Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 13-03-2014
Ran by Artur at 2014-04-09 10:18:15 Run:1
Running from C:\! programy\diagnostyka\frst
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
() C:\Users\Artur\AppData\Roaming\WinRAR\MsMpCom.exe
() C:\ProgramData\335936624.exe
() C:\ProgramData\{$3483-6183-1568-3845$}\comhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\WScript.exe
(AMD) C:\Users\Artur\AppData\Roaming\WinRAR\AMD External Events Client.exe
(Malwarebytes Corporation ) C:\! programy\malavare\mbam-setup-2-0-1-1004.exe
() C:\Users\Artur\AppData\Local\Temp\is-077T1.tmp\mbam-setup-2-0-1-1004.tmp
(Malwarebytes Corporation ) C:\! programy\malavare\mbam-setup-2-0-1-1004.exe
() C:\Users\Artur\AppData\Local\Temp\is-LP2IS.tmp\mbam-setup-2-0-1-1004.tmp
HKLM-x32\...\Run: [windows COM Host] - C:\{$3483-6183-1568-3845$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows"
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\...\Run: [minerd] - C:\Users\Artur\AppData\Roaming\minerd\nircmd.exe [44032 2013-08-11] (NirSoft)
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\...\RunOnce: [Windows Base Branding] - C:\Users\Artur\AppData\Roaming\WinRAR\AMD External Events Client.exe [9728 2014-04-09] (AMD)
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\...\CurrentVersion\Windows: [Load] C:\ProgramData\335936624.exe <===== ATTENTION
IFEO\avcenter.exe: [Debugger] nsjw.exe
IFEO\avguard.exe: [Debugger] nsjw.exe
IFEO\avp.exe: [Debugger] nsjw.exe
IFEO\bdagent.exe: [Debugger] nsjw.exe
IFEO\ccuac.exe: [Debugger] nsjw.exe
IFEO\ComboFix.exe: [Debugger] nsjw.exe
IFEO\egui.exe: [Debugger] nsjw.exe
IFEO\hijackthis.exe: [Debugger] nsjw.exe
IFEO\keyscrambler.exe: [Debugger] nsjw.exe
IFEO\mbam.exe: [Debugger] nsjw.exe
IFEO\MpCmdRun.exe: [Debugger] nsjw.exe
IFEO\MSASCui.exe: [Debugger] nsjw.exe
IFEO\MsMpEng.exe: [Debugger] nsjw.exe
IFEO\msseces.exe: [Debugger] nsjw.exe
IFEO\spybotsd.exe: [Debugger] nsjw.exe
IFEO\SymcPCCULaunchSvc.exe: [Debugger] nsjw.exe
IFEO\wireshark.exe: [Debugger] nsjw.exe
IFEO\zlclient.exe: [Debugger] nsjw.exe
InternetURL: C:\Users\Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.com.url -> 0
C:\{$3483-6183-1568-3845$}
C:\ProgramData\{$3483-6183-1568-3845$}
C:\ProgramData\335936624.exe
C:\Users\Artur\AppData\Roaming\system.ini
C:\Users\Artur\AppData\Roaming\msconfig.ini
C:\Users\Artur\AppData\Roaming\minerd
C:\Users\Artur\AppData\Roaming\WinRAR
C:\Users\Artur\Downloads\FRST64.exe.part
C:\Users\Artur\Downloads\mbam-setup-2.0.1.1004.exe.part
C:\Users\Artur\Downloads\install_flashplayer*.exe
Reg: reg delete "HKCU\Software\Microsoft\Windows Script" /f
Reg: reg delete "HKCU\Software\Microsoft\Windows Script Host" /f
Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
Reboot:
*****************

[4228] C:\Users\Artur\AppData\Roaming\WinRAR\MsMpCom.exe => Process closed successfully.
[4328] C:\ProgramData\335936624.exe => Process closed successfully.
[5060] C:\ProgramData\{$3483-6183-1568-3845$}\comhost.exe => Process closed successfully.
[4944] C:\Windows\SysWOW64\WScript.exe => Process closed successfully.
[5420] C:\Users\Artur\AppData\Roaming\WinRAR\AMD External Events Client.exe => Process closed successfully.
C:\! programy\malavare\mbam-setup-2-0-1-1004.exe => No running process found
C:\Users\Artur\AppData\Local\Temp\is-077T1.tmp\mbam-setup-2-0-1-1004.tmp => No running process found
C:\! programy\malavare\mbam-setup-2-0-1-1004.exe => No running process found
C:\Users\Artur\AppData\Local\Temp\is-LP2IS.tmp\mbam-setup-2-0-1-1004.tmp => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\windows COM Host => Value deleted successfully.
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\Software\Microsoft\Windows\CurrentVersion\Run\\minerd => Value deleted successfully.
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\\Windows Base Branding => Value deleted successfully.
HKU\S-1-5-21-254236839-2745261332-4042324724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows\\Load => Value was restored successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SymcPCCULaunchSvc.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe => Key deleted successfully.
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe => Key deleted successfully.
C:\Users\Artur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.com.url => Moved successfully.
C:\{$3483-6183-1568-3845$} => Moved successfully.
C:\ProgramData\{$3483-6183-1568-3845$} => Moved successfully.
C:\ProgramData\335936624.exe => Moved successfully.
C:\Users\Artur\AppData\Roaming\system.ini => Moved successfully.
C:\Users\Artur\AppData\Roaming\msconfig.ini => Moved successfully.
C:\Users\Artur\AppData\Roaming\minerd => Moved successfully.
C:\Users\Artur\AppData\Roaming\WinRAR => Moved successfully.
"C:\Users\Artur\Downloads\FRST64.exe.part" => File/Directory not found.
"C:\Users\Artur\Downloads\mbam-setup-2.0.1.1004.exe.part" => File/Directory not found.
C:\Users\Artur\Downloads\install_flashplayer*.exe => Moved successfully.

========= reg delete "HKCU\Software\Microsoft\Windows Script" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Windows Script Host" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

The system needed a reboot.

==== End of Fixlog ====