
explorer.exe http://kb-ribaki.org still coming back


This topic is locked
17 replies to this topic

#1 Antofima


Posted 28 February 2017 - 03:43 PM

Hello Dears

 

I have been fighting with this for a few days. I give up. Please help. I tried a few programs including SpybotSnD and ADWCleaner... nothing was found, but I know that it is explorer.exe http://kb-ribaki.org. I turned it off in StartUp in the system configuration and deleted it manually in the registry, but after a reboot the problem returns.

Please help!
Cheers


#2 olgun52

Malware Response Team

Posted 28 February 2017 - 04:12 PM

Hello Antofima and welcome to BleepingComputer. :welcome:

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I will assume that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here.

Thanks

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely
:hello:


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

Malware Response Team

Posted 28 February 2017 - 05:28 PM

Hi Antofima;

G:\Crack\avatar_1.01_americas_europe.exe -d G:\Crack

 

Crack and keygen!
This is the main reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, BC does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.
==========================================================================================

 

Download CKScanner from here

Important : Save it to your desktop.

  • Doubleclick CKScanner.exe and click Search For Files.(If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on CKScanner.exe and select Run as Administrator)
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

===========================================================================================

ZoneAlarm Firewall
Outpost Firewall Pro  (Enabled)
Windows Defender      (Enabled)

 

 

Multiple Firewall Programs installed!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time.

It can also lead to a clash as both products fight for access to files which are opened again; this is the resident/automatic protection. In general terms, the two programs may conflict and cause. Firewall programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two firewall programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

 

My suggestion is that you uninstall this software:

ZoneAlarm Security
ZoneAlarm Firewall
Outpost Firewall Pro

and restart the PC.
========================================================================================
Please uninstall the following via Start -> (or My Computer) -> Control Panel -> (Programs) -> Programs and Features if it still exists:
µTorrent
MyFreeCodec
Rocket Mania

Crack

And restart the PC.

==================================================================

Let me know if that completes ok...

 



 


 


#4 Antofima


Posted 01 March 2017 - 06:02 AM

Hello Olgun52

 

I logged in as administrator as always. G:\ is a CD drive so I can't remove whatever is there. When I scanned yesterday the CD drive was empty. Moreover, I don't have any software called avatar. Please help me get this out of my computer.

Below you can find result from CKScanner

===========================================================

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad

scanner sequence 3.MN.11.BOLBQ0
 ----- EOF ----- 
===========================================================
 
I don't have ZoneAlarm Firewall. I uninstalled it many months ago. I don't have it in the list in Programs and Features. Windows Defender also. I have only Outpost and the rest was uninstalled. PC restart done.
 
Regards


#5 olgun52

Malware Response Team

Posted 01 March 2017 - 07:32 AM

Hi again,

I understand you.

 

Please run these now.

ZoneAlarm Uninstall Tool Download
https://www.bleepingcomputer.com/download/zonealarm-uninstall-tool/

Agnitum Outpost Uninstall Utility
http://www.techspot.com/downloads/5380-agnitum-outpost-uninstaller.html

 

Uninstall Ad-Aware

http://www.lavasoft.com/mylavasoft/support/supportcenter/technicalproblems/faqs/how-to-uninstall-0

or;

http://www.wikihow.com/Uninstall-Ad-Aware-Free-Internet-Security

 

And restart the PC now.

================================================================================

 

Attention:

Download Rkill and MalwareBytes3 software to your desktop before entering secure mode.
Please update MalwareBytes software

================================

Boot into Safe Mode
Reboot your computer in Safe Mode.

  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

Please do the following

Step 1:

Ensure your external and/or USB drives are inserted during the scan
 
Run FRST fixlist
 
Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
Save it to the Desktop, and name it: fixlist.txt

CreateRestorePoint:
CloseProcesses:
Task: {18DCC6AB-51CB-482C-9655-9FE94DD48887} - System32\Tasks\{05322B81-D656-4CB3-90D5-8697D28ADA42} => pcalua.exe -a G:\Crack\avatar_1.01_americas_europe.exe -d G:\Crack
Task: {A108A805-633C-470D-B671-F5EE0653E90A} - System32\Tasks\ESET Windows 10 upgrade – Refresh settings => C:\Program Files\Common Files\AV\ESET NOD32 Antivirus 5.0\upgrade.exe [2017-02-22] (ESET)
Task: {CF04DEEB-7444-4234-90BE-D2ECF7A89981} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {F4F7F65B-B729-4A4C-88A9-AFC06BF42C43} - System32\Tasks\Antofima => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antofima /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org" <==== UWAGA
Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [128]
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939 [114]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4035152 2011-09-22] (ESET)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Run: [Antofima] => explorer.exe hxxp://kb-ribaki.org <===== UWAGA
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\Explorer: []
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: H - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {1e9af1f5-e41a-11e3-a9cc-902b34d39f88} - H:\LG_PC_Programs.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {26a1d2cb-785c-11e2-88cc-806e6f6e6963} - F:\Run.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {d6f38641-e10f-11e4-8e35-902b34d39f88} - H:\LaunchU3.exe -a
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d4dd-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d4ee-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d504-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
GroupPolicy: Ograniczenia - Chrome <======= UWAGA
GroupPolicy\User: Ograniczenia <======= UWAGA
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
Toolbar: HKU\S-1-5-21-2595044450-1527691396-1111390530-1000 -> Brak nazwy - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  Brak pliku
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.http", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.http_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.no_proxies_on", "localhost, 127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.share_proxy_settings", false);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.socks", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.socks_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.ssl", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.ssl_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.type", 5);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.http", "127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.http_port", 8888);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.no_proxies_on", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.share_proxy_settings", false);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.socks", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.socks_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.ssl", "127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.ssl_port", 8888);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.type", 1);
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: (ESET Smart Security Extension) - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014-11-29] [Brak podpisu cyfrowego]
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [974944 2011-09-22] (ESET)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [202576 2011-08-09] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [146432 2011-08-04] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [137144 2011-08-04] (ESET)
U3 aqe3ig9o; C:\Windows\System32\Drivers\aqe3ig9o.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
U3 auhi2t7m; C:\Windows\System32\Drivers\auhi2t7m.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
2017-02-28 10:25 - 2017-02-28 12:19 - 00000496 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2017-02-28 10:25 - 2017-02-28 10:25 - 00003434 _____ C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2017-02-28 10:24 - 2017-02-28 12:12 - 00000000 ____D C:\ProgramData\Lavasoft
2017-02-28 10:17 - 2009-06-10 22:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170228-101741.backup
2017-02-28 09:24 - 2017-02-28 09:24 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2017-02-28 08:32 - 2017-02-28 12:13 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
C:\Windows\wininit.ini
2017-02-22 13:39 - 2015-08-04 18:32 - 00003350 _____ C:\Windows\System32\Tasks\ESET Windows 10 upgrade – Refresh settings
2017-02-18 12:54 - 2013-02-17 14:05 - 00000000 ____D C:\Users\Antofima\AppData\Roaming\uTorrent
C:\Users\Antofima\AppData\Roaming\ezpinst.exe
FW: Outpost Firewall Pro (Enabled) {F20EB802-E8F1-2672-C701-E680BB11EFAB}
Task: {18DCC6AB-51CB-482C-9655-9FE94DD48887} - System32\Tasks\{05322B81-D656-4CB3-90D5-8697D28ADA42} => pcalua.exe -a G:\Crack\avatar_1.01_americas_europe.exe -d G:\Crack
Task: {DFDA36F3-EB5B-4B5F-8101-79DA89C21EF1} - System32\Tasks\{51EFFDF5-8B4F-4D66-B107-B296314E3FBE} => pcalua.exe -a F:\Instalki\Programy\ZoneAlarm\zapSetup_80_400_020_en.exe -d F:\Instalki\Programy\ZoneAlarm
2013-12-01 16:08 - 2013-07-31 12:37 - 00183296 _____ () C:\Program Files\Agnitum\Outpost Firewall Pro\zlib.dll
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
FirewallRules: [{95584096-3F78-42E0-BA3A-E8A166A9346A}] => (Allow) C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
FirewallRules: [{5F52FB43-E8C8-4513-B647-EBACF8E6709E}] => (Allow) C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
FirewallRules: [{BB5A6486-DFCF-4A2C-BD30-8032B4C6F409}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{CE3F7577-8973-4987-9C10-221B8E553F37}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{84C2A6D1-6834-4363-BCB1-CFD50EF8E3FB}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F2659E14-726D-40F1-9F1A-BB5C4C96CEC9}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D07D50DD-5922-42D0-8951-5B6908CD32BB}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AC62425B-FFD3-433F-A334-1D62036A0DE1}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
HKLM\...\Run: [OutpostMonitor] => C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe [4650352 2013-09-30] (Agnitum Ltd.)
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hoo~1.dll => c:\Program Files\Agnitum\Outpost Firewall Pro\wl_hook64.dll [1103568 2013-09-27] (Agnitum Ltd.)
AppInit_DLLs-x32: c:\progra~1\agnitum\outpos~1\wl_hook.dll => c:\Program Files\Agnitum\Outpost Firewall Pro\wl_hook.dll [821848 2013-09-27] (Agnitum Ltd.)
R2 acssrv; C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe [3346360 2013-09-30] (Agnitum Ltd.)
C:\Program Files\Agnitum
C:\Program Files (x86)\CheckPoint
S3 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -service [X]
R1 afw; C:\Windows\System32\DRIVERS\afw.sys [40544 2012-10-16] (Agnitum Ltd.)
R3 afwcore; C:\Windows\System32\drivers\afwcore.sys [469200 2013-07-24] (Agnitum Ltd.)
U3 aqe3ig9o; C:\Windows\System32\Drivers\aqe3ig9o.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
U3 auhi2t7m; C:\Windows\System32\Drivers\auhi2t7m.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
C:\Windows\wininit.ini
CMD: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
Hosts:

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please run FRST, and press the Fix button, just once, and wait.

When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

 

Next >>>Safe Mode

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe
2. rkill.com
3. rkill.scr
4. WiNlOgOn.exe
5. uSeRiNiT.exe

 
next....

  • Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-xxxxx.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The scan log is available through History -> Application logs. Please post its contents in your next reply.

Edited by olgun52, 01 March 2017 - 07:38 AM.

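The fixlist in the post above shows why deleting the Run value by hand never stuck: a scheduled task (System32\Tasks\Antofima) runs "cmd.exe /c REG ADD ...\CurrentVersion\Run /v Antofima ..." and re-creates the value that launches "explorer.exe hxxp://kb-ribaki.org" at every logon, so both the task and the value have to go. The following Python script is an added example for this thread, not FRST code and not something anyone in the thread posted: it parses FRST-style "Task:" and "...\Run:" lines, spots task actions that write to a Run key, and pairs them with the live Run value they keep re-creating. The sample lines are constructed here, modelled on the lines quoted above; the line formats are assumed from what FRST prints on this page, and the script only reads text, it does not touch the registry.

```python
"""Correlate FRST-style scheduled-task lines with Run-key entries to explain why a
deleted Run value keeps coming back: a task re-creates it with 'reg add' at logon.
Added example for this thread; not FRST code and not part of the thread."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the lines quoted in the fixlist above.
SAMPLE_FRST_LINES = r"""
Task: {F4F7F65B-B729-4A4C-88A9-AFC06BF42C43} - System32\Tasks\Antofima => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antofima /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org" <==== UWAGA
Task: {CF04DEEB-7444-4234-90BE-D2ECF7A89981} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4035152 2011-09-22] (ESET)
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Run: [Antofima] => explorer.exe hxxp://kb-ribaki.org <===== UWAGA
""".strip().splitlines()

# Line shapes as FRST prints them on this page (assumed, not an official grammar).
TASK_RE = re.compile(r"^Task: (?:\{[0-9A-Fa-f-]+\} - )?(?P<name>.+?) => (?P<action>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<value>[^\]]*)\] => (?P<command>.+)$")
# 'reg add <key> ... /v <name> ... /d <data>' inside a task action.
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(?P<key>\"[^\"]+\"|\S+)(?P<rest>.*)", re.I)
VALUE_RE = re.compile(r"/v\s+(?P<v>\"[^\"]+\"|\S+)", re.I)
DATA_RE = re.compile(r"/d\s+(?P<d>\"[^\"]*\"|\S+)", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# explorer.exe handed a URL opens it in the default browser at logon.
URL_LAUNCH_RE = re.compile(r"\bexplorer(?:\.exe)?\s+\"?(?:hxxps?|https?)://", re.I)


def strip_marker(text: str) -> str:
    """Drop FRST's trailing attention marker ('<==== UWAGA' in the Polish build)."""
    return re.sub(r"\s*<=+.*$", "", text).strip()


def parse_tasks(lines: List[str]) -> List[Dict[str, str]]:
    """Scheduled-task entries: task path and the command it runs."""
    out = []
    for line in lines:
        m = TASK_RE.match(line.strip())
        if m:
            out.append({"name": m["name"], "action": strip_marker(m["action"])})
    return out


def parse_run_entries(lines: List[str]) -> List[Dict[str, str]]:
    """Run-key entries: hive, value name and the command that runs at logon."""
    out = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            out.append({"hive": m["hive"], "value": m["value"],
                        "command": strip_marker(m["command"])})
    return out


def run_key_write(action: str) -> Optional[Dict[str, str]]:
    """If a task action re-creates a Run value via 'reg add', return key, value name and data."""
    m = REG_ADD_RE.search(action)
    if not m:
        return None
    key = m["key"].strip('"')
    if not RUN_KEY_RE.search(key):
        return None
    v = VALUE_RE.search(m["rest"])
    d = DATA_RE.search(m["rest"])
    return {"key": key,
            "value_name": v["v"].strip('"') if v else "(default)",
            "data": d["d"].strip('"') if d else ""}


def launches_url(command: str) -> bool:
    """True when the command hands a URL to explorer.exe, i.e. opens a website at logon."""
    return URL_LAUNCH_RE.search(command) is not None


def correlate(lines: List[str]) -> List[Dict[str, object]]:
    """Pair each Run-key-writing task with the Run value it keeps re-creating."""
    run_by_name = {r["value"].lower(): r for r in parse_run_entries(lines)}
    findings = []
    for task in parse_tasks(lines):
        write = run_key_write(task["action"])
        if write is None:
            continue
        live = run_by_name.get(write["value_name"].lower())
        findings.append({
            "task": task["name"],
            "value_name": write["value_name"],
            "task_data": write["data"],
            "run_command": live["command"] if live else None,
            "launches_url": launches_url(write["data"]),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_FRST_LINES):
        print(f"task '{f['task']}' re-adds Run value '{f['value_name']}' -> {f['task_data']!r}; "
              f"value currently present: {f['run_command'] is not None}; opens URL: {f['launches_url']}")
```

Run against the sample it reports exactly one finding, the Antofima task, and shows that the value it writes is the same one currently present in the user's HKU Run key. The point for cleanup is the pairing: removing the Run value alone (as the original poster did) leaves the task in place, and removing the task alone leaves the value until the next run, which is why the fixlist above deletes both.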

 


 


#6 Antofima


Posted 01 March 2017 - 10:43 AM

I got stuck while uninstalling Outpost. I downloaded clean64 and I cannot run it in normal mode, so I rebooted the PC in safe mode and ran clean.exe. A message appeared that after uninstalling Outpost the PC will be rebooted. I clicked OK. After a few minutes all icons were deleted from the desktop, including rkill and mb3-setup... which I downloaded earlier, and FRST and the file fixlist.txt were also deleted. Basically only the trash and My Computer were left. I waited half an hour but nothing happened. I rebooted the PC manually to normal mode. What should I do now? Should I skip this and reboot in safe mode and start from step 1?



#7 olgun52

Malware Response Team

Posted 01 March 2017 - 11:45 AM

What should I do now? Should I skip this and reboot in safe mode and start from step 1?

 

(FRST Fixlist + rkill + Mbam)
Try doing all of these in Safe Mode. It will be effective in malware cleaning.

If there is a problem, at least do the fixlist process in Safe Mode.



 


 


#8 Antofima


Posted 01 March 2017 - 01:06 PM

OK, done. Below is the fixlog from FRST.

 

====================================================================================================================

Rezultat naprawy Farbar Recovery Scan Tool (x64) Wersja: 01-03-2017
Uruchomiony przez Antofima (01-03-2017 18:36:27) Run:1
Uruchomiony z C:\Users\Antofima\Desktop
Załadowane profile: Antofima (Dostępne profile: Antofima)
Tryb startu: Safe Mode (minimal)
==============================================
 
fixlist - zawartość:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {18DCC6AB-51CB-482C-9655-9FE94DD48887} - System32\Tasks\{05322B81-D656-4CB3-90D5-8697D28ADA42} => pcalua.exe -a G:\Crack\avatar_1.01_americas_europe.exe -d G:\Crack
Task: {A108A805-633C-470D-B671-F5EE0653E90A} - System32\Tasks\ESET Windows 10 upgrade – Refresh settings => C:\Program Files\Common Files\AV\ESET NOD32 Antivirus 5.0\upgrade.exe [2017-02-22] (ESET)
Task: {CF04DEEB-7444-4234-90BE-D2ECF7A89981} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {F4F7F65B-B729-4A4C-88A9-AFC06BF42C43} - System32\Tasks\Antofima => cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Antofima /t REG_SZ /d "explorer.exe hxxp://kb-ribaki.org" <==== UWAGA
Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [128]
AlternateDataStreams: C:\ProgramData\TEMP:A1EDB939 [114]
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [4035152 2011-09-22] (ESET)
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Run: [Antofima] => explorer.exe hxxp://kb-ribaki.org <===== UWAGA
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\Policies\Explorer: []
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: H - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {1e9af1f5-e41a-11e3-a9cc-902b34d39f88} - H:\LG_PC_Programs.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {26a1d2cb-785c-11e2-88cc-806e6f6e6963} - F:\Run.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {d6f38641-e10f-11e4-8e35-902b34d39f88} - H:\LaunchU3.exe -a
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d4dd-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d4ee-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\...\MountPoints2: {ecf9d504-41f4-11e6-b554-902b34d39f88} - H:\autorun.exe
GroupPolicy: Ograniczenia - Chrome <======= UWAGA
GroupPolicy\User: Ograniczenia <======= UWAGA
CHR HKLM\SOFTWARE\Policies\Google: Ograniczenia <======= UWAGA
Toolbar: HKU\S-1-5-21-2595044450-1527691396-1111390530-1000 -> Brak nazwy - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  Brak pliku
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.http", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.http_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.no_proxies_on", "localhost, 127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.share_proxy_settings", false);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.socks", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.socks_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.ssl", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.ssl_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.disabled.network.proxy.type", 5);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.http", "127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.http_port", 8888);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.no_proxies_on", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.share_proxy_settings", false);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.socks", "");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.socks_port", 0);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.ssl", "127.0.0.1");
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.ssl_port", 8888);
FF NetworkProxy: Mozilla\Firefox\Profiles\1snx07mr.default -> user_pref("extensions.charles.settings.enabled.network.proxy.type", 1);
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF Extension: (ESET Smart Security Extension) - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2014-11-29] [Brak podpisu cyfrowego]
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [974944 2011-09-22] (ESET)
R2 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [202576 2011-08-09] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [146432 2011-08-04] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [137144 2011-08-04] (ESET)
U3 aqe3ig9o; C:\Windows\System32\Drivers\aqe3ig9o.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
U3 auhi2t7m; C:\Windows\System32\Drivers\auhi2t7m.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
2017-02-28 10:25 - 2017-02-28 12:19 - 00000496 _____ C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2017-02-28 10:25 - 2017-02-28 10:25 - 00003434 _____ C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2017-02-28 10:24 - 2017-02-28 12:12 - 00000000 ____D C:\ProgramData\Lavasoft
2017-02-28 10:17 - 2009-06-10 22:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170228-101741.backup
2017-02-28 09:24 - 2017-02-28 09:24 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2017-02-28 08:32 - 2017-02-28 12:13 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
C:\Windows\wininit.ini
2017-02-22 13:39 - 2015-08-04 18:32 - 00003350 _____ C:\Windows\System32\Tasks\ESET Windows 10 upgrade – Refresh settings
2017-02-18 12:54 - 2013-02-17 14:05 - 00000000 ____D C:\Users\Antofima\AppData\Roaming\uTorrent
C:\Users\Antofima\AppData\Roaming\ezpinst.exe
FW: Outpost Firewall Pro (Enabled) {F20EB802-E8F1-2672-C701-E680BB11EFAB}
Task: {18DCC6AB-51CB-482C-9655-9FE94DD48887} - System32\Tasks\{05322B81-D656-4CB3-90D5-8697D28ADA42} => pcalua.exe -a G:\Crack\avatar_1.01_americas_europe.exe -d G:\Crack
Task: {DFDA36F3-EB5B-4B5F-8101-79DA89C21EF1} - System32\Tasks\{51EFFDF5-8B4F-4D66-B107-B296314E3FBE} => pcalua.exe -a F:\Instalki\Programy\ZoneAlarm\zapSetup_80_400_020_en.exe -d F:\Instalki\Programy\ZoneAlarm
2013-12-01 16:08 - 2013-07-31 12:37 - 00183296 _____ () C:\Program Files\Agnitum\Outpost Firewall Pro\zlib.dll
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
FirewallRules: [{95584096-3F78-42E0-BA3A-E8A166A9346A}] => (Allow) C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
FirewallRules: [{5F52FB43-E8C8-4513-B647-EBACF8E6709E}] => (Allow) C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
FirewallRules: [{BB5A6486-DFCF-4A2C-BD30-8032B4C6F409}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{CE3F7577-8973-4987-9C10-221B8E553F37}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{84C2A6D1-6834-4363-BCB1-CFD50EF8E3FB}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F2659E14-726D-40F1-9F1A-BB5C4C96CEC9}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D07D50DD-5922-42D0-8951-5B6908CD32BB}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AC62425B-FFD3-433F-A334-1D62036A0DE1}] => (Allow) C:\Users\Antofima\AppData\Roaming\uTorrent\uTorrent.exe
HKLM\...\Run: [OutpostMonitor] => C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe [4650352 2013-09-30] (Agnitum Ltd.)
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hoo~1.dll => c:\Program Files\Agnitum\Outpost Firewall Pro\wl_hook64.dll [1103568 2013-09-27] (Agnitum Ltd.)
AppInit_DLLs-x32: c:\progra~1\agnitum\outpos~1\wl_hook.dll => c:\Program Files\Agnitum\Outpost Firewall Pro\wl_hook.dll [821848 2013-09-27] (Agnitum Ltd.)
R2 acssrv; C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe [3346360 2013-09-30] (Agnitum Ltd.)
C:\Program Files\Agnitum
C:\Program Files (x86)\CheckPoint
S3 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe -service [X]
R1 afw; C:\Windows\System32\DRIVERS\afw.sys [40544 2012-10-16] (Agnitum Ltd.)
R3 afwcore; C:\Windows\System32\drivers\afwcore.sys [469200 2013-07-24] (Agnitum Ltd.)
U3 aqe3ig9o; C:\Windows\System32\Drivers\aqe3ig9o.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
U3 auhi2t7m; C:\Windows\System32\Drivers\auhi2t7m.sys [0 ] (Marvell Semiconductor, Inc.) <==== UWAGA (zerobajtowy plik/folder)
C:\Windows\wininit.ini
CMD: ipconfig /flushdns
RemoveProxy:
EmptyTemp:
Hosts:
*****************
 
Błąd: Punkt przywracania można utworzyć tylko w trybie normalnym.
Procesy zostały pomyślnie zamknięte.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{18DCC6AB-51CB-482C-9655-9FE94DD48887} => klucz pomyślnie usunięto
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{18DCC6AB-51CB-482C-9655-9FE94DD48887} => klucz pomyślnie usunięto
C:\Windows\System32\Tasks\{05322B81-D656-4CB3-90D5-8697D28ADA42} => pomyślnie przeniesiono
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{05322B81-D656-4CB3-90D5-8697D28ADA42} => klucz pomyślnie usunięto
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A108A805-633C-470D-B671-F5EE0653E90A} => klucz nie znaleziono. 
C:\Windows\System32\Tasks\ESET Windows 10 upgrade – Refresh settings => pomyślnie przeniesiono
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ESET Windows 10 upgrade – Refresh settings => klucz pomyślnie usunięto
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CF04DEEB-7444-4234-90BE-D2ECF7A89981} => klucz nie znaleziono. 
C:\Windows\System32\Tasks\Ad-Aware Update (Weekly) => nie znaleziono.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ad-Aware Update (Weekly) => klucz nie znaleziono. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F4F7F65B-B729-4A4C-88A9-AFC06BF42C43} => klucz pomyślnie usunięto
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4F7F65B-B729-4A4C-88A9-AFC06BF42C43} => klucz pomyślnie usunięto
C:\Windows\System32\Tasks\Antofima => pomyślnie przeniesiono
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Antofima => klucz pomyślnie usunięto
C:\Windows\Tasks\Ad-Aware Update (Weekly).job => nie znaleziono.
C:\ProgramData\TEMP => ":792D4CF1" ADS pomyślnie usunięto.
C:\ProgramData\TEMP => ":A1EDB939" ADS pomyślnie usunięto.
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
Operacja ukończona pomyślnie.
 
 
 
========= Koniec  Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
Operacja ukończona pomyślnie.
 
 
 
========= Koniec  Reg: =========
 
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe => pomyślnie przeniesiono
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe => pomyślnie przeniesiono
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\egui => Wartość pomyślnie usunięto
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Wartość pomyślnie usunięto
HKU\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Antofima => Wartość nie znaleziono.
 
=======================================================================================================================


#9 Antofima (Topic Starter, Members, 9 posts)

Posted 01 March 2017 - 01:07 PM

And from mb3

 

=====================================================================

 

Malwarebytes
www.malwarebytes.com
 
-Szczegóły raportu-
Data skanowania: 01.03.2017
Czas skanowania: 18:47
Raport: Malware.txt
Administrator: Tak
 
-Informacje o oprogramowaniu-
Wersja: 3.0.6.1469
Wersja komponentów: 1.0.50
Aktualna wersja pakietu: 1.0.1394
Licencja: Wersja próbna
 
-Informacje o systemie-
System operacyjny: Windows 7 Service Pack 1
Procesor: x64
System plików: NTFS
Użytkownik: AntofimaPC\Antofima
 
-Wyniki skanowania-
Typ skanowania: Pełne skanowanie
Wynik: Ukończono
Obiekty przeskanowane: 432925
Czas, który upłynął: 3 min, 40 s
 
-Opcje skanowania-
Pamięć: Włączony
Autostart: Włączony
System plików: Włączony
Archiwa: Włączony
Rootkity: Wyłączony
Heurystyka: Włączony
PUP: Włączony
PUM: Włączony
 
-Szczegóły skanowania-
Proces: 0
(Nie wykryto zagrożeń)
 
Moduł: 0
(Nie wykryto zagrożeń)
 
Klucz rejestru: 2
PUP.Optional.FastestTube.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME, Usunięcie-po-restarcie, [4832], [-1],0.0.0
PUP.Optional.FastestTube.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME, Usunięcie-po-restarcie, [4832], [-1],0.0.0
 
Wartość rejestru: 2
PUP.Optional.FastestTube.ChrPRST, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\CHROME\EXTENSIONINSTALLWHITELIST|1, Usunięcie-po-restarcie, [4832], [373197],1.0.1394
PUP.Optional.FastestTube.ChrPRST, HKLM\SOFTWARE\POLICIES\GOOGLE\CHROME\EXTENSIONINSTALLWHITELIST|1, Usunięcie-po-restarcie, [4832], [373197],1.0.1394
 
Dane rejestru: 1
PUM.Optional.DisableShowMyComputer, HKU\S-1-5-21-2595044450-1527691396-1111390530-1000.bak\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|START_SHOWMYCOMPUTER, Zastąpienie-po-restarcie, [19627], [293314],1.0.1394
 
Strumień danych: 0
(Nie wykryto zagrożeń)
 
Folder: 10
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\en, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\es, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\ja, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\ru, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\USERS\ANTOFIMA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PHAHNHBGFDHGOBENEBNJBGMACGPBFAAG, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
 
Plik: 72
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons\icon100.png, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons\icon128.ico, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons\icon128.png, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons\icon32.png, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\icons\icon48.png, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\content.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\content_init.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\content_messages.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\content_messages_server.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\frames_communicator_content.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\greasemonkey_client.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\i18n.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\invokeAsyncImpl.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\networkContentProxy.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\includes\wombat_content.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\browser.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\console.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\content_scripts_at_start_loader.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\deferred.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\downloads.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\event_listener.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\event_listener_common.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\frames_communicator_background.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\greasemonkey.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\i18n.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\init.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\io.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\json.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\messages.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\messages_bgClient.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\network.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\storage.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\storage_websql.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\storage_websql_preopen.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\system.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\timer.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\toolbox.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\wombat.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\wombat\xml.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\en\messages.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\es\messages.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\ja\messages.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\_locales\ru\messages.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\ad-checker.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\adlesse_disabler.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\background.html, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\cached_http_request.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\extension_info.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\fastesttube.css, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\fastesttube.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\fastesttube_bg.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\fastesttube_old.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\inject.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\logger.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\main.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\manifest.json, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\page-context-inject.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\script_loader.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\statistics.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\stop_autoplay.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\Users\Antofima\AppData\Local\Google\Chrome\User Data\Default\Extensions\phahnhbgfdhgobenebnjbgmacgpbfaag\2.4.0.18_0\youtube_ad_remover.js, Usunięcie-po-restarcie, [4832], [373185],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\PROGRAMDATA\NTUSER.POL, Usunięcie-po-restarcie, [4832], [-1],0.0.0
PUP.Optional.FastestTube.ChrPRST, C:\USERS\ANTOFIMA\NTUSER.POL, Usunięcie-po-restarcie, [4832], [-1],0.0.0
PUP.Optional.FastestTube.ChrPRST, C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\REGISTRY.POL, Usunięcie-po-restarcie, [4832], [-1],0.0.0
PUP.Optional.FastestTube.ChrPRST, C:\WINDOWS\SYSTEM32\GROUPPOLICY\MACHINE\REGISTRY.POL, Usunięcie-po-restarcie, [4832], [-1],0.0.0
RiskWare.HeuristicsReservedWordExploit, C:\USERS\ANTOFIMA\DESKTOP\USERINIT.EXE, Usunięcie-po-restarcie, [17885], [293556],1.0.1394
RiskWare.HeuristicsReservedWordExploit, C:\USERS\ANTOFIMA\DESKTOP\WINLOGON.EXE, Usunięcie-po-restarcie, [17885], [293558],1.0.1394
HackTool.CheatEngine, C:\PROGRAM FILES (X86)\CHEAT ENGINE 6.2\CHEATENGINE-I386.EXE, Brak akcji, [1374], [118005],1.0.1394
PUP.Optional.Conduit, C:\USERS\ANTOFIMA\APPDATA\LOCAL\TEMP\{907A1104-E812-4B5C-959B-E4DAB37A96AB}\CUNINSTALLERZA.EXE, Usunięcie-po-restarcie, [716], [111936],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\USERS\ANTOFIMA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\chrome-extension_phahnhbgfdhgobenebnjbgmacgpbfaag_0.localstorage, Usunięcie-po-restarcie, [4832], [373198],1.0.1394
PUP.Optional.FastestTube.ChrPRST, C:\USERS\ANTOFIMA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\LOCAL STORAGE\chrome-extension_phahnhbgfdhgobenebnjbgmacgpbfaag_0.localstorage-journal, Usunięcie-po-restarcie, [4832], [373198],1.0.1394
PUP.Optional.StartPage.USACVAR, C:\USERS\ANTOFIMA\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\PREFERENCES, Zastąpiono, [2293], [353172],1.0.1394
 
Sektor fizyczny: 0
(Nie wykryto zagrożeń)
 
 
(end)
 
====================================================================================================================================
 
What now?


#10 olgun52 (Malware Response Team, 3,784 posts)

Posted 01 March 2017 - 04:38 PM

Good :thumbup2:

 

Please do this:

 

Step 1:

Please be sure to run our tools with administrator rights.

Next, download ComboFix Save to the Desktop

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Step 2:

Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
#11 Antofima (Topic Starter, Members, 9 posts)

Posted 01 March 2017 - 05:27 PM

ComboFix 17-02-24.01 - Antofima 2017-03-01  22:46:52.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1250.48.1045.18.7634.5835 [GMT 1:00]
Uruchomiony z: c:\users\Antofima\Desktop\ComboFix.exe
AV: Malwarebytes *Disabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Malwarebytes *Disabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\users\Antofima\AppData\Roaming\inst.exe
c:\users\Antofima\Desktop\Setup.exe
c:\windows\IsUn0415.exe
c:\windows\iun6002.exe
c:\windows\msdownld.tmp
c:\windows\SysWow64\sysdir
c:\windows\SysWow64\sysdir\sycd6.dll
c:\windows\SysWow64\tmp583F.tmp
c:\windows\SysWow64\tmp5A62.tmp
c:\windows\SysWow64\tmp6319.tmp
c:\windows\SysWow64\tmp6D47.tmp
c:\windows\SysWow64\tmpA52.tmp
c:\windows\SysWow64\tmpCE40.tmp
c:\windows\SysWow64\tmpFD55.tmp
c:\windows\SysWow64\tmpFDF2.tmp
c:\windows\SysWow64\tmpFEFA.tmp
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2017-02-01 do 2017-03-01  )))))))))))))))))))))))))))))))
.
.
2017-03-01 21:51 . 2017-03-01 21:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-03-01 17:12 . 2017-03-01 18:53 176584 ----a-w- c:\windows\system32\drivers\MBAMChameleon.sys
2017-03-01 17:12 . 2017-03-01 18:53 110536 ----a-w- c:\windows\system32\drivers\farflt.sys
2017-03-01 17:12 . 2017-03-01 17:34 81696 ----a-w- c:\windows\system32\drivers\mwac.sys
2017-03-01 17:11 . 2017-03-01 18:53 43968 ----a-w- c:\windows\system32\drivers\mbam.sys
2017-03-01 17:11 . 2017-03-01 18:53 251848 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-03-01 17:11 . 2017-01-20 06:47 77416 ----a-w- c:\windows\system32\drivers\mbae64.sys
2017-03-01 17:11 . 2017-03-01 17:11 -------- d-----w- c:\programdata\Malwarebytes
2017-03-01 17:11 . 2017-03-01 17:11 -------- d-----w- c:\program files\Malwarebytes
2017-02-28 20:26 . 2017-03-01 17:43 -------- d-----w- C:\FRST
2017-02-28 11:07 . 2017-02-28 11:07 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2103D0E4-ADB0-4EAC-91FE-D35BD2A8E4A7}\offreg.3200.dll
2017-02-22 12:39 . 2017-02-22 12:39 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2103D0E4-ADB0-4EAC-91FE-D35BD2A8E4A7}\offreg.3672.dll
2017-02-16 14:52 . 2017-02-16 14:52 -------- d-----w- c:\users\Antofima\AppData\Roaming\uplay
2017-01-31 01:33 . 2017-01-09 12:45 12229912 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2103D0E4-ADB0-4EAC-91FE-D35BD2A8E4A7}\mpengine.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-03-01 18:53 . 2013-02-16 23:23 25640 ----a-w- c:\windows\gdrv.sys
2017-03-01 18:52 . 2016-10-20 19:41 65536 ----a-w- c:\windows\system32\spu_storage.bin
2017-02-15 14:04 . 2013-02-16 18:57 802904 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2017-02-15 14:04 . 2013-02-16 18:57 144472 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2017-01-23 21:28 . 2013-02-17 09:37 110144 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2017-01-09 15:16 . 2012-07-17 13:37 24800 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-05-04 07:04 . 2012-05-04 07:04 2174976 ----a-w- c:\program files (x86)\Common Files\atimpenc.dll
.
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~2\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"DAEMON Tools Pro Agent"="d:\program files\DAEMON Tools Pro\DTAgent.exe" [2012-10-23 3108480]
"Rainlendar2"="d:\program files\Rainlendar2\Rainlendar2.exe" [2012-12-29 4359680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-08-09 5263504]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-02-29 56088]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-20 291648]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe" [2012-09-23 3477640]
"SSDMonitor"="c:\program files (x86)\Symantec\Norton Utilities 16\sMonitor\SSDMonitor.exe" [2012-09-29 104480]
"CloneCDTray"="d:\program files\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2012-10-25 421888]
"TkBellExe"="d:\program files\RealPlayer\Update\realsched.exe" [2013-02-23 295072]
"KiesTrayAgent"="d:\program files\Samsung\Kies\KiesTrayAgent.exe" [2016-01-08 318248]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2016-12-12 587288]
.
c:\users\Antofima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ClearPrefetch.lnk - d:\program files\Skrypt PREFETCH\ClearPrefetch.bat [2013-2-14 30]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
R2 AxAutoMntSrv;Alcohol Virtual Drive Auto-mount Service;c:\program files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe;c:\program files (x86)\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
R2 HuaweiHiSuiteService64.exe;HuaweiHiSuiteService64.exe;c:\programdata\HandSetService\HuaweiHiSuiteService64.exe;c:\programdata\HandSetService\HuaweiHiSuiteService64.exe [x]
R2 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [x]
R2 port_nt;port_nt;c:\windows\system32\drivers\port_nt.sys;c:\windows\SYSNATIVE\drivers\port_nt.sys [x]
R2 SkypeUpdate;Skype Updater;d:\program files\Skype\Updater\Updater.exe;d:\program files\Skype\Updater\Updater.exe [x]
R3 AndNetDiag;LGE AndroidNet USB Serial Port;c:\windows\system32\DRIVERS\lgandnetdiag64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetdiag64.sys [x]
R3 ANDNetModem;LGE AndroidNet USB Modem;c:\windows\system32\DRIVERS\lgandnetmodem64.sys;c:\windows\SYSNATIVE\DRIVERS\lgandnetmodem64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 CEDRIVER60;CEDRIVER60;c:\program files (x86)\Cheat Engine 6.2\dbk64.sys;c:\program files (x86)\Cheat Engine 6.2\dbk64.sys [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys;c:\windows\SYSNATIVE\drivers\dgderdrv.sys [x]
R3 DiskDoctorService;Norton Disk Doctor Service;c:\program files (x86)\Symantec\Norton Utilities 16\Tools\Disk Doctor\DiskDoctorSrv.exe;c:\program files (x86)\Symantec\Norton Utilities 16\Tools\Disk Doctor\DiskDoctorSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 etdrv;etdrv;c:\windows\etdrv.sys;c:\windows\etdrv.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys;c:\windows\GVTDrv64.sys [x]
R3 SpeedDiskService;Norton SpeedDisk Service;c:\program files (x86)\Symantec\Norton Utilities 16\Tools\SpeedDisk\SpeedDiskSrv.exe;c:\program files (x86)\Symantec\Norton Utilities 16\Tools\SpeedDisk\SpeedDiskSrv.exe [x]
R3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys;c:\windows\SYSNATIVE\Drivers\TFsExDisk.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S0 iusb3hcs;Sterownik przełącznika kontrolera hosta Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys;c:\windows\SYSNATIVE\DRIVERS\dtsoftbus01.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 Autodesk Content Service;Autodesk Content Service;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe;c:\program files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [x]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 NU16StartManagerSvc;Norton Utilities 16 Start Manager Service;c:\program files (x86)\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe;c:\program files (x86)\Symantec\Norton Utilities 16\sMonitor\StartManSvc.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S2 ss_conn_service;SAMSUNG Mobile Connectivity Service;d:\program files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe;d:\program files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
S3 iusb3hub;Sterownik koncentratora Intel® USB 3.0;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Sterownik kontrolera hosta Intel® USB 3.0 eXtensible;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Qualcomm Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys;c:\windows\SYSNATIVE\Drivers\pcouffin.sys [x]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\DRIVERS\teamviewervpn.sys;c:\windows\SYSNATIVE\DRIVERS\teamviewervpn.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
S3 VirtuWDDM;VirtuWDDM;c:\windows\system32\DRIVERS\VirtuWDDM.sys;c:\windows\SYSNATIVE\DRIVERS\VirtuWDDM.sys [x]
S3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\DRIVERS\ViaHub3.sys;c:\windows\SYSNATIVE\DRIVERS\ViaHub3.sys [x]
S3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\DRIVERS\xhcdrv.sys;c:\windows\SYSNATIVE\DRIVERS\xhcdrv.sys [x]
.
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - ESPROTECTIONDRIVER
*Deregistered* - ESProtectionDriver
.
Zawartość folderu 'Zaplanowane zadania'
.
2017-03-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-16 14:04]
.
2017-03-01 c:\windows\Tasks\NUAutoUpdate.job
- c:\program files (x86)\Symantec\Norton Utilities 16\SULauncher.exe [2013-02-18 21:49]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45d30484-7ded-43d9-957a-d2fd1f046511}]
2010-11-21 03:23 444752 ----a-w- c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay1]
@="{E68D0A50-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A50-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:42 2023936 ----a-w- c:\programdata\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay2]
@="{E68D0A51-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A51-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:42 2023936 ----a-w- c:\programdata\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay3]
@="{E68D0A52-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A52-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:42 2023936 ----a-w- c:\programdata\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GGDriveOverlay4]
@="{E68D0A53-3C40-4712-B90D-DCFA93FF2534}"
[HKEY_CLASSES_ROOT\CLSID\{E68D0A53-3C40-4712-B90D-DCFA93FF2534}]
2012-06-05 09:42 2023936 ----a-w- c:\programdata\GG\ggdrive\ggdrive-overlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VIAxHCUtl"="c:\via_xhci\usb3Monitor.exe" [2011-07-12 331776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-12-14 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-12-14 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-12-14 441968]
"VIRTU MVP"="c:\program files\Lucidlogix Technologies\VIRTU MVP\MVPControlPanel.Exe" [2012-06-17 3110728]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-09-20 444904]
"Autodesk Sync"="c:\program files\Autodesk\Autodesk Sync\AdSync.exe" [2012-02-05 415680]
"StartCN"="c:\program files\AMD\CNext\CNext\RadeonSettings.exe" [2016-10-17 8029576]
"Malwarebytes TrayApp"="c:\program files\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe" [2017-01-20 2780112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RPMKickstart"="c:\program files\GIGABYTE\SmartRecovery2_x64\RPMKickstart.exe" [2012-09-06 2422272]
.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = 
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Dołącz do istniejącego pliku PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Dołącz obiekt docelowy łącza do istniejącego pliku PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&ksportuj do programu Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Konwertuj do Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Konwertuj obiekt docelowy łącza na plik Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
TCP: DhcpNameServer = 62.179.1.60 62.179.1.61
FF - ProfilePath - c:\users\Antofima\AppData\Roaming\Mozilla\Firefox\Profiles\1snx07mr.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.pl/
FF - ExtSQL: !HIDDEN! 2013-02-17 22:34; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - user.js: extensions.zonealarm.id - 04c07d90000000000000902b34d39f88
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15753
FF - user.js: extensions.zonealarm.vrsn - 1.8.11.6
FF - user.js: extensions.zonealarm.vrsni - 1.8.11.6
FF - user.js: extensions.zonealarm.vrsnTs - 1.8.11.620:38
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1043
FF - user.js: extensions.zonealarm.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN116865559700270-1043
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.ffxUnstlRst - false
FF - user.js: extensions.zonealarm.admin - false
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm.rvrt - false
FF - user.js: extensions.zonealarm.newTab - false
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
Wow6432Node-HKCU-Run-KiesTrayAgent - (no file)
Wow6432Node-HKCU-Run-KiesAirMessage - d:\program files\Samsung\Kies\KiesAirMessage.exe
Wow6432Node-HKLM-Run-ACSW15EN - d:\program files\ACD Systems\ACDSee\15.0\ACDSee15InTouch2.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-Alcohol 120% - d:\program files\Alcohol 120\uninst.exe
AddRemove-Ancient Quest Of Saqqarah - c:\program files (x86)\Alawar.pl\Ancient Quest Of Saqqarah\Uninstall.exe
AddRemove-Chicken Invaders 2 - c:\windows\iun6002.exe
AddRemove-Excel 2007 - praktyczny kurs obsługi (poziom podstawowy i średni) - c:\windows\IsUn0415.exe
AddRemove-Excel 2007 - praktyczny kurs obsługi (poziom zaawansowany) - c:\windows\IsUn0415.exe
AddRemove-Magiczny artefakt - c:\program files (x86)\Alawar.pl\Land Of Runes\Uninstall.exe
AddRemove-MegaTrainer eXperience_is1 - e:\gry\MegaDev\MD-Trainers\MT-X\unins000.exe
AddRemove-Modny Butik - c:\program files (x86)\Fajnagra.pl\Fashion Season\Uninstall.exe
AddRemove-{7353BAE6-5E49-46C4-A9B5-8A269A313789} - c:\users\Antofima\AppData\Local\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\setup.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.032"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.abr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.abr"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.apd"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.arw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.bay"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.bmp"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.bw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.cr2"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.crw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.cs1"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.dcr"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.dcx"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.dib"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.djv"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.djvu"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dng\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.dng"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.emf\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.emf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eps\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.eps"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.erf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.erf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.fff"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.gif"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hdr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.hdr"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icl\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.icl"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.icn"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="Winamp.File.iff"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.ilbm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.int"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.inta"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.iw4"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.j2c"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.j2k"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.jbr"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.jfif"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.jif"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.jp2"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.jpc"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpe\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.jpe"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.jpeg"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.jpg"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.jpk"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.jpx"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.kdc"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.lbm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.mef"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mos\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.mos"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mrw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.mrw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.nef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.nef"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.orf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.orf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pbm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pbr"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pcd"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pct"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcx\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.pcx"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pef"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pgm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.pic"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.pict"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.png"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.ppm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psd\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.psd"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.psp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.psp"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pspbrush"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.pspimage"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.raf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.ras"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="Winamp.File.raw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.rgb"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.rgba"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rle\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.rle"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.rsb"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.rw2"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.rwl"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.sgi"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.sr2"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srf\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.srf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.srw"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tga\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.tga"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.thm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.tif"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.tiff"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v15o\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.v15o"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v15p\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.v15p"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v15pf\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.v15pf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.wbm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.wbmp"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmf\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.wmf"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.xbm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
"Progid"="ACDSee 15.xif"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-2595044450-1527691396-1111390530-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.xmp"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee 15.xpm"
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:16,c9,f5,e0,f0,d5,82,81,54,0c,0a,72,27,22,cd,df,1f,41,22,a6,7c,c7,a4,
   fd,d9,6a,68,30,38,c3,41,b2,2c,e2,a7,09,2a,5e,bd,c4,5c,28,1b,3f,85,82,1e,39,\
"??"=hex:b3,5f,64,e7,98,09,99,ee,d1,b4,d5,c5,eb,ca,a9,4a
.
[HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\SecuROM\License information*]
"datasecu"=hex:e5,e7,94,78,61,93,6d,8f,f0,72,c4,c8,f4,af,e0,59,21,b9,b9,68,a1,
   a7,d4,97,08,b9,df,6a,58,cf,b4,3f,f9,75,4a,84,f8,e4,56,89,cf,70,30,a0,f8,34,\
"rkeysecu"=hex:1e,77,b1,60,ac,6d,29,2d,ef,ee,13,6e,6c,f1,d4,05
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_24_0_0_221_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_24_0_0_221_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_24_0_0_221_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_24_0_0_221_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_221.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.24"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_221.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_221.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_24_0_0_221.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2017-03-01  22:53:33
ComboFix-quarantined-files.txt  2017-03-01 21:53
.
Przed: 138 449 043 456 bajtów wolnych
Po: 138 532 413 440 bajtów wolnych
.
- - End Of File - - 75E7498C4204BDF6E5573D41D8EB1836


#12 Antofima

Antofima
  • Topic Starter

  • Members
  • 9 posts

Posted 01 March 2017 - 05:28 PM

RogueKiller V12.9.9.0 (x64) [Feb 27 2017] (wersja darmowa) od Adlice Software
 
System operacyjny : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Tryb rozruchu : Tryb normalny
Użytkownik : Antofima [Administrator]
Lokalizacja programu : C:\Program Files\RogueKiller\RogueKiller64.exe
Tryb : Skanowanie -- Data : 03/01/2017 23:00:50 (Duration : 00:20:16)
 
¤¤¤ Procesy : 0 ¤¤¤
 
¤¤¤ Rejestr : 17 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534} (C:\Users\Antofima\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll) -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 1  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Wykryto
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyComputer : 1  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Wykryto
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2595044450-1527691396-1111390530-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowSetProgramAccessAndDefaults : 0  -> Wykryto
 
¤¤¤ Zaplanowane zadania : 0 ¤¤¤
 
¤¤¤ Pliki : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Plik hosts : 0 ¤¤¤
 
¤¤¤ Rootkity : 0 (Driver: załadowano) ¤¤¤
 
¤¤¤ Przeglądarki : 0 ¤¤¤
 
¤¤¤ Sprawdzenie MBR : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AZRX-00A8LB0 +++++
--- User ---
[MBR] 0e770d371205926e3d9d09396a77d43f
[BSP] 8000156a6cb6970e57547320cb4d1894 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 199899 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600000 | Size: 130000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 675840000 | Size: 146939 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


#13 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 02 March 2017 - 05:52 AM

Hello,

Looks clean. Any issue?

Firefox:
Clean the Firefox Cache.
https://kb.wisc.edu/page.php?id=15141

Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
---


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#14 Antofima

Antofima
  • Topic Starter

  • Members
  • 9 posts

Posted 02 March 2017 - 08:37 AM

Hello

 

So far so good. Many thanks.

Should or can I uninstall Malwarebytes? And turn on NOD?



#15 olgun52

olgun52

  • Malware Response Team
  • 3,784 posts
  • Gender:Male

Posted 02 March 2017 - 11:42 AM

If you want, you can run ESET NOD32 Antivirus software.

===========

I think you can always use MalwareBytes software. It is quality, reputable software.

============

You're welcome. Congratulations.
 
Thank you for your patience.  Please do the following:
Uninstall Combofix:

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.

next.....
In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

You can do the following:
 
The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7, Disk Cleanup in Vista, and Disk Cleanup in Windows 10.

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
 
Please take the time to carefully review the info contained below. It's invaluable.
Answers to common security questions - Best Practices
How Malware Spreads - How your system gets infected
Best Practices for Safe Computing - Prevention of Malware Infection
 
Some safety suggestions!

Best regards. :hello:


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!
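As an added example (not code from the post, and not ERUNT itself), the two safeguards from the post above, a System Restore point and a full registry backup that includes the Security hive and the user hives, done with built-in Windows tools. It assumes an elevated Windows PowerShell 5.1 session; the backup folder name is a constructed placeholder.

```powershell
# Added example (not from the post, not ERUNT): restore point plus full hive
# backup with built-in tools. Assumes an elevated Windows PowerShell session.
# $BackupRoot is a constructed placeholder path; pick your own location.

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell session.'
}

# 1. Restore point, the same thing the System Restore "Create" button does.
#    On Windows 8 and later, Windows refuses a second restore point within
#    24 hours (SystemRestorePointCreationFrequency); Checkpoint-Computer then
#    emits its own warning instead of creating one.
try {
    Checkpoint-Computer -Description 'Post-malware-cleanup' `
                        -RestorePointType 'MODIFY_SETTINGS' -ErrorAction Stop
    Write-Host 'Restore point created.'
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

# 2. Full hive backup (what ERUNT provides): SAM, SECURITY, SOFTWARE and SYSTEM
#    plus every loaded user hive, including the *_Classes hives that hold
#    per-user file associations and COM registrations.
$BackupRoot = Join-Path $env:SystemDrive ('RegBackup_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

$hives = [ordered]@{
    'SAM'      = 'HKLM\SAM'
    'SECURITY' = 'HKLM\SECURITY'
    'SOFTWARE' = 'HKLM\SOFTWARE'
    'SYSTEM'   = 'HKLM\SYSTEM'
    'DEFAULT'  = 'HKU\.DEFAULT'
}
# Add each loaded user hive (S-1-5-21-... keys under HKEY_USERS).
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object { $hives[$_.PSChildName] = "HKU\$($_.PSChildName)" }

foreach ($name in $hives.Keys) {
    $target = Join-Path $BackupRoot "$name.hiv"
    # reg.exe save writes the hive in its native binary format; /y overwrites.
    & reg.exe save $hives[$name] $target /y | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Saved $($hives[$name]) -> $target" }
    else { Write-Warning "Could not save $($hives[$name]) (reg.exe exit code $LASTEXITCODE)" }
}
Write-Host "Backup set written to $BackupRoot"
```

Treat the .hiv files as an offline recovery set: the system hives are replaced from outside the running OS (the recovery environment), not with reg.exe restore on the live system.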

 


 




