Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by grzegorz at 2014-04-04 19:31:59 Run:1
Running from C:\Users\grzegorz\Downloads\Nowy folder
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
HKU\S-1-5-21-3990852856-1956993013-1042417060-1001\...\Winlogon: [Shell] explorer.exe,"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" <==== ATTENTION
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\AvastUI.exe: [Debugger] nqij.exe
IFEO\avcenter.exe: [Debugger] nqij.exe
IFEO\avconfig.exe: [Debugger] nqij.exe
IFEO\avgnt.exe: [Debugger] nqij.exe
IFEO\avgrsx.exe: [Debugger] nqij.exe
IFEO\avguard.exe: [Debugger] nqij.exe
IFEO\avp.exe: [Debugger] nqij.exe
IFEO\avscan.exe: [Debugger] nqij.exe
IFEO\bdagent.exe: [Debugger] nqij.exe
IFEO\blindman.exe: [Debugger] nqij.exe
IFEO\ccuac.exe: [Debugger] nqij.exe
IFEO\ComboFix.exe: [Debugger] nqij.exe
IFEO\egui.exe: [Debugger] nqij.exe
IFEO\hijackthis.exe: [Debugger] nqij.exe
IFEO\instup.exe: [Debugger] nqij.exe
IFEO\keyscrambler.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\mbamgui.exe: [Debugger] nqij.exe
IFEO\mbampt.exe: [Debugger] nqij.exe
IFEO\mbamscheduler.exe: [Debugger] nqij.exe
IFEO\mbamservice.exe: [Debugger] nqij.exe
IFEO\MpCmdRun.exe: [Debugger] nqij.exe
IFEO\MSASCui.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\msseces.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\SDFiles.exe: [Debugger] nqij.exe
IFEO\SDMain.exe: [Debugger] nqij.exe
IFEO\SDWinSec.exe: [Debugger] nqij.exe
IFEO\spybotsd.exe: [Debugger] nqij.exe
IFEO\wireshark.exe: [Debugger] nqij.exe
IFEO\zlclient.exe: [Debugger] nqij.exe
GroupPolicyUsers\S-1-5-21-3990852856-1956993013-1042417060-1016\User: Group Policy restriction detected <======= ATTENTION
ProxyServer: 192.168.1.99.:8889
SearchScopes: HKCU - DefaultScope {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb201/?search={searchTerms}&loc=IB_DS&a=6R8RQQvEKY&i=26
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://isearch.avg.com/search?cid={828B99D2-85E0-4BAB-8EFC-721C6AFE3B60}&mid=84516ae2fd6c47d08c4abd2b2b993ca0-5b7541b455c9f6844024dfae844bfe8fa91870cf&lang=pl&ds=AVG&pr=fr&d=2012-07-11 14:41:35&v=12.2.5.32&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} URL = http://www.daemon-search.com/search?q={searchTerms}
SearchScopes: HKCU - {CFF4DB9B-135F-47c0-9269-B4C6572FD61A} URL = http://mystart.incredibar.com/mb201/?search={searchTerms}&loc=IB_DS&a=6R8RQQvEKY&i=26
Toolbar: HKLM - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
Toolbar: HKLM-x32 - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll ()
Toolbar: HKCU - DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll ()
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF HKLM\...\Firefox\Extensions: [{336D0C35-8A85-403a-B9D2-65C292C39087}] - C:\Program Files\IB Updater\Firefox
Task: {044A981B-D1B6-42F2-BE49-E024B3C7D68C} - System32\Tasks\Express FilesUpdate => C:\Program Files (x86)\ExpressFiles\EFUpdater.exe <==== ATTENTION
Task: {5A631E5F-6480-44D2-ADD8-0EF6EB3933B9} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001Core => C:\Users\grzegorz\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-15] (Google Inc.)
Task: {5C15B3C0-E859-4348-98C8-C53FC701EEE5} - System32\Tasks\Google Updater and Installer => C:\Users\grzegorz\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-15] (Google Inc.)
Task: {64A94C11-F16D-457D-8FC4-43261991FCB5} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001UA => C:\Users\grzegorz\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-15] (Google Inc.)
Task: {ECA3B344-340E-4247-A103-C31F293C5DA0} - \Program aktualizacji online firmy Adobe. No Task File
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001Core.job => C:\Users\grzegorz\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001UA.job => C:\Users\grzegorz\AppData\Local\Google\Update\GoogleUpdate.exe
S3 cpuz130; \??\C:\Users\grzegorz\AppData\Local\Temp\cpuz130\cpuz_x64.sys [X]
S3 cpuz132; \??\C:\Users\grzegorz\AppData\Local\Temp\cpuz132\cpuz132_x64.sys [X]
S3 cpuz136; \??\C:\Users\grzegorz\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
S1 MagicTune; \SystemRoot\system32\drivers\MTiCtwl.sys [X]
S3 MSICDSetup; \??\F:\CDriver64.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [X]
C:\Program Files\IB Updater
C:\Program Files (x86)\Perion
C:\Program Files (x86)\Mozilla Firefox\extensions
C:\Program Files (x86)\mozilla firefox\searchplugins
C:\Users\grzegorz\AppData\Local\CRE
C:\Users\grzegorz\AppData\Local\Google
C:\Users\grzegorz\AppData\Roaming\msconfig.ini
C:\Users\grzegorz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\Users\grzegorz\Downloads\CCleaner(13061).exe
C:\Users\grzegorz\Downloads\Registry-Life(18391).exe
C:\Users\grzegorz\tla51h49917jc
C:\Windows\SysWOW64\Windows Services
Reg: reg delete HKCU\Software\Google /f
Reg: reg delete HKLM\SOFTWARE\Wow6432Node\Google /f
Reg: reg query "HKCU\Software\Microsoft\Windows Script" /s
Reg: reg query "HKCU\Software\Microsoft\Windows Script Host" /s
Reg: reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Reboot:
*****************

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe => No running process found
HKU\S-1-5-21-3990852856-1956993013-1042417060-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\blindman.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDFiles.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDMain.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDWinSec.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key deleted successfully.
C:\Windows\system32\GroupPolicyUsers\S-1-5-21-3990852856-1956993013-1042417060-1016\User => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key deleted successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} => Key deleted successfully.
HKCR\CLSID\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A} => Key deleted successfully.
HKCR\CLSID\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{32099AAC-C132-4136-9E9A-4E364A424E17} => Value deleted successfully.
HKCR\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{32099AAC-C132-4136-9E9A-4E364A424E17} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} => Value deleted successfully.
HKCR\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key not found.
HKLM\Software\Mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{044A981B-D1B6-42F2-BE49-E024B3C7D68C} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{044A981B-D1B6-42F2-BE49-E024B3C7D68C} => Key deleted successfully.
C:\Windows\System32\Tasks\Express FilesUpdate => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Express FilesUpdate => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A631E5F-6480-44D2-ADD8-0EF6EB3933B9} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A631E5F-6480-44D2-ADD8-0EF6EB3933B9} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001Core => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001Core => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C15B3C0-E859-4348-98C8-C53FC701EEE5} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C15B3C0-E859-4348-98C8-C53FC701EEE5} => Key deleted successfully.
C:\Windows\System32\Tasks\Google Updater and Installer => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Google Updater and Installer => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{64A94C11-F16D-457D-8FC4-43261991FCB5} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{64A94C11-F16D-457D-8FC4-43261991FCB5} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001UA => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001UA => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ECA3B344-340E-4247-A103-C31F293C5DA0} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ECA3B344-340E-4247-A103-C31F293C5DA0} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Program aktualizacji online firmy Adobe. => Key deleted successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001Core.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3990852856-1956993013-1042417060-1001UA.job => Moved successfully.
cpuz130 => Service deleted successfully.
cpuz132 => Service deleted successfully.
cpuz136 => Service deleted successfully.
MagicTune => Service deleted successfully.
MSICDSetup => Service deleted successfully.
WinRing0_1_2_0 => Service deleted successfully.
"C:\Program Files\IB Updater" => File/Directory not found.
C:\Program Files (x86)\Perion => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\searchplugins => Moved successfully.
C:\Users\grzegorz\AppData\Local\CRE => Moved successfully.
C:\Users\grzegorz\AppData\Local\Google => Moved successfully.
C:\Users\grzegorz\AppData\Roaming\msconfig.ini => Moved successfully.
C:\Users\grzegorz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Moved successfully.
C:\Users\grzegorz\Downloads\CCleaner(13061).exe => Moved successfully.
C:\Users\grzegorz\Downloads\Registry-Life(18391).exe => Moved successfully.
C:\Users\grzegorz\tla51h49917jc => Moved successfully.
C:\Windows\SysWOW64\Windows Services => Moved successfully.

========= reg delete HKCU\Software\Google /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete HKLM\SOFTWARE\Wow6432Node\Google /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows Script" /s =========

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
    JITDebug    REG_DWORD    0x0

========= End of Reg: =========

========= reg query "HKCU\Software\Microsoft\Windows Script Host" /s =========

HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings

========= End of Reg: =========

========= reg query HKLM\SYSTEM\CurrentControlSet\Services\Schedule =========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours    REG_DWORD    0x48
    DisplayName    REG_SZ    @%SystemRoot%\system32\schedsvc.dll,-100
    Group    REG_SZ    SchedulerGroup
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    @%SystemRoot%\system32\schedsvc.dll,-101
    ObjectName    REG_SZ    LocalSystem
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x4
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RPCSS\0EventLog
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeIncreaseQuotaPrivilege\0SeChangeNotifyPrivilege\0SeAuditPrivilege\0SeImpersonatePrivilege\0SeAssignPrimaryTokenPrivilege\0SeTcbPrivilege\0SeRestorePrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Security

========= End of Reg: =========

The system needed a reboot.

==== End of Fixlog ====
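Added example, not part of the FRST log above and not FRST's own code: a PowerShell audit that re-checks the persistence points this fix removed, so the same host (or another one) can be verified after the reboot. The IFEO entries are the security-relevant part. A `Debugger` value under `HKLM\...\Image File Execution Options\<image>.exe` makes Windows start the named debugger instead of the image whenever that image is launched, with the original command line passed as arguments; the 33 entries above pointed every common antivirus, anti-malware and cleanup tool (Avast, Avira, AVG, Kaspersky, Bitdefender, ESET, Malwarebytes, Microsoft Security Essentials and Defender, Spybot, ComboFix, HijackThis, System Restore's rstrui.exe, even Wireshark) at `nqij.exe`, which is why none of them would run. The script also checks the Winlogon `Shell` value (the per-user override above appended `RegSvcs.exe` after `explorer.exe`, so Winlogon launched it at logon), the per-user IE proxy (the log shows one at a LAN address on port 8889), the per-user local GPO folder FRST flagged, and the start type of the Task Scheduler service (the final reg query shows `Start = 0x4`, which is Disabled). The allow-list of legitimate debugger names and the expected start type of 2 (Automatic) are assumptions made for the example.

```powershell
# Added audit script (not part of the FRST log or of FRST). Read-only: it queries
# the registry and file system. Run from an elevated prompt so other users' hives
# under HKEY_USERS are readable.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-ImageName([string]$CommandLine) {
    # File name of the executable at the start of a command line, honouring a
    # quoted path such as "C:\Program Files\Tool\dbg.exe" -p %ld -e %ld.
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        $head = if ($end -gt 0) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
    } else {
        $head = ($cl -split '\s+')[0]
    }
    return [System.IO.Path]::GetFileName($head)
}

# 1. IFEO Debugger redirections (native and Wow6432Node views). Anything not on
#    the allow-list is reported; the allow-list itself is an assumption for this
#    example and should be extended with debuggers actually used in your estate.
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'drwtsn32.exe')
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        if ($knownDebuggers -notcontains (Get-ImageName $dbg)) {
            $findings.Add("IFEO Debugger hijack: $($key.PSChildName) -> $dbg")
        }
    }
}

# 2. Winlogon Shell, machine-wide and per loaded user hive. The expected value is
#    exactly "explorer.exe"; a comma-separated list starts every listed program.
$userHives = @(Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" })
$shellKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon') + $userHives
foreach ($k in $shellKeys) {
    $shell = (Get-ItemProperty -LiteralPath $k -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell override: $k -> $shell")
    }
}

# 3. Per-user WinINet/IE proxy for the current user.
$inet = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet.ProxyServer) {
    $findings.Add("Proxy configured: $($inet.ProxyServer) (ProxyEnable = $($inet.ProxyEnable))")
}

# 4. Per-user local Group Policy objects, the location FRST flagged in the log.
$gpuDir = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'
if (Test-Path -LiteralPath $gpuDir) {
    foreach ($d in Get-ChildItem -LiteralPath $gpuDir -Directory) {
        $findings.Add("Per-user local GPO present: $($d.FullName)")
    }
}

# 5. Task Scheduler service start type: 2 = Automatic (assumed expected value),
#    4 = Disabled, which is what the reg query in the log shows (Start REG_DWORD 0x4).
$sched = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -ErrorAction SilentlyContinue
if ($sched -and $sched.Start -ne 2) {
    $findings.Add("Schedule service Start = $($sched.Start) (expected 2 = Automatic)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The IFEO check deliberately reports the image name and the full `Debugger` value rather than deleting anything; on a host like the one in the log, the output would list the same 33 image names, each redirected to `nqij.exe`, and the remediation (deleting each `IFEO\<image>.exe` key, as FRST did above) should only follow once the debugger value has been confirmed malicious.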