CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [cpx] => C:\Program Files (x86)\cpx\cpx.exe [1172992 2015-07-03] ()
HKLM-x32\...\Run: [msrtn32] => C:\Program Files (x86)\msrtn32\msrtn32.exe [1221120 2015-08-06] ()
HKLM\...\Run: [prtstart] => C:\Program Files\shopperz080920151129\dr_inst.exe url=aHR0cDovL2Nkcy5zNm01bTlkNy5od2Nkbi5uZXQvYWRkb24vcHIvMDgwOTIwMTUvL3ByYzY0LmV4ZQ== lpath=QzpcUHJvZ3JhbSBGaWxlc1xzaG9wcGVyejA4MDkyMDE1MTEyOVxwcmMuZXh (the data entry has 24 more characters).
C:\Program Files\shopperz080920151129
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-56948544-175400317-1807394744-1001\...\Run: [DV] => C:\ProgramData\DataFile\Downloads\DV.exe [277504 2015-09-04] ()
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-56948544-175400317-1807394744-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: [S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-425977601-1203083412-1631309457-2457533047-3321749933] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-80-997390408-2153310517-3119169589-2253446180-2226563786] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-56948544-175400317-1807394744-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-56948544-175400317-1807394744-1001 -> {2582021E-73A4-4BB1-B89D-025F48C938D1} URL =
SearchScopes: HKU\S-1-5-21-56948544-175400317-1807394744-1001 -> {DF4E90BD-B786-4FF1-9EA9-E74A05ACFC3F} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=502468&p={searchTerms}
SearchScopes: HKU\S-1-5-21-56948544-175400317-1807394744-1001 -> {E0A72E9A-7D26-4DF6-AE45-C188B2A9D7E5} URL =
FF HKLM\...\Firefox\Extensions: [{A9BD0126-107A-4CE4-8DAF-23F7D903078A}] - C:\Program Files\shopperz090920150628\Firefox
FF HKLM\...\Firefox\Extensions: [{0C297AD1-F730-4FE3-9753-2E03841998C1}] - C:\Program Files\shopperz080920151129\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{A9BD0126-107A-4CE4-8DAF-23F7D903078A}] - C:\Program Files\shopperz090920150628\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{0C297AD1-F730-4FE3-9753-2E03841998C1}] - C:\Program Files\shopperz080920151129\Firefox
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2015-08-06] () [File not signed] <==== ATTENTION
R2 QPYYKZHuUjY; C:\ProgramData\lpADmp\QPYYKZHuUjY.exe [2732800 2015-09-10] (Valid Applications)
C:\ProgramData\lpADmp
R2 UdvdPork; C:\ProgramData\1441770685\s9.exe [404480 2015-04-07] () [File not signed]
2015-09-09 21:50 - 2015-09-12 22:44 - 00000000 ____D C:\Program Files (x86)\cpx
2015-09-09 21:50 - 2015-09-12 21:58 - 00000000 ____D C:\Users\PAM\AppData\Local\mstrn32
2015-09-09 21:50 - 2015-09-10 19:15 - 00000000 ____D C:\Users\PAM\AppData\Local\cpx
2015-09-09 21:50 - 2015-09-09 21:50 - 00000000 ____D C:\Program Files (x86)\regtool
2015-09-09 21:50 - 2015-09-09 21:50 - 00000000 ____D C:\Program Files (x86)\msrtn32
2015-09-09 21:50 - 2015-09-09 21:50 - 00000000 ____D C:\Program Files (x86)\dataup
2015-09-09 20:02 - 2015-09-09 20:10 - 00000000 ____D C:\ProgramData\DataFile
2015-09-09 20:02 - 2015-09-09 20:08 - 00004752 _____ C:\Windows\SysWOW64\Oemupfahdh.ini
2015-09-09 20:02 - 2015-09-09 20:08 - 00002472 _____ C:\Windows\SysWOW64\OemupfahdhOff.ini
2015-09-09 20:02 - 2015-09-09 20:08 - 00002472 _____ C:\Windows\system32\OemupfahdhOff.ini
2015-09-09 20:02 - 2015-09-09 20:02 - 00000000 ____D C:\Windows\system32\phbo
2015-09-09 20:02 - 2015-09-08 01:32 - 00353632 _____ C:\Windows\system32\Oemupfahdh64.dll
2015-09-09 20:02 - 2015-09-08 01:32 - 00283488 _____ C:\Windows\SysWOW64\Oemupfahdh.dll
2015-09-09 20:01 - 2015-09-13 23:07 - 00000372 ____H C:\Windows\Tasks\AXCINCXHMDOCGGXC.job
2015-09-09 20:01 - 2015-09-09 20:01 - 00003384 _____ C:\Windows\System32\Tasks\AXCINCXHMDOCGGXC
2015-09-09 20:01 - 2015-09-09 20:01 - 00000000 ____D C:\ProgramData\Service1291
2015-09-08 20:55 - 2015-08-03 21:03 - 00000854 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-09-08 20:54 - 2015-09-09 20:03 - 00000000 ____D C:\Users\PAM\AppData\Local\Tempfolder
2015-09-08 20:54 - 2015-09-08 21:08 - 00004792 _____ C:\Windows\SysWOW64\Ufiodnukb.ini
2015-09-08 20:54 - 2015-09-08 21:08 - 00002504 _____ C:\Windows\SysWOW64\UfiodnukbOff.ini
2015-09-08 20:54 - 2015-09-08 21:08 - 00002504 _____ C:\Windows\system32\UfiodnukbOff.ini
2015-09-08 20:54 - 2015-09-08 20:54 - 00000903 _____ C:\Windows\SysWOW64\${LOGFILE}
2015-09-08 20:54 - 2015-09-08 20:54 - 00000000 ____D C:\Windows\system32\tak
2015-09-08 20:54 - 2015-09-08 20:54 - 00000000 ____D C:\Users\PAM\AppData\Roaming\ortmp
2015-09-08 20:54 - 2015-09-08 20:31 - 00353648 _____ C:\Windows\system32\Ufiodnukb64.dll
2015-09-08 20:54 - 2015-09-08 20:31 - 00283504 _____ C:\Windows\SysWOW64\Ufiodnukb.dll
2015-09-08 20:51 - 2015-09-08 20:51 - 00000000 ____D C:\Users\PAM\AppData\Roaming\c
2015-09-08 20:51 - 2015-09-08 20:51 - 00000000 ____D C:\ProgramData\u4c
2015-09-08 20:51 - 2015-09-08 20:51 - 00000000 ____D C:\ProgramData\1441770685
2015-09-08 20:48 - 2015-09-08 20:48 - 00003490 _____ C:\Windows\System32\Tasks\ZIYBY
2015-09-08 20:48 - 2015-09-08 20:48 - 00000000 ____D C:\ProgramData\Service0561
2015-09-10 18:42 - 2015-09-13 23:25 - 00000488 _____ C:\Windows\Tasks\CIMT_S-1-5-21-56948544-175400317-1807394744-1001.job
2015-09-10 18:42 - 2015-09-10 18:47 - 00000522 _____ C:\Windows\Tasks\CIMT_daily_S-1-5-21-56948544-175400317-1807394744-1001.job
2015-09-10 18:42 - 2015-09-10 18:42 - 00003582 _____ C:\Windows\System32\Tasks\CIMT_daily_S-1-5-21-56948544-175400317-1807394744-1001
2015-09-10 18:42 - 2015-09-10 18:42 - 00003472 _____ C:\Windows\System32\Tasks\CIMT_S-1-5-21-56948544-175400317-1807394744-1001
2015-09-10 18:42 - 2015-09-10 18:42 - 00000000 ____D C:\Program Files (x86)\Setup Support for Consumer Input
2015-09-10 18:38 - 2015-09-10 18:38 - 03378936 _____ C:\Windows\SysWOW64\ins_smk.exe
2015-09-10 18:38 - 2015-09-10 18:38 - 00520704 _____ C:\Windows\SysWOW64\ins_U501EXE.exe
2015-09-10 18:38 - 2015-09-10 18:38 - 00000000 ____D C:\Users\PAM\AppData\Local\CrashRpt
Task: {232B4B1F-209A-4A92-9DB7-D85E04C5E823} - System32\Tasks\CIMT_daily_S-1-5-21-56948544-175400317-1807394744-1001 => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe <==== ATTENTION
Task: {50C56041-C617-4549-9335-F30686641862} - System32\Tasks\ZIYBY => C:\ProgramData\Service0561\Service0561.exe [2015-09-08] () <==== ATTENTION
Task: {50EEC17B-B283-4377-A325-112C4C095C2B} - System32\Tasks\Cienaueo => C:\ProgramData\Cienaueo\1.0.5.1\fnenniuu.exe [2015-09-10] ()
Task: {C6FB1B92-6CD9-4AB4-9523-90FC8E1BE5D8} - System32\Tasks\AXCINCXHMDOCGGXC => C:\ProgramData\Service1291\Service1291.exe [2015-09-09] () <==== ATTENTION
Task: {F6D79D7A-4736-4038-8DC0-1EA797DE8912} - System32\Tasks\CIMT_S-1-5-21-56948544-175400317-1807394744-1001 => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe <==== ATTENTION
Task: C:\Windows\Tasks\AXCINCXHMDOCGGXC.job => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
Task: C:\Windows\Tasks\CIMT_daily_S-1-5-21-56948544-175400317-1807394744-1001.job => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe <==== ATTENTION
Task: C:\Windows\Tasks\CIMT_S-1-5-21-56948544-175400317-1807394744-1001.job => C:\Program Files (x86)\Consumer Input\Monitoring\dca-monitoring.exe <==== ATTENTION
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
HKU\S-1-5-21-56948544-175400317-1807394744-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
C:\Program Files (x86)\Itibiti Soft Phone
FirewallRules: [{6768C145-A81F-4D64-A59C-32428AE86FDB}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲楳整牢歯牥攮數
FirewallRules: [{6DEDF643-C034-4842-BCC5-B10A7BD49C28}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲敲瑳楳整牢歯牥攮數
FirewallRules: [{9CB76E26-4374-43AA-9F8F-CBB21B0426E1}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲楳整牢歯牥⹟硥e
FirewallRules: [{630960C3-3696-464A-AC9D-13A2D2FDB71D}] => (Allow) 㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲敲瑳楳整牢歯牥⹟硥e
FirewallRules: [{BBDEA156-5F74-4ADC-B174-AFDC5BB6D746}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
FirewallRules: [{4F4B680C-8967-463E-ABD0-E29BD867BB7C}] => (Allow) C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
EmptyTemp:
cmd: bitsadmin /reset /allusers
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartupApproved" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartupApproved" /F
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
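Two entries in the fixlist above hide what they actually point at: the dr_inst.exe Run value carries its download URL and drop path as base64 (the lpath value is cut off by FRST, which reports 24 missing characters), and four FirewallRules entries show CJK text instead of a program path. The helper below is an added triage example, not part of the fixlist and not FRST's own code; do not paste it into fixlist.txt. It decodes the base64 arguments, padding the truncated one and marking it as a prefix, and recovers the firewall rule paths on the assumption that the CJK text is an ASCII path that was read back as UTF-16 at an odd byte alignment (re-encoding the text as UTF-16-LE restores the original byte stream; a readable path coming out is the check that the assumption holds).

```python
"""Triage helpers for two obfuscated entries in the FRST fixlist above.

Added example, not part of the original post or of FRST itself:
 - decode_run_args(): base64-decodes the url=/lpath= arguments of the
   dr_inst.exe Run value; lpath is truncated in the log, so the decoder
   pads it and returns the recoverable prefix marked with '...';
 - unswap_rule_path(): the FirewallRules program fields show CJK text
   because (assumption) an ASCII path was read back as UTF-16 at an odd
   byte alignment; encoding the text back to UTF-16-LE yields the path.
"""
import base64
import re

# Argument string copied from the HKLM\...\Run: [prtstart] entry above.
RUN_ARGS = (
    "url=aHR0cDovL2Nkcy5zNm01bTlkNy5od2Nkbi5uZXQvYWRkb24vcHIvMDgwOTIwMTUvL3ByYzY0LmV4ZQ== "
    "lpath=QzpcUHJvZ3JhbSBGaWxlc1xzaG9wcGVyejA4MDkyMDE1MTEyOVxwcmMuZXh"
)

# Program fields of the four garbled FirewallRules entries above.
GARBLED_RULE_PATHS = [
    "㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲楳整牢歯牥攮數",
    "㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲敲瑳楳整牢歯牥攮數",
    "㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲楳整牢歯牥⹟硥e",
    "㩃停潲牧浡䘠汩獥⠠㡸⤶獜瑩扥潲敫屲敲瑳楳整牢歯牥⹟硥e",
]


def b64_decode_lenient(value):
    """Decode base64 that may have been cut off mid-quantum.

    Returns (decoded_bytes, truncated). A trailing group of 2 or 3 symbols
    is padded and decoded; a lone leftover symbol carries no whole byte and
    is dropped. 'truncated' is judged on the original length, so a value
    that legitimately ends in '==' is not flagged.
    """
    value = value.strip()
    rem = len(value) % 4
    if rem == 1:
        value = value[:-1]
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded), rem != 0


def decode_run_args(args):
    """Turn 'key=<base64> key=<base64>' into {key: decoded_text}.

    Values whose base64 was truncated get a trailing '...' so the reader
    does not mistake the prefix for the full path.
    """
    out = {}
    for key, b64 in re.findall(r"(\w+)=(\S+)", args):
        raw, truncated = b64_decode_lenient(b64)
        out[key] = raw.decode("latin-1") + ("..." if truncated else "")
    return out


def unswap_rule_path(garbled):
    """Recover the ASCII path behind a UTF-16-misaligned FirewallRules value.

    Each CJK code point is really two ASCII bytes read in little-endian
    order, so encoding the text back to UTF-16-LE restores the byte stream.
    A lone trailing ASCII char encodes as 'X\\x00'; the NUL is stripped.
    """
    raw = garbled.encode("utf-16-le").rstrip(b"\x00")
    return raw.decode("latin-1")


if __name__ == "__main__":
    for key, text in decode_run_args(RUN_ARGS).items():
        print(f"{key:6} -> {text}")
    for garbled in GARBLED_RULE_PATHS:
        print(unswap_rule_path(garbled))
```

Treat the decoded URL as hostile infrastructure: it tells you what the dropper fetched, not something to visit. The recovered rule paths all live under a sitebroker directory that the fixlist above does not otherwise name, which is exactly the kind of gap this check is meant to surface before the fix is run.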