CloseProcesses:
CreateRestorePoint:
R1 adgnetworkwfpdrv; C:\Windows\System32\drivers\adgnetworkwfpdrv.sys [55800 2015-06-02] (Insoft LLC -> )
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [57144 2013-09-26] () [Brak podpisu cyfrowego]
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o. -> AVG Technologies CZ, s.r.o.)
S3 cpuz138; \??\C:\Users\janczak\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== UWAGA
S3 cpuz145; \??\C:\Windows\temp\cpuz145\cpuz145_x64.sys [X]
S3 Imf8HpRegFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\ImfHpRegFilter.sys [X]
S3 ImfHpFileFilter; \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\ImfHpFileFilter.sys [X]
S0 MBAMSwissArmy; system32\drivers\MBAMSwissArmy.sys [X]
S3 RRNetCap; system32\DRIVERS\rrnetcap.sys [X]
S3 RRNetCapMP; system32\DRIVERS\rrnetcap.sys [X]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-3875675890-4072692999-1131883279-1001\...\MountPoints2: {fa93c66b-08c9-11e3-b5a1-902b34721d7f} - L:\Startme.exe
HKU\S-1-5-21-3875675890-4072692999-1131883279-501\...\Run: [KSPlus] => C:\Program Files (x86)\Komputer Świat Plus\KSPlus.exe /min
HKU\S-1-5-21-3875675890-4072692999-1131883279-501\...\MountPoints2: {ac7cb306-34d5-11e2-b4f7-806e6f6e6963} - D:\KaczorDonald.exe
HKU\S-1-5-21-3875675890-4072692999-1131883279-501\...\MountPoints2: {fa93c66b-08c9-11e3-b5a1-902b34721d7f} - L:\Startme.exe
HKU\S-1-5-18\...\Run: [Norton Download Manager{NIS-22190963-SHPD-FSD5200007-FLU}] => C:\Users\Public\Downloads\Norton\{NIS-22190963-SHPD-FSD5200007-FLU}\NISFSD.exe [3670512 2019-12-12] (Symantec Corporation -> Symantec Corporation)
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{73FA19D0-2D75-11D2-995D-00C04F98BBC9}] ->
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> "C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Ograniczenia <==== UWAGA
HKLM\SOFTWARE\Policies\Google: Ograniczenia <==== UWAGA
MSCONFIG\startupreg: WallpaperHd => "C:\Users\janczak\AppData\Local\WallpaperHd\WallpaperHd.exe" /regrun
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^iPrint.lnk => C:\Windows\pss\iPrint.lnk.CommonStartup
Task: {08E6D658-4CA8-4BF4-AE82-3A72A12B33B6} - System32\Tasks\HPCustPartic.exe_{910D724F-251E-4DA7-B8D6-E25BC02D5641} => C:\Program Files\HP\HP DeskJet 2130 series\Bin\HPCustPartic.exe
Task: {11D6E2DB-076D-4D1F-A1C0-2BFC6A5E71B6} - System32\Tasks\{473AC282-D4F2-4FE8-8B28-8D84D4B6C2EC} => C:\Windows\system32\pcalua.exe -a "C:\Program Files\Edukacja XXI wieku\Szkoła\Uninstall.exe"
Task: {49285F35-4FD9-44A3-B48A-B86CE5A746C4} - System32\Tasks\{6E9DDE07-AE3F-47A6-ABDB-A5FE50352C74} => C:\Windows\system32\pcalua.exe -a "C:\Users\janczak\Downloads\Loguś - Komputerowe Gry Logopedyczne .exe" -d C:\Users\janczak\Downloads
Task: {5F050AA6-3A43-4D57-975C-93EDFCDCB33D} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [1346024 2015-08-06] (Symantec Corporation -> Symantec Corporation)
Task: {75F1ABC3-DB09-4412-9A63-71B33AA58547} - System32\Tasks\IU Xmas Task (One-Time) => C:\Program Files (x86)\IObit\IObit Uninstaller\xmasnew.exe
Task: {75F1ABC3-DB09-4412-9A63-71B33AA58547} - System32\Tasks\IU Xmas Task (One-Time) => C:\Program Files (x86)\IObit\IObit Uninstaller\xmasnew.exe
Task: {7C927D92-61CF-497D-AC8E-FB3966DFEE1E} - System32\Tasks\Opera scheduled Autoupdate 1444306866 => c:\program files (x86)\opera\launcher.exe
Task: {941EE942-D680-4D74-AADA-F937862E2A94} - System32\Tasks\{7B0C6C83-A871-4896-BB21-D7B72021CE9F} => C:\Windows\system32\pcalua.exe -a C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe -c /M{457D7505-D665-4F95-91C3-ECB8C56E9ACA}
Task: {99B09F0C-A8E9-4654-AA1B-23838D26D11B} - System32\Tasks\{B17C37BE-1547-4B76-9327-9DCF9C67D261} => C:\Windows\system32\pcalua.exe -a D:\Setup.exe -d D:\
Task: {A3786DD9-918B-460D-804F-F63808A4425C} - System32\Tasks\{4A12C654-460C-4ADC-A409-9894D3FD92FE} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\CyberLink\Power2Go9\ISOViewer9.exe" -d "C:\Users\janczak\Desktop\MS Office 2013 [32 bit] [PL]" -c "C:\Users\janczak\Desktop\MS Office 2013 [32 bit] [PL]\SW_DVD5_Office_Professional_Plus_2013_W32_Polish_MLF_X18-55173.ISO"
