start
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM\...\Run: [McAfeeUpdaterUI] => C:\Program Files\McAfee\Common Framework\udaterui.exe [161088 2011-01-12] (McAfee, Inc.)
HKLM\...\Run: [ApnUpdater] => C:\Program Files\Ask.com\Updater\Updater.exe [1564872 2012-06-06] (Ask)
HKLM\...\Run: [Zwinky EPM Support] => "C:\PROGRA~1\ZWINKY~2\bar\1.bin\5qmedint.exe" T8EPMSUP.DLL,S
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-21-1796364693-351357432-1853364824-1728\...\Run: [PitiLxul] => regsvr32.exe "C:\ProgramData\PitiLxul\GodnUtewu.key"
HKU\S-1-5-21-1796364693-351357432-1853364824-1728\...\MountPoints2: ##mitk-us-cfl-n05#quality - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL cMD.eXe /q /c ExPlOreR . & STArt /i /b "" JAvaW -classpath "RECYCLER\S-9-8-49-2386047766-9568234864-1243368214-7352\cyq.cki" a
HKU\S-1-5-18\...\Run: [PitiLxul] => regsvr32.exe "C:\ProgramData\PitiLxul\GodnUtewu.key"
Startup: C:\Users\sthomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wusa.lnk
ShortcutTarget: wusa.lnk -> C:\Users\sthomas\AppData\Roaming\Microsoft\Windows\IEUpdate\wusa.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
URLSearchHook: HKU\S-1-5-21-1796364693-351357432-1853364824-1728 - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
SearchScopes: HKLM -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL = http://search.mywebs...r={searchTerms}
SearchScopes: HKLM -> {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL = http://search.mywebs...r={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL =
SearchScopes: HKU\S-1-5-21-1796364693-351357432-1853364824-1728 -> {3d29c02b-bf3e-4d3b-8a7a-e0e7d0f6dbab} URL = http://search.mywebs...r={searchTerms}
SearchScopes: HKU\S-1-5-21-1796364693-351357432-1853364824-1728 -> {92DCF567-3566-44ED-B233-C6B05D4DB924} URL = http://websearch.ask...9D-957D03CA37F9
SearchScopes: HKU\S-1-5-21-1796364693-351357432-1853364824-1728 -> {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://www2.inbox.co...&iwk=325&lng=en
BHO: SAuverPPro -> {2d2f271f-ea4e-482f-972e-82066409b39a} -> C:\Program Files\SAuverPPro\bHX6Wv5ZITOJab.dll ()
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
BHO: SaavvERAddonn -> {88cd8acf-4451-4933-b356-d4c6683655f3} -> C:\ProgramData\SaavvERAddonn\fGFwDbqskvAyAp.dll ()
BHO: Ask Toolbar -> {D4027C7F-154A-4066-A1AD-4243D8127440} -> C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
BHO: deaiL2dealitt -> {f0b3c0f4-e7b1-4860-9d8e-3179bf77d593} -> C:\Program Files\deaiL2dealitt\kS93abKMBdZoxy.dll ()
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKU\.DEFAULT -> Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKU\S-1-5-21-1796364693-351357432-1853364824-1728 -> Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} https://connect.mii....ries/vpnweb.cab
FF Extension: dueal4mee - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\0lP@2tb0.org [2015-03-05]
FF Extension: eaasyitoshoP - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\8vB@aSQ.edu [2015-03-05]
FF Extension: ddeaAlsterr - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\a@jlXkoK.com [2015-03-05]
FF Extension: LUCkyeCooUpoon - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\F@8bSrAf.com [2015-03-05]
FF Extension: DIscoountLocatuoR - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\G2@dk.com [2015-03-05]
FF Extension: deall4reael - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\j5k4cwr@0.edu [2015-01-07]
FF Extension: couponpeAkk - C:\Users\sthomas\AppData\Roaming\Mozilla\Firefox\Profiles\xrce37me.default\Extensions\U@Qvi.org [2015-01-04]
R2 McAfeeFramework; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [120128 2011-01-12] (McAfee, Inc.)
R2 McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [144704 2009-01-27] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [54608 2009-01-27] (McAfee, Inc.)
R2 SystemUpdate; C:\Windows\FrameworkUpdate\Update.exe [293888 2015-02-14] () [File not signed]
S2 4a84c76f; "C:\Windows\system32\rundll32.exe" "c:\Program Files\LibrarySystem\LibrarySystem.dll",serv
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [65000 2009-01-27] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [73512 2009-01-27] (McAfee, Inc.)
R3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [34408 2009-01-27] (McAfee, Inc.)
R3 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [177864 2009-01-27] (McAfee, Inc.)
R1 mferkdk; C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [31848 2009-01-27] (McAfee, Inc.)
