Open the system Notepad and paste:

Task: {1AE59923-AB16-4FA7-9D3E-79FF1F305D1C} - System32\Tasks\{B568FEAD-4175-A9EA-1C3F-E6AEADC22EE1} => C:\Program Files (x86)\Common Files\IigXa.exe
Task: {5B8357E9-7AE8-4D9E-BB6B-213C29892C4B} - System32\Tasks\XeRTeJCMKPYXWyYqW2 => rundll32 "C:\Program Files (x86)\FpyEWGzDFWVVpLycIFR\npznTSI.dll",#1
Task: {A38893CB-9B74-4C7F-8444-4903540804A3} - System32\Tasks\{CBD49FD6-6CE8-2997-351F-2A2D48A66E64} => C:\Users\Barton\AppData\Roaming\YXybXO.exe <==== UWAGA
Task: {CE485209-6733-4564-B9FB-8B276E59B426} - System32\Tasks\xRZOrQVCBWPMscb2 => rundll32 "C:\Program Files (x86)\muZPPgwvU\hIlOCS.dll",#1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001\...\RunOnce: [Application Restart #6] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --restore-last-session hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D?publisher=APSFW (dane wartości zawierają 138 znaków więcej).
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001\...\MountPoints2: {c252912e-ef48-11e7-9bc4-806e6f6e6963} - "explorer.exe" index.html
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001\...\Command Processor: @mode 20,5 & tasklist /FI "IMAGENAME eq SoundMixer.exe" 2>NUL | find /I /N "SoundMixer.exe">NUL && exit & if exist "C:\Users\Barton\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" ( start /MIN "" "C:\Users\Barton\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) <==== UWAGA
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04092018112520440\...\RunOnce: [Application Restart #6] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --flag-switches-begin --flag-switches-end --restore-last-session hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D?publisher=APSFW (dane wartości zawierają 138 znaków więcej).
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04092018112520440\...\MountPoints2: {c252912e-ef48-11e7-9bc4-806e6f6e6963} - "explorer.exe" index.html
HKU\S-1-5-21-1938867963-3865347035-3135603491-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04092018112520440\...\Command Processor: @mode 20,5 & tasklist /FI "IMAGENAME eq SoundMixer.exe" 2>NUL | find /I /N "SoundMixer.exe">NUL && exit & if exist "C:\Users\Barton\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" ( start /MIN "" "C:\Users\Barton\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) <==== UWAGA
GroupPolicy: Ograniczenia - Chrome <==== UWAGA
SearchScopes: HKLM-x32 -> DefaultScope - brak wartości
SearchScopes: HKU\S-1-5-21-1938867963-3865347035-3135603491-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE15
SearchScopes: HKU\S-1-5-21-1938867963-3865347035-3135603491-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE15
SearchScopes: HKU\S-1-5-21-1938867963-3865347035-3135603491-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04092018112520440 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE15
SearchScopes: HKU\S-1-5-21-1938867963-3865347035-3135603491-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04092018112520440 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02&pc=UE15
CHR HKLM-x32\...\Chrome\Extension: [ofoeigeaodhbjogdigckajfhjbonaofg] - hxxps://clients2.google.com/service/update2/crx
OPR Extension: (Adblocker for Youtube™) - C:\Users\Barton\AppData\Roaming\Opera Software\Opera Stable\Extensions\kjmiajamiimndhpicnkbijomngkocnfn [2018-04-09]
OPR Extension: (Google Sheets Offline) - C:\Users\Barton\AppData\Roaming\Opera Software\Opera Stable\Extensions\ofpildlcjjkilljbnahopghpeppbphgm [2018-04-09]
S1 hhtctgmu; \??\C:\WINDOWS\system32\drivers\hhtctgmu.sys [X]
2018-04-09 10:58 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files (x86)\IUpWUBcycmhgC