Task: {DC1FB2C0-9E98-4D0A-8A2B-F1BAAF7BBDBF} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {FCCF2A52-F934-4B42-94DF-FCFC68B19ED4} - System32\Tasks\{50FC81E1-0D6C-4065-8905-E94AA399DABE} => C:\Windows\system32\pcalua.exe -a D:\startuj.exe -d D:\
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Brak pliku
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => -> Brak pliku
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => -> Brak pliku
ContextMenuHandlers2: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => -> Brak pliku
ContextMenuHandlers2: [IVBShlExt] -> {5B9C04C2-5EB5-4B60-8B71-46964DB8CDBF} => -> Brak pliku
ContextMenuHandlers6: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => -> Brak pliku
BHO-x32: Brak nazwy -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> Brak pliku
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKU\S-1-5-21-3875675890-4072692999-1131883279-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.global-pl.com/
HKU\S-1-5-21-3875675890-4072692999-1131883279-501\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
HKU\S-1-5-21-3875675890-4072692999-1131883279-501\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://v9.com?type=hp&ts=1450710265&from=mych123&uid=wdcxwd10earx-00n0yb0_wd-wcc0s095613256132&z=7c0610958d781d0b414f070gazfwae0mfg8eco9q5q
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> DefaultScope {B0CD8F74-01AB-4540-B43D-69835065F881} URL = hxxp://www.global-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> NTURL hxxp://www.bing.com/search?FORM=UWDFNU&PC=U218&q={searchTerms}&src=IE-TopResult
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {19FB89A4-9E8A-44F5-8046-CED817A05382} URL = hxxp://www.global-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {4AE4B81F-EA79-410B-88FA-789C5935CF5B} URL = hxxp://www.nav-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {66EEEBE2-1CD6-452C-97DE-9CE2A58FE61D} URL = hxxp://www.nav-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {A91837E9-F15A-4260-83F5-A5130D47583F} URL = hxxp://www.web-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {B0CD8F74-01AB-4540-B43D-69835065F881} URL = hxxp://www.global-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001 -> {B1B55794-9B47-43E8-BA99-69FD690A4D1B} URL = hxxp://www.global-pl.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-501 -> DefaultScope {411C6174-57E0-4253-B3DF-6B543FE4F3FA} URL =
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-501 -> NTURL hxxp://www.bing.com/search?FORM=UWDFNU&PC=U218&q={searchTerms}&src=IE-TopResult
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-501 -> {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL = hxxp://v9.com/web?type=ds&ts=1450710265&from=zzgbkk123&uid=wdcxwd10earx-00n0yb0_wd-wcc0s095613256132&z=7c0610958d781d0b414f070gazfwae0mfg8eco9q5q&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-501 -> {96bd48dd-741b-41ae-ac4a-aff96ba00f7e} URL = hxxp://home.myplaycity.com/results.php?category=web&s={searchTerms}
SearchScopes: HKU\S-1-5-21-3875675890-4072692999-1131883279-501 -> {B9C7CE32-DA91-43C2-B7E9-0E9AAFC675CD} URL = hxxp://www.ask.com/web?l=dis&o=APN10383&gct=sb&qsrc=2869&apn_dtid=^YYYYYY^YY^US&apn_ptnrs=^ABI&apn_uid=3084954303214243&p2=^ABI^YYYYYY^YY^US&q={searchTerms}
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main
DeleteKey: HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes
DeleteKey: HKU\S-1-5-21-3875675890-4072692999-1131883279-501\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
DeleteKey: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
DeleteKey: HKU\S-1-5-21-3875675890-4072692999-1131883279-1001\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AVAST Software
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Remediation
C:\Program Files (x86)\GUTB396.tmp
C:\Program Files (x86)\bookingDesktopApp
C:\Program Files (x86)\Elektrogames
C:\Program Files (x86)\eMule
C:\Program Files (x86)\Foto Studio
C:\Program Files (x86)\iPrint
C:\Program Files (x86)\Jardinains!
