Fix result of Farbar Recovery Scan Tool (x64) Version: 28-08-2016
Ran by Marcinia (29-08-2016 09:47:36) Run:1
Running from C:\Users\Marcinia\Downloads\FRST-OlderVersion
Loaded Profiles: Marcinia (Available Profiles: Marcinia & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Task: {675B2AFB-B43A-456D-975C-14FDA3133145} - System32\Tasks\shrpubw => C:\Users\Marcinia\AppData\Roaming\{B57E0505-8B70-0F52-EA42-A6DAB926BC45}\shrpubw.exe
Task: {AD2F9C94-BFA6-4ED7-AECC-F87F321A583C} - System32\Tasks\SpyHunter4Startup => C:\Users\Marcinia\Downloads\SpyHunter 4.21.10.4585 Portable by wood\SpyHunter4.exe
RemoveDirectory: C:\Users\Marcinia\Downloads\SpyHunter 4.21.10.4585 Portable by wood
RemoveDirectory: C:\Users\Marcinia\AppData\Roaming\{B57E0505-8B70-0F52-EA42-A6DAB926BC45}
ShortcutWithArgument: C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Program uruchamiający aplikacje Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --show-app-list
ShortcutWithArgument: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Program uruchamiający aplikacje Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --show-app-list
ShortcutWithArgument: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Aplikacje Chrome\Infinite HD App.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=laealigljflmglcgncipdbmbjgjdpiim
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [**ojllf<*>] => "C:\Users\Marcinia\AppData\Local\a71b3\95b72.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [AZQworks] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Marcinia\AppData\Local\Apworks\gDrvHelper.dll
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\...\Run: [YdhPack] => regsvr32.exe C:\Users\Marcinia\AppData\Local\YdhPack\CoolXx24.dll <===== ATTENTION
RemoveDirectory: C:\Users\Marcinia\AppData\Local\a71b3
RemoveDirectory: C:\Users\Marcinia\AppData\Local\Apworks
RemoveDirectory: C:\Users\Marcinia\AppData\Local\YdhPack
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} => No File
Startup: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf033.lnk [2016-05-14]
Startup: C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRRJXRdZaWFVfMACCcH.lnk [2016-02-05]
ShortcutTarget: TRRJXRdZaWFVfMACCcH.lnk -> C:\Users\Marcinia\AppData\Local\Temp\tibia86.exe (No File)
BootExecute: autocheck autochk * sh4native Sh4Removal
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF DefaultSearchEngine: Yahoo®
FF SelectedSearchEngine: Yahoo®
CHR DefaultSearchURL: Default -> hxxp://feed.safefinder.biz/?fext=true&publisherid=51218&publisher=extensiondefaultap&st=ed&q={searchTerms}
CHR DefaultSearchKeyword: Default -> SafeFinder
S2 tmrkfoj; C:\WINDOWS\System32\zyzkamhd.dll [X]
S1 bwlhzojn; \??\C:\WINDOWS\system32\drivers\bwlhzojn.sys [X]
S1 epp; \??\C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [X]
S3 esgiguard; \??\C:\Users\Marcinia\Downloads\SpyHunter 4.21.10.4585 Portable by wood\esgiguard.sys [X]
S1 gwbmdsow; \??\C:\WINDOWS\system32\drivers\gwbmdsow.sys [X]
R4 IOMap; \??\C:\WINDOWS\system32\drivers\IOMap64.sys [X]
S1 wqvidjlq; \??\C:\WINDOWS\system32\drivers\wqvidjlq.sys [X]
U3 pxldypog; \??\C:\Users\Marcinia\AppData\Local\Temp\pxldypog.sys [X]
1602-05-15 16:07 - 1602-05-15 16:07 - 0004924 _____ () C:\Users\Marcinia\AppData\Roaming\-H2kh7EUAp.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0127876 _____ () C:\Users\Marcinia\AppData\Roaming\9bMSRfc3nd.cerber
2016-02-04 00:18 - 2016-02-04 00:18 - 0697360 ___SH () C:\Users\Marcinia\AppData\Roaming\AZWIQObFgKSgUfEYL
1602-05-15 16:07 - 1602-05-15 16:07 - 6494620 _____ () C:\Users\Marcinia\AppData\Roaming\bapBplEat2.cerber
1997-02-18 02:00 - 1997-02-18 02:00 - 0002345 _____ () C:\Users\Marcinia\AppData\Roaming\Bathyscape.aCP
1994-08-23 01:00 - 1994-08-23 01:00 - 0126185 _____ () C:\Users\Marcinia\AppData\Roaming\Caribou.cpt
1602-05-15 16:07 - 1602-05-15 16:07 - 0000796 _____ () C:\Users\Marcinia\AppData\Roaming\Dkk_AGqKNN.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0000482 _____ () C:\Users\Marcinia\AppData\Roaming\fBDL6VNuGv.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0126842 _____ () C:\Users\Marcinia\AppData\Roaming\fMBiN_cDJf.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0000430 _____ () C:\Users\Marcinia\AppData\Roaming\GtJqbKKaI9.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0005942 _____ () C:\Users\Marcinia\AppData\Roaming\gWVBj7acDS.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0018810 _____ () C:\Users\Marcinia\AppData\Roaming\hADoDY1aGA.cerber
2016-05-13 17:44 - 2016-05-13 17:44 - 1626652 _____ () C:\Users\Marcinia\AppData\Roaming\Holddex.tst
1602-05-15 16:07 - 1602-05-15 16:07 - 0000796 _____ () C:\Users\Marcinia\AppData\Roaming\q7Q1PL4Z_0.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 0065614 _____ () C:\Users\Marcinia\AppData\Roaming\ShjUVq0rgD.cerber
