Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Piotr (27-01-2018 18:22:37) Run:1
Running from G:\Pobrane\Bezpieczeństwo
Loaded Profiles: Piotr (Available Profiles: Piotr)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
HKU\S-1-5-21-1572406964-1192249908-263256314-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://uk.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate
HKU\S-1-5-21-1572406964-1192249908-263256314-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1572406964-1192249908-263256314-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1572406964-1192249908-263256314-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_ir_16_38&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dgb%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0A0CtBtBtD0ByE0D0AyDtAzyyB0AyBtDtN0D0Tzu0StCyBtBzytN1L2XzutAtFtByEtFyCtFyDtBtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEyE0FyDyC0BtByCtGyDtAtAzytG0F0CzytDtGyB0FtA0AtGyDtBzy0EtC0B0ByDzyzytC0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzztBzy0AtCzzyDyDtGyCyCtA0BtGyEyE0E0BtGzytCtDtAtGyB0BtCtB0D0EtC0FyB0FtAyB2QtN0A0LzuyE%26cr%3D652085609%26a%3Dwnf_ir_16_38%26os_ver%3D6.1%26os%3DWindows%2B7%2BUltimate&p={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
U3 idsvc; no ImagePath
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
Task: {CBDCB786-CB0A-4C40-A7F7-9B2EB7284A6B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {4BBB237A-7DD9-4333-B34F-0CF9B16AB278} - System32\Tasks\Yahoo! Powered renol => C:\Windows\system32\wscript.exe "C:\ProgramData\{4D9888FB-C7DA-023D-411C-9C7FDB5E17B1}\sele.txt" "687474703a2f2f7761676e672e636f6d" "433a5c50726f6772616d446174615c7b34443938383846422d433744412d303233442d343131432d3943374644423545313742317d5c6e61726f6e65" "433a5c50726f6772616d446174615c7b34443938383846422d433744412d303233442d343131 (the data entry has 78 more characters). <==== ATTENTION
Task: C:\WINDOWS\Tasks\Yahoo! Powered renol.job => Wscript.exe C:\ProgramData\{4D9888FB-C7DA-023D-411C-9C7FDB5E17B1}\sele.txt <==== ATTENTION
C:\ProgramData\{4D9888FB-C7DA-023D-411C-9C7FDB5E17B1}\sele.txt
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-1572406964-1192249908-263256314-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKU\S-1-5-21-1572406964-1192249908-263256314-1000\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache" => removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
"HKU\S-1-5-21-1572406964-1192249908-263256314-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-21-1572406964-1192249908-263256314-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
"HKLM\System\CurrentControlSet\Services\idsvc" => removed successfully
idsvc => service removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => removed successfully
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => removed successfully
HKLM\Software\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => removed successfully
HKLM\Software\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => removed successfully
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6" => removed successfully
HKLM\Software\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6" => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => key not found
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CBDCB786-CB0A-4C40-A7F7-9B2EB7284A6B} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CBDCB786-CB0A-4C40-A7F7-9B2EB7284A6B}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4BBB237A-7DD9-4333-B34F-0CF9B16AB278}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4BBB237A-7DD9-4333-B34F-0CF9B16AB278}" => removed successfully
C:\WINDOWS\System32\Tasks\Yahoo! Powered renol => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Yahoo! Powered renol" => removed successfully
C:\WINDOWS\Tasks\Yahoo! Powered renol.job => moved successfully
"C:\ProgramData\{4D9888FB-C7DA-023D-411C-9C7FDB5E17B1}\sele.txt" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 7364608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 23392148 B
Java, Flash, Steam htmlcache => 2177 B
Windows/system/drivers => 815917 B
Edge => 26391791 B
Chrome => 410182266 B
Firefox => 442045239 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 13970 B
NetworkService => 1316 B
Piotr => 119556030 B

RecycleBin => 0 B
EmptyTemp: => 982.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 18:23:26 ====