start HKU\S-1-5-21-563202287-1717114301-743867805-1000\...\Run: [Ihrsoft] => regsvr32.exe C:\Users\TeamTkac\AppData\Local\Ihrsoft\AsusDevinf32.dll <===== ATTENTION HKU\S-1-5-21-563202287-1717114301-743867805-1000\...\Run: [Egqtion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\TeamTkac\AppData\Local\Ascbworks\QSCEula.dll HKU\S-1-5-21-563202287-1717114301-743867805-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION! CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION CHR HKU\S-1-5-21-563202287-1717114301-743867805-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File FF Plugin-x32: @ei.MarineAquarium3Free_57.com/Plugin -> C:\Program Files (x86)\MarineAquarium3Free_57EI\Installr\1.bin\NP57EISB.dll No File HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x{voidguid} 2014-11-09 16:12 - 2014-11-09 17:15 - 00000000 ____D () C:\Users\TeamTkac\AppData\Local\Ascbworks 2014-11-09 16:12 - 2014-11-09 16:12 - 00000000 ____D () C:\Users\TeamTkac\AppData\Local\Ihrsoft 2014-11-09 12:44 - 2014-11-09 12:44 - 00008542 _____ () C:\Users\TeamTkac\DECRYPT_INSTRUCTION.HTML 2014-11-09 12:44 - 2014-11-09 12:44 - 00004214 _____ () C:\Users\TeamTkac\DECRYPT_INSTRUCTION.TXT 2014-11-09 12:32 - 2014-11-09 12:32 - 00008542 _____ () C:\Users\TeamTkac\Downloads\DECRYPT_INSTRUCTION.HTML 2014-11-09 12:32 - 2014-11-09 12:32 - 00004214 _____ () C:\Users\TeamTkac\Downloads\DECRYPT_INSTRUCTION.TXT 2014-11-09 12:14 - 2014-11-09 12:14 - 00008542 _____ () C:\Users\TeamTkac\Documents\DECRYPT_INSTRUCTION.HTML 2014-11-09 12:14 - 2014-11-09 12:14 - 00004214 _____ () C:\Users\TeamTkac\Documents\DECRYPT_INSTRUCTION.TXT 2014-11-09 11:36 - 2014-11-09 11:36 - 00008542 _____ () C:\Users\TeamTkac\AppData\Roaming\DECRYPT_INSTRUCTION.HTML 2014-11-09 11:36 - 2014-11-09 11:36 - 00008542 _____ () C:\Users\TeamTkac\AppData\DECRYPT_INSTRUCTION.HTML 2014-11-09 11:36 - 2014-11-09 11:36 - 00004214 _____ () C:\Users\TeamTkac\AppData\Roaming\DECRYPT_INSTRUCTION.TXT 2014-11-09 11:36 - 2014-11-09 11:36 - 00004214 _____ () C:\Users\TeamTkac\AppData\DECRYPT_INSTRUCTION.TXT 2014-11-09 11:35 - 2014-11-09 11:35 - 00008542 _____ () C:\Users\TeamTkac\AppData\Local\DECRYPT_INSTRUCTION.HTML 2014-11-09 11:35 - 2014-11-09 11:35 - 00008542 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML 2014-11-09 11:35 - 2014-11-09 11:35 - 00008542 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML 2014-11-09 11:35 - 2014-11-09 11:35 - 00004214 _____ () C:\Users\TeamTkac\AppData\Local\DECRYPT_INSTRUCTION.TXT 2014-11-09 11:35 - 2014-11-09 11:35 - 00004214 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT 2014-11-09 11:35 - 2014-11-09 11:35 - 00004214 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT Task: {48BC6D37-0DD8-4BD9-8E6D-5AD8AB3E226F} - System32\Tasks\IHSelfDeleteTASK => CMD Task: {6BFF9752-60D9-46C4-BC68-A495AB920B53} - System32\Tasks\IHUninstallTrackingTASK => CMD C:\Users\TeamTkac\AppData\Roaming\ShopAtHome C:\ProgramData\Windows Genuine Advantage\{2BEAD886-D9B8-45DE-855F-8AF1FBBCA8F4}\msiexec.exe C:\ProgramData\Windows Genuine Advantage\{695DD13D-3AF4-48FE-AD68-AA0EC8D6C90C}\msiexec.exe C:\Users\TeamTkac\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.HTML C:\Users\TeamTkac\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_INSTRUCTION.TXT C:\Users\TeamTkac\Desktop\DECRYPT_INSTRUCTION.HTML C:\Users\TeamTkac\Desktop\DECRYPT_INSTRUCTION.TXT C:\Users\TeamTkac\AppData\LocalLow\utctlfd.dll CloseProcesses: emtytemp: end