2016-02-04 00:18 - 2016-02-04 00:18 - 0061515 ___SH () C:\Users\Marcinia\AppData\Roaming\TRRJXRdZaWFVfMACCcH.au3
1602-05-15 16:07 - 1602-05-15 16:07 - 0014868 _____ () C:\Users\Marcinia\AppData\Roaming\wOXSofHjJU.cerber
1602-05-15 16:07 - 1602-05-15 16:07 - 2279970 _____ () C:\Users\Marcinia\AppData\Roaming\zGv-fxJiAS.cerber
C:\Users\Marcinia\AppData\Roaming\Microsoft\*.dll
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\SMRecorder.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\Uninstall.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\Website.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk
C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRRJXRdZaWFVfMACCcH.lnk
Reg: reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s
EmptyTemp:
*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{675B2AFB-B43A-456D-975C-14FDA3133145}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{675B2AFB-B43A-456D-975C-14FDA3133145}" => key removed successfully
C:\WINDOWS\System32\Tasks\shrpubw => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\shrpubw" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AD2F9C94-BFA6-4ED7-AECC-F87F321A583C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD2F9C94-BFA6-4ED7-AECC-F87F321A583C}" => key removed successfully
C:\WINDOWS\System32\Tasks\SpyHunter4Startup => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpyHunter4Startup" => key removed successfully
"C:\Users\Marcinia\Downloads\SpyHunter 4.21.10.4585 Portable by wood" => not found.
"C:\Users\Marcinia\AppData\Roaming\{B57E0505-8B70-0F52-EA42-A6DAB926BC45}" => removed successfully.
C:\Users\Marcinia\AppData\Local\Google\Chrome\User Data\Program uruchamiający aplikacje Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome\Program uruchamiający aplikacje Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Aplikacje Chrome\Infinite HD App.lnk => Shortcut argument removed successfully.
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\Software\Microsoft\Windows\CurrentVersion\Run\\**ojllf<*> => value removed successfully
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AZQworks => value removed successfully
HKU\S-1-5-21-1922820034-4019851082-616782839-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YdhPack => value removed successfully
"C:\Users\Marcinia\AppData\Local\a71b3" => removed successfully.
"C:\Users\Marcinia\AppData\Local\Apworks" => removed successfully.
"C:\Users\Marcinia\AppData\Local\YdhPack" => removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0PerformanceMonitor" => key removed successfully
HKCR\CLSID\{3B5B973C-92A4-4855-9D3F-0F3D23332208} => key not found.
C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf033.lnk => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRRJXRdZaWFVfMACCcH.lnk => moved successfully
C:\Users\Marcinia\AppData\Local\Temp\tibia86.exe => not found.
hklm\System\CurrentControlSet\Control\Session Manager\\BootExecute => value restored successfully
"HKU\S-1-5-21-1922820034-4019851082-616782839-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
Firefox DefaultSearchEngine removed successfully
Firefox SelectedSearchEngine removed successfully
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
tmrkfoj => service removed successfully
bwlhzojn => service removed successfully
epp => service removed successfully
esgiguard => service removed successfully
gwbmdsow => service removed successfully
IOMap => Unable to stop service.
IOMap => service removed successfully
wqvidjlq => service removed successfully
pxldypog => service not found.
C:\Users\Marcinia\AppData\Roaming\-H2kh7EUAp.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\9bMSRfc3nd.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\AZWIQObFgKSgUfEYL => moved successfully
C:\Users\Marcinia\AppData\Roaming\bapBplEat2.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\Bathyscape.aCP => moved successfully
C:\Users\Marcinia\AppData\Roaming\Caribou.cpt => moved successfully
C:\Users\Marcinia\AppData\Roaming\Dkk_AGqKNN.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\fBDL6VNuGv.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\fMBiN_cDJf.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\GtJqbKKaI9.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\gWVBj7acDS.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\hADoDY1aGA.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\Holddex.tst => moved successfully
C:\Users\Marcinia\AppData\Roaming\q7Q1PL4Z_0.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\ShjUVq0rgD.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\TRRJXRdZaWFVfMACCcH.au3 => moved successfully
C:\Users\Marcinia\AppData\Roaming\wOXSofHjJU.cerber => moved successfully
C:\Users\Marcinia\AppData\Roaming\zGv-fxJiAS.cerber => moved successfully

