Open the system Notepad and paste:

CloseProcesses:
Task: {599E82B8-D789-4F16-9A12-C9F92DA9C484} - System32\Tasks\{513EE0BA-408A-448F-99C3-2E2385119AC4} => C:\Windows\system32\pcalua.exe -a D:\d\call\1\Mafia\mafia.exe -d D:\d\call\1\Mafia
Task: {629A09E5-E9C2-4B12-89A1-3CAB51C689BC} - System32\Tasks\{6DBBCAF7-ED92-427B-A744-3831A426ABC7} => C:\Windows\system32\pcalua.exe -a "C:\Users\Tomek\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe" -c /uninstall
Task: {80CD9417-A491-4EDF-9742-E12954077206} - System32\Tasks\csrss => C:\Windows\rss\csrss.exe [2017-09-03] () <==== UWAGA
Task: {82A1BDE8-14A0-4AC2-891F-F70E7B32D614} - System32\Tasks\{0E790D47-0E09-0A04-7E11-087F7E7F117A} => C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAAgACAAIAA7ACAAOwAgACAAIAA7ACAAOwA7ADsAOwAgADsAOwAgACAAOwA7ACAAIAAgACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQA (dane wartości zawierają 9968 znaków więcej). <==== UWAGA
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [on3f1c3jwi5] => "C:\Users\Tomek\AppData\Roaming\fng3ammect4\zw2bw0bc1v5.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [iyoh3yencby] => "C:\Users\Tomek\AppData\Roaming\1mnyobt23do\vvl5cvrxs5d.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [K5NNX2J9LHGZ4RJ] => "C:\Program Files\8A7KCHW0XC\MHJSCOO4L.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [g0tdt0qwxh5] => "C:\Users\Tomek\AppData\Roaming\s3i4kqqj3ku\k2yoqhzaal4.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [dctis5jevdt] => "C:\Users\Tomek\AppData\Roaming\c2d4jnmhenw\xfddpxpzrbl.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [IGU2XSH5UI3169J] => "C:\Program Files\D9XAU4M10O\X2SB27OMT.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [gw64-core2 save settings] => "C:\Users\Tomek\AppData\Roaming\isMiner\minerstart.vbs"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [qrqnkf0w3os] => "C:\Users\Tomek\AppData\Roaming\4ngqvmda5xc\ibm0vzxnjk2.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [ZQLY33ALITFFR65] => "C:\Program Files\UP9GUVJJPD\UP9GUVJJP.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [qnod4hhloph] => "C:\Users\Tomek\AppData\Roaming\owxkdvmcxd0\f42jjogenlt.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [LittleHaze] => C:\Windows\rss\csrss.exe [4602880 2017-09-03] () <==== UWAGA
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [lvzeuwwpgl1] => "C:\Users\Tomek\AppData\Roaming\ayyuwp3ke53\1fpvysxpvdt.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [HC00M4RLRS1DHGW] => "C:\Program Files\4IEY1D11CY\4IEY1D11C.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [AJHONPMFNKNBU0I] => "C:\Program Files\H3F8JN6V2K\H3F8JN6V2.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [u4loubbsuwk] => "C:\Users\Tomek\AppData\Roaming\1upctjwyfha\3ywiw5gbmuj.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [JLQHXGEF754O4FZ] => "C:\Program Files\ACF4M44MYW\8CMETEZBF.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [ygd5hzk1rgm] => "C:\Users\Tomek\AppData\Roaming\vvndzg1lb01\ddifkhl2goq.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [ik5qu0vzrur] => "C:\Users\Tomek\AppData\Roaming\cey2muphv01\hezu5b4diim.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [2LCR2O9AV8BBEO7] => "C:\Program Files\P86AZRTKZT\LQ7QFT26S.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [RSAIZZPCQUE49PG] => "C:\Program Files\82O5Z0I1I2\F6CRZ3ELC.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [zasxmnrgaxu] => "C:\Users\Tomek\AppData\Roaming\2oquqheqtcf\zrebufnjbx3.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [7AQ9DSKH16HN4R8] => "C:\Program Files\80QUJRBTMI\CLGWZWGZ8.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [1pfdagkm4qj] => "C:\Users\Tomek\AppData\Roaming\dwhrs5jucoe\n1wriuqoxnp.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [OCTACKB92G1XEJP] => C:\Program Files\RLBDO0Y59X\RLBDO0Y59.exe [1208320 2017-09-04] ()
