Fix result of Farbar Recovery Scan Tool (x64) Version:12-07-2015
Ran by Forma at 2015-07-13 18:52:57 Run:1
Running from C:\Users\Forma\Downloads
Loaded Profiles: Forma (Available Profiles: Forma)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
S4 mailUpdate; C:\ProgramData\MailUpdate\mailUpdate.exe [820736 2015-07-10] (Skytech Co., Ltd.) [File not signed]
R1 wsafd_1_10_0_19; C:\Windows\System32\drivers\wsafd_1_10_0_19.sys [61312 2015-06-16] (Word Surfer)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
Task: {802C3B20-BFA1-40C0-947A-F03103E28F03} - System32\Tasks\vXP876ljsOm => C:\Users\Forma\AppData\Roaming\vXP876ljsOm.exe <==== ATTENTION
Task: {816184CE-16F4-41D0-8F6F-9A57B5408574} - System32\Tasks\Steam-S-1-8-22-9865GUI => C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\steam.exe [2015-07-13] () <==== ATTENTION
Task: {8C09839F-6440-4FE6-8A0F-D018AEAEEDE9} - System32\Tasks\WordSurfer Auto Updater 1.10.0.19 Pending Update => C:\Program Files (x86)\WordSurfer_1.10.0.19\Update\WordSurferAutoUpdateClient.exe
Task: {B61FCB50-C923-4B21-B098-A380100B9969} - System32\Tasks\WordSurfer Auto Updater 1.10.0.19 Core => C:\Program Files (x86)\WordSurfer_1.10.0.19\Update\WordSurferAutoUpdateClient.exe
Task: {E169DCBC-7500-4CE3-B56A-133DD2DF9897} - System32\Tasks\SpeakMore => c:\programdata\{9d1cd31f-1db7-437a-9d1c-cd31f1db4c7c}\sevensetup.exe [2015-07-13] () <==== ATTENTION
Task: {F477CA07-D3A1-4B63-B688-E10C543039DB} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: C:\Windows\Tasks\SpeakMore.job => c:\programdata\{9d1cd31f-1db7-437a-9d1c-cd31f1db4c7c}\sevensetup.exe <==== ATTENTION
Task: C:\Windows\Tasks\vXP876ljsOm.job => C:\Users\Forma\AppData\Roaming\vXP876ljsOm.exe <==== ATTENTION
ShortcutWithArgument: C:\Users\Forma\Desktop\Opera.lnk -> C:\Users\Forma\AppData\Local\Programs\Opera\launcher.exe (Opera Software) -> hxxp://www.mystartsearch.com/?type=sc&ts=1436799223&z=e9875a49d823e609b5bfec5g2z8c1q8m4tetco7edm&from=cmi&uid=ST1000DM003-1ER162_Z4Y3XFPJXXXXZ4Y3XFPJ
ShortcutWithArgument: C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.mystartsearch.com/?type=sc&ts=1436799223&z=e9875a49d823e609b5bfec5g2z8c1q8m4tetco7edm&from=cmi&uid=ST1000DM003-1ER162_Z4Y3XFPJXXXXZ4Y3XFPJ
ShortcutWithArgument: C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Opera.lnk -> C:\Users\Forma\AppData\Local\Programs\Opera\launcher.exe (Opera Software) -> hxxp://www.mystartsearch.com/?type=sc&ts=1436799223&z=e9875a49d823e609b5bfec5g2z8c1q8m4tetco7edm&from=cmi&uid=ST1000DM003-1ER162_Z4Y3XFPJXXXXZ4Y3XFPJ
ShortcutWithArgument: C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.mystartsearch.com/?type=sc&ts=1436799223&z=e9875a49d823e609b5bfec5g2z8c1q8m4tetco7edm&from=cmi&uid=ST1000DM003-1ER162_Z4Y3XFPJXXXXZ4Y3XFPJ
ShortcutWithArgument: C:\Users\Forma\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.mystartsearch.com/?type=sc&ts=1436799223&z=e9875a49d823e609b5bfec5g2z8c1q8m4tetco7edm&from=cmi&uid=ST1000DM003-1ER162_Z4Y3XFPJXXXXZ4Y3XFPJ
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
SearchScopes: HKU\S-1-5-21-871434758-139634626-509111008-1000 -> DefaultScope {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL =
Toolbar: HKU\S-1-5-21-871434758-139634626-509111008-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
C:\Program Files (x86)\5e7a51f3-1bd9-4eae-aad0-38c415393cca
C:\Program Files (x86)\ 1Button App for Chrome
C:\Program Files (x86)\CCutThePricce
C:\Program Files (x86)\globalUpdate
C:\Program Files (x86)\Google\Chrome
C:\ProgramData\{9d1cd31f-1db7-437a-9d1c-cd31f1db4c7c}
C:\ProgramData\17927770879032528778
C:\ProgramData\MailUpdate
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
C:\Users\Forma\AppData\Local\30175
C:\Users\Forma\AppData\Local\Google\Chrome
C:\Users\Forma\AppData\Local\globalUpdate
C:\Users\Forma\AppData\Local\SmartWeb
C:\Users\Forma\AppData\Roaming\vXP876ljsOm
C:\Users\Forma\AppData\Roaming\cpuminer
C:\Users\Forma\AppData\Roaming\MailUpdate
C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\steam.exe
C:\Users\Forma\Desktop\Continue Games Desktop.lnk
C:\Users\Forma\Downloads\*(*)-dp*.exe
C:\Windows\hgfs.sys
C:\Windows\prleth.sys
C:\Windows\pss\crossbrowse.lnk.Startup
C:\Windows\pss\SmartWeb.lnk.Startup
C:\Windows\system32\cpuminer-conf.json
C:\Windows\System32\drivers\wsafd_1_10_0_19.sys
C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
Folder: C:\Users\Forma\AppData\Roaming\Microsoft\Reversed
CMD: type C:\Windows\system32\Drivers\etc\hp.bak
Reg: reg delete HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I /f
Reg: reg delete HKCU\Software\dobreprogramy /f
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\globalUpdate" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\globalUpdatem" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gopibeko" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IHProtect Service" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\mailUpdate" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\nilewohe" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\vicoqudu" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\wsasvc_1.10.0.19" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\zejytose" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder" /f