=========== "C:\Users\Marcinia\AppData\Roaming\Microsoft\*.dll" ==========

C:\Users\Marcinia\AppData\Roaming\Microsoft\1eaadjc.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\AdjMmsVista.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\bass.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\kfgresk.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\mjcriu.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\peaadje.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\qwadjb.dll => moved successfully
C:\Users\Marcinia\AppData\Roaming\Microsoft\rsaadjd.dll => moved successfully

========= End -> "C:\Users\Marcinia\AppData\Roaming\Microsoft\*.dll" ========

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\SMRecorder.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\Uninstall.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SMRecorder\Website.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client\FileZilla.lnk => moved successfully
"C:\Users\Marcinia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRRJXRdZaWFVfMACCcH.lnk" => not found.

========= reg query HKLM\SYSTEM\CurrentControlSet\services\Winmgmt /s =========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt
    DisplayName    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-205
    ErrorControl    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    Description    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-204
    DependOnService    REG_MULTI_SZ    RPCSS
    ObjectName    REG_SZ    localSystem
    ServiceSidType    REG_DWORD    0x1
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceMain    REG_SZ    ServiceMain
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll

========= End of Reg: =========

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12814244 B
Java, Flash, Steam htmlcache => 61116998 B
Windows/system/drivers => 12708248 B
Edge => 0 B
Chrome => 650178108 B
Firefox => 11808345 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 3162 B
NetworkService => 0 B
Marcinia => 268143971 B
Guest => 0 B
RecycleBin => 0 B

EmptyTemp: => 977.7 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 09:47:43 ====