Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-08-2014 03
Ran by Adam at 2014-08-25 19:02:20 Run:1
Running from C:\Users\Adam\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2674638956-974565503-767073827-1000\...\Winlogon: [Shell] explorer.exe, <==== ATTENTION
IFEO\AvastSvc.exe: [Debugger] nqij.exe
IFEO\AvastUI.exe: [Debugger] nqij.exe
IFEO\avcenter.exe: [Debugger] nqij.exe
IFEO\avconfig.exe: [Debugger] nqij.exe
IFEO\avgcsrvx.exe: [Debugger] nqij.exe
IFEO\avgidsagent.exe: [Debugger] nqij.exe
IFEO\avgnt.exe: [Debugger] nqij.exe
IFEO\avgrsx.exe: [Debugger] nqij.exe
IFEO\avguard.exe: [Debugger] nqij.exe
IFEO\avgui.exe: [Debugger] nqij.exe
IFEO\avgwdsvc.exe: [Debugger] nqij.exe
IFEO\Avira.OE.Systray.exe: [Debugger] nqij.exe
IFEO\avp.exe: [Debugger] nqij.exe
IFEO\avscan.exe: [Debugger] nqij.exe
IFEO\avshadow.exe: [Debugger] nqij.exe
IFEO\bdagent.exe: [Debugger] nqij.exe
IFEO\blindman.exe: [Debugger] nqij.exe
IFEO\ccuac.exe: [Debugger] nqij.exe
IFEO\ComboFix.exe: [Debugger] nqij.exe
IFEO\egui.exe: [Debugger] nqij.exe
IFEO\hijackthis.exe: [Debugger] nqij.exe
IFEO\instup.exe: [Debugger] nqij.exe
IFEO\keyscrambler.exe: [Debugger] nqij.exe
IFEO\mbam.exe: [Debugger] nqij.exe
IFEO\mbamgui.exe: [Debugger] nqij.exe
IFEO\mbampt.exe: [Debugger] nqij.exe
IFEO\mbamscheduler.exe: [Debugger] nqij.exe
IFEO\mbamservice.exe: [Debugger] nqij.exe
IFEO\MpCmdRun.exe: [Debugger] nqij.exe
IFEO\MSASCui.exe: [Debugger] nqij.exe
IFEO\MsMpEng.exe: [Debugger] nqij.exe
IFEO\msseces.exe: [Debugger] nqij.exe
IFEO\rstrui.exe: [Debugger] nqij.exe
IFEO\SDFiles.exe: [Debugger] nqij.exe
IFEO\SDMain.exe: [Debugger] nqij.exe
IFEO\SDWinSec.exe: [Debugger] nqij.exe
IFEO\spybotsd.exe: [Debugger] nqij.exe
IFEO\wireshark.exe: [Debugger] nqij.exe
IFEO\zlclient.exe: [Debugger] nqij.exe
R4 AVGIDSHA; system32\DRIVERS\avgidsha.sys [X]
S2 avgntflt; system32\DRIVERS\avgntflt.sys [X]
R4 Avgrkx64; system32\DRIVERS\avgrkx64.sys [X]
R4 Avgtdia; system32\DRIVERS\avgtdia.sys [X]
S1 avipbb; system32\DRIVERS\avipbb.sys [X]
S1 avkmgr; system32\DRIVERS\avkmgr.sys [X]
S3 FairplayKD1; \??\C:\ProgramData\MTA San Andreas All\Common\temp\FairplayKD.sys [X]
Task: {0C4C8FF9-924F-450E-91C9-1F84809385BD} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe
Task: {4D8E4CB5-8AB3-4971-9F94-97E5F557B442} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe
RemoveDirectory: C:\ProgramData\AVAST Software
RemoveDirectory: C:\ProgramData\AVG2014
RemoveDirectory: C:\ProgramData\MFAData
RemoveDirectory: C:\ProgramData\NCOTEMP
RemoveDirectory: C:\ProgramData\Norton
RemoveDirectory: C:\Users\Adam\AppData\Local\Avg2014
RemoveDirectory: C:\Users\Adam\AppData\Local\MFAData
RemoveDirectory: C:\Users\Adam\AppData\Roaming\TuneUp Software
C:\Users\Adam\AppData\Roaming\msconfig.ini
C:\Windows\SysWOW64\Windows Server
Folder: C:\OETemp
Reg: reg delete "HKCU\Software\Microsoft\Windows Script" /f
Reg: reg delete "HKCU\Software\Microsoft\Windows Script Host" /f
Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
EmptyTemp:
*****************

