit)

==================== Drivers (Whitelisted) ====================

R3 ABFLT; C:\Program Files\ArcaBit\ArcaVir\ABFLT.sys [66800 2014-03-03] (ArcaBit)
R3 ALCXWDM; C:\WINDOWS\System32\drivers\ALCXWDM.SYS [4019072 2006-09-20] (Realtek Semiconductor Corp.)
R1 arcawfp; C:\WINDOWS\System32\drivers\arcawfp.sys [54200 2014-03-13] (NetFilterSDK.com)
S3 GCCUSBD; C:\WINDOWS\System32\DRIVERS\gccusd.sys [9590 2003-07-03] (GCC)
R3 rtl8139; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [20992 2008-04-13] (Realtek Semiconductor Corporation)
R3 S3GIGP; C:\WINDOWS\System32\DRIVERS\S3gIGPm.sys [654336 2006-08-11] (S3 Graphics Co., Ltd.)
R0 videX32; C:\WINDOWS\System32\DRIVERS\videX32.sys [9728 2006-02-23] (VIA Technologies, Inc.)
R0 xfilt; C:\WINDOWS\System32\DRIVERS\xfilt.sys [11264 2006-02-23] (VIA Technologies,Inc)
S1 ABTDI; \??\C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys [X]
S3 cfvrrtiwx; \??\C:\WINDOWS\system32\09D.tmp [X]
S4 IntelIde; No ImagePath
S3 pszrpghz; \??\C:\WINDOWS\system32\01.tmp [X]
S3 tfhmwqka; \??\C:\WINDOWS\system32\054E.tmp [X]

==================== NetSvcs (Whitelisted) ===================

NETSVC: jrndnunlg -> No Registry Path.
NETSVC: vesmabzas -> No Registry Path.

==================== One Month Created Files and Folders ========

2014-03-03 14:26 - 2014-03-03 14:26 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\TeamViewer 9
2014-03-03 13:58 - 2014-03-03 14:26 - 00000815 _____ () C:\Documents and Settings\All Users\Pulpit\TeamViewer 9.lnk
2014-03-03 13:58 - 2014-03-03 13:58 - 00000000 ____D () C:\Program Files\TeamViewer
2014-03-03 13:55 - 2014-03-13 10:49 - 00000000 ____D () C:\FRST
2014-03-03 13:53 - 2014-03-03 13:53 - 00090112 _____ () C:\WINDOWS\Minidump\Mini030314-01.dmp
2014-03-03 13:53 - 2014-03-03 13:53 - 00000000 ____D () C:\WINDOWS\Minidump
2014-03-03 13:08 - 2014-03-03 13:08 - 00000100 _____ () C:\Documents and Settings\Admin\Pulpit\Microsoft Fix it.url
2014-03-03 12:45 - 2014-03-03 13:42 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-03-03 12:26 - 2014-03-03 13:29 - 00000000 ____D () C:\3dd0746854d7df0fb08dda30f4a6
2014-03-03 12:18 - 2012-06-02 15:19 - 00015896 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll.mui
2014-03-03 11:53 - 2014-03-13 10:49 - 00000000 ____D () C:\Documents and Settings\Admin\Pulpit\fix
2014-03-03 11:33 - 2014-03-03 12:30 - 00000000 ____D () C:\Documents and Settings\All Users\arcabit
2014-03-03 11:30 - 2014-03-13 10:48 - 00054200 _____ (NetFilterSDK.com) C:\WINDOWS\system32\Drivers\arcawfp.sys
2014-03-03 11:28 - 2014-03-03 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\Arcabit
2014-03-03 11:27 - 2014-03-03 11:28 - 00000000 ____D () C:\Program Files\ArcaBit
2014-03-03 11:22 - 2014-03-03 11:22 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-03 11:22 - 2014-03-03 11:22 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\Mozilla
2014-02-11 09:00 - 2014-02-11 09:00 - 00020604 _____ () C:\Documents and Settings\Uczeń\Moje dokumenty\imgres.htm

