Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-12-2013
Ran by Jarek i Ela at 2013-12-03 16:55:42 Run:2
Running from C:\Users\Jarek i Ela.JarekiEla-PC\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKCU\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
Task: C:\Windows\Tasks\{DD552472-A185-4a0c-AC58-90AA40E9E26A}.job => C:\Windows\explorer.exe
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
S3 GAPNVWQKS; C:\Users\JAREKI~1.JAR\AppData\Local\Temp\GAPNVWQKS.exe [416640 2013-11-25] (Sysinternals - www.sysinternals.com)
S3 MAODQ; C:\Users\JAREKI~1.JAR\AppData\Local\Temp\MAODQ.exe [445312 2013-11-25] (Sysinternals - www.sysinternals.com)
S4 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [x]
S4 BTOA; C:\Users\JAREKI~1.JAR\AppData\Local\Temp\BTOA.exe [x]
R0 DwProt; C:\Windows\System32\drivers\dwprot.sys [135032 2011-01-21] (Doctor Web, Ltd.)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [66344 2013-11-19] (GFI Software)
S2 Haspnt; \??\C:\Windows\system32\drivers\Haspnt.sys [x]
S3 IntcAzAudAddService; system32\drivers\RTKVHDA.sys [x]
S3 MEMSWEEP2; \??\C:\Windows\system32\337E.tmp [x]
U4 Messenger;
S1 SBRE; \SystemRoot\system32\drivers\SBREDrv.sys [x]
S0 szkgfs; system32\drivers\szkgfs.sys [x]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
C:\Windows\System32\drivers\dwprot.sys
C:\Windows\system32\Drivers\sbapifs.sys
C:\Windows\system32\Drivers\sbaphd.sys
C:\Windows\system32\Drivers\RKREVEAL150.SYS
C:\Windows\system32\SBBD.EXE
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Temp\*.exe
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Mozilla
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\ArcaVirMicroScan
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\AVG
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Azureus(768)
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\DSite
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\ExpressFiles
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Mozilla
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Ulead Systems(780)
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\UserTile (2).png
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\GDIPFONTCACHEV1 (2).DAT
C:\Users\All Users\AVG
C:\Users\All Users\AVG10
C:\Users\All Users\AVG2012
C:\Users\All Users\HP(737)
C:\Users\All Users\Malwarebytes(738)
C:\Users\All Users\Microsoft(739)
C:\Users\All Users\Mozilla
C:\Users\All Users\page
C:\Users\All Users\page(741)
C:\Users\All Users\Real(742)
C:\Users\All Users\SecTaskMan(743)
C:\Users\All Users\Skype(744)
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Folder: C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Reg: reg delete HKCU\Software\Classes\.exe /f
Reg: reg delete HKCU\Software\Mozilla /f
Reg: reg delete HKLM\SOFTWARE\MozillaPlugins /f
Reg: reg delete HKLM\SOFTWARE\Mozilla /f
Reg: reg delete HKLM\SOFTWARE\mozilla.org /f
Reg: reg delete HKLM\SOFTWARE\MozillaPlugins /f
Reg: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /s
Reg: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /s
Reg: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /s
Reg: reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /s
Reg: reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s
Reg: reg query HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
Reg: reg query HKLM\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
CMD: winmgmt /verifyrepository
*****************

HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} => Key not found.
C:\Windows\Tasks\{DD552472-A185-4a0c-AC58-90AA40E9E26A}.job => Moved successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
GAPNVWQKS => Service deleted successfully.
MAODQ => Service deleted successfully.
AVG Security Toolbar Service => Service deleted successfully.
BTOA => Service deleted successfully.
DwProt => Service not found.
sbapifs => Service deleted successfully.
Haspnt => Service deleted successfully.
IntcAzAudAddService => Service deleted successfully.
MEMSWEEP2 => Service deleted successfully.
Messenger => Service deleted successfully.
SBRE => Service deleted successfully.
szkgfs => Service not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vsmon => Key not found.
C:\Windows\System32\drivers\dwprot.sys => Moved successfully.
"C:\Windows\system32\Drivers\sbapifs.sys" => File/Directory not found.
"C:\Windows\system32\Drivers\sbaphd.sys" => File/Directory not found.
C:\Windows\system32\Drivers\RKREVEAL150.SYS => Moved successfully.
"C:\Windows\system32\SBBD.EXE" => File/Directory not found.
"C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Temp\*.exe" => File/Directory not found.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Mozilla => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\ArcaVirMicroScan => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\AVG => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Azureus(768) => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\DSite => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\ExpressFiles => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Mozilla => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Ulead Systems(780) => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\UserTile (2).png => Moved successfully.
C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\GDIPFONTCACHEV1 (2).DAT => Moved successfully.
C:\Users\All Users\AVG => Moved successfully.
C:\Users\All Users\AVG10 => Moved successfully.
C:\Users\All Users\AVG2012 => Moved successfully.
C:\Users\All Users\HP(737) => Moved successfully.
C:\Users\All Users\Malwarebytes(738) => Moved successfully.
C:\Users\All Users\Microsoft(739) => Moved successfully.
C:\Users\All Users\Mozilla => Moved successfully.
C:\Users\All Users\page => Moved successfully.
C:\Users\All Users\page(741) => Moved successfully.
C:\Users\All Users\Real(742) => Moved successfully.
C:\Users\All Users\SecTaskMan(743) => Moved successfully.
C:\Users\All Users\Skype(744) => Moved successfully.

