Fix result of Farbar Recovery Scan Tool (x64) Version:25-08-2015 01
Ran by Freizi (2015-08-28 12:27:48) Run:1
Running from C:\Users\Freizi\Desktop
Loaded Profiles: Freizi (Available Profiles: Freizi)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:

HKLM-x32\...\Run: [liandianqi] => C:\Program Files (x86)\Cok Software\Cok Free Auto Clicker\AutoClicker.exe
HKLM-x32\...\Run: [NCUpdateHelper] => C:\Program Files (x86)\NCWest\NCLauncher\NCUpdateHelper.exe [526240 2015-07-04] (NCSOFT Corporation)
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Freizi\AppData\Local\Akamai\netsession_win.exe [4691384 2015-07-23] (Akamai Technologies, Inc.)
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe [41200 2015-07-19] (Overwolf LTD)
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\...\Run: [apphide] => C:\Program Files (x86)\baidu\pps.exe [77824 2015-08-12] ()
AppInit_DLLs: C:\ProgramData\ExtTag\NewToing.dll => C:\ProgramData\ExtTag\NewToing.dll [135680 2015-08-25] ()
AppInit_DLLs-x32: C:\ProgramData\ExtTag\Mathtondox.dll => C:\ProgramData\ExtTag\Mathtondox.dll [121344 2015-08-25] ()



HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F. ... 5OZ77jeT0E
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3703730259-3164073539-163999450-1000 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3703730259-3164073539-163999450-1000 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73 ... uvDLMbf&q={searchTerms}

FF SearchPlugin: C:\Users\Freizi\AppData\Roaming\Mozilla\Firefox\Profiles\gbhl6ikg.default\searchplugins\findit.xml [2015-08-25]



CHR HKLM-x32\...\Chrome\Extension: [dnligehkhogpcngalffdoomehjcbecna] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gehmndecgbcffhmfjkenpamdgechcgpe] - https://clients2.google.com/service/update2/crx

R2 dwwnioad; C:\Users\Freizi\AppData\Local\Saoranity.exe [50688 2015-08-24] () [File not signed]
R2 ExtTag; C:\ProgramData\ExtTag\ExtTag.exe [34816 2015-08-23] () [File not signed]
R2 HiSuiteOuc64.exe; C:\ProgramData\HiSuiteOuc\HiSuiteOuc64.exe [138544 2015-05-20] ()
R2 HuaweiHiSuiteService64.exe; C:\ProgramData\HandSetService\HuaweiHiSuiteService64.exe [192304 2015-05-20] ()
R2 NixSrv; C:\Program Files\NixSrv\NixSrv.exe [379392 2015-08-23] () [File not signed]
S3 OverwolfUpdater; C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [1001200 2015-07-19] (Overwolf LTD)


C:\Program Files\NixSrv\
C:\Program Files (x86)\Overwolf
C:\ProgramData\HandSetService
C:\ProgramData\HiSuiteOuc

2015-08-25 14:16 - 2015-08-25 14:16 - 00000000 ____D C:\ProgramData\ExtTags
2015-08-25 14:15 - 2015-08-25 14:16 - 00000000 ____D C:\ProgramData\ExtTag


2015-08-25 12:35 - 2015-08-25 12:35 - 00613255 _____ (CMI Limited) C:\Users\Freizi\AppData\Local\nsxED10.tmp
2015-08-25 12:29 - 2015-08-25 14:16 - 00000990 _____ C:\Windows\Tasks\squBHSz.job
2015-08-25 12:29 - 2015-08-25 12:29 - 00004020 _____ C:\Windows\System32\Tasks\squBHSz
2015-08-25 12:28 - 2015-08-25 13:08 - 00000000 ____D C:\ProgramData\update
2015-08-25 12:28 - 2015-08-25 13:05 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-25 12:28 - 2015-08-25 12:29 - 00000000 ____D C:\ProgramData\QWinManProQ
2015-08-25 12:28 - 2015-08-25 12:28 - 00000124 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-08-25 12:28 - 2015-08-25 12:28 - 00000000 ____D C:\Users\Public\QiYi
2015-08-25 12:26 - 2015-08-25 12:26 - 00000217 _____ C:\task.vbs
2015-08-25 12:26 - 2015-08-25 12:26 - 00000000 ____D C:\Program Files (x86)\baidu
2015-04-14 18:28 - 2015-04-14 18:28 - 0004387 _____ () C:\Users\Freizi\AppData\Roaming\PPZHYZ0
2015-04-14 18:28 - 2015-04-14 18:28 - 0004387 _____ () C:\Users\Freizi\AppData\Roaming\squBHSz
2015-04-20 16:05 - 2015-04-20 16:05 - 1246720 _____ () C:\Users\Freizi\AppData\Roaming\squBHSz.exe
2015-08-24 11:34 - 2015-08-24 11:34 - 0050688 _____ () C:\Users\Freizi\AppData\Local\Saoranity.exe
2015-08-24 11:34 - 2015-08-24 11:34 - 0000187 _____ () C:\Users\Freizi\AppData\Local\Saoranity.exe.config