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [1kvfkom1mnd] => "C:\Users\Tomek\AppData\Roaming\sloc4d5c13b\erlapa3omce.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [WEYP1B2N48ZV1NG] => "C:\Program Files\S2UIN36URS\IG7C32IWQ.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [odr3llyvcrj] => "C:\Users\Tomek\AppData\Roaming\xempzpe3ry4\u0wxvisdx3t.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [ka2vmxgv1wy] => "C:\Users\Tomek\AppData\Roaming\lbszcje53i0\ifmzr2bixkf.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [b3xnqcokvyp] => "C:\Users\Tomek\AppData\Roaming\iab5zkn0jdw\1y3szo23mru.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\Run: [kfdl0kcgxms] => "C:\Users\Tomek\AppData\Roaming\1evalye2rea\alraayfd2af.exe"
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\MountPoints2: {5225d3a7-ee06-11e6-8a08-806e6f6e6963} - E:\ZToolBar.exe
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\...\MountPoints2: {ad666b2a-ee9f-11e6-aeb2-bc5ff47c6761} - F:\m.exe
AppInit_DLLs: C:\ProgramData\Voyasollam\S-light.dll => Brak pliku
AppInit_DLLs-x32: C:\ProgramData\Voyasollam\Y-touch.dll => Brak pliku
GroupPolicy: Ograniczenia - Chrome <==== UWAGA
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-CxDx_iciSYWgpVmtODLvBznCkry5b_0kh6FB4AJfxtv9n_YIsX3b_9sTZ2dX0LcJuRDMRRVHTQMfPz3URaCK9UrmmBo1JhAAQBRGzUx0a6BdBfj0ac0N_jpPO4qtMrjf62BqD6AAIG4jWRThwUGvPhKJeUow,,&q={searchTerms}
HKU\S-1-5-21-4185380531-2055773481-192677435-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRHOjYN9_5EdL7qPpMxldvM_sEGJZAe-CxDx_iciSYWgpVmtODLvBznCkry5b_0kh6FB4AJfxtv9n_YIsX3b_9sTZ2dX0LcJuduwBQtNVf-xdIpKPhsqN0fSrqJ2jr1ojlZOAAsYkSYaXaqaQaKT7NSFmmPq-eUyVoyAMIQMa-UyDPA2hSz6skmnFbCg,,
SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
BHO-x32: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\QYERbvxRHIE\kcEh0LrZ.dll => Brak pliku
FF Extension: (Adblocker for Youtube™) - C:\Program Files\Mozilla Firefox\browser\features\{5C3FD6D1-9185-4195-B5E1-FAB622427F59} [2017-09-04] [Brak podpisu cyfrowego]
CHR Extension: (Adblocker for Youtube™) - C:\Users\Tomek\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmhomipkklckpomafalojobppmmidlgl [2017-09-04]
S2 WinDefender; C:\Windows\windefender.exe [X]
2017-09-04 19:09 - 2017-09-04 21:45 - 000000000 ____D C:\Program Files\93328ONT5B
2017-09-04 19:09 - 2017-09-04 19:09 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\1evalye2rea
2017-09-04 18:55 - 2017-09-04 21:45 - 000000000 ____D C:\Program Files\HMYCFYVI9T
2017-09-04 18:55 - 2017-09-04 21:45 - 000000000 ____D C:\Program Files\BMJEOYU81X
2017-09-04 18:55 - 2017-09-04 18:55 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\iab5zkn0jdw
2017-09-04 18:54 - 2017-09-04 19:32 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\lbszcje53i0
2017-09-04 18:53 - 2017-09-04 21:45 - 000000000 ____D C:\Program Files\CWK6ZK7DYE
2017-09-04 18:53 - 2017-09-04 18:53 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\xempzpe3ry4
2017-09-04 08:26 - 2017-09-04 08:26 - 000024256 _____ C:\Windows\System32\Tasks\{0E790D47-0E09-0A04-7E11-087F7E7F117A}
2017-09-04 08:24 - 2017-09-04 19:32 - 000000000 ____D C:\Program Files\S2UIN36URS
2017-09-04 08:24 - 2017-09-04 08:24 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\sloc4d5c13b
2017-09-04 08:23 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\80QUJRBTMI
2017-09-04 08:23 - 2017-09-04 08:24 - 000000000 ____D C:\Program Files\RLBDO0Y59X
2017-09-04 08:23 - 2017-09-04 08:23 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\dwhrs5jucoe
2017-09-04 08:23 - 2017-09-04 08:23 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\2oquqheqtcf
2017-09-04 08:20 - 2017-09-04 19:06 - 000000000 ____D C:\AdwCleaner