==================== One Month Modified Files and Folders =======

2014-03-13 10:49 - 2014-03-03 13:55 - 00000000 ____D () C:\FRST
2014-03-13 10:49 - 2014-03-03 11:53 - 00000000 ____D () C:\Documents and Settings\Admin\Pulpit\fix
2014-03-13 10:48 - 2014-03-03 11:30 - 00054200 _____ (NetFilterSDK.com) C:\WINDOWS\system32\Drivers\arcawfp.sys
2014-03-13 10:47 - 2011-11-04 12:08 - 00000300 _____ () C:\WINDOWS\wiadebug.log
2014-03-13 10:47 - 2011-11-04 12:08 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-03-13 10:47 - 2011-11-04 10:35 - 00001030 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-13 10:46 - 2013-04-29 07:25 - 00169968 _____ () C:\WINDOWS\WindowsUpdate.log
2014-03-13 10:46 - 2011-06-13 08:56 - 00032594 _____ () C:\WINDOWS\SchedLgU.Txt
2014-03-13 10:46 - 2011-06-13 08:56 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-03-13 10:44 - 2011-08-18 07:16 - 00000000 ____D () C:\Documents and Settings\Admin\Moje dokumenty\Pobieranie
2014-03-13 10:36 - 2011-06-13 09:08 - 00000188 ___SH () C:\Documents and Settings\Admin\ntuser.ini
2014-03-13 10:26 - 2011-06-13 08:48 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-03-13 10:07 - 2011-11-04 10:35 - 00001034 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-13 09:21 - 2011-06-13 08:48 - 00000000 ____D () C:\Program Files\Movie Maker
2014-03-13 08:54 - 2011-06-13 09:50 - 00000188 ___SH () C:\Documents and Settings\Uczeń\ntuser.ini
2014-03-12 10:16 - 2008-04-15 13:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-03-11 08:54 - 2011-06-13 10:27 - 00191384 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2014-03-04 10:14 - 2011-11-04 10:38 - 00001819 _____ () C:\Documents and Settings\All Users\Pulpit\Google Chrome.lnk
2014-03-03 14:26 - 2014-03-03 14:26 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\TeamViewer 9
2014-03-03 14:26 - 2014-03-03 13:58 - 00000815 _____ () C:\Documents and Settings\All Users\Pulpit\TeamViewer 9.lnk
2014-03-03 14:26 - 2011-06-13 10:29 - 00000000 ___RD () C:\Documents and Settings\All Users\Menu Start\Programy
2014-03-03 14:26 - 2011-06-13 10:29 - 00000000 ____D () C:\Documents and Settings\All Users\Pulpit
2014-03-03 13:58 - 2014-03-03 13:58 - 00000000 ____D () C:\Program Files\TeamViewer
2014-03-03 13:53 - 2014-03-03 13:53 - 00090112 _____ () C:\WINDOWS\Minidump\Mini030314-01.dmp
2014-03-03 13:53 - 2014-03-03 13:53 - 00000000 ____D () C:\WINDOWS\Minidump
2014-03-03 13:53 - 2011-06-13 09:08 - 00000000 ____D () C:\Documents and Settings\Admin\Pulpit
2014-03-03 13:42 - 2014-03-03 12:45 - 00000000 ____D () C:\WINDOWS\Microsoft.NET
2014-03-03 13:29 - 2014-03-03 12:26 - 00000000 ____D () C:\3dd0746854d7df0fb08dda30f4a6
2014-03-03 13:23 - 2008-04-15 13:00 - 00453654 _____ () C:\WINDOWS\system32\perfh015.dat
2014-03-03 13:23 - 2008-04-15 13:00 - 00075880 _____ () C:\WINDOWS\system32\perfc015.dat
2014-03-03 13:22 - 2011-06-13 10:29 - 00878904 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-03-03 13:08 - 2014-03-03 13:08 - 00000100 _____ () C:\Documents and Settings\Admin\Pulpit\Microsoft Fix it.url
2014-03-03 12:54 - 2011-06-13 10:21 - 00000000 ____D () C:\WINDOWS\system32\mui
2014-03-03 12:30 - 2014-03-03 11:33 - 00000000 ____D () C:\Documents and Settings\All Users\arcabit
2014-03-03 12:20 - 2011-06-13 11:23 - 00000000 ___SD () C:\Documents and Settings\Admin\UserData
2014-03-03 12:18 - 2013-05-24 07:15 - 00043607 _____ () C:\WINDOWS\setupapi.log
2014-03-03 12:18 - 2011-06-13 10:21 - 00000000 ____D () C:\WINDOWS\Help
2014-03-03 11:30 - 2011-11-04 09:53 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\ArcaBit
2014-03-03 11:28 - 2014-03-03 11:28 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\Arcabit
2014-03-03 11:28 - 2014-03-03 11:27 - 00000000 ____D () C:\Program Files\ArcaBit
2014-03-03 11:22 - 2014-03-03 11:22 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-03-03 11:22 - 2014-03-03 11:22 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\Mozilla
2014-03-03 11:22 - 2011-06-13 12:45 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-03 11:22 - 2011-06-13 10:27 - 00000000 __RHD () C:\Documents and Settings\All Users\Dane aplikacji
2014-03-03 11:18 - 2011-12-02 09:13 - 00000000 ____D () C:\WINDOWS\system32\appmgmt
2014-03-03 11:17 - 2011-11-04 09:33 - 00000000 ____D () C:\Program Files\Common Files\Wise Installation Wizard
2014-03-03 11:15 - 2011-08-18 07:45 - 00041776 _____ () C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2014-02-11 09:28 - 2011-06-13 09:50 - 00000000 ___RD () C:\Documents and Settings\Uczeń\Moje dokumenty\Moje obrazy
2014-02-11 09:28 - 2011-06-13 09:50 - 00000000 ___RD () C:\Documents and Settings\Uczeń\Moje dokumenty
2014-02-11 09:00 - 2014-02-11 09:00 - 00020604 _____ () C:\Documents and Settings\Uczeń\Moje dokumenty\imgres.htm