Reg: reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /f
CMD: netsh advfirewall reset
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
mailUpdate => Service removed successfully
wsafd_1_10_0_19 => Unable to stop service.
wsafd_1_10_0_19 => Service removed successfully
gupdate => Service removed successfully
gupdatem => Service removed successfully
NTIOLib_1_0_C => Service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{802C3B20-BFA1-40C0-947A-F03103E28F03}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802C3B20-BFA1-40C0-947A-F03103E28F03}" => key removed successfully
C:\Windows\System32\Tasks\vXP876ljsOm => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\vXP876ljsOm" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{816184CE-16F4-41D0-8F6F-9A57B5408574}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{816184CE-16F4-41D0-8F6F-9A57B5408574}" => key removed successfully
C:\Windows\System32\Tasks\Steam-S-1-8-22-9865GUI => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Steam-S-1-8-22-9865GUI" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8C09839F-6440-4FE6-8A0F-D018AEAEEDE9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C09839F-6440-4FE6-8A0F-D018AEAEEDE9}" => key removed successfully
C:\Windows\System32\Tasks\WordSurfer Auto Updater 1.10.0.19 Pending Update => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WordSurfer Auto Updater 1.10.0.19 Pending Update" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B61FCB50-C923-4B21-B098-A380100B9969}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B61FCB50-C923-4B21-B098-A380100B9969}" => key removed successfully
C:\Windows\System32\Tasks\WordSurfer Auto Updater 1.10.0.19 Core => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WordSurfer Auto Updater 1.10.0.19 Core" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E169DCBC-7500-4CE3-B56A-133DD2DF9897}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E169DCBC-7500-4CE3-B56A-133DD2DF9897}" => key removed successfully
C:\Windows\System32\Tasks\SpeakMore => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SpeakMore" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F477CA07-D3A1-4B63-B688-E10C543039DB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F477CA07-D3A1-4B63-B688-E10C543039DB}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SmartWeb Upgrade Trigger Task" => key removed successfully
C:\Windows\Tasks\SpeakMore.job => moved successfully.
C:\Windows\Tasks\vXP876ljsOm.job => moved successfully.
C:\Users\Forma\Desktop\Opera.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged..
C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged..
C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Opera.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged..
C:\Users\Forma\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Could not remove or repair shortcut argument. The shortcut could be damaged..
C:\Users\Forma\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Could not remove or repair shortcut argument. The shortcut could be damaged..
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-871434758-139634626-509111008-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-871434758-139634626-509111008-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => key removed successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
C:\Program Files (x86)\5e7a51f3-1bd9-4eae-aad0-38c415393cca => moved successfully.
C:\Program Files (x86)\ 1Button App for Chrome => moved successfully.
C:\Program Files (x86)\CCutThePricce => moved successfully.
C:\Program Files (x86)\globalUpdate => moved successfully.
"C:\Program Files (x86)\Google\Chrome" => File/Folder not found.
C:\ProgramData\{9d1cd31f-1db7-437a-9d1c-cd31f1db4c7c} => moved successfully.
C:\ProgramData\17927770879032528778 => moved successfully.
C:\ProgramData\MailUpdate => moved successfully.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome" => File/Folder not found.
C:\Users\Forma\AppData\Local\30175 => moved successfully.
"C:\Users\Forma\AppData\Local\Google\Chrome" => File/Folder not found.
C:\Users\Forma\AppData\Local\globalUpdate => moved successfully.
C:\Users\Forma\AppData\Local\SmartWeb => moved successfully.
C:\Users\Forma\AppData\Roaming\vXP876ljsOm => moved successfully.
C:\Users\Forma\AppData\Roaming\cpuminer => moved successfully.
C:\Users\Forma\AppData\Roaming\MailUpdate => moved successfully.
C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\steam.exe => moved successfully.
"C:\Users\Forma\Desktop\Continue Games Desktop.lnk" => File/Folder not found.
C:\Users\Forma\Downloads\*(*)-dp*.exe => moved successfully.
C:\Windows\hgfs.sys => moved successfully.
C:\Windows\prleth.sys => moved successfully.
C:\Windows\pss\crossbrowse.lnk.Startup => moved successfully.
C:\Windows\pss\SmartWeb.lnk.Startup => moved successfully.
C:\Windows\system32\cpuminer-conf.json => moved successfully.
C:\Windows\System32\drivers\wsafd_1_10_0_19.sys => moved successfully.
C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7 => moved successfully.

