Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-03-2014 01
Ran by Monika at 2014-03-12 17:10:37 Run:1
Running from C:\!fixit
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
() C:\ProgramData\NTKernel\nt32.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WScript.exe
() C:\ProgramData\{$5365-6581-2698-7441-1850$}\nacl64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WScript.exe
HKLM-x32\...\Run: [Windows Configuration] - C:\{$5365-6581-2698-7441-1850$}\nacl64.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKU\S-1-5-21-2282721227-1211064884-3465515418-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\{$5365-6581-2698-7441-1850$}\wintask32.exe <===== ATTENTION
HKU\S-1-5-21-2282721227-1211064884-3465515418-1000\...\Winlogon: [Shell] explorer.exe,"C:\ProgramData\load32.exe" [619520 2014-02-17] () <==== ATTENTION
IFEO\avcenter.exe: [Debugger] euaie.exe
IFEO\avguard.exe: [Debugger] euaie.exe
IFEO\avp.exe: [Debugger] euaie.exe
IFEO\bdagent.exe: [Debugger] euaie.exe
IFEO\ccuac.exe: [Debugger] euaie.exe
IFEO\ComboFix.exe: [Debugger] euaie.exe
IFEO\hijackthis.exe: [Debugger] euaie.exe
IFEO\keyscrambler.exe: [Debugger] euaie.exe
IFEO\mbam.exe: [Debugger] euaie.exe
IFEO\MpCmdRun.exe: [Debugger] euaie.exe
IFEO\MSASCui.exe: [Debugger] euaie.exe
IFEO\MsMpEng.exe: [Debugger] euaie.exe
IFEO\msseces.exe: [Debugger] euaie.exe
IFEO\spybotsd.exe: [Debugger] euaie.exe
IFEO\wireshark.exe: [Debugger] euaie.exe
IFEO\zlclient.exe: [Debugger] euaie.exe
InternetURL: C:\Users\Monika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url -> 0
InternetURL: C:\Users\Monika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url -> 0
InternetURL: C:\Users\Wiktor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url -> C:\ProgramData\392817338.exe
GroupPolicyUsers\S-1-5-21-2282721227-1211064884-3465515418-1001\User: Group Policy restriction detected <======= ATTENTION
Task: {2C5B2145-0CFA-4260-8E15-67348EAE85F7} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe <==== ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
C:\{$5365-6581-2698-7441-1850$}
C:\ProgramData\{$5365-6581-2698-7441-1850$}
C:\ProgramData\NTKernel
C:\ProgramData\392817338.exe
C:\ProgramData\load32.exe
C:\Users\Monika\AppData\Local\Temp*.html
C:\Users\Monika\AppData\Local\Temp\*.exe
C:\Users\Monika\AppData\Roaming\system.ini
C:\Users\Monika\AppData\Roaming\Winamp
C:\Users\Monika\Documents\315load32.exe
Reg: reg delete "HKCU\Software\Microsoft\Windows Script" /f
Reg: reg delete "HKCU\Software\Microsoft\Windows Script Host" /f
Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
Reboot:
*****************

[3880] C:\ProgramData\NTKernel\nt32.exe => Process closed successfully.
[3112] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe => Process closed successfully.
[3340] C:\Windows\SysWOW64\WScript.exe => Process closed successfully.
[3024] C:\ProgramData\{$5365-6581-2698-7441-1850$}\nacl64.exe => Process closed successfully.
[3652] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe => Process closed successfully.
[3700] C:\Windows\SysWOW64\WScript.exe => Process closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Windows Configuration => Value deleted successfully.
HKU\S-1-5-21-2282721227-1211064884-3465515418-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
HKU\S-1-5-21-2282721227-1211064884-3465515418-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key deleted successfully.
C:\Users\Monika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url => Moved successfully.
C:\Users\Monika\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url => Moved successfully.
C:\Users\Wiktor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.ini.url => Moved successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-2282721227-1211064884-3465515418-1001\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2C5B2145-0CFA-4260-8E15-67348EAE85F7} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2C5B2145-0CFA-4260-8E15-67348EAE85F7} => Key deleted successfully.
C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
C:\{$5365-6581-2698-7441-1850$} => Moved successfully.
C:\ProgramData\{$5365-6581-2698-7441-1850$} => Moved successfully.
C:\ProgramData\NTKernel => Moved successfully.
C:\ProgramData\392817338.exe => Moved successfully.
C:\ProgramData\load32.exe => Moved successfully.
C:\Users\Monika\AppData\Local\Temp*.html => Moved successfully.
C:\Users\Monika\AppData\Local\Temp\*.exe => Moved successfully.
C:\Users\Monika\AppData\Roaming\system.ini => Moved successfully.
C:\Users\Monika\AppData\Roaming\Winamp => Moved successfully.
C:\Users\Monika\Documents\315load32.exe => Moved successfully.

========= reg delete "HKCU\Software\Microsoft\Windows Script" /f =========
Operacja ukończona pomyślnie.
========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Windows Script Host" /f =========
Operacja ukończona pomyślnie.
========= End of Reg: =========

========= reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f =========
Operacja ukończona pomyślnie.
========= End of Reg: =========

The system needed a reboot.

==== End of Fixlog ====