Fix result of Farbar Recovery Scan Tool (x64) Version: 06-05.2019
Ran by SLR (06-05-2019 18:28:37) Run:2
Running from C:\Users\SLR\Desktop
Loaded Profiles: SLR (Available Profiles: defaultuser0 & SLR)
Boot Mode: Normal
==============================================

fixlist content:
*****************
tart
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
Task: {12304551-6028-4738-9B75-B9593811BF89} - System32\Tasks\refereesreferees => C:\Program Files (x86)\surrey\surrey.exe
Task: {5FFA52DE-1CF5-4DF2-A6F0-7B56F0EE115D} - System32\Tasks\nizar_harbin => C:\Program Files (x86)\Solid\Mazes.exe
Task: {7589701C-A3C6-405F-9839-B344316FA994} - System32\Tasks\nizar_harbinnizar_harbin => C:\Program Files (x86)\Solid\Mazes.exe
Task: {7BC83271-2BF5-4C6D-92EF-1D6311F1B30E} - System32\Tasks\jotted-patna => C:\Program Files (x86)\rounders\Cahners.exe
Task: {81555F06-4F4F-4033-88B3-B97D3875B80D} - System32\Tasks\rapp ruhl => C:\Program Files (x86)\Solid\Cahners.exe
Task: {9E5145E0-97FF-4835-A028-DBF25FA90898} - System32\Tasks\referees => C:\Program Files (x86)\surrey\surrey.exe
Task: {C31CD62B-D117-4E64-8D90-DC75BDC8716A} - System32\Tasks\jotted-patnajotted-patna => C:\Program Files (x86)\rounders\Cahners.exe
Task: {D4612FF3-FED6-49D5-85BF-0ED0904F88EC} - System32\Tasks\rapp ruhlrapp ruhl => C:\Program Files (x86)\Solid\Cahners.exe
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [No File]
S4 ipaonst; System32\drivers\scbnokpi.sys [X]
S1 rwptx; \??\C:\Users\SLR\AppData\Local\Temp\wmkvrasd.sys [X] <==== ATTENTION
S1 upylqahn; \??\C:\WINDOWS\system32\drivers\upylqahn.sys [X]
S1 xpyyvxrh; \??\C:\WINDOWS\system32\drivers\xpyyvxrh.sys [X]
2019-05-01 12:54 - 2019-05-02 19:01 - 000000000 ____D C:\Program Files\Reimage
2019-04-24 13:57 - 2019-05-01 17:16 - 000000000 ____D C:\Users\SLR\AppData\Local\nirusow
2019-04-24 13:55 - 2019-05-06 19:51 - 000000000 ____D C:\Users\SLR\AppData\Local\dtdwagx
2019-04-24 13:55 - 2019-04-24 13:55 - 000000000 ____D C:\Users\SLR\AppData\Local\vdrulge
2019-04-24 13:54 - 2019-05-06 15:39 - 002930176 _____ C:\WINDOWS\system32\simtulnsvc.exe
2019-04-24 13:54 - 2019-04-24 13:57 - 000000000 ____D C:\WINDOWS\system32\pselvno
2019-04-24 13:54 - 2019-04-24 13:54 - 000000000 ____D C:\WINDOWS\SysWOW64\pselvno
2019-04-24 13:53 - 2019-04-24 13:53 - 000000000 ____D C:\Users\SLR\AppData\Roaming\et
2019-04-24 13:52 - 2019-04-24 13:52 - 000004136 _____ C:\WINDOWS\System32\Tasks\jotted-patna
2019-04-24 13:52 - 2019-04-24 13:52 - 000004126 _____ C:\WINDOWS\System32\Tasks\nizar_harbin
2019-04-24 13:52 - 2019-04-24 13:52 - 000004124 _____ C:\WINDOWS\System32\Tasks\rapp ruhl
2019-04-24 13:52 - 2019-04-24 13:52 - 000004122 _____ C:\WINDOWS\System32\Tasks\referees
2019-04-24 13:52 - 2019-04-24 13:52 - 000004006 _____ C:\WINDOWS\System32\Tasks\jotted-patnajotted-patna
2019-04-24 13:52 - 2019-04-24 13:52 - 000003996 _____ C:\WINDOWS\System32\Tasks\nizar_harbinnizar_harbin
2019-04-24 13:52 - 2019-04-24 13:52 - 000003988 _____ C:\WINDOWS\System32\Tasks\rapp ruhlrapp ruhl
2019-04-24 13:52 - 2019-04-24 13:52 - 000003984 _____ C:\WINDOWS\System32\Tasks\refereesreferees
2019-04-24 13:52 - 2019-04-24 13:52 - 000000012 _____ C:\WINDOWS\b79640158
2019-04-24 13:52 - 2019-04-24 13:52 - 000000000 ____D C:\Users\SLR\AppData\Roaming\AGData
2019-04-24 13:51 - 2019-04-24 14:16 - 000000000 ____D C:\WINDOWS\SysWOW64\SSL
2019-04-24 13:50 - 2019-04-24 13:50 - 000000000 ____D C:\Users\SLR\AppData\Local\AdvinstAnalytics
2019-04-24 06:39 - 2019-04-24 06:39 - 000098229 _____ C:\WINDOWS\uninstaller.dat
2019-04-29 11:33 - 2019-04-29 11:33 - 000001194 _____ () C:\Users\SLR\AppData\Roaming\SAS7_000.DAT