2018-04-09 10:58 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files (x86)\GYHHaWMnbkQU2
2018-04-09 10:58 - 2018-04-09 10:58 - 000000000 ____D C:\Program Files (x86)\FpyEWGzDFWVVpLycIFR
2018-04-09 10:57 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\P06I5M7EX8
2018-04-09 10:57 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files (x86)\VjljmRaTOaUn
2018-04-09 10:57 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files (x86)\oPjpQbAMIIE
2018-04-09 10:57 - 2018-04-09 10:57 - 000002006 _____ C:\Users\Barton\Desktop\PandaViewer.lnk
2018-04-09 10:57 - 2018-04-09 10:57 - 000000000 ____D C:\Program Files (x86)\PandaViewer
2018-04-09 10:57 - 2018-04-09 10:57 - 000000000 ____D C:\Program Files (x86)\muZPPgwvU
2018-04-09 09:57 - 2018-04-09 11:24 - 000000000 ____D C:\Users\Barton\AppData\Roaming\5tgpcuyvlyx
2018-04-09 09:57 - 2018-04-09 09:58 - 000000000 ____D C:\Users\Barton\AppData\Roaming\gplyra
2018-04-09 09:57 - 2018-04-09 09:57 - 000000000 ____D C:\Users\Barton\AppData\Roaming\FastDataX
2018-04-09 09:27 - 2018-04-09 09:27 - 000004036 _____ C:\WINDOWS\System32\Tasks\Opera scheduled Autoupdate 1523258845
2018-04-09 09:27 - 2018-04-09 09:27 - 000001222 _____ C:\Users\Public\Desktop\Przeglądarka Opera.lnk
2018-04-09 09:27 - 2018-04-09 09:27 - 000001222 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Przeglądarka Opera.lnk
2018-04-09 00:30 - 2018-04-09 03:01 - 000000000 ____D C:\Users\Barton\AppData\LocalLow\gwnxXYQfvfqza
2018-04-09 00:20 - 2018-04-09 11:24 - 000000000 ____D C:\Users\Barton\AppData\Roaming\chot0qbbnyc
2018-04-09 00:20 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\9R919UZ60M
2018-04-08 10:51 - 2018-04-09 10:58 - 000003034 _____ C:\WINDOWS\System32\Tasks\XeRTeJCMKPYXWyYqW2
2018-04-08 10:50 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\NHL1LDMNAC
2018-04-08 10:39 - 2018-04-09 11:23 - 000000000 ____D C:\ProgramData\10b45edb-3473-4b10-b57e-0ad402f4c858
2018-04-08 10:39 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\0LQUJLWOZ0
2018-04-08 10:39 - 2018-04-09 10:57 - 000003008 _____ C:\WINDOWS\System32\Tasks\xRZOrQVCBWPMscb2
2018-04-08 10:35 - 2018-04-09 10:05 - 000000000 ____D C:\AdwCleaner
2018-04-08 10:10 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\L3DORIH8TV
2018-04-08 10:10 - 2018-04-08 10:37 - 000000000 ____D C:\Users\Barton\AppData\Roaming\cclghwvmpvi
2018-04-07 22:54 - 2018-04-09 11:23 - 000000000 ____D C:\Windat
2018-04-07 22:54 - 2018-04-09 11:23 - 000000000 ____D C:\Program Files\X4RAF2VH48
2018-04-07 22:54 - 2018-04-09 11:19 - 000000000 ____D C:\Disk
2018-04-07 22:54 - 2018-04-09 10:11 - 000000000 ____D C:\Dapp
2018-04-07 22:54 - 2018-04-08 10:31 - 000929792 _____ C:\Users\Barton\AppData\Local\sham.db
2018-04-07 22:54 - 2018-04-07 22:54 - 000140800 _____ C:\Users\Barton\AppData\Local\installer.dat
2018-04-07 22:53 - 2018-04-09 11:24 - 000000000 ____D C:\Program Files (x86)\frgtrh
2018-04-07 22:53 - 2018-04-07 22:53 - 000003812 _____ C:\WINDOWS\System32\Tasks\{B568FEAD-4175-A9EA-1C3F-E6AEADC22EE1}
2018-04-07 22:53 - 2018-04-07 22:53 - 000003608 _____ C:\WINDOWS\System32\Tasks\{CBD49FD6-6CE8-2997-351F-2A2D48A66E64}
2018-04-07 22:53 - 2018-04-07 22:53 - 000000003 _____ C:\Users\Barton\AppData\Local\wbem.ini
2018-04-07 22:53 - 2017-09-29 15:42 - 000174592 ____N (Microsoft Corporation) C:\Users\Barton\AppData\Local\TOgVOod.exe
2018-04-07 22:54 - 2018-04-07 22:54 - 000140800 _____ () C:\Users\Barton\AppData\Local\installer.dat
EmptyTemp:

Save the file as fixlist.txt and place it next to FRST in the same folder. Run FRST as administrator and click Fix/Napraw.