Fix result of Farbar Recovery Scan Tool (x64) Version: 01.09.2018 03
Ran by STEVEN_DESKTOP (05-09-2018 19:13:46) Run:1
Running from E:\~tools for windows
Loaded Profiles: STEVEN_DESKTOP (Available Profiles: STEVEN_DESKTOP & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Virustotal: C:\Program Files (x86)\Dethroned\Millisecond.exe
Virustotal: C:\Program Files (x86)\riggers\Faiths.exe
HKLM\...\Run: [Retailing] => "C:\Program Files (x86)\Dethroned\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKLM\...\Run: [Istiklal] => "C:\Program Files (x86)\riggers\Faiths.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKLM\...\Run: [Pasta] => "C:\Program Files (x86)\Cuckolding\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKLM-x32\...\Run: [Lempira] => "C:\Program Files (x86)\Dethroned\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKLM-x32\...\Run: [Inflammatory] => "C:\Program Files (x86)\riggers\Faiths.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKLM-x32\...\Run: [Cultivable] => "C:\Program Files (x86)\Cuckolding\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Violeta] => "C:\Program Files (x86)\Dethroned\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Convey] => "C:\Program Files (x86)\riggers\Faiths.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Oriole] => "C:\Program Files (x86)\Cuckolding\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Cormac] => "C:\Program Files (x86)\Dethroned\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Beards] => "C:\Program Files (x86)\riggers\Faiths.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [Formally] => "C:\Program Files (x86)\Cuckolding\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [extruded] => "C:\Program Files (x86)\orthopedics\extruded.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\...\Run: [meretricious] => "C:\Program Files (x86)\Dethroned\Millisecond.exe" okzadwokzadwokzadwokzad.okzadzokzadnokzadgokzad.okzadpokzadwokzad/okzadde2zj0zj1zokzadj8zj0sz9szokzad0de5dezjhtokzadmlLohSt3HXokzad6Y7IR7Cv5Cokzadd1
Startup: C:\Users\STEVEN_DESKTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\preening.lnk [2018-09-05]
ShortcutTarget: preening.lnk -> C:\Program Files (x86)\Dethroned\Millisecond.exe (No File)
Startup: C:\Users\STEVEN_DESKTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\preeningpreening.lnk [2018-09-05]
ShortcutTarget: preeningpreening.lnk -> C:\Program Files (x86)\riggers\Faiths.exe (No File)
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> S:\Program Files (x86)\VLC\npvlc.dll [No File]
S2 GlassWire; "S:\Program Files (x86)\Glasswire\GWCtlSrv.exe" [X]
S2 HiPatchService; S:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [X]
S2 mxssvr; "S:\Program Files (x86)\National Instruments\MAX\nimxs.exe" [X]
S2 NIApplicationWebServer; "S:\Program Files (x86)\National Instruments\Shared\NI WebServer\ApplicationWebServer.exe" -user [X]
S2 NIDomainService; "S:\Program Files (x86)\National Instruments\Shared\Security\nidmsrv.exe" [X]
S3 NILM License Manager; "S:\Program Files (x86)\National Instruments\Shared\License Manager\Bin\lmgrd.exe" [X]
S2 nimDNSResponder; "S:\Program Files (x86)\National Instruments\Shared\mDNS Responder\nimdnsResponder.exe" [X]
S2 NINetworkDiscovery; "S:\Program Files (x86)\National Instruments\Shared\NI Network Discovery\niDiscSvc.exe" [X]
S2 NiSvcLoc; S:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s [X]
S2 NISystemWebServer; "S:\Program Files (x86)\National Instruments\Shared\NI WebServer\SystemWebServer.exe" -system [X]
S2 NITaggerService; "S:\Program Files (x86)\National Instruments\Shared\Tagger\tagsrv.exe" [X]
S2 Siemens PLM License Server; S:\Program Files (x86)\Siemens\PLMLicenseServer\lmgrd.exe [X]
S3 catchme; \??\C:\C0mb0F1x\catchme.sys [X]
S3 cpuz143; \??\C:\Windows\temp\cpuz143\cpuz143_x64.sys [X]