C:\Program Files (x86)\Java
C:\Program Files (x86)\Mio
C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Nero
C:\Program Files (x86)\Pizza Dude
C:\Program Files (x86)\Przyspiesz
C:\Program Files (x86)\Szybki Lopez
C:\Program Files (x86)\Temp
C:\Program Files (x86)\UMPlayer
C:\Program Files\Common Files\AV
C:\ProgramData\fontcacheev1.dat
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Przeglądarka Opera.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BettysBeerBar
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CyberLink LabelPrint 2.5
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Elektrogames
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Jardinains!
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kurka Wodna 2 Demo
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pizza Dude
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Play
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Techland
C:\ProgramData\Mozilla
C:\ProgramData\Orion
C:\Users\Gość\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Uninstall Programs.lnk
C:\Users\Gość\Desktop\Alawar Games.lnk
C:\Users\Gość\Desktop\BrickShooter.lnk
C:\Users\Gość\Desktop\Instrukcja aplikacji Symulator Koparki.lnk
C:\Users\Gość\Desktop\Kurka Wodna 2 Demo.lnk
C:\Users\Gość\Desktop\Onefog Ballines.lnk
C:\Users\Gość\Desktop\Onefog Games on the Web.lnk
C:\Users\Gość\Desktop\Pizza Dude.lnk
C:\Users\Gość\Desktop\Play Jardinains!.lnk
C:\Users\Gość\Desktop\Redneck Kentucky.lnk
C:\Users\Gość\Desktop\Safari Kids.lnk
C:\Users\Gość\Desktop\Symulator Koparki.lnk
C:\Users\Gość\Desktop\Try Other Games.lnk
C:\Users\Gość\Desktop\Warszawka Racer.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Avast Secure Browser.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PhotoScape.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\WarThunder.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Firefox.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Warszawka Racer.lnk
C:\Users\janczak\AppData\Roaming\Microsoft\Office\Niedawny\*.LNK
C:\Users\janczak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mio
C:\Users\janczak\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WarThunder
C:\Users\janczak\AppData\Roaming\Mozilla
C:\Users\janczak\Desktop\GRY KUBY\Dino Demo.lnk
C:\Users\janczak\Desktop\GRY KUBY\FruttiLand_demo.lnk
C:\Users\janczak\Desktop\GRY KUBY\Pizza Dude.lnk
C:\Users\janczak\Desktop\GRY KUBY\Redneck Kentucky.lnk
C:\Users\janczak\Desktop\GRY KUBY\Safari Kids.lnk
C:\Users\janczak\Desktop\GRY KUBY\Symulator Koparki.lnk
C:\Users\janczak\Desktop\GRY KUBY\WarThunder.lnk
C:\Users\janczak\Desktop\GRY KUBY\Warszawka Racer (2).lnk
C:\Users\janczak\Desktop\GRY KUBY\Warszawka Racer.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Kurka Wodna 2 Demo.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Mad Checkers.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Pet Racer.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Pizza Dude (2).lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Play Betty's Beer Bar DEMO.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Szybki Lopez.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Try Other Sapphire Games.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\Uruchom Sąsiedzi z piekła rodem - Jazdy z gwiazdą!.lnk
C:\Users\janczak\Desktop\GRY KUBY\kuba gra\gry\retusze\PhotoScape.lnk
C:\Users\janczak\Desktop\PZU\werka\szkoła.lnk
C:\Users\janczak\Desktop\PZU\werka\szkoła\testy\Test Rzeźbiarze powierzchni Ziemi.lnk
C:\Users\test\AppData\Local\Abelssoft
C:\Users\test\AppData\Local\fotobook.pl
C:\Users\test\AppData\Roaming\IObit
C:\Users\test\AppData\Roaming\ProductData
C:\Users\Public\Desktop\SlimDrivers.lnk
C:\Users\Public\Downloads\Norton
C:\Windows\System32\drivers\adgnetworkwfpdrv.sys
C:\Windows\System32\DRIVERS\avgfwd6a.sys
C:\Windows\System32\DRIVERS\avgloga.sys
C:\Windows\System32\Tasks\AVAST Software
C:\Windows\System32\Tasks\Remediation
Folder: C:\Temp
Hosts:
Reg: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v Path /t REG_EXPAND_SZ /d ^%SystemRoot^%\system32;^%SystemRoot^%;^%SystemRoot^%\System32\Wbem;^%SystemRoot^%\System32\WindowsPowerShell\v1.0\;"C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x86";"C:\Program Files (x86)\Intel\OpenCL SDK\2.0\bin\x64";"C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /ve /t REG_SZ /d Bing /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v URL /t REG_SZ /d "http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC" /f
Reg: reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" /v DisplayName /t REG_SZ /d "@ieframe.dll,-12512" /f
cmd: sc config LanmanServer start= auto
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh winsock reset
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp: