Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-09-2014
Ran by Adam at 2014-09-29 18:28:23 Run:1
Running from D:\Nowy folder
Loaded Profile: Adam (Available profiles: Adam & Agnieszka & Gosia & DefaultAppPool)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
R1 {2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64; C:\Windows\System32\drivers\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64.sys [61120 2014-04-24] (StdLib)
S3 ESETOlmarikOlmascoCleaner; C:\Windows\system32\Drivers\ESETOlmarikOlmascoCleaner.sys [157384 2014-07-30] ()
HKU\S-1-5-21-3227529036-3496675472-4090108443-1001\...\Winlogon: [Shell] explorer.exe, <==== ATTENTION
AppInit_DLLs: °L7 => °L7 File Not Found
AppInit_DLLs-x32: ŘŢâö => "ŘŢâö" File Not Found
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\AvastUI.exe: [Debugger] nqij.exe
IFEO\avcenter.exe: [Debugger] nqij.exe
IFEO\avconfig.exe: [Debugger] nqij.exe
IFEO\avgcsrvx.exe: [Debugger] nqij.exe
IFEO\avgidsagent.exe: [Debugger] nqij.exe
IFEO\avgnt.exe: [Debugger] nqij.exe
IFEO\avgrsx.exe: [Debugger] nqij.exe
IFEO\avguard.exe: [Debugger] nqij.exe
IFEO\avgui.exe: [Debugger] nqij.exe
IFEO\avgwdsvc.exe: [Debugger] nqij.exe
IFEO\avp.exe: [Debugger] nqij.exe
IFEO\avscan.exe: [Debugger] nqij.exe
IFEO\bdagent.exe: [Debugger] nqij.exe
IFEO\blindman.exe: [Debugger] nqij.exe
IFEO\ccuac.exe: [Debugger] nqij.exe
IFEO\ComboFix.exe: [Debugger] nqij.exe
IFEO\egui.exe: [Debugger] nqij.exe
IFEO\hijackthis.exe: [Debugger] nqij.exe
IFEO\instup.exe: [Debugger] nqij.exe
IFEO\keyscrambler.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\mbamgui.exe: [Debugger] nqij.exe
IFEO\mbampt.exe: [Debugger] nqij.exe
IFEO\mbamscheduler.exe: [Debugger] nqij.exe
IFEO\mbamservice.exe: [Debugger] nqij.exe
IFEO\MpCmdRun.exe: [Debugger] nqij.exe
IFEO\MSASCui.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\msseces.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\SDFiles.exe: [Debugger] nqij.exe
IFEO\SDMain.exe: [Debugger] nqij.exe
IFEO\SDWinSec.exe: [Debugger] nqij.exe
IFEO\spybotsd.exe: [Debugger] nqij.exe
IFEO\wireshark.exe: [Debugger] nqij.exe
IFEO\zlclient.exe: [Debugger] nqij.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=pl&pid=N360&pvid=21.3.0.12
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=pl&pid=N360&pvid=21.3.0.12
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 - DefaultScope value is missing.
BHO: No Name -> {D35A64A0-B744-A172-0061-26EC45627EB4} -> No File
BHO-x32: No Name -> {D35A64A0-B744-A172-0061-26EC45627EB4} -> No File
FF NewTab: chrome://quick_start/content/index.html
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CustomCLSID: HKU\S-1-5-21-3227529036-3496675472-4090108443-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Komputronik\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ESETOlmarikOlmascoCleaner => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ESETOlmarikOlmascoCleaner.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ESETOlmarikOlmascoCleaner => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ESETOlmarikOlmascoCleaner.sys => ""="Driver"
Reg: reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v cssrrs /f
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v cssrrs /f
Reg: reg query "HKCU\Software\Microsoft\Windows Script" /s
Reg: reg query "HKCU\Software\Microsoft\Windows Script Host" /s
Reg: reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule /s
C:\ProgramData\TEMP
C:\Users\Komputronik\AppData\Roaming\msconfig.ini
C:\Users\Komputronik\AppData\Roaming\3909
C:\Users\Komputronik\AppData\Roaming\AVG
C:\Windows\System32\drivers\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64.sys
C:\Windows\system32\Drivers\ESETOlmarikOlmascoCleaner.sys
EmptyTemp:
*****************

Processes closed successfully.
{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64 => Unable to stop service
{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64 => Service deleted successfully.
ESETOlmarikOlmascoCleaner => Service deleted successfully.
HKU\S-1-5-21-3227529036-3496675472-4090108443-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
"°L7" => Value Data removed successfully.
"ŘŢâö" => Value Data not found.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\blindman.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDFiles.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDMain.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDWinSec.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe" => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D35A64A0-B744-A172-0061-26EC45627EB4}" => Key deleted successfully.
"HKCR\CLSID\{D35A64A0-B744-A172-0061-26EC45627EB4}" => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D35A64A0-B744-A172-0061-26EC45627EB4}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{D35A64A0-B744-A172-0061-26EC45627EB4}" => Key not found.
Firefox newtab deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKU\S-1-5-21-3227529036-3496675472-4090108443-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ESETOlmarikOlmascoCleaner" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ESETOlmarikOlmascoCleaner.sys" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ESETOlmarikOlmascoCleaner" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ESETOlmarikOlmascoCleaner.sys" => Key deleted successfully.

========= reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v cssrrs /f =========
Operacja ukończona pomyślnie.
========= End of Reg: =========

========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v cssrrs /f =========
Operacja ukończona pomyślnie.
========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows Script" /s =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows Script Host" /s =========
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
========= End of Reg: =========

========= reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule /s =========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours    REG_DWORD    0x48
    DisplayName    REG_SZ    Harmonogram zadań
    ErrorControl    REG_DWORD    0x1
    Group    REG_SZ    SchedulerGroup
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    Description    REG_SZ    @%SystemRoot%\system32\schedsvc.dll,-101
    DependOnService    REG_MULTI_SZ    RPCSS\0SystemEventsBroker
    ObjectName    REG_SZ    LocalSystem
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeIncreaseQuotaPrivilege\0SeChangeNotifyPrivilege\0SeAuditPrivilege\0SeImpersonatePrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeRestorePrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceMain    REG_SZ    ServiceMain
    ServiceDll    REG_EXPAND_SZ    %systemroot%\system32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Security
    Security    REG_BINARY    01001480A8000000B4000000140000003000000002001C000100000002801400FF010F000101000000000001000000000200780005000000000014008D00020001010000000000050B00000000001800DD010E000102000000000005200000002002000000001400FF010F00010100000000000512000000000018008D00020001020000000000052000000021020000000018002200010001020000000000052000000020020000010100000000000512000000010100000000000512000000
========= End of Reg: =========

C:\ProgramData\TEMP => Moved successfully.
C:\Users\Komputronik\AppData\Roaming\msconfig.ini => Moved successfully.
C:\Users\Komputronik\AppData\Roaming\3909 => Moved successfully.
C:\Users\Komputronik\AppData\Roaming\AVG => Moved successfully.
C:\Windows\System32\drivers\{2c976a7f-dbdc-4756-870f-f6d183fe7a7e}Gw64.sys => Moved successfully.
C:\Windows\system32\Drivers\ESETOlmarikOlmascoCleaner.sys => Moved successfully.
EmptyTemp: => Removed 1.2 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====