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {DD319708-A14F-43A9-8347-8F096ECA0B76} - System32\Tasks\{F4F60C81-14E5-40AA-AB3A-80CD7E3340AF} => C:\Windows\system32\pcalua.exe -a C:\Users\STEVEN_DESKTOP\Downloads\setup_en.exe -d C:\Users\STEVEN_DESKTOP\Downloads
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1752262018-2004630284-3030787665-1000Core.job => C:\Users\STEVEN_DESKTOP\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1752262018-2004630284-3030787665-1000UA.job => C:\Users\STEVEN_DESKTOP\AppData\Local\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task b43940ce-84ed-41fc-b4e8-98a75112eb43.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task d9e9253f-662b-41b0-b98b-843d4fd4e249.job => C:\Program Files\SUPERAntiSpyware\SASTask.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
AlternateDataStreams: C:\ProgramData\Temp:4FC01C57 [134]
AlternateDataStreams: C:\Users\Guest\Desktop\let1.png:3or4kl4x13tuuug3Byamue2s4b [81]
AlternateDataStreams: C:\Users\Guest\Desktop\let1.png:com.dropbox.attributes [168]
AlternateDataStreams: C:\Users\Guest\Desktop\let1.png:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0]
FirewallRules: [{986DF414-B6E8-4295-BDCA-5653D0280F99}] => (Allow) C:\Program Files (x86)\Dethroned\Millisecond.exe
FirewallRules: [{530CF72C-34B9-44E4-94AB-8A4248F6AC7C}] => (Allow) C:\Program Files (x86)\Cuckolding\Millisecond.exe
FirewallRules: [{E2EC9539-BC46-4206-846F-38B62B155989}] => (Allow) C:\Program Files (x86)\riggers\Faiths.exe
FirewallRules: [{2E8B4988-26DF-45C3-A91B-EFBE19F60C62}] => (Allow) C:\Program Files (x86)\Cuckolding\Faiths.exe
FirewallRules: [TCP Query User{1C4B87ED-EFA1-4AE1-997A-6FF011C54D9C}C:\program files (x86)\google\chrome\application\chromecrewe.exe] => (Block) C:\program files (x86)\google\chrome\application\chromecrewe.exe
FirewallRules: [UDP Query User{FC605F88-8621-487F-894B-F8A027F8E304}C:\program files (x86)\google\chrome\application\chromecrewe.exe] => (Block) C:\program files (x86)\google\chrome\application\chromecrewe.exe
C:\Program Files (x86)\SpringFiles
C:\Program Files (x86)\riggers
C:\Program Files (x86)\Dethroned
C:\Program Files (x86)\Cuckolding
C:\Program Files (x86)\orthopedics
Hosts:
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
Reboot:
*****************

"VirusTotal: C:\Program Files (x86)\Dethroned\Millisecond.exe" => not found
"VirusTotal: C:\Program Files (x86)\riggers\Faiths.exe" => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Retailing" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Istiklal" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Pasta" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Lempira" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Inflammatory" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Cultivable" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Violeta" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Convey" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Oriole" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Cormac" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Beards" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Formally" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\extruded" => removed successfully
"HKU\S-1-5-21-1752262018-2004630284-3030787665-1000\Software\Microsoft\Windows\CurrentVersion\Run\\meretricious" => removed successfully
C:\Users\STEVEN_DESKTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\preening.lnk => moved successfully
"C:\Program Files (x86)\Dethroned\Millisecond.exe" => not found
C:\Users\STEVEN_DESKTOP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\preeningpreening.lnk => moved successfully
"C:\Program Files (x86)\riggers\Faiths.exe" => not found
"HKLM\Software\Wow6432Node\MozillaPlugins\@videolan.org/vlc,version=2.0.6" => removed successfully
"HKLM\System\CurrentControlSet\Services\GlassWire" => removed successfully
GlassWire => service removed successfully
"HKLM\System\CurrentControlSet\Services\HiPatchService" => removed successfully
HiPatchService => service removed successfully