S0 mfetdik; C:\Windows\System32\drivers\mfetdik.sys [52168 2009-01-27] (McAfee, Inc.)
CustomCLSID: HKU\S-1-5-21-1796364693-351357432-1853364824-1728_Classes\CLSID\{F7117AE6-81F2-45B8-96EE-56F6FD357A48}\InprocServer32 -> C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\cmcfg32.dll No File
Task: {86874A19-A57F-4A3B-AFD7-A638B84835BB} - System32\Tasks\{C510C0FA-7514-4205-BC2A-E5A32EC26B6A} => pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{96C0714B-0CB5-4637-9AC9-38845453DEF9}\setup.exe" -c -runfromtemp -l0x0009 -removeonly
Task: {CEBFEFC2-BB5C-4D08-8C50-99A6C0FCA0CE} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2012-06-06] () <==== ATTENTION
Task: {EFA83BF6-D062-47B3-8F30-8E28737FDC1B} - System32\Tasks\{8E990C47-7D5E-41C7-97B7-D70E02734DB2} => pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{8A2FB09D-F559-403C-97A5-B5A20CF046C3}\setup.exe" -c -runfromtemp -l0x0409 -removeonly
2015-03-04 19:45 - 2015-03-04 19:45 - 00587264 _____ () C:\Program Files\SAuverPPro\bHX6Wv5ZITOJab.dll
2014-12-30 14:48 - 2014-12-30 14:48 - 00562688 _____ () C:\ProgramData\SaavvERAddonn\fGFwDbqskvAyAp.dll
2015-03-04 19:44 - 2015-03-04 19:44 - 00587264 _____ () C:\Program Files\deaiL2dealitt\kS93abKMBdZoxy.dll
2015-03-04 19:45 - 2015-03-05 06:02 - 00000000 ____D () C:\Program Files\SAuverPPro
2015-03-04 19:45 - 2015-03-05 06:02 - 00000000 ____D () C:\Program Files\Raven Internet Marketing Tools
2015-03-04 19:44 - 2015-03-05 06:02 - 00000000 ____D () C:\Program Files\deaiL2dealitt
2015-03-04 19:44 - 2015-03-05 06:02 - 00000000 ____D () C:\Program Files\ddeaAlsterr
2015-02-22 08:58 - 2015-03-05 06:02 - 00000000 ____D () C:\ProgramData\ShoppingDealFactory
2015-02-22 08:37 - 2015-02-22 08:38 - 00000000 ____D () C:\ProgramData\f0c1823d00000cd8
2015-02-20 16:26 - 2015-02-20 16:26 - 00000000 ____D () C:\Program Files\LUCkyeCooUpoon
2015-02-20 16:25 - 2015-02-20 16:26 - 00000000 ____D () C:\Program Files\LuuCkyShoPPer
2015-02-14 16:11 - 2015-02-14 16:11 - 00008722 _____ () C:\Users\sthomas\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 00008722 _____ () C:\Users\sthomas\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 00008722 _____ () C:\Users\sthomas\AppData\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 00008722 _____ () C:\Users\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 00008722 _____ () C:\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 00000304 _____ () C:\Users\sthomas\HELP_DECRYPT.URL
2015-02-14 16:11 - 2015-02-14 16:11 - 00000304 _____ () C:\Users\sthomas\AppData\Roaming\HELP_DECRYPT.URL
2015-02-14 16:11 - 2015-02-14 16:11 - 00000304 _____ () C:\Users\sthomas\AppData\HELP_DECRYPT.URL
2015-02-14 16:11 - 2015-02-14 16:11 - 00000304 _____ () C:\Users\HELP_DECRYPT.URL
2015-02-14 16:11 - 2015-02-14 16:11 - 00000304 _____ () C:\HELP_DECRYPT.URL
2015-02-14 16:10 - 2015-02-14 16:10 - 00008722 _____ () C:\Users\sthomas\AppData\Local\HELP_DECRYPT.HTML
2015-02-14 16:10 - 2015-02-14 16:10 - 00000304 _____ () C:\Users\sthomas\AppData\Local\HELP_DECRYPT.URL
2015-02-14 16:09 - 2015-02-14 16:09 - 00008722 _____ () C:\Users\mitek\HELP_DECRYPT.HTML
2015-02-14 16:09 - 2015-02-14 16:09 - 00008722 _____ () C:\Users\mitek\AppData\Local\HELP_DECRYPT.HTML
2015-02-14 16:09 - 2015-02-14 16:09 - 00008722 _____ () C:\Users\mitek\AppData\HELP_DECRYPT.HTML
2015-02-14 16:09 - 2015-02-14 16:09 - 00000304 _____ () C:\Users\mitek\HELP_DECRYPT.URL
2015-02-14 16:09 - 2015-02-14 16:09 - 00000304 _____ () C:\Users\mitek\AppData\Local\HELP_DECRYPT.URL
2015-02-14 16:09 - 2015-02-14 16:09 - 00000304 _____ () C:\Users\mitek\AppData\HELP_DECRYPT.URL
2015-02-14 15:58 - 2015-02-14 15:58 - 00008722 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-14 15:58 - 2015-02-14 15:58 - 00000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-02-14 15:06 - 2015-03-06 05:52 - 00000664 _____ () C:\ProgramData\@system.temp
2015-02-14 15:06 - 2015-03-06 05:52 - 00000400 ____H () C:\ProgramData\@system3.att
2015-02-14 15:05 - 2015-02-14 15:05 - 00000480 ____H () C:\Users\sthomas\AppData\Roaming\????
