Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-01-2014
Ran by Aleksandra at 2014-01-23 18:34:51 Run:1
Running from C:\Users\Aleksandra\Documents\ZZZInne\blad
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
() C:\Users\Aleksandra\pwo5\svchost.exe
() C:\Users\Aleksandra\AppData\Local\Temp\_MEI33322\bin\winlogon.exe
(Simplygen) C:\Program Files (x86)\Protected Search\ProtectedSearch.exe
C:\Users\Aleksandra\pwo5
C:\Users\Aleksandra\AppData\Local\Temp\_MEI33322
C:\Program Files (x86)\AVG-AntiVirus-Free-Edition(13206).exe
HKLM\...\Run: [] - [x]
HKCU\...\Run: [pwo5] - C:\Users\Aleksandra\pwo5\svchost.exe [7691285 2013-08-24] ()
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
HKCU\Software\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Default_Page_URL = http://search.certified-toolbar.com?si=41460&home=true&tid=2937
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Bar = http://search.certified-toolbar.com?si=41460&tid=2937&bs=true&q=
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - DefaultScope {DADA8261-F308-45D0-B44D-A7C56054184E} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKLM-x32 - {DADA8261-F308-45D0-B44D-A7C56054184E} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.certified-toolbar.com?si=41460&bs=true&tid=2937&q={searchTerms}
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\Web Search.xml
Task: {AC0B81C6-70DB-4C2A-93AD-2530DBDF1EFF} - System32\Tasks\ProtectedSearch\Protected Search => C:\Program Files (x86)\Protected Search\ProtectedSearch.exe [2012-10-11] (Simplygen) <==== ATTENTION
S3 Lanillat;
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\AboutURLs" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI" /f
Reg: reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl" /f
CMD: netsh advfirewall reset
CMD: for /d %f in (C:\Users\Aleksandra\AppData\Local\{*}) do rd /s /q "%f"
*****************

C:\Users\Aleksandra\pwo5\svchost.exe => No running process found
[1080] C:\Users\Aleksandra\AppData\Local\Temp\_MEI33322\bin\winlogon.exe => Process closed successfully.
[3220] C:\Program Files (x86)\Protected Search\ProtectedSearch.exe => Process closed successfully.

"C:\Users\Aleksandra\pwo5" directory move:
C:\Users\Aleksandra\pwo5\cached-certs => Moved successfully.
C:\Users\Aleksandra\pwo5\cached-consensus => Moved successfully.
C:\Users\Aleksandra\pwo5\cached-descriptors => Moved successfully.
C:\Users\Aleksandra\pwo5\cached-descriptors.new => Moved successfully.
C:\Users\Aleksandra\pwo5\lock => Moved successfully.
C:\Users\Aleksandra\pwo5\state => Moved successfully.
Could not move "C:\Users\Aleksandra\pwo5\svchost.exe" => Scheduled to move on reboot.
Could not move "C:\Users\Aleksandra\pwo5" directory. => Scheduled to move on reboot.

C:\Users\Aleksandra\AppData\Local\Temp\_MEI33322 => Moved successfully.
C:\Program Files (x86)\AVG-AntiVirus-Free-Edition(13206).exe => Moved successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\pwo5 => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Default_Page_URL => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => Value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Default_Page_URL => Value deleted successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Bar => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{DADA8261-F308-45D0-B44D-A7C56054184E} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{DADA8261-F308-45D0-B44D-A7C56054184E} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key deleted successfully.
HKCR\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
C:\Program Files (x86)\mozilla firefox\searchplugins\Web Search.xml => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AC0B81C6-70DB-4C2A-93AD-2530DBDF1EFF} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC0B81C6-70DB-4C2A-93AD-2530DBDF1EFF} => Key deleted successfully.
C:\Windows\System32\Tasks\ProtectedSearch\Protected Search => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProtectedSearch\Protected Search => Key deleted successfully.
Lanillat => Service deleted successfully.

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\AboutURLs" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\Search" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchURI" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Internet Explorer\SearchUrl" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\AboutURLs" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Main" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\Search" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchURI" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchUrl" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI" /f =========
The operation completed successfully.
========= End of Reg: =========

========= reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl" /f =========
The operation completed successfully.
========= End of Reg: =========

========= netsh advfirewall reset =========
Ok.
========= End of CMD: =========

========= for /d %f in (C:\Users\Aleksandra\AppData\Local\{*}) do rd /s /q "%f" =========
========= End of CMD: =========

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-23 18:41:38)<=
C:\Users\Aleksandra\pwo5\svchost.exe => Is moved successfully.
C:\Users\Aleksandra\pwo5 => Moved successfully.

==== End of Fixlog ====