HKU\S-1-5-21-2674638956-974565503-767073827-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastSvc.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\AvastUI.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avcenter.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avconfig.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgcsrvx.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgidsagent.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgnt.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgrsx.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avguard.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avgwdsvc.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\Avira.OE.Systray.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avp.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avscan.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\avshadow.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bdagent.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\blindman.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ccuac.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\ComboFix.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\egui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\hijackthis.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\instup.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\keyscrambler.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbam.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamgui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbampt.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamscheduler.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\mbamservice.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MpCmdRun.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MSASCui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\MsMpEng.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\msseces.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\rstrui.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDFiles.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDMain.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\SDWinSec.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\spybotsd.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wireshark.exe" => Key deleted successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\zlclient.exe" => Key deleted successfully.
AVGIDSHA => Service not found.
avgntflt => Service deleted successfully.
Avgrkx64 => Service not found.
Avgtdia => Service not found.
avipbb => Service deleted successfully.
avkmgr => Service deleted successfully.
FairplayKD1 => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0C4C8FF9-924F-450E-91C9-1F84809385BD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C4C8FF9-924F-450E-91C9-1F84809385BD}" => Key deleted successfully.
C:\Windows\System32\Tasks\Norton Identity Safe\Norton Error Analyzer => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Identity Safe\Norton Error Analyzer" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4D8E4CB5-8AB3-4971-9F94-97E5F557B442}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D8E4CB5-8AB3-4971-9F94-97E5F557B442}" => Key deleted successfully.
C:\Windows\System32\Tasks\Norton Identity Safe\Norton Error Processor => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Norton Identity Safe\Norton Error Processor" => Key deleted successfully.
"C:\ProgramData\AVAST Software" => removed successfully.
"C:\ProgramData\AVG2014" => File/Directory not found.
"C:\ProgramData\MFAData" => removed successfully.
"C:\ProgramData\NCOTEMP" => removed successfully.
"C:\ProgramData\Norton" => removed successfully.
"C:\Users\Adam\AppData\Local\Avg2014" => File/Directory not found.
"C:\Users\Adam\AppData\Local\MFAData" => removed successfully.
"C:\Users\Adam\AppData\Roaming\TuneUp Software" => removed successfully.
C:\Users\Adam\AppData\Roaming\msconfig.ini => Moved successfully.
"C:\Windows\SysWOW64\Windows Server" => File/Directory not found.

========================= Folder: C:\OETemp ========================

2014-08-25 13:40 - 2014-08-25 13:40 - 0000082 _____ () C:\OETemp\OERegentry096995c372eb49e489841147905e0171096995c3.txt
2014-07-27 13:56 - 2014-07-27 13:56 - 0000082 _____ () C:\OETemp\OERegentry2aa75f92fab04738bf5c86ef9a9e6c3e2aa75f92.txt
2014-07-27 13:42 - 2014-07-27 13:42 - 0000082 _____ () C:\OETemp\OERegentry33a9a0d8c4d64013984325a87a1cc37c33a9a0d8.txt
2014-07-27 13:37 - 2014-07-27 13:37 - 0000082 _____ () C:\OETemp\OERegentry5cf36834db0c41dbb75fc4a293d060dc5cf36834.txt
2014-08-25 17:46 - 2014-08-25 17:46 - 0000082 _____ () C:\OETemp\OERegentryc78ca9a4fbad4a32b3096f449d751fb0c78ca9a4.txt

====== End of Folder: ======

========= reg delete "HKCU\Software\Microsoft\Windows Script" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg delete "HKCU\Software\Microsoft\Windows Script Host" /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

========= reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f =========

Operacja ukończona pomyślnie.

========= End of Reg: =========

EmptyTemp: => Removed 1.1 GB temporary data.

The system needed a reboot.

==== End of Fixlog ====