"HKLM\System\CurrentControlSet\Services\mxssvr" => removed successfully
mxssvr => service removed successfully
"HKLM\System\CurrentControlSet\Services\NIApplicationWebServer" => removed successfully
NIApplicationWebServer => service removed successfully
"HKLM\System\CurrentControlSet\Services\NIDomainService" => removed successfully
NIDomainService => service removed successfully
"HKLM\System\CurrentControlSet\Services\NILM License Manager" => removed successfully
NILM License Manager => service removed successfully
"HKLM\System\CurrentControlSet\Services\nimDNSResponder" => removed successfully
nimDNSResponder => service removed successfully
"HKLM\System\CurrentControlSet\Services\NINetworkDiscovery" => removed successfully
NINetworkDiscovery => service removed successfully
"HKLM\System\CurrentControlSet\Services\NiSvcLoc" => removed successfully
NiSvcLoc => service removed successfully
"HKLM\System\CurrentControlSet\Services\NISystemWebServer" => removed successfully
NISystemWebServer => service removed successfully
"HKLM\System\CurrentControlSet\Services\NITaggerService" => removed successfully
NITaggerService => service removed successfully
"HKLM\System\CurrentControlSet\Services\Siemens PLM License Server" => removed successfully
Siemens PLM License Server => service removed successfully
"HKLM\System\CurrentControlSet\Services\catchme" => removed successfully
catchme => service removed successfully
"HKLM\System\CurrentControlSet\Services\cpuz143" => removed successfully
cpuz143 => service removed successfully
"HKLM\System\CurrentControlSet\Services\RSUSBSTOR" => removed successfully
RSUSBSTOR => service removed successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DD319708-A14F-43A9-8347-8F096ECA0B76}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD319708-A14F-43A9-8347-8F096ECA0B76}" => removed successfully
C:\Windows\System32\Tasks\{F4F60C81-14E5-40AA-AB3A-80CD7E3340AF} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{F4F60C81-14E5-40AA-AB3A-80CD7E3340AF}" => removed successfully
C:\Windows\Tasks\Adobe Flash Player Updater.job => moved successfully
C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1752262018-2004630284-3030787665-1000Core.job => moved successfully
C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1752262018-2004630284-3030787665-1000UA.job => moved successfully
C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task b43940ce-84ed-41fc-b4e8-98a75112eb43.job => moved successfully
C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task d9e9253f-662b-41b0-b98b-843d4fd4e249.job => moved successfully
C:\ProgramData\Temp => ":4FC01C57" ADS removed successfully
C:\Users\Guest\Desktop\let1.png => ":3or4kl4x13tuuug3Byamue2s4b" ADS could not remove.
C:\Users\Guest\Desktop\let1.png => ":com.dropbox.attributes" ADS removed successfully
C:\Users\Guest\Desktop\let1.png => ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{986DF414-B6E8-4295-BDCA-5653D0280F99}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{530CF72C-34B9-44E4-94AB-8A4248F6AC7C}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E2EC9539-BC46-4206-846F-38B62B155989}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2E8B4988-26DF-45C3-A91B-EFBE19F60C62}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{1C4B87ED-EFA1-4AE1-997A-6FF011C54D9C}C:\program files (x86)\google\chrome\application\chromecrewe.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{FC605F88-8621-487F-894B-F8A027F8E304}C:\program files (x86)\google\chrome\application\chromecrewe.exe" => removed successfully
"C:\Program Files (x86)\SpringFiles" => not found
"C:\Program Files (x86)\riggers" => not found
"C:\Program Files (x86)\Dethroned" => not found
"C:\Program Files (x86)\Cuckolding" => not found
"C:\Program Files (x86)\orthopedics" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========


========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog 19:13:57 ====