CloseProcesses:
CreateRestorePoint:
Unlock: C:\Users\Gregory\AppData\Local\ntuserlitelist\cpx
HKLM-x32\...\Run: [cpx] => "C:\Users\Gregory\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
Unlock: C:\Users\Gregory\AppData\Local\ntuserlitelist\svcvmx
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Gregory\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
R2 windowsmanagementservice; C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe [851456 2017-03-23] () [File not signed] <==== ATTENTION <==== ATTENTION
Unlock: C:\Users\Gregory\AppData\Local\Temp\20170323
Unlock: C:\PROGRA~2\dataup
S2 Dataup; C:\PROGRA~2\dataup\dataup.exe [X] <==== ATTENTION
Unlock: C:\WINDOWS\system32\Drivers\drmkpro64.sys
C:\WINDOWS\system32\Drivers\drmkpro64.sys
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: C:\Program Files\IFY9AWM283
unlock: C:\Program Files\IFY9AWM283\IFY9AWM28.exe
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\Run: [OF49QM3R9T] => "C:\Program Files\IFY9AWM283\IFY9AWM28.exe"
C:\Program Files\IFY9AWM283
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
AppInit_DLLs: C:\WINDOWS\Tattvamasi\WUpdate64.dll => C:\WINDOWS\Tattvamasi\WUpdate64.dll [347648 2017-03-23] ()
C:\WINDOWS\Tattvamasi
FF NewTab: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> Yahoo! Powered
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
2017-03-17 18:08 - 2017-03-17 18:08 - 02894522 _____ C:\WINDOWS\569d9de8acff0