Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 24-09-2014
Ran by Świerszcz at 2014-09-24 19:31:03 Run:1
Running from C:\Documents and Settings\Świerszcz\Moje dokumenty\Pobrane
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
Task: C:\WINDOWS\Tasks\AVG_SYS_TASK_0814av.job => C:\Documents and Settings\All Users\Dane aplikacji\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe
Task: C:\WINDOWS\Tasks\AVG_SYS_TASK_0814av_DELETE.job => C:\Documents and Settings\All Users\Dane aplikacji\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe
Task: C:\WINDOWS\Tasks\OGHF.job => C:\Documents and Settings\wierszcz\Dane aplikacji\OGHF.exe
Task: C:\WINDOWS\Tasks\YHSNBE.job => C:\Documents and Settings\wierszcz\Dane aplikacji\YHSNBE.exe
S3 e4usbaw; system32\DRIVERS\e4usbaw.sys [X]
S2 IKANLOADER2; System32\Drivers\e4ldr.sys [X]
S3 PCAMPR5; \??\C:\WINDOWS\system32\PCAMPR5.SYS [X]
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2012.SP4c\WNt500x86\Sandra.sys [X]
HKU\S-1-5-21-1935655697-1965331169-725345543-1004\...\Run: [AVG-Secure-Search-Update_0814av] => C:\Documents and Settings\Zwierszcz\Dane aplikacji\Avg_Update_0814av\AVG-Secure-Search-Update_0814av.exe /PROMPT /mid=0181fd34b89d4e3887dad00ae870dc6b-48c509dde6808136529a66293ed6d56a3b11f74c /CMPID= (the data entry has 6 more characters).
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
BootExecute: autocheck autochk * ???????????????????? ????????????? ????? ???????????????????????????? ????????????? ????? ????????
URLSearchHook: HKLM - Default Value = {CCC7B151-1D8C-11E3-B2AD-F3EF3D58318D}
CHR NewTab: Default -> "chrome-extension://pelmeidfhdlhlbjimpabfcbnnojbboma/index.html"
CHR DefaultSearchKeyword: Default -> istartsurf
CHR DefaultSearchURL: Default -> http://www.istartsurf.com/web/?type=ds&ts=1410028189&from=ild&uid=SAMSUNGXHD161HJ_S0V3J9CQ109876&q={searchTerms}
CHR DefaultSuggestURL: Default ->
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
C:\Documents and Settings\All Users\Dane aplikacji\AVAST Software
C:\Documents and Settings\All Users\Dane aplikacji\InstallMate
C:\Documents and Settings\Świerszcz\Dane aplikacji\OGHF
C:\Documents and Settings\Świerszcz\Dane aplikacji\YHSNBE
C:\Program Files\mozilla firefox\plugins
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hoolapp Android" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebCake Desktop" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser" /v {10921475-03CE-4E04-90CE-E2E7EF20C814} /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser" /v {C86EB8A9-CCC2-4B6C-B75D-73576ED591BF} /f
Reg: reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Reg: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EmptyTemp:
*****************

Processes closed successfully.
C:\WINDOWS\Tasks\AVG_SYS_TASK_0814av.job => Moved successfully.
C:\WINDOWS\Tasks\AVG_SYS_TASK_0814av_DELETE.job => Moved successfully.
C:\WINDOWS\Tasks\OGHF.job => Moved successfully.
C:\WINDOWS\Tasks\YHSNBE.job => Moved successfully.
e4usbaw => Service deleted successfully.
IKANLOADER2 => Service deleted successfully.
PCAMPR5 => Service deleted successfully.
SANDRA => Service deleted successfully.
HKU\S-1-5-21-1935655697-1965331169-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\\AVG-Secure-Search-Update_0814av => value deleted successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
"HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => Key not found.
HKLM\System\CurrentControlSet\Control\Session Manager\\BootExecute => Value was restored successfully.
HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks\\ => value deleted successfully.
Chrome NewTab deleted successfully.
Chrome DefaultSearchKeyword deleted successfully.
Chrome DefaultSearchURL deleted successfully.
Chrome DefaultSuggestURL deleted successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} => value deleted successfully.
HKLM\Software\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com => value deleted successfully.
C:\Documents and Settings\All Users\Dane aplikacji\AVAST Software => Moved successfully.
C:\Documents and Settings\All Users\Dane aplikacji\InstallMate => Moved successfully.
C:\Documents and Settings\Świerszcz\Dane aplikacji\OGHF => Moved successfully.
C:\Documents and Settings\Świerszcz\Dane aplikacji\YHSNBE => Moved successfully.
C:\Program Files\mozilla firefox\plugins => Moved successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension => Moved successfully.

========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Hoolapp Android" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebCake Desktop" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser" /v {10921475-03CE-4E04-90CE-E2E7EF20C814} /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser" /v {C86EB8A9-CCC2-4B6C-B75D-73576ED591BF} /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg delete "HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes" /f =========

Operacja ukończona pomyślnie

========= End of Reg: =========

========= reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" =========

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Logitech Hardware Abstraction Layer REG_SZ KHALMNPR.EXE
    amd_dc_opt REG_SZ C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    Adobe ARM REG_SZ "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    AVG_UI REG_SZ "C:\Program Files\AVG\AVG2014\avgui.exe" /TRAYONLY
    NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    SunJavaUpdateSched REG_SZ "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

========= End of Reg: =========

========= reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" =========

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell REG_DWORD 0x1
    DefaultDomainName REG_SZ CENTRALHOMECOMP
    DefaultUserName REG_SZ Świerszcz
    LegalNoticeCaption REG_SZ
    LegalNoticeText REG_SZ
    PowerdownAfterShutdown REG_SZ 0
    ReportBootOk REG_SZ 1
    Shell REG_SZ Explorer.exe
    ShutdownWithoutLogon REG_SZ 0
    System REG_SZ
    Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,
    VmApplet REG_SZ rundll32 shell32,Control_RunDLL "sysdm.cpl"
    SfcQuota REG_DWORD 0xffffffff
    allocatecdroms REG_SZ 0
    allocatedasd REG_SZ 0
    allocatefloppies REG_SZ 0
    cachedlogonscount REG_SZ 10
    forceunlocklogon REG_DWORD 0x0
    passwordexpirywarning REG_DWORD 0xe
    scremoveoption REG_SZ 0
    AllowMultipleTSSessions REG_DWORD 0x1
    UIHost REG_EXPAND_SZ logonui.exe
    LogonType REG_DWORD 0x1
    Background REG_SZ 0 0 0
    DebugServerCommand REG_SZ no
    SFCDisable REG_DWORD 0x0
    WinStationsDisabled REG_SZ 0
    HibernationPreviouslyEnabled REG_DWORD 0x1
    ShowLogonOptions REG_DWORD 0x0
    AltDefaultUserName REG_SZ Świerszcz
    AltDefaultDomainName REG_SZ CENTRALHOMECOMP
    ChangePasswordUseKerberos REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
Error: Access is denied in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials

========= End of Reg: =========

EmptyTemp: => Removed 1.5 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====