Fix result of Farbar Recovery Scan Tool (x64) Version:13-12-2015
Ran by tomicher (2015-12-14 20:16:17) Run:1
Running from C:\Users\tomicher\Desktop
Loaded Profiles: tomicher (Available Profiles: tomicher)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
R2 IhPul; C:\Users\tomicher\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
R2 SSFK; C:\Program Files (x86)\SFK\SSFK.exe [170144 2015-11-27] (TODO: )
R2 WdMan; C:\ProgramData\iWdMi\WdMan.exe [333312 2015-12-04] (TFuns LIMITED) [File not signed]
ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C <==== ATTENTION
ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C <==== ATTENTION
ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C <==== ATTENTION
ShortcutWithArgument: C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C <==== ATTENTION
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.bing.com/search?q={searchTerms}
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://www.bing.com/search?q={searchTerms}
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.yoursites123.com/?type=hp&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.yoursites123.com/web/?type=ds&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4200013936-444429621-2781623297-1000 -> {ielnksrch} URL = hxxp://www.bing.com/search?q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
FF HKLM-x32\...\Firefox\Extensions: [default_newtabff@gmail.com] - C:\Users\tomicher\AppData\Roaming\Mozilla\Firefox\Profiles\mc66johb.default\extensions\default_newtabff@gmail.com
FF HKLM-x32\...\Firefox\Extensions: [yahooprotected@gmail.com] - C:\Users\tomicher\AppData\Roaming\Mozilla\Firefox\Profiles\mc66johb.default\extensions\yahooprotected@gmail.com
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox\firefox.exe hxxp://www.yoursites123.com/?type=sc&ts=1449716520&z=f0d52473151e5b71e4d75e2gbz0z1t9mdg6q9wbgfz&from=ient07021&uid=KINGSTONXSH103S3120G_50026B724C0A6B3C
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\...\Run: [AdobeBridge] => [X]
Task: {A62E85D1-C694-4B85-BE5C-661C6B6B8AAC} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => C:\Program Files (x86)\Lenovo\Customer Feedback Program\Lenovo.TVT.CustomerFeedback.Agent.exe [2015-07-08] (Lenovo)
Task: {F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe <==== ATTENTION
Task: C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe?/exenoupdates /exelang 0 /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE B:\ AI_PREREQFILES=C:\Users\tomicher\AppData\Local\Temp\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}\drivers64.msi AI_PREREQDIRS=C:\Users\tomicher\AppData\Local\Temp AI_SETUPEXEPATH=C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp <==== ATTENTION
AlternateDataStreams: C:\Users\tomicher\Local Settings:zhhH3GwtGql4nb023w
AlternateDataStreams: C:\Users\tomicher\AppData\Local:zhhH3GwtGql4nb023w
AlternateDataStreams: C:\Users\tomicher\AppData\Local\Application Data:zhhH3GwtGql4nb023w
AlternateDataStreams: C:\Users\tomicher\AppData\Local\Temporary Internet Files:ZwIF55s4FoSaLBgyRBV62vD0
DeleteKey: HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I
DeleteKey: HKCU\Software\dobreprogramy
DeleteKey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
RemoveDirectory: C:\Program Files (x86)\Lenovo
RemoveDirectory: C:\Program Files (x86)\SFK
RemoveDirectory: C:\ProgramData\iWdMi
RemoveDirectory: C:\ProgramData\XWMiniProX
RemoveDirectory: C:\Users\tomicher\AppData\Local\Lenovo
RemoveDirectory: C:\Users\tomicher\AppData\Roaming\eCyber
RemoveDirectory: C:\Users\tomicher\AppData\Roaming\TSv
RemoveDirectory: C:\Users\tomicher\Desktop\FRST-OlderVersion
RemoveDirectory: C:\Windows\System32\Tasks\Lenovo
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
C:\ProgramData\T23J7
C:\ProgramData\V93GE
C:\Users\tomicher\Desktop\SpyHunter-installer.exe
C:\Windows\SysWOW64\pl.html
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
IhPul => service removed successfully
SSFK => Service stopped successfully.
SSFK => service removed successfully
WdMan => service removed successfully
C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\tomicher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument restored successfully
C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully.
C:\Users\tomicher\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Mozilla Firefox.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
HKCR\Wow6432Node\CLSID\ielnksrch => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => key removed successfully
HKCR\Wow6432Node\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-4200013936-444429621-2781623297-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
"HKU\S-1-5-21-4200013936-444429621-2781623297-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}" => key removed successfully
HKCR\CLSID\{ielnksrch} => key not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\default_newtabff@gmail.com => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\yahooprotected@gmail.com => value removed successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\\Default => value restored successfully
HKU\S-1-5-21-4200013936-444429621-2781623297-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A62E85D1-C694-4B85-BE5C-661C6B6B8AAC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A62E85D1-C694-4B85-BE5C-661C6B6B8AAC}" => key removed successfully
C:\Windows\System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\Lenovo Customer Feedback Program 64" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4}" => key removed successfully
C:\Windows\System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}" => key removed successfully
C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => moved successfully
"C:\Users\tomicher\Local Settings" => ":zhhH3GwtGql4nb023w" ADS not found.
C:\Users\tomicher\AppData\Local => ":zhhH3GwtGql4nb023w" ADS removed successfully.
"C:\Users\tomicher\AppData\Local\Application Data" => ":zhhH3GwtGql4nb023w" ADS not found.
"C:\Users\tomicher\AppData\Local\Temporary Internet Files" => ":ZwIF55s4FoSaLBgyRBV62vD0" ADS not found.
HKCU\Software\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I => key removed successfully
HKCU\Software\dobreprogramy => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo => key removed successfully
HKLM\SOFTWARE\Wow6432Node\yoursites123Software => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKLM\SOFTWARE\Wow6432Node\yoursites123Software => key removed successfully
"C:\Program Files (x86)\Lenovo" => removed successfully.
"C:\Program Files (x86)\SFK" => removed successfully.
"C:\ProgramData\iWdMi" => removed successfully.
"C:\ProgramData\XWMiniProX" => removed successfully.
"C:\Users\tomicher\AppData\Local\Lenovo" => removed successfully.
"C:\Users\tomicher\AppData\Roaming\eCyber" => removed successfully.
"C:\Users\tomicher\AppData\Roaming\TSv" => removed successfully.
"C:\Users\tomicher\Desktop\FRST-OlderVersion" => removed successfully.
"C:\Windows\System32\Tasks\Lenovo" => removed successfully.
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat => moved successfully
C:\ProgramData\T23J7 => moved successfully
C:\ProgramData\V93GE => moved successfully
C:\Users\tomicher\Desktop\SpyHunter-installer.exe => moved successfully
C:\Windows\SysWOW64\pl.html => moved successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 1.9 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 20:23:04 ====
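The Fixlog above is the record of a browser-hijacker cleanup: shortcuts with an appended start-page URL, IE Start/Search/Default_* values and SearchScopes rewritten to the same host, three unsigned or oddly attributed services, a logon task in %TEMP%, and alternate data streams on the profile directories. What a practitioner wants from such a log is a reconciliation, entry by entry, of what the fixlist asked for against what the result lines say happened, so that the items that did not resolve ("ADS not found", "could not remove at first attempt", or no result line at all) are visible at a glance, plus the list of hosts the hijack pointed at, which are the indicators to hunt for on other machines. The script below is an added example written for this page; it is not part of FRST and not the poster's code. The line formats it recognises are inferred from the log shown here, and SAMPLE_LOG is a constructed subset of that log (raw string, so the backslashes are literal). Entry kinds it does not know (the FF extension and StartMenuInternet lines, for instance) fall through to the bare-path rule and surface as "no result line" rather than being silently passed.

```python
"""Parse a Farbar Recovery Scan Tool (FRST) Fixlog and reconcile the fixlist against
its result lines.  Added example for this page, not part of FRST or of the original
post; line formats are inferred from the log above, SAMPLE_LOG is a constructed subset."""
import re
from collections import Counter

SAMPLE_LOG = r"""
*****************
R2 IhPul; C:\Users\tomicher\AppData\Roaming\TSv\TSvr.exe [580752 2015-12-08] (tsvr.com)
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://www.yoursites123.com/?type=sc&ts=1449716520 <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.yoursites123.com/?type=hp&ts=1449716520
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://www.bing.com/search?q={searchTerms}
Task: {F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\tomicher\AppData\Local\Temp\is-RBU16.tmp\XRD Manager.exe <==== ATTENTION
AlternateDataStreams: C:\Users\tomicher\Local Settings:zhhH3GwtGql4nb023w
AlternateDataStreams: C:\Users\tomicher\AppData\Local:zhhH3GwtGql4nb023w
DeleteKey: HKLM\SOFTWARE\Wow6432Node\yoursites123Software
C:\ProgramData\T23J7
Hosts:
*****************
IhPul => service removed successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F6517F2F-4C90-41C3-BFE4-8F4B27BABBA4}" => key removed successfully
"C:\Users\tomicher\Local Settings" => ":zhhH3GwtGql4nb023w" ADS not found.
C:\Users\tomicher\AppData\Local => ":zhhH3GwtGql4nb023w" ADS removed successfully.
HKLM\SOFTWARE\Wow6432Node\yoursites123Software => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKLM\SOFTWARE\Wow6432Node\yoursites123Software => key removed successfully
C:\ProgramData\T23J7 => moved successfully
Hosts restored successfully.
==== End of Fixlog 20:23:04 ====
"""

STARS = "*****************"
URL_RE = re.compile(r"hxxps?://([^/\s]+)", re.I)     # FRST defangs http(s) as hxxp(s)
# Directives whose result line does not echo the directive name.
DIRECTIVES = {"closeprocesses": "processes closed", "createrestorepoint": "restore point",
              "hosts": "hosts restored", "emptytemp": "emptytemp"}

def normalize(s):
    # Lower-case, drop quotes, collapse the doubled backslashes FRST prints in result lines.
    return re.sub(r"\\+", r"\\", s.replace('"', "")).strip().lower()

def split_sections(text):
    # The fixlist sits between the two STARS lines; everything after the second is results.
    lines = text.splitlines()
    marks = [i for i, l in enumerate(lines) if l.strip() == STARS]
    if len(marks) < 2:
        raise ValueError("fixlist delimiters not found")
    fixlist = [l.strip() for l in lines[marks[0] + 1:marks[1]] if l.strip()]
    results = [l.strip() for l in lines[marks[1] + 1:] if l.strip() and not l.startswith("====")]
    return fixlist, results

def fix_item(line):
    # Map a fixlist line to (label, needles); every needle must occur in a matching result line.
    n = normalize(line).replace(" <==== attention", "")
    head, _, rest = n.partition(":")
    rest = rest.strip()
    if re.match(r"^[rsu]\d ", n):                     # service/driver: "R2 Name; path [size date] (vendor)"
        name = n[3:].split(";", 1)[0]
        return "service " + name, (name + " =>",)
    if head in DIRECTIVES and not rest:
        return head, (DIRECTIVES[head],)
    if head in ("shortcutwithargument", "removedirectory", "deletekey"):
        target = rest.split(" -> ")[0]                # for shortcuts: the .lnk path, not its target
        return head + " " + target, (target,)
    if head == "alternatedatastreams":
        path, _, stream = rest.rpartition(":")
        return "ads " + rest, (path, ":" + stream)
    if head == "searchscopes":                        # "HKLM -> [DefaultScope] {id} URL = ..."
        scope = rest.split(" -> ", 1)[1].split(" url = ")[0]
        key = "defaultscope" if scope.startswith("defaultscope") else scope
        return "searchscope " + scope, ("searchscopes\\" + key,)
    if head == "task":                                # "{GUID} - System32\Tasks\..." or "C:\...\x.job => ..."
        ident = rest.split(" ")[0] if rest.startswith("{") else rest.split(" => ")[0]
        return "task " + ident, (ident,)
    if n.startswith("hk") and " = " in n:             # registry value: "HKLM\...\Main,Start Page = url"
        value = n.split(" = ", 1)[0].replace(",", "\\")
        return "registry " + value, (value + " =>",)
    return "path " + n, (n + " =>",)                  # bare file/directory path

def reconcile(fixlist, results):
    # Status per fixlist entry: ok / ok (retried) / not found / failed / no result line.
    norm = [normalize(r) for r in results]
    report = []
    for line in fixlist:
        label, needles = fix_item(line)
        hits = [r for r in norm if all(nd in r for nd in needles)]
        if any("successfully" in r for r in hits):
            status = "ok (retried)" if any("could not" in r for r in hits) else "ok"
        elif any("not found" in r for r in hits):
            status = "not found"
        else:
            status = "failed" if hits else "no result line"
        report.append((label, status))
    return report

def hijack_domains(fixlist):
    # Hosts the hijacked shortcuts and registry values pointed at: the IOCs to hunt for elsewhere.
    return Counter(h.lower() for line in fixlist for h in URL_RE.findall(line))
```

Run `reconcile(*split_sections(open("Fixlog.txt").read()))` against a real Fixlog and look only at the non-"ok" rows. On the sample the one "not found" is the stream on `C:\Users\tomicher\Local Settings`: that directory (like `AppData\Local\Application Data`) is a junction to `AppData\Local`, FRST lists every alias it walks, and the stream was removed once through the real path, so the alias reporting "not found" is expected rather than a sign of a second copy. The `yoursites123Software` key comes back as "ok (retried)" because FRST logged the C0000121 failure and then the successful removal on the next line. A genuine "failed" or "no result line" for a service, task or shortcut is the case that calls for a fresh FRST scan before declaring the machine clean.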