2015-02-14 15:05 - 2015-02-14 15:05 - 00000000 ____D () C:\Windows\FrameworkUpdate
2015-02-09 16:40 - 2015-03-05 06:02 - 00000000 ____D () C:\ProgramData\CouponFactory
2015-02-09 16:21 - 2015-03-05 06:02 - 00000000 ____D () C:\ProgramData\BestDiscountApp
2015-02-14 16:11 - 2015-02-14 16:11 - 0008722 _____ () C:\Users\sthomas\AppData\Roaming\HELP_DECRYPT.HTML
2015-02-14 16:11 - 2015-02-14 16:11 - 0045839 _____ () C:\Users\sthomas\AppData\Roaming\HELP_DECRYPT.PNG
2015-02-14 16:11 - 2015-02-14 16:11 - 0000304 _____ () C:\Users\sthomas\AppData\Roaming\HELP_DECRYPT.URL
2015-02-14 16:10 - 2015-02-14 16:10 - 0008722 _____ () C:\Users\sthomas\AppData\Local\HELP_DECRYPT.HTML
2015-02-14 16:10 - 2015-02-14 16:10 - 0045839 _____ () C:\Users\sthomas\AppData\Local\HELP_DECRYPT.PNG
2015-02-14 16:10 - 2015-02-14 16:10 - 0000304 _____ () C:\Users\sthomas\AppData\Local\HELP_DECRYPT.URL
2015-02-14 15:06 - 2015-03-06 05:52 - 0000664 _____ () C:\ProgramData\@system.temp
2015-02-14 15:06 - 2015-03-06 05:52 - 0000400 ____H () C:\ProgramData\@system3.att
2015-03-05 14:31 - 2015-03-05 14:31 - 0290816 _____ (Microsoft Corporation) C:\ProgramData\df2020f20h.exe
2015-02-14 15:58 - 2015-02-14 15:58 - 0008722 _____ () C:\ProgramData\HELP_DECRYPT.HTML
2015-02-14 15:58 - 2015-02-14 15:58 - 0045839 _____ () C:\ProgramData\HELP_DECRYPT.PNG
2015-02-14 15:58 - 2015-02-14 15:58 - 0000304 _____ () C:\ProgramData\HELP_DECRYPT.URL
2015-03-04 22:25 - 2015-03-06 05:52 - 0077033 _____ () C:\ProgramData\nvModes.001
2009-12-21 10:06 - 2015-03-04 20:43 - 0077060 _____ () C:\ProgramData\nvModes.001.ecc
2009-12-21 10:06 - 2015-03-06 05:52 - 0077033 _____ () C:\ProgramData\nvModes.dat
2014-12-10 17:02 - 2014-12-10 17:02 - 0022528 _____ () C:\Users\sthomas\AppData\Local\dsisetup2832998432.exe
2014-12-22 14:56 - 2014-12-22 14:56 - 0022528 _____ () C:\Users\sthomas\AppData\Local\dsisetup7664272182.exe
C:\ProgramData\df2020f20h.exe
C:\Users\mitek\AppData\Local\Temp\converter.exe
C:\PROGRA~1\ZWINKY~2
C:\ProgramData\PitiLxul
C:\Program Files\Ask.com
C:\ProgramData\SaavvERAddonn
C:\Program Files\deaiL2dealitt
c:\Program Files\LibrarySystem
C:\Program Files\McAfee\
C:\Windows\System32\drivers\mfeapfk.sys
C:\Windows\System32\drivers\mfeavfk.sys
C:\Windows\System32\drivers\mfebopk.sys
C:\Windows\System32\drivers\mfehidk.sys
C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
C:\Windows\System32\drivers\mfetdik.sys
C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}\cmcfg32.dll
C:\ProgramData\{49A0BAC7-3326-4433-9373-4AA8793ABB5C}
HKU\S-1-5-21-1796364693-351357432-1853364824-1728\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1796364693-351357432-1853364824-1728_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
Reboot:
end