Task: {0A4D33C2-E2A0-466E-A212-C8C407C033E2} - System32\Tasks\upyateupda => C:\Windows\system32\config\systemprofile\AppData\Local\San-Phase [2015-08-24] ()
Task: {5A9CCAB2-03E2-419F-9C09-EA4196D1BC8E} - System32\Tasks\Overwolf Updater Task => C:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [2015-07-19] (Overwolf LTD)
Task: {5BBA69A9-CB56-42C9-844A-B8E11DC7B261} - System32\Tasks\PPZHYZ0 => C:\Users\Freizi\AppData\Roaming\PPZHYZ0.exe <==== ATTENTION
Task: {BE91E10E-4B2D-4C94-839D-1A66FFF2012E} - System32\Tasks\squBHSz => C:\Users\Freizi\AppData\Roaming\squBHSz.exe [2015-04-20] () <==== ATTENTION
Task: {C158BE88-ACE2-4C8C-8DA7-D0D2BCEF8BD5} - System32\Tasks\{6656F9C8-10D6-4623-8ABF-7B6031D73393} => pcalua.exe -a C:\Windows\DIIUnin.exe -c C:\Windows\DIIUnin.dat
Task: C:\Windows\Tasks\PPZHYZ0.job => C:\Users\Freizi\AppData\Roaming\PPZHYZ0.exe <==== ATTENTION
Task: C:\Windows\Tasks\squBHSz.job => C:\Users\Freizi\AppData\Roaming\squBHSz.exe <==== ATTENTION

EmptyTemp:

End
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\liandianqi => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NCUpdateHelper => value removed successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Akamai NetSession Interface => value removed successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Overwolf => value removed successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Windows\CurrentVersion\Run\\apphide => value removed successfully
"C:\ProgramData\ExtTag\NewToing.dll" => Value data removed successfully.
"C:\ProgramData\ExtTag\Mathtondox.dll" => Value data removed successfully.
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
HKCR\Wow6432Node\CLSID\ielnksrch => key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3703730259-3164073539-163999450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-3703730259-3164073539-163999450-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}" => key removed successfully
HKCR\CLSID\{ielnksrch} => key not found. 
C:\Users\Freizi\AppData\Roaming\Mozilla\Firefox\Profiles\gbhl6ikg.default\searchplugins\findit.xml => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\dnligehkhogpcngalffdoomehjcbecna" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gehmndecgbcffhmfjkenpamdgechcgpe" => key removed successfully
dwwnioad => Service stopped successfully.
dwwnioad => service removed successfully
ExtTag => service removed successfully
HiSuiteOuc64.exe => service removed successfully
HuaweiHiSuiteService64.exe => service removed successfully
NixSrv => Unable to stop service.
NixSrv => service removed successfully
OverwolfUpdater => service removed successfully
C:\Program Files\NixSrv => moved successfully
C:\Program Files (x86)\Overwolf => moved successfully
C:\ProgramData\HandSetService => moved successfully
C:\ProgramData\HiSuiteOuc => moved successfully
C:\ProgramData\ExtTags => moved successfully
C:\ProgramData\ExtTag => moved successfully
C:\Users\Freizi\AppData\Local\nsxED10.tmp => moved successfully
C:\Windows\Tasks\squBHSz.job => moved successfully
C:\Windows\System32\Tasks\squBHSz => moved successfully
C:\ProgramData\update => moved successfully
C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7 => moved successfully
C:\ProgramData\QWinManProQ => moved successfully
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat => moved successfully
C:\Users\Public\QiYi => moved successfully
C:\task.vbs => moved successfully
C:\Program Files (x86)\baidu => moved successfully
C:\Users\Freizi\AppData\Roaming\PPZHYZ0 => moved successfully
C:\Users\Freizi\AppData\Roaming\squBHSz => moved successfully
C:\Users\Freizi\AppData\Roaming\squBHSz.exe => moved successfully
C:\Users\Freizi\AppData\Local\Saoranity.exe => moved successfully
C:\Users\Freizi\AppData\Local\Saoranity.exe.config => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0A4D33C2-E2A0-466E-A212-C8C407C033E2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A4D33C2-E2A0-466E-A212-C8C407C033E2}" => key removed successfully
C:\Windows\System32\Tasks\upyateupda => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\upyateupda" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A9CCAB2-03E2-419F-9C09-EA4196D1BC8E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A9CCAB2-03E2-419F-9C09-EA4196D1BC8E}" => key removed successfully
C:\Windows\System32\Tasks\Overwolf Updater Task => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Overwolf Updater Task" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5BBA69A9-CB56-42C9-844A-B8E11DC7B261}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5BBA69A9-CB56-42C9-844A-B8E11DC7B261}" => key removed successfully
C:\Windows\System32\Tasks\PPZHYZ0 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PPZHYZ0" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BE91E10E-4B2D-4C94-839D-1A66FFF2012E}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE91E10E-4B2D-4C94-839D-1A66FFF2012E}" => key removed successfully
C:\Windows\System32\Tasks\squBHSz not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\squBHSz" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C158BE88-ACE2-4C8C-8DA7-D0D2BCEF8BD5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C158BE88-ACE2-4C8C-8DA7-D0D2BCEF8BD5}" => key removed successfully
C:\Windows\System32\Tasks\{6656F9C8-10D6-4623-8ABF-7B6031D73393} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6656F9C8-10D6-4623-8ABF-7B6031D73393}" => key removed successfully
C:\Windows\Tasks\PPZHYZ0.job => moved successfully
C:\Windows\Tasks\squBHSz.job not found.
EmptyTemp: => 13.9 GB temporary data Removed.


The system needed a reboot.. 

==== End of Fixlog 12:29:22 ====