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [261]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [155]
AlternateDataStreams: C:\Users\SLR\AppData\Local\Temp:DfOsjn53tx8EiT31wQhbDe [2114]
AlternateDataStreams: C:\Users\SLR\AppData\Local\UU1roKagF8:xLTI5MZOtLbH10eO7GOiGf0Pqm [1844]
FirewallRules: [{4F04EEF7-0239-47EC-A10D-0F5110594664}] => (Allow) LPort=51001
FirewallRules: [{413162FD-37AF-483D-811A-7EFEDD091CF0}] => (Allow) LPort=2078
FirewallRules: [{9797FA22-02C2-4DD8-A0FC-B4C62CAC132F}] => (Allow) LPort=7935
FirewallRules: [{45271757-2057-42FA-859E-874EB71B2B4E}] => (Allow) LPort=51001
C:\Program Files (x86)\surrey
C:\Program Files (x86)\Solid
C:\Program Files (x86)\rounders
Hosts:
VirusTotal: C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
VirusTotal: C:\Users\SLR\AppData\Roaming\inst.exe
VirusTotal: C:\Program Files\Common Files\Common Desktop Agent\CDASrvPS.dll
End
*****************

tart => Error: No automatic fix found for this entry.
Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{12304551-6028-4738-9B75-B9593811BF89}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{12304551-6028-4738-9B75-B9593811BF89}" => removed successfully
C:\WINDOWS\System32\Tasks\refereesreferees => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\refereesreferees" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5FFA52DE-1CF5-4DF2-A6F0-7B56F0EE115D}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5FFA52DE-1CF5-4DF2-A6F0-7B56F0EE115D}" => removed successfully
C:\WINDOWS\System32\Tasks\nizar_harbin => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nizar_harbin" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7589701C-A3C6-405F-9839-B344316FA994}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7589701C-A3C6-405F-9839-B344316FA994}" => removed successfully
C:\WINDOWS\System32\Tasks\nizar_harbinnizar_harbin => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nizar_harbinnizar_harbin" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7BC83271-2BF5-4C6D-92EF-1D6311F1B30E}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7BC83271-2BF5-4C6D-92EF-1D6311F1B30E}" => removed successfully
C:\WINDOWS\System32\Tasks\jotted-patna => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\jotted-patna" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{81555F06-4F4F-4033-88B3-B97D3875B80D}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81555F06-4F4F-4033-88B3-B97D3875B80D}" => removed successfully
C:\WINDOWS\System32\Tasks\rapp ruhl => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rapp ruhl" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9E5145E0-97FF-4835-A028-DBF25FA90898}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E5145E0-97FF-4835-A028-DBF25FA90898}" => removed successfully
C:\WINDOWS\System32\Tasks\referees => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\referees" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C31CD62B-D117-4E64-8D90-DC75BDC8716A}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C31CD62B-D117-4E64-8D90-DC75BDC8716A}" => removed successfully
C:\WINDOWS\System32\Tasks\jotted-patnajotted-patna => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\jotted-patnajotted-patna" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D4612FF3-FED6-49D5-85BF-0ED0904F88EC}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D4612FF3-FED6-49D5-85BF-0ED0904F88EC}" => removed successfully
C:\WINDOWS\System32\Tasks\rapp ruhlrapp ruhl => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\rapp ruhlrapp ruhl" => removed successfully
HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect => removed successfully
HKLM\System\CurrentControlSet\Services\ipaonst => removed successfully