========================= Folder: C:\Users\Forma\AppData\Roaming\Microsoft\Reversed ========================

2015-07-13 16:46 - 2015-07-13 18:50 - 0003020 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\config.xml
2015-07-13 16:46 - 2015-07-13 16:46 - 0626176 _____ (The cURL library, http://curl.haxx.se/) C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\libcurl.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 1704448 _____ (The OpenSSL Project, http://www.openssl.org/) C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\libeay32.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 0279955 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\libidn-11.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 0148760 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\libpdcurses.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 0094300 _____ (Open Source Software community LGPL) C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\pthreadGC2.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 0364544 _____ (The OpenSSL Project, http://www.openssl.org/) C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\ssleay32.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 2531786 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\steam.comp
2015-07-13 16:46 - 2015-07-13 16:46 - 0113166 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\zlib1.dll
2015-07-13 16:46 - 2015-07-13 16:46 - 0000000 ____D () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\kernel
2015-07-13 16:46 - 2015-07-13 16:46 - 0282759 _____ () C:\Users\Forma\AppData\Roaming\Microsoft\Reversed\kernel\x11mod.cl

====== End of Folder: ======


========= type C:\Windows\system32\Drivers\etc\hp.bak =========

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost

========= End of CMD: =========


========= reg delete HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete HKCU\Software\dobreprogramy /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\globalUpdate" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\globalUpdatem" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\gopibeko" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\IHProtect Service" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\mailUpdate" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\nilewohe" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\vicoqudu" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\wsasvc_1.10.0.19" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\zejytose" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder" /f =========

The operation completed successfully.

========= End of Reg: =========


========= reg delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /f =========

The operation completed successfully.

========= End of Reg: =========


========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

EmptyTemp: => 5.7 GB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 18:53:19 ====