========================= Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup ========================

2009-07-04 15:19 - 2009-07-04 15:19 - 0000174 __ASH () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

====== End of Folder: ======

========================= Folder: C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup ========================

2009-04-04 22:35 - 2009-04-04 22:35 - 0000174 __ASH () C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

====== End of Folder: ======

========= reg delete HKCU\Software\Classes\.exe /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete HKCU\Software\Mozilla /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\MozillaPlugins /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\Mozilla /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\mozilla.org /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\MozillaPlugins /f =========

BŁĄD: System nie znalazł w rejestrze określonego klucza albo wartości.

========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /s =========

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    !Do not use this registry key    REG_SZ    Use the SHGetFolderPath or SHGetKnownFolderPath function instead
    Local AppData    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local
    My Video    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Videos
    AppData    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming
    My Pictures    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Pictures
    Desktop    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Desktop
    History    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Microsoft\Windows\History
    NetHood    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Cookies    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Cookies
    Favorites    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Favorites
    SendTo    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\SendTo
    Start Menu    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu
    My Music    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Music
    Programs    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    Recent    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Recent
    CD Burning    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Microsoft\Windows\Burn\Burn
    PrintHood    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Administrative Tools    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    Personal    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Documents
    Cache    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Templates    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\AppData\Roaming\Microsoft\Windows\Templates
    Fonts    REG_SZ    C:\Windows\Fonts

========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /s =========

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    AppData    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming
    Cache    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files
    Cookies    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Cookies
    Desktop    REG_EXPAND_SZ    %USERPROFILE%\Desktop
    Favorites    REG_EXPAND_SZ    %USERPROFILE%\Favorites
    History    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\Windows\History
    Local AppData    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local
    My Music    REG_EXPAND_SZ    %USERPROFILE%\Music
    My Pictures    REG_EXPAND_SZ    %USERPROFILE%\Pictures
    My Video    REG_EXPAND_SZ    %USERPROFILE%\Videos
    NetHood    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts
    Personal    REG_EXPAND_SZ    %USERPROFILE%\Documents
    PrintHood    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
    Programs    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    Recent    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent
    SendTo    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo
    Start Menu    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu
    Templates    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates
    {374DE290-123F-4565-9164-39C4925E467B}    REG_EXPAND_SZ    %USERPROFILE%\Downloads

========= End of Reg: =========

========= reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /s =========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common Start Menu    REG_SZ    C:\ProgramData\Microsoft\Windows\Start Menu
    CommonVideo    REG_SZ    C:\Users\Public\Videos
    CommonPictures    REG_SZ    C:\Users\Public\Pictures
    Common Programs    REG_SZ    C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    CommonMusic    REG_SZ    C:\Users\Public\Music
    Common Administrative Tools    REG_SZ    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    Common Desktop    REG_SZ    C:\Users\Public\Desktop
    Common Documents    REG_SZ    C:\Users\Public\Documents
    Common Templates    REG_SZ    C:\ProgramData\Microsoft\Windows\Templates
    Common AppData    REG_SZ    C:\ProgramData
    Personal    REG_SZ    C:\Users\Jarek i Ela.JarekiEla-PC\Documents\

========= End of Reg: =========

========= reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /s =========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Common Desktop    REG_EXPAND_SZ    %PUBLIC%\Desktop
    Common Documents    REG_EXPAND_SZ    %PUBLIC%\Documents
    CommonPictures    REG_EXPAND_SZ    %PUBLIC%\Pictures
    CommonMusic    REG_EXPAND_SZ    %PUBLIC%\Music
    CommonVideo    REG_EXPAND_SZ    %PUBLIC%\Videos
    {3D644C9B-1FB8-4f30-9B45-F670235F79C0}    REG_EXPAND_SZ    %PUBLIC%\Downloads
    Common Start Menu    REG_EXPAND_SZ    %ProgramData%\Microsoft\Windows\Start Menu
    Common Programs    REG_EXPAND_SZ    %ProgramData%\Microsoft\Windows\Start Menu\Programs
    Common Startup    REG_EXPAND_SZ    %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
    Common AppData    REG_EXPAND_SZ    %ProgramData%
    Common Templates    REG_EXPAND_SZ    %ProgramData%\Microsoft\Windows\Templates

========= End of Reg: =========

========= reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s =========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt
    DisplayName    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-205
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-204
    ObjectName    REG_SZ    localSystem
    ErrorControl    REG_DWORD    0x0
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RPCSS
    ServiceSidType    REG_DWORD    0x1
    FailureActions    REG_BINARY    840300000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain    REG_SZ    ServiceMain

========= End of Reg: =========

========= reg query HKLM\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s =========

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}
    (domyślny)    REG_SZ    Microsoft WBEM New Event Subsystem

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
    (domyślny)    REG_EXPAND_SZ    %systemroot%\system32\wbem\wbemess.dll
    ThreadingModel    REG_SZ    Both

========= End of Reg: =========

========= reg query HKLM\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s =========

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}
    (domyślny)    REG_SZ    Microsoft WBEM _WbemFetchRefresherMgr Proxy Helper

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32
    (domyślny)    REG_EXPAND_SZ    %systemroot%\system32\wbem\fastprox.dll
    ThreadingModel    REG_SZ    Free

========= End of Reg: =========

========= winmgmt /verifyrepository =========

Repozytorium WMI jest spójne.

========= End of CMD: =========

==== End of Fixlog ====