2017-09-04 08:14 - 2017-09-04 08:14 - 000003166 _____ C:\Windows\System32\Tasks\{6DBBCAF7-ED92-427B-A744-3831A426ABC7}
2017-09-04 08:10 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\P86AZRTKZT
2017-09-04 08:10 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\82O5Z0I1I2
2017-09-04 08:10 - 2017-09-04 08:10 - 000000266 __RSH C:\Users\Tomek\ntuser.pol
2017-09-04 08:10 - 2017-09-04 08:10 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\vvndzg1lb01
2017-09-04 08:10 - 2017-09-04 08:10 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\cey2muphv01
2017-09-04 08:09 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\ACF4M44MYW
2017-09-04 08:09 - 2017-09-04 08:09 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\1upctjwyfha
2017-09-03 15:42 - 2017-09-04 19:31 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\owxkdvmcxd0
2017-09-03 15:42 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\H3F8JN6V2K
2017-09-03 15:42 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\4IEY1D11CY
2017-09-03 15:42 - 2017-09-04 19:30 - 000003190 _____ C:\Windows\System32\Tasks\csrss
2017-09-03 15:42 - 2017-09-03 15:42 - 007327744 _____ C:\Users\Tomek\AppData\Local\agent.dat
2017-09-03 15:42 - 2017-09-03 15:42 - 001900814 _____ C:\Users\Tomek\AppData\Local\Saostock.tst
2017-09-03 15:42 - 2017-09-03 15:42 - 001895382 _____ C:\Users\Tomek\AppData\Local\VivaIng.bin
2017-09-03 15:42 - 2017-09-03 15:42 - 000278509 _____ C:\Users\Tomek\AppData\Local\Duoplus.bin
2017-09-03 15:42 - 2017-09-03 15:42 - 000126464 _____ C:\Users\Tomek\AppData\Local\noah.dat
2017-09-03 15:42 - 2017-09-03 15:42 - 000070800 _____ C:\Users\Tomek\AppData\Local\Config.xml
2017-09-03 15:42 - 2017-09-03 15:42 - 000009352 _____ C:\Windows\system32\Drivers\Winmon.sys
2017-09-03 15:42 - 2017-09-03 15:42 - 000005568 _____ C:\Users\Tomek\AppData\Local\md.xml
2017-09-03 15:42 - 2017-09-03 15:42 - 000002700 __RSH C:\ProgramData\ntuser.pol
2017-09-03 15:42 - 2017-09-03 15:42 - 000000000 ____D C:\Windows\rss
2017-09-03 15:42 - 2017-09-03 15:42 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\ayyuwp3ke53
2017-09-03 15:42 - 2017-09-03 15:41 - 002554368 _____ (TODO: ) C:\Users\Tomek\AppData\Local\Saostock.exe
2017-09-03 15:40 - 2017-09-04 19:31 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\4ngqvmda5xc
2017-09-03 15:40 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\UP9GUVJJPD
2017-09-03 12:59 - 2017-09-04 19:31 - 000000000 ____D C:\Program Files\D9XAU4M10O
2017-09-03 12:59 - 2017-09-04 19:30 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\s3i4kqqj3ku
2017-09-03 12:59 - 2017-09-04 19:30 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\c2d4jnmhenw
2017-09-03 12:59 - 2017-09-03 12:59 - 000140800 _____ C:\Users\Tomek\AppData\Local\installer.dat
2017-09-03 12:59 - 2017-09-03 12:59 - 000000000 ____D C:\Program Files\R50ODERWZW
2017-09-03 12:58 - 2017-09-04 19:30 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\1mnyobt23do
2017-09-03 12:58 - 2017-09-04 19:30 - 000000000 ____D C:\Program Files\8A7KCHW0XC
2017-09-03 12:57 - 2017-09-04 19:30 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\fng3ammect4
2017-09-03 12:57 - 2017-09-04 19:30 - 000000000 ____D C:\Program Files (x86)\t1esgai42uq
2017-09-03 12:57 - 2017-09-03 12:57 - 000177152 _____ C:\Windows\svchost.exe
2017-09-03 12:57 - 2017-09-03 12:57 - 000073216 _____ C:\Windows\taskmgr.exe
2017-09-03 12:57 - 2017-09-03 12:57 - 000000000 ____D C:\Windows\Azart
2017-09-03 12:57 - 2017-09-03 12:57 - 000000000 ____D C:\Users\Tomek\AppData\Roaming\jhs2pvoajbg
2017-09-03 12:57 - 2017-09-03 12:57 - 000000000 ____D C:\Program Files\BA0KWHAXQB
2017-09-03 12:57 - 2017-09-03 12:57 - 000000000 ____D C:\Program Files\6GYMPOIZ1M
C:\Windows\rss\csrss.exe
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST, in the same folder. Run FRST as administrator and click Fix/Napraw.