
Probable ransomware - request to check the logs

DashingPunisher 05 Aug 2018 00:54
  • #1 05 Aug 2018 00:54
    DashingPunisher
    Level 2

    First of all, I would like to warmly greet all the users here.

    My girlfriend, I have no idea how (probably by installing some program), infected her computer. I'm no expert on the subject, but it looks like ransomware to me: her files have been encrypted, with the .wallet extension, plus a message demanding a ransom payment. (The hackers were so charming that they offered to unlock three files of up to 1 MB for free, but we didn't take them up on it ;) )

    Nothing on the computer worked: no antivirus at all; I tried the safe modes, but unfortunately Malwarebytes refused to install. It happened on 15.01. Since my girlfriend happened to be changing laptops at the time, this one went "into the closet". Today I remembered it and decided to fight for it. The progress so far: Malwarebytes installed, but cannot be opened; Avast worked, but Avast isn't really able to find anything. The messages threatening a format and demanding a ransom have also stopped appearing. Is there any chance of recovering the files? (The computer isn't used anyway, but the files have sentimental value, especially a volume of poetry written by my girlfriend.)

    Logs attached.

    It seems to me that the culprit is a program called youtube adblocker or something like that... but that's only a guess.

  • #2 05 Aug 2018 03:04
    dt1
    Moderator - Computers / Service

    Hello. Your girlfriend apparently clicks on absolutely everything. Or maybe it wasn't your girlfriend, since, for example, a program imitating an antivirus (Bytefence) was installed in August :)

    First, uninstall manually (from the Control Panel):

    Code:
    ByteFence Anti-Malware
    
    CCleaner
    foxydeal
    Norton Online Backup - this one isn't harmful, but is probably unnecessary; keep it if it is actually used.
    Spybot - Search & Destroy
    YTD Video Downloader 4.8.1


    Second, a fixlist to use in FRST:
    Code:
    CloseProcesses:
    
    HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13191824 2012-08-10] (Realtek Semiconductor)
    HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [277504 2012-07-09] (Intel Corporation)
    HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-15] (Symantec Corporation)
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35736 2012-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [97392 2012-08-15] (CyberLink Corp.)
    HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-08] (CyberLink)
    HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-12] (CyberLink Corp.)
    HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-13] (Intel Corporation)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== UWAGA
    HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== UWAGA
    HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== UWAGA
    HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== UWAGA
    HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== UWAGA
    HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== UWAGA
    HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== UWAGA
    HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== UWAGA
    HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== UWAGA
    HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== UWAGA
    HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== UWAGA
    HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== UWAGA
    HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== UWAGA
    HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== UWAGA
    HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== UWAGA
    HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== UWAGA
    HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== UWAGA
    HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== UWAGA
    HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== UWAGA
    HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== UWAGA
    HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== UWAGA
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [GoogleChromeAutoLaunch_8F565A32BAECB19C7D7D690497291DDE] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1592664 2018-01-03] (Google Inc.)
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8322328 2015-05-08] (Piriform Ltd)
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [MyPrintScreen] => "C:\Users\Romuś\AppData\Roaming\Microsoft\Credentials\StarterModule.exe"
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [bz6gr3lp4o36k] => C:\Program Files\Internet Explorer\images\tu9fcnury\consystem.exe [4608 2018-01-15] (Microsoft Corporation)
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [gaszilanfofg] => C:\Users\Romuś\gaszilanfofg.exe
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [Regedit32] => C:\WINDOWS\system32\regedit.exe
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [1payday] => C:\Users\Romuś\AppData\Roaming\payday.hta [13794 2018-01-16] ()
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [2baby] => C:\Users\Romuś\AppData\Roaming\payday.hta [13794 2018-01-16] ()
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\...\MountPoints2: {c7677040-fda1-11e4-bf54-20898411ac80} - "F:\Startme.exe"
    HKU\S-1-5-18\...\Run: [hpu8nqf] => C:\Program Files\AVAST Software\nudg3ch92\hostsys.exe [620032 2018-01-15] (Microsoft Corporation)
    HKU\S-1-5-18\...\Run: [6bvk1a26] => "C:\Users\EasySurvey\i5uecq\consystem.exe"
    AppInit_DLLs: C:\ProgramData\Voyasollam\DongDincore.dll => C:\ProgramData\Voyasollam\DongDincore.dll [342528 2018-01-15] ()
    AppInit_DLLs-x32: C:\ProgramData\Voyasollam\StatZunfax.dll => C:\ProgramData\Voyasollam\StatZunfax.dll [460800 2018-01-15] ()
    Startup: C:\Users\Romuś\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lollipop_06141606.lnk [2014-06-16]
    BootExecute: autocheck autochk * sdnclean64.exeaswBoot.exe /M:2290a79e /wow /dir:"C:\Program Files\AVAST Software\Avast"
    GroupPolicy: Ograniczenia - Chrome <==== UWAGA
    Tcpip\..\Interfaces\{6FECDAE4-EE46-4393-9E77-8ADEB7751C71}: [DhcpNameServer] 31.11.202.254 37.8.214.2

    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.delta-homes.com/?type=hp&ts=1433084460&z=063380da983a9854cc05cd1gfz2c0c9e8b7zbz6q7g&from=wpm052932&uid=HitachiXHTS547575A9E384_J1140021D98ZLJD98ZLJX
    hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.delta-homes.com/?type=hp&ts=1433084460&z=063380da983a9854cc05cd1gfz2c0c9e8b7zbz6q7g&from=wpm052932&uid=HitachiXHTS547575A9E384_J1140021D98ZLJD98ZLJX
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-C-11ifaYUWes4H_77MSCEjPrAmXTrouwOWJA4aMkyzFkWtqH2B0-CLPGI8j_6kJHt9PPUoqLAf6t-IHUtJHXttoG5tq3VXZ1E690Tx-K3Hiyz_7qK8LT_KeD1cUi56QXBRCCmtFx1oVjpzSTTPk8wj2Hk,&q={searchTerms}
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-C-11ifaYUWes4H_77MSCEjPrAmXTrouwOWJA4aMkyzFkWtqH2B0-CLPGI8j_6kJHtxY2hKKqIjw0E398KehaZ0CaWECOsnucreL0V9dDoEDf6ftqZZrGM39VuoCxLh9X-CXYAoVrW89SXvGsxUAXF8EN4,
    HKU\S-1-5-21-1292469835-3904043757-2447316924-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://isearch.web/?type=dspp&q={searchTerms}
    SearchScopes: HKLM -> DefaultScope {425ED333-6083-428a-92C9-0CFC28B9D1BF} URL =
    SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1422113531&from=cor&uid=HitachiXHTS547575A9E384_J1140021D98ZLJD98ZLJX&q={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-C-11ifaYUWes4H_77MSCEjPrAmXTrouwOWJA4aMkyzFkWtqH2B0-CLPGI8j_6kJHt9PPUoqLAf6t-IHUtJHXttoG5tq3VXZ1E690Tx-K3Hiyz_7qK8LT_KeD1cUi56QXBRCCmtFx1oVjpzSTTPk8wj2Hk,&q={searchTerms}
    SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://isearch.web/?type=dspp&q={searchTerms}
    SearchScopes: HKLM-x32 -> {E9410C70-B6AE-41FF-AB71-32F4B279EA5F} URL = hxxps://www.google.com/search?trackid=sp-006&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001 -> {F2E48B17-78B7-406A-BE47-7FB63603E514} URL =
    SearchScopes: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-C-11ifaYUWes4H_77MSCEjPrAmXTrouwOWJA4aMkyzFkWtqH2B0-CLPGI8j_6kJHt9PPUoqLAf6t-IHUtJHXttoG5tq3VXZ1E690Tx-K3Hiyz_7qK8LT_KeD1cUi56QXBRCCmtFx1oVjpzSTTPk8wj2Hk,&q={searchTerms}
    BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll [2017-12-12] (Microsoft Corporation)
    BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2018-01-04] (McAfee, Inc.)
    BHO: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\GBeMZXQZBIE\tN34x7oF.dll [2018-01-16] ()
    BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll [2017-08-24] (Microsoft Corporation)
    BHO-x32: Brak nazwy -> {51D26BB4-4D2C-4AE4-9873-5FF41B6DED1F} -> Brak pliku
    BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2018-01-04] (McAfee, Inc.)
    BHO-x32: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\GBeMZXQZBIE\k0Vs2Mg.dll [2018-01-16] ()
    BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL [2017-02-23] (Microsoft Corporation)
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2018-01-04] (McAfee, Inc.)
    Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2018-01-04] (McAfee, Inc.)
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2018-01-04] (McAfee, Inc.)
    Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2018-01-04] (McAfee, Inc.)

    FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi
    FF Extension: (McAfee WebAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi [2018-01-11]
    FF HKLM-x32\...\Firefox\Extensions: [ext@MediaViewV1alpha5844.net] - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha5844\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [ext@MediaViewV1alpha8637.net] - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha8637\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [ext@MediaWatchV1home347.net] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home347\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [ext@MediaBuzzV1mode3433.net] - C:\Program Files (x86)\MediaBuzzV1\MediaBuzzV1mode3433\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [ext@RichMediaViewV1release1183.net] - C:\Program Files (x86)\RichMediaViewV1\RichMediaViewV1release1183\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [ext@TrustMediaViewerV1alpha2798.net] - C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha2798\ff => nie znaleziono
    FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\e10ssaffplg.xpi
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-07] (Intel Corporation)
    FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-07] (Intel Corporation)
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [Brak pliku]
    FF Plugin-x32: @real.com/nppl3260;version=6.0.12.450 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nppl3260.dll [2010-02-15] (RealNetworks, Inc.)
    FF Plugin-x32: @real.com/nprpjplug;version=6.0.12.448 -> C:\Program Files (x86)\Real Alternative\browser\plugins\nprpjplug.dll [2010-02-15] (RealNetworks, Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-08-05] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.17\npGoogleUpdate3.dll [2018-08-05] (Google Inc.)

    CHR Extension: (Adblock dla serwisu Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2017-06-20]
    CHR Extension: (Speed Dial) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi [2014-11-04]
    CHR Extension: (McAfee® WebAdvisor) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2018-08-05]
    CHR Extension: (Wpisuj±c słowo gra) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkoognbonphplmfhlabdhfgnkpkooiel [2018-01-07]
    CHR Extension: (AdBlock) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2018-08-05]
    CHR Extension: (StudyStack) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\nboldpjijadohjhnkadkdbonjlgbjadd [2014-11-04]
    CHR Extension: (Gmail offline) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk [2014-11-04]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\noebonbkfkpobdnfhjbhafgmllaooicg [2018-01-15]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\npielheglhjmemlcbbdamaopkadoefac [2018-01-16]
    CHR Extension: (Endomondo) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\pdflgmiefajmanaegnkjcjdcicalgiof [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bejnhdlplbjhffionohbdnpcbobfejcc [2014-11-04]
    CHR Extension: (YouTube) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-04]
    CHR Extension: (Adblock for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\cmedhionkhpnakcndndgjdbohmhepckk [2014-11-04]
    CHR Extension: (Google Search) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dlfienamagdnkekbbbocojppncdambda [2014-11-04] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=42586&ver=1.1] <==== UWAGA
    CHR Extension: (Gmail Offline) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk [2014-11-04]
    CHR Extension: (Google Calendar) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn [2014-11-04]
    CHR Extension: (Google Sheets) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-04]
    CHR Extension: (Marlies Dekkers) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fepnljgdbelppefncogilfbjikmnbhjm [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ffloojginepgmidbalckpngcejjihfek [2014-11-04]
    CHR Extension: (Typing Word Game) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fkoognbonphplmfhlabdhfgnkpkooiel [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nboldpjijadohjhnkadkdbonjlgbjadd [2014-11-04]
    CHR Extension: (Google Wallet) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-04]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\noebonbkfkpobdnfhjbhafgmllaooicg [2018-01-15]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nolaoepfijmdgihjmdfmlcejmlghgkem [2018-01-16]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\npielheglhjmemlcbbdamaopkadoefac [2018-01-16]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\oacpegaegonlmnobkoeiiegdccgcmpnj [2018-01-16]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pdflgmiefajmanaegnkjcjdcicalgiof [2014-11-04]
    CHR Extension: (Brak nazwy) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkdkkfmncihmolmdjjkfglphbjipccpk [2014-11-04]
    CHR Extension: (YouTube) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-08-05]
    CHR Extension: (McAfee® WebAdvisor) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2018-08-05]
    CHR Extension: (Dokumenty Google offline) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-08-05]
    CHR Extension: (Bazz Search) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\nmeinlfojlcegblpogpjbhipmonclejh [2018-08-05]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\noebonbkfkpobdnfhjbhafgmllaooicg [2018-01-15]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\nolaoepfijmdgihjmdfmlcejmlghgkem [2018-01-16]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\npielheglhjmemlcbbdamaopkadoefac [2018-01-15]
    CHR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\oacpegaegonlmnobkoeiiegdccgcmpnj [2018-01-16]
    CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [fhbfphapcbdlhimnkenpfjihebcoonhh] - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha5844\ch\MediaViewV1alpha5844.crx <nie znaleziono>
    CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hacmnfeokcepddodlofbhilmgceicnee] - C:\Program Files (x86)\MediaWatchV1\MediaWatchV1home347\ch\MediaWatchV1home347.crx <nie znaleziono>
    CHR HKLM-x32\...\Chrome\Extension: [iemjkcikjbjfdjpgbgelgahjmbfeafjp] - C:\Program Files (x86)\MediaViewV1\MediaViewV1alpha8637\ch\MediaViewV1alpha8637.crx <nie znaleziono>

    OPR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Roaming\Opera Software\Opera Stable\Extensions\cfbfnocdaibehndeopiafaanjdgggdpb [2018-01-15]
    OPR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Roaming\Opera Software\Opera Stable\Extensions\fpaneejencmpllfhjmcgaochdekpbgac [2018-01-16]
    OPR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Roaming\Opera Software\Opera Stable\Extensions\gidhogahpghmmcmpncmbjdnhoohgfphc [2018-01-16]
    OPR Extension: (Adblocker for Youtube™) - C:\Users\Romuś\AppData\Roaming\Opera Software\Opera Stable\Extensions\hohmamkolobghdoebckefbemhjeichlf [2018-01-16]

    R2 ByteFenceService; C:\Program Files\ByteFence\ByteFenceService.exe [157000 2018-05-29] (Byte Technologies LLC)
    R2 rtop; C:\Program Files\ByteFence\rtop\bin\rtop_svc.exe [302920 2017-08-28] ()
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.) [Brak podpisu cyfrowego]
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.) [Brak podpisu cyfrowego]
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.) [Brak podpisu cyfrowego]
    R2 SWUpdateService; C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [3018800 2013-10-21] (Samsung Electronics CO., LTD.)
    R2 tiser; C:\ProgramData\tiser\run.exe [14848 2017-11-06] () [Brak podpisu cyfrowego]
    S3 updater; C:\Program Files (x86)\System Native\Main Services\updater.exe [571648 2018-01-11] (System Native) <==== UWAGA
    S2 hoadkpv; C:\WINDOWS\SysWOW64\hoadkpv\rvcmmakg.exe [X]

    2018-08-05 01:29 - 2017-01-14 17:57 - 000000000 ____D C:\Program Files\ByteFence
    2018-08-05 00:56 - 2018-01-15 23:16 - 000000000 ____D C:\Program Files (x86)\TgoXglOHDXBU2
    2018-08-05 00:52 - 2018-01-16 23:44 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\wwi0x2x25yn
    2018-08-05 00:52 - 2018-01-16 23:44 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\dorst4s4gii
    2018-08-05 00:52 - 2018-01-16 23:31 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\pobfvtr0lvx
    2018-08-05 00:52 - 2018-01-16 23:31 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\3nosqsf5wld
    2018-08-05 00:52 - 2018-01-15 23:11 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\xdvlxzcspx1
    2018-08-05 00:52 - 2018-01-15 23:11 - 000000000 ____D C:\Users\Romuś\AppData\Roaming\5ytuk4hp1tx

    2018-01-15 23:14 - 2018-01-15 23:14 - 000266330 _____ () C:\ProgramData\_tmp.exe
    2018-01-15 23:13 - 2018-01-15 23:13 - 000000000 _____ () C:\Program Files (x86)\9Y4ZiXWQXaGRxvp.db
    2014-05-17 20:36 - 2018-01-16 23:20 - 000099564 _____ () C:\Users\Romuś\AppData\Roaming\inst.exe.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-16 23:10 - 2018-01-16 23:26 - 000013794 _____ () C:\Users\Romuś\AppData\Roaming\payday.hta
    2014-05-17 20:36 - 2018-01-16 23:19 - 000008044 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.cat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000001340 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.inf.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000000236 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.log.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000083004 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.sys.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-15 23:13 - 007563264 _____ () C:\Users\Romu¶\AppData\Local\agent.dat
    2018-01-15 23:13 - 2018-01-15 23:13 - 000070800 _____ () C:\Users\Romu¶\AppData\Local\Config.xml
    2018-01-15 23:12 - 2018-01-16 23:23 - 000278684 _____ () C:\Users\Romuś\AppData\Local\Hatair.bin.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:23 - 000016268 _____ () C:\Users\Romuś\AppData\Local\InstallationConfiguration.xml.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:23 - 000140988 _____ () C:\Users\Romuś\AppData\Local\installer.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000018620 _____ () C:\Users\Romuś\AppData\Local\Main.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000005756 _____ () C:\Users\Romuś\AppData\Local\md.xml.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000126652 _____ () C:\Users\Romuś\AppData\Local\noah.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:21 - 000931004 _____ () C:\Users\Romuś\AppData\Local\po.db.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001895564 _____ () C:\Users\Romuś\AppData\Local\S-lax.bin.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 000032220 _____ () C:\Users\Romuś\AppData\Local\uninstall_temp.ico.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001815740 _____ () C:\Users\Romuś\AppData\Local\Villatop.exe.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001983772 _____ () C:\Users\Romuś\AppData\Local\Villatop.tst.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-06-16 13:27 - 2018-01-16 23:21 - 000000188 _____ () C:\Users\Romuś\AppData\Local\{F15E3FE9-3EC1-4D31-B405-9AEC9A576274}.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet

    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> "C:\Users\Romuś\AppData\Roaming\Dropbox\bin\Dropbox.exe" /autoplay => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{E68D0A55-3C40-4712-B90D-DCFA93FF2534}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EE1-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FB314EE2-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    CustomCLSID: HKU\S-1-5-21-1292469835-3904043757-2447316924-1001_Classes\CLSID\{FBC9D74C-AF55-4309-9FB2-C426E071637F}\InprocServer32 -> C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll => No File
    ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2014-06-24] (Safer-Networking Ltd.)
    ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2014-06-24] (Safer-Networking Ltd.)
    ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =>  -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} =>  -> No File
    ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2014-06-24] (Safer-Networking Ltd.)
    ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2014-06-24] (Safer-Networking Ltd.)
    ContextMenuHandlers1_S-1-5-21-1292469835-3904043757-2447316924-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll -> No File
    ContextMenuHandlers1_S-1-5-21-1292469835-3904043757-2447316924-1001: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Romuś\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> No File
    ContextMenuHandlers4_S-1-5-21-1292469835-3904043757-2447316924-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll -> No File
    ContextMenuHandlers4_S-1-5-21-1292469835-3904043757-2447316924-1001: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Romuś\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> No File
    ContextMenuHandlers5_S-1-5-21-1292469835-3904043757-2447316924-1001: [DropboxExt] -> {ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C} => C:\Users\Romuś\AppData\Roaming\Dropbox\bin\DropboxExt64.19.0.dll -> No File
    ContextMenuHandlers5_S-1-5-21-1292469835-3904043757-2447316924-1001: [GGDriveMenu] -> {E68D0A55-3C40-4712-B90D-DCFA93FF2534} => C:\Users\Romuś\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll -> No File

    Task: {0C897FC9-CFEA-4266-9F99-F921C6C41DF5} - \Program aktualizacji online firmy Adobe. -> No File <==== ATTENTION
    Task: {0D8CBCFC-BD72-4A4B-94C1-8069DD438270} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
    Task: {1B928CDF-D7C3-4251-A77F-E4A2C67C160A} - System32\Tasks\fBcjFmudyEGmbQl2 => rundll32 "C:\Program Files (x86)\EOJNgZqKU\kNEuwC.dll",#1
    Task: {1D94E854-50D7-45DA-8E10-7920CEEB2617} - System32\Tasks\fBcjFmudyEGmbQl => rundll32 "C:\Program Files (x86)\EOJNgZqKU\kNEuwC.dll",#1
    Task: {24205B8F-AF0D-42AE-98BD-4F2A28CFED32} - System32\Tasks\LaCieS => C:\Disk\WebService.exe [2017-11-22] (TODO: <Company name>)
    Task: {28597BD1-A169-4A80-97D6-AF60E969A1A0} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-07-27] (Symantec Corporation)
    Task: {36415407-3216-4000-B849-C5F13B896CAB} - System32\Tasks\ByteFence => C:\Program Files\ByteFence\ByteFence.exe [2018-05-29] (Byte Technologies LLC) <==== ATTENTION
    Task: {6000DAD3-D1CB-49A6-9613-DA7B22515706} - System32\Tasks\Guard => C:\Program Files (x86)\System Native\Main Services\Guard.exe [2018-01-11] () <==== ATTENTION
    Task: {8A3FAD4C-1DA1-42AE-96CD-C9DE62AE7EBB} - System32\Tasks\{E407F739-B370-4A70-88B4-63896E3E9294} => C:\WINDOWS\system32\pcalua.exe -a "C:\Program Files (x86)\foxydeal\uninstall.exe"
    Task: {95175789-C05E-4136-B7E7-35032DAD1D5D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {A02C3793-2C0C-474B-929D-BD332845D9ED} - System32\Tasks\pnIxobGIUDXdNt => rundll32 "C:\Program Files (x86)\TwPufLOWyrxU2\CCSgckPTIkKJa.dll",#1
    Task: {B626D0F7-7157-4C8C-8D3D-4951ED00D19A} - System32\Tasks\SystemHealer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
    Task: {C19EABDF-4ABE-40D4-AEDB-9A31DA1BC7BF} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
    Task: {C451EF1F-2D17-4DC2-9C66-8D56E897505A} - System32\Tasks\{7A050A47-7E04-057F-7E11-7F7F7A7A1108} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAIAA7ACAAIAAgACAAOwAgADsAIAAgACAAIAAgACAAIAA7ACAAIAAgADsAOwAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AIgBzAHQAbwBwACIAOwAkAHMAYwA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAJABXAGEA (the data entry has 9976 more characters). <==== ATTENTION
    Task: {D43D141A-3B02-4791-A190-D71BDEC84A93} - System32\Tasks\updater => C:\Program Files (x86)\System Native\Main Services\updater.exe [2018-01-11] (System Native) <==== ATTENTION
    Task: {DD210B28-E477-49AD-A7F5-9AB92F480A26} - System32\Tasks\BcyoMZkjXMgFaPP2 => rundll32 "C:\Program Files (x86)\umkISPBbU\CgkTkJ.dll",#1
    Task: {DE256699-C502-41F0-86C2-243541453F44} - System32\Tasks\ByteFence Scan => C:\Program Files\ByteFence\ByteFence.exe [2018-05-29] (Byte Technologies LLC) <==== ATTENTION
    Task: {DEC0403F-DD8C-42F5-8A11-AAA80B03B45D} - System32\Tasks\avastBCLRestartS-1-5-21-1292469835-3904043757-2447316924-1001 => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Task: {E2B2E4C1-38B9-4AB5-8F84-6B8A4AE05E91} - System32\Tasks\SUPatchForW10Up => C:\ProgramData\Samsung\SamsungUpdatePatch\SUPatchForW10Up.exe [2015-08-18] (Samsung Electronics CO., LTD.)
    Task: {E4B0B3AB-99AF-4388-9111-B97E49FAD910} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.)
    Task: {E52603C0-D7FC-4E3C-AB7B-CFA026602807} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-05-08] (Piriform Ltd)
    Task: {FC0C66CA-588B-4519-91D8-6458F8B36CA6} - System32\Tasks\WLANStartup => C:\Program Files (x86)\Samsung\Easy Settings\WLANStartup.exe
    Task: {FC517F0F-478E-49F8-BB21-362D03013602} - System32\Tasks\BcyoMZkjXMgFaPP => rundll32 "C:\Program Files (x86)\umkISPBbU\pmeaMK.dll",#1
    Task: {FD418BF9-C6F9-4364-B20D-57BD977B8FBD} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-22] (Microsoft Corporation)
    Task: C:\WINDOWS\Tasks\BcyoMZkjXMgFaPP.job => C:\Program Files (x86)\umkISPBbU\pmeaMK.dll
    Task: C:\WINDOWS\Tasks\fBcjFmudyEGmbQl.job => C:\Program Files (x86)\EOJNgZqKU\kNEuwC.dll

    ShortcutWithArgument: C:\Users\Romuś\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> %SNP%
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> %SNP%

    FirewallRules: [{A38E57B8-8BE3-4FD4-8F93-14123EDAF287}] => (Allow) C:\Program Files (x86)\System Native\Main Services\Guard.exe
    FirewallRules: [{3824483F-4706-4AF3-9346-07FB3A210482}] => (Allow) C:\Program Files (x86)\System Native\Main Services\service_box.exe
    FirewallRules: [{B3070CBD-501F-44D6-BB93-FE17DA0857DA}] => (Allow) C:\Windows\System32\rundll32.exe
    FirewallRules: [{85D91BFF-A58E-4FD3-89FA-54F54BB04150}] => (Allow) C:\Windows\System32\rundll32.exe
    FirewallRules: [{74A0F113-9301-442F-9E0D-4A5DC16D7D1A}] => (Allow) C:\Windows\System32\rundll32.exe
    FirewallRules: [{7730C0DB-5DBA-4383-92B4-02930DBDEBDD}] => (Allow) C:\Windows\System32\rundll32.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    RemoveDirectory: C:\Program Files (x86)\System Native\
    RemoveDirectory: C:\Program Files (x86)\EOJNgZqKU
    EmptyTemp:


    After the restart, run a new FRST scan and post the new results.

    0
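The Task lines in the fixlist above carry the two persistence patterns that matter here: a scheduled task that launches a hidden, policy-bypassing PowerShell with a 10 KB `-EncodedCommand`, and several tasks that `rundll32` a DLL out of a randomly named folder under Program Files (x86). As an added example (not code from this thread, from FRST or from any poster), the Python below decodes the visible prefix of the encoded command (base64 of UTF-16LE; FRST prints only a prefix, so the string is cut back to whole base64 groups and whole 16-bit units), flags rundll32 tasks whose DLL folder looks random, and parses the attacker contact and victim id out of the `.wallet` filenames. The sample lines are copied from the log above; the folder-name heuristic and the list of suspicious PowerShell switches are this example's own assumptions.

```python
"""Triage of FRST log lines (added example; not code from this thread or from FRST)."""
import base64
import re

# Constructed subset of the log quoted above: one PowerShell task, one rundll32 task,
# one benign task and one encrypted file, as FRST printed them.
SAMPLE_LOG = r"""
Task: {C451EF1F-2D17-4DC2-9C66-8D56E897505A} - System32\Tasks\{7A050A47-7E04-057F-7E11-7F7F7A7A1108} => C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgADsAIAA7ACAAIAAgACAAOwAgADsAIAAgACAAIAAgACAAIAA7ACAAIAAgADsAOwAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AIgBzAHQAbwBwACIAOwAkAHMAYwA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAJABXAGEA (the data entry has 9976 more characters). <==== ATTENTION
Task: {1B928CDF-D7C3-4251-A77F-E4A2C67C160A} - System32\Tasks\fBcjFmudyEGmbQl2 => rundll32 "C:\Program Files (x86)\EOJNgZqKU\kNEuwC.dll",#1
Task: {0D8CBCFC-BD72-4A4B-94C1-8069DD438270} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
2018-01-15 23:11 - 2018-01-16 23:23 - 000140988 _____ () C:\Users\Romuś\AppData\Local\installer.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
"""

# Switch combination typical of a hidden, policy-bypassing launcher (assumption of this example).
SUSPICIOUS_PS_FLAGS = ("-executionpolicy bypass", "-windowstyle hidden",
                       "-noninteractive", "-encodedcommand")
ENC_RE = re.compile(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RUNDLL_RE = re.compile(
    r'rundll32\s+"?([A-Za-z]:\\Program Files(?: \(x86\))?\\([^\\"]+)\\([^\\"]+\.dll))',
    re.IGNORECASE)
# <original name>.[<contact>]-id-<victim id>.wallet, the naming used by this infection.
WALLET_RE = re.compile(r"^(?P<orig>.+?)\.\[(?P<contact>[^\]]+)\]-id-(?P<vid>[^.]+)\.wallet$",
                       re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 of the script in UTF-16LE. FRST prints only a prefix of
    long values, so cut back to whole base64 groups and whole 16-bit code units."""
    if not b64.endswith("="):
        b64 = b64[: len(b64) - len(b64) % 4]
    raw = base64.b64decode(b64)
    raw = raw[: len(raw) - len(raw) % 2]
    return raw.decode("utf-16-le", errors="replace")


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption): one alphanumeric token with three or more
    upper/lower case flips, or a run of five or more consonants, e.g. EOJNgZqKU."""
    if not name.isalnum() or len(name) < 6:
        return False
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    longest_run = max(len(r) for r in re.split(r"[aeiouyAEIOUY0-9]+", name))
    return flips >= 3 or longest_run >= 5


def parse_ransom_name(path: str):
    """Original name, contact and victim id from an encrypted file's name, or None."""
    m = WALLET_RE.match(path.rsplit("\\", 1)[-1])
    if not m:
        return None
    return {"original": m["orig"], "contact": m["contact"], "victim_id": m["vid"]}


def triage(log_text: str) -> list:
    """One finding per suspicious task or encrypted file in the FRST text."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Task:"):
            cmd = line.split("=>", 1)[-1]
            low = cmd.lower()
            if "powershell" in low:
                flags = [f for f in SUSPICIOUS_PS_FLAGS if f in low]
                enc = ENC_RE.search(cmd)
                if flags or enc:
                    findings.append({"kind": "powershell", "flags": flags,
                                     "decoded_prefix": decode_encoded_command(enc.group(1)) if enc else None})
            m = RUNDLL_RE.search(cmd)
            if m and looks_random(m.group(2)):
                findings.append({"kind": "rundll32-random-dir", "folder": m.group(2), "dll": m.group(3)})
        else:
            p = re.search(r"[A-Za-z]:\\.*$", line)
            info = parse_ransom_name(p.group(0)) if p else None
            if info:
                findings.append({"kind": "ransom-file", **info})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the decoded prefix is a row of padding semicolons followed by `$ErrorActionPreference="stop";$sc="SilentlyContinue";$Wa`, which is as far as FRST's 216 visible characters reach; the full 10 KB value has to be read from the task XML under `C:\Windows\System32\Tasks` (or with `Export-ScheduledTask`) before the rest of the script can be seen. The contact and victim id pulled from the filenames are what an identification service such as ID Ransomware asks for.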
  • #4 05 Aug 2018 06:05
    krzychupar
    Level 41

    Do this:

    Uninstall:

    McAfee WebAdvisor
    WarThunder (HKLM-x32\...\WarThunder) (Version: - ) <==== ATTENTION

    Open the system Notepad and paste:
    CloseProcesses:
    Hosts:
    FirewallRules: [{FEDFA3CD-D285-44CC-BBAF-CA05C31072D2}] => (Block) C:\Program Files (x86)\System Native\Main Services\service_box.exe
    FirewallRules: [{15B2028D-083C-4E69-98B5-296175620944}] => (Block) C:\Program Files\ByteFence\ByteFence.exe
    (McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
    (McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\saUI.exe
    HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
    HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
    HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
    HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    CHR Extension: (McAfee® WebAdvisor) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2018-08-05]
    CHR Extension: (No Name) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\dlfienamagdnkekbbbocojppncdambda [2014-11-04] [UpdateUrl: hxxp://www.predictad.com/update/chrome/?si=42586&ver=1.1] <==== ATTENTION
    CHR Extension: (McAfee® WebAdvisor) - C:\Users\Romuś\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2018-08-05]
    R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [604312 2018-01-04] (McAfee, Inc.)
    R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [111608 2017-02-14] (McAfee, Inc.)
    S3 BTATH_LWFLT; \SystemRoot\system32\DRIVERS\btath_lwflt.sys [X]
    Error(1) reading file: "C:\WINDOWS\System32\Tasks\Program aktualizacji online firmy Adobe."
    2018-08-05 05:05 - 2016-12-11 12:34 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2018-08-05 05:00 - 2018-01-16 23:45 - 000000000 ____D C:\Program Files (x86)\GBeMZXQZBIE
    2018-08-05 04:56 - 2016-12-11 12:34 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2018-08-05 04:56 - 2014-02-22 09:51 - 000000085 _____ C:\WINDOWS\wininit.ini
    2018-08-05 04:53 - 2017-01-14 18:08 - 000000000 ____D C:\ProgramData\ByteFence
    2018-08-05 04:46 - 2018-01-16 23:45 - 000000000 ____D C:\Program Files (x86)\TwPufLOWyrxU2
    2016-12-11 14:04 - 2016-12-11 14:04 - 000009214 _____ () C:\ProgramData\SMRResults501.dat
    2014-05-17 20:36 - 2018-01-16 23:20 - 000099564 _____ () C:\Users\Romuś\AppData\Roaming\inst.exe.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-16 23:10 - 2018-01-16 23:26 - 000013794 _____ () C:\Users\Romuś\AppData\Roaming\payday.hta
    2014-05-17 20:36 - 2018-01-16 23:19 - 000008044 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.cat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000001340 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.inf.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000000236 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.log.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-05-17 20:36 - 2018-01-16 23:19 - 000083004 _____ () C:\Users\Romuś\AppData\Roaming\pcouffin.sys.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-15 23:13 - 007563264 _____ () C:\Users\Romuś\AppData\Local\agent.dat
    2018-01-15 23:13 - 2018-01-15 23:13 - 000070800 _____ () C:\Users\Romuś\AppData\Local\Config.xml
    2018-01-15 23:12 - 2018-01-16 23:23 - 000278684 _____ () C:\Users\Romuś\AppData\Local\Hatair.bin.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:23 - 000016268 _____ () C:\Users\Romuś\AppData\Local\InstallationConfiguration.xml.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:23 - 000140988 _____ () C:\Users\Romuś\AppData\Local\installer.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000018620 _____ () C:\Users\Romuś\AppData\Local\Main.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000005756 _____ () C:\Users\Romuś\AppData\Local\md.xml.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:23 - 000126652 _____ () C:\Users\Romuś\AppData\Local\noah.dat.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:11 - 2018-01-16 23:21 - 000931004 _____ () C:\Users\Romuś\AppData\Local\po.db.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001895564 _____ () C:\Users\Romuś\AppData\Local\S-lax.bin.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 000032220 _____ () C:\Users\Romuś\AppData\Local\uninstall_temp.ico.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001815740 _____ () C:\Users\Romuś\AppData\Local\Villatop.exe.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2018-01-15 23:13 - 2018-01-16 23:21 - 001983772 _____ () C:\Users\Romuś\AppData\Local\Villatop.tst.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    2014-06-16 13:27 - 2018-01-16 23:21 - 000000188 _____ () C:\Users\Romuś\AppData\Local\{F15E3FE9-3EC1-4D31-B405-9AEC9A576274}.[unlocksupp@airmail.cc or BM-2cTVHx6b7RYhJ9gGKZn6yTuBpBBq3LHRkz(malpa)bitmessage.ch]-id-718.wallet
    EmptyTemp:

    Save the file as fixlist.txt and put it in the folder where you have FRST.exe.
    Run FRST and click Fix/Napraw.

    No script will help unlock the files here; to get the files back you will probably have to bear some cost.

    0
  • #5 05 Aug 2018 07:49
    safbot1st
    Level 43

    Also scan this PC with TDSSKiller.
    Boot a live Linux. From there you can look for data with DMDE, but that is where the ideas for home-grown data recovery end.

    0
  • #6 07 Aug 2018 21:28
    Wojtek001
    Level 15

    DashingPunisher wrote:
    Thanks for the reply :) I did everything, the computer restarted, but the files are still locked :( I'm attaching the logs from after the fix

    It is very bad that the computer restarted, because the first thing you should have done is a RAM dump.

    As for the files: if the cryptography was implemented correctly, there is no way to recover the data other than paying the ransomware authors.

    But what ransomware is it? What is its name? What did the ransom note look like?

    Sometimes free decryptors appear when the cryptography was not implemented correctly (e.g. early versions of Princess Ransomware) or when for some reason the keys were made public (e.g. Petya, Vortex, some versions of CryptoLocker).

    1