HKLM-x32\...\Run: [SearchProtection] => C:\ProgramData\Search Protection\_run.bat [168 2013-04-19] ()
C:\ProgramData\Search Protection
HKU\S-1-5-21-85754399-600786846-177285140-1000\...\RunOnce: [WSE_Astromenda] => wscript /E:vbscript /B "C:\Users\Gabriel\AppData\Roaming\WSE_Astromenda\UpdateProc\bkup.dat"
HKU\S-1-5-21-85754399-600786846-177285140-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://astromenda.co...=1469331246&ir=
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2456} URL = http://search.fantas...q={searchTerms}
SearchScopes: HKLM - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2456} URL = http://search.fantas...q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2456} URL = http://search.fantas...q={searchTerms}
SearchScopes: HKCU - DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://astromenda.co...=1469331246&ir=
SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://lavasoft.blek...q={searchTerms}
SearchScopes: HKCU - {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = http://astromenda.co...=1469331246&ir=
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2456} URL = http://search.fantas...q={searchTerms}
Toolbar: HKLM-x32 - No Name - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No File
Toolbar: HKLM-x32 - No Name - {b4de90bb-150d-4b33-95fe-6baac97e1c21} - No File
FF SelectedSearchEngine: Astromenda
FF Homepage: hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_44_ch&cd=2XzuyEtN2Y1L1Qzu0ByEzyzy0B0A0FyCtBtAyD0B0E0FtDyDtN0D0Tzu0StCtDtAtBtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0DyB0EyBtD0FtCtG0BtBzztDtGyCzzzyyEtG0CyCtAyDtGyEtAyDyD0AtC0EyCyC0ByDzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0BzytB0ByB0D0EtGtDyD0C0AtGyE0BzztDtG0BtB0AyDtGtC0D0DtA0EtA0CyByC0ByDzy2Q&cr=1469331246&ir=
FF SearchPlugin: C:\Users\Gabriel\AppData\Roaming\Mozilla\Firefox\Profiles\3ugwyb0t.default\searchplugins\Astromenda.xml
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_44_ch&cd=2XzuyEtN2Y1L1Qzu0ByEzyzy0B0A0FyCtBtAyD0B0E0FtDyDtN0D0Tzu0StCtDtAtBtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0DyB0EyBtD0FtCtG0BtBzztDtGyCzzzyyEtG0CyCtAyDtGyEtAyDyD0AtC0EyCyC0ByDzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0BzytB0ByB0D0EtGtDyD0C0AtGyE0BzztDtG0BtB0AyDtGtC0D0DtA0EtA0CyByC0ByDzy2Q&cr=1469331246&ir=
CHR StartupUrls: Default -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_44_ch&cd=2XzuyEtN2Y1L1Qzu0ByEzyzy0B0A0FyCtBtAyD0B0E0FtDyDtN0D0Tzu0StCtDtAtBtN1L2XzutAtFyDtFtCtFyEtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StC0DyB0EyBtD0FtCtG0BtBzztDtGyCzzzyyEtG0CyCtAyDtGyEtAyDyD0AtC0EyCyC0ByDzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0BzytB0ByB0D0EtGtDyD0C0AtGyE0BzztDtG0BtB0AyDtGtC0D0DtA0EtA0CyByC0ByDzy2Q&cr=1469331246&ir=", "hxxp://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepage&toolbarid=adawaretb&v=2_5&u=B1384838A6993FC70BA53F5170CF5620", "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> astromenda.com
CHR DefaultSearchURL: Default -> http://astromenda.co...=1469331246&ir=
C:\Windows\Tasks\WSE_Astromenda.job
C:\Windows\System32\Tasks\WSE_Astromenda
C:\Users\Gabriel\AppData\Roaming\WSE_Astromenda
C:\ProgramData\Search Protection
Folder: C:\Windows\Branding
CustomCLSID: HKU\S-1-5-21-85754399-600786846-177285140-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {C1CC89D9-3783-458A-9434-231BBCCE6D56} - System32\Tasks\WSE_Astromenda => C:\Users\Gabriel\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\WSE_Astromenda.job => C:\Users\Gabriel\AppData\Roaming\WSE_AS~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION