Fix result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by Piotr (22-01-2017 13:49:07) Run:1
Running from D:\Program Files\FRST
Loaded Profiles: Piotr (Available Profiles: Piotr)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKLM\...\Providers\kkez28a6: C:\Program Files (x86)\Phikaty Nodifier\local64spl.dll [292352 2017-01-16] ()
C:\Program Files (x86)\Phikaty Nodifier
ShellExecuteHooks: No Name - {41B7E29A-DB94-11E6-A96D-64006A5CFC23} - -> No File
ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} - -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
R3 iThemes5; C:\Program Files (x86)\Common Files\Services\iThemes.dll [583680 2017-01-19] () [File not signed] <==== ATTENTION
R2 Archer; C:\Program Files (x86)\WinArcher\Archer.dll [417280 2017-01-19] () [File not signed]
R2 GubedZL; C:\Program Files (x86)\Gubed\GubedZL.dll [124416 2017-01-19] () [File not signed]
R2 WinSAPSvc; C:\ProgramData\WinSAPSvc\WinSAP.dll [509440 2017-01-19] () [File not signed]
C:\Program Files (x86)\WinArcher
C:\Program Files (x86)\Gubed
C:\ProgramData\WinSAPSvc
U0 aswVmm; no ImagePath
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
U3 kxldapow; \??\C:\Windows\TEMP\kxldapow.sys [X]
Task: {9E7F1F9F-F51A-4D10-8D34-559C35B38501} - \WPD\SqmUpload_S-1-5-21-1787938467-411497002-959167669-1001 -> No File <==== ATTENTION
Task: {C89EB585-F412-4E54-A7AF-DE78E63D567C} - \Optimize Start Menu Cache Files-S-1-5-21-1787938467-411497002-959167669-1001 -> No File <==== ATTENTION
Task: C:\Windows\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
C:\Program Files (x86)\UCBrowser
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --load-extension="C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" hxxp://fanli90.cn/
DeleteKey: HKCU\Software\Mozilla
DeleteKey: HKCU\Software\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Mozilla
DeleteKey: HKLM\SOFTWARE\MozillaPlugins
DeleteKey: HKLM\SOFTWARE\Wow6432Node\Mozilla
DeleteKey: HKLM\SOFTWARE\Wow6432Node\mozilla.org
DeleteKey: HKLM\SOFTWARE\Wow6432Node\MozillaPlugins
C:\Users\Piotr\AppData\Local\Mozilla
C:\Users\Piotr\AppData\Roaming\Mozilla
C:\Users\Piotr\AppData\Roaming\Profiles
C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk
Reg: reg query HKLM\SYSTEM\CurrentControlSet\Services\Themes /s
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\EnableShellExecuteHooks => value removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\kkez28a6 => key removed successfully
HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\\order kkez28a6 => removed successfully
C:\Program Files (x86)\Phikaty Nodifier => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{41B7E29A-DB94-11E6-A96D-64006A5CFC23} => value removed successfully
HKCR\CLSID\{41B7E29A-DB94-11E6-A96D-64006A5CFC23} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => value removed successfully
HKCR\CLSID\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
HKLM\System\CurrentControlSet\Services\iThemes5 => key removed successfully
iThemes5 => service removed successfully
HKLM\System\CurrentControlSet\Services\Themes\\DependOnService => value removed successfully
HKLM\System\CurrentControlSet\Services\Archer => key removed successfully
Archer => service removed successfully
HKLM\System\CurrentControlSet\Services\GubedZL => key removed successfully
GubedZL => service removed successfully
WinSAPSvc => Unable to stop service.
HKLM\System\CurrentControlSet\Services\WinSAPSvc => key removed successfully
WinSAPSvc => service removed successfully
C:\Program Files (x86)\WinArcher => moved successfully
C:\Program Files (x86)\Gubed => moved successfully
"C:\ProgramData\WinSAPSvc" folder move:

Could not move "C:\ProgramData\WinSAPSvc" => Scheduled to move on reboot.

HKLM\System\CurrentControlSet\Services\aswVmm => key removed successfully
aswVmm => service removed successfully
HKLM\System\CurrentControlSet\Services\MBAMSwissArmy => key removed successfully
MBAMSwissArmy => service removed successfully
kxldapow => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9E7F1F9F-F51A-4D10-8D34-559C35B38501} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E7F1F9F-F51A-4D10-8D34-559C35B38501} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-1787938467-411497002-959167669-1001 => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C89EB585-F412-4E54-A7AF-DE78E63D567C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C89EB585-F412-4E54-A7AF-DE78E63D567C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Start Menu Cache Files-S-1-5-21-1787938467-411497002-959167669-1001 => key removed successfully
C:\Windows\Tasks\UCBrowserUpdater.job => moved successfully
"C:\Program Files (x86)\UCBrowser" => not found.
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully
C:\Users\Piotr\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully.
C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\Piotr\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
HKCU\Software\Mozilla => key not found.
HKCU\Software\MozillaPlugins => key removed successfully
HKLM\SOFTWARE\Mozilla => key not found.
HKLM\SOFTWARE\MozillaPlugins => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Mozilla => key not found.
HKLM\SOFTWARE\Wow6432Node\mozilla.org => key not found.
HKLM\SOFTWARE\Wow6432Node\MozillaPlugins => key removed successfully
"C:\Users\Piotr\AppData\Local\Mozilla" => not found.
"C:\Users\Piotr\AppData\Roaming\Mozilla" => not found.
C:\Users\Piotr\AppData\Roaming\Profiles => moved successfully
"C:\Users\Piotr\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" => not found.

========= reg query HKLM\SYSTEM\CurrentControlSet\Services\Themes /s =========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes
    Start    REG_DWORD    0x2
    DisplayName    REG_SZ    @%SystemRoot%\System32\themeservice.dll,-8192
    ErrorControl    REG_DWORD    0x1
    Group    REG_SZ    ProfSvc_Group
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs
    Type    REG_DWORD    0x20
    Description    REG_SZ    @%SystemRoot%\System32\themeservice.dll,-8193
    ObjectName    REG_SZ    LocalSystem
    RequiredPrivileges    REG_MULTI_SZ    SeAssignPrimaryTokenPrivilege\0SeDebugPrivilege\0SeImpersonatePrivilege
    FailureActions    REG_BINARY    80510100000000000000000003000000140000000100000060EA00000100000060EA00000000000000000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x1
    ServiceMain    REG_SZ    ThemeServiceMain
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\themeservice.dll

========= End of Reg: =========

=========== EmptyTemp: ==========

BITS transfer queue => 16777216 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17148895 B
Java, Flash, Steam htmlcache => 74323855 B
Windows/system/drivers => 774604764 B
Edge => 0 B
Chrome => 488061911 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 8054 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 2519963 B
systemprofile32 => 23140256 B
LocalService => 0 B
NetworkService => 0 B
Piotr => 45158951 B

RecycleBin => 885151870 B
EmptyTemp: => 2.2 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 22-01-2017 13:54:04)

C:\ProgramData\WinSAPSvc => Is moved successfully

==== End of Fixlog 13:54:05 ====