ipaonst => service removed successfully
HKLM\System\CurrentControlSet\Services\rwptx => removed successfully
rwptx => service removed successfully
HKLM\System\CurrentControlSet\Services\upylqahn => removed successfully
upylqahn => service removed successfully
HKLM\System\CurrentControlSet\Services\xpyyvxrh => removed successfully
xpyyvxrh => service removed successfully
C:\Program Files\Reimage => moved successfully
C:\Users\SLR\AppData\Local\nirusow => moved successfully
C:\Users\SLR\AppData\Local\dtdwagx => moved successfully
C:\Users\SLR\AppData\Local\vdrulge => moved successfully
C:\WINDOWS\system32\simtulnsvc.exe => moved successfully
C:\WINDOWS\system32\pselvno => moved successfully
C:\WINDOWS\SysWOW64\pselvno => moved successfully
C:\Users\SLR\AppData\Roaming\et => moved successfully
"C:\WINDOWS\System32\Tasks\jotted-patna" => not found
"C:\WINDOWS\System32\Tasks\nizar_harbin" => not found
"C:\WINDOWS\System32\Tasks\rapp ruhl" => not found
"C:\WINDOWS\System32\Tasks\referees" => not found
"C:\WINDOWS\System32\Tasks\jotted-patnajotted-patna" => not found
"C:\WINDOWS\System32\Tasks\nizar_harbinnizar_harbin" => not found
"C:\WINDOWS\System32\Tasks\rapp ruhlrapp ruhl" => not found
"C:\WINDOWS\System32\Tasks\refereesreferees" => not found
C:\WINDOWS\b79640158 => moved successfully
C:\Users\SLR\AppData\Roaming\AGData => moved successfully
C:\WINDOWS\SysWOW64\SSL => moved successfully
C:\Users\SLR\AppData\Local\AdvinstAnalytics => moved successfully
C:\WINDOWS\uninstaller.dat => moved successfully
C:\Users\SLR\AppData\Roaming\SAS7_000.DAT => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => not found
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7 => removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
C:\ProgramData\TEMP => ":0FF263E8" ADS removed successfully
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully
C:\Users\SLR\AppData\Local\Temp => ":DfOsjn53tx8EiT31wQhbDe" ADS removed successfully
C:\Users\SLR\AppData\Local\UU1roKagF8 => ":xLTI5MZOtLbH10eO7GOiGf0Pqm" ADS removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4F04EEF7-0239-47EC-A10D-0F5110594664}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{413162FD-37AF-483D-811A-7EFEDD091CF0}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9797FA22-02C2-4DD8-A0FC-B4C62CAC132F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{45271757-2057-42FA-859E-874EB71B2B4E}" => removed successfully
"C:\Program Files (x86)\surrey" => not found
"C:\Program Files (x86)\Solid" => not found
"C:\Program Files (x86)\rounders" => not found
Hosts restored successfully.
VirusTotal: C:\WINDOWS\SysWOW64\FlashPlayerApp.exe => https://www.virustotal.com/file/ef9346f85ffef2c6b66e2d4a3cc9412865f82b6fd7366f01e99097b14a340f60/analysis/1556917021/
VirusTotal: C:\Users\SLR\AppData\Roaming\inst.exe => https://www.virustotal.com/file/124f3710c7c8979724b40f129d99b3d6caabc865c2948db52641c33a1fc4d072/analysis/1555521861/
VirusTotal: C:\Program Files\Common Files\Common Desktop Agent\CDASrvPS.dll => https://www.virustotal.com/file/a5e44911d75f9afc72dd97543879b3bf8fb5b2276afe502fa4e4bdbe2c9ea0e6/analysis/1553664964/

=========== EmptyTemp: ==========

BITS transfer queue => 11296768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 67593491 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 5710449 B
Edge => 606476 B
Chrome => 0 B
Firefox => 357718420 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 91 B
systemprofile32 => 130 B
LocalService => 54544 B
LocalService => 0 B
NetworkService => 249692 B
NetworkService => 0 B
defaultuser0 => 6656 B
SLR => 23060738 B
RecycleBin => 0 B
EmptyTemp: => 444.7 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 18:30:36 ====