==================== Bamital & volsnap Check =================

C:\WINDOWS\explorer.exe
[2008-04-15 13:00] - [2008-04-15 13:00] - 1035264 ____A (Microsoft Corporation) c791ed9eac5e76d9525e157b1d7a599a

C:\WINDOWS\system32\winlogon.exe
[2008-04-15 13:00] - [2008-04-15 13:00] - 0510464 ____A (Microsoft Corporation) 51fd2e13d723857b9ca239ae77150f48

C:\WINDOWS\system32\svchost.exe
[2008-04-15 13:00] - [2008-04-15 13:00] - 0014336 ____A (Microsoft Corporation) 8607d35d92528e2df386f19a960d23ce

C:\WINDOWS\system32\services.exe
[2008-04-15 13:00] - [2008-04-15 13:00] - 0109056 ____A (Microsoft Corporation) 3e3ae424e27c4cefe4cab368c7b570ea

C:\WINDOWS\system32\User32.dll
[2008-04-15 13:00] - [2008-04-15 13:00] - 0580096 ____A (Microsoft Corporation) a435c5c069afd901751ac323ad238793

C:\WINDOWS\system32\userinit.exe
[2008-04-15 13:00] - [2008-04-15 13:00] - 0026624 ____A (Microsoft Corporation) 2a5b37d520508be6570a3ea79695f5b5

C:\WINDOWS\system32\rpcss.dll
[2008-04-15 13:00] - [2008-04-15 13:00] - 0399360 ____A (Microsoft Corporation) 02396dab9dd407b06539981f477f3fec
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.

C:\WINDOWS\system32\Drivers\volsnap.sys
[2008-04-15 13:00] - [2008-04-15 13:00] - 0052864 ____A (Microsoft Corporation) 56b191ac5fc0df219949c95a6c87afe7

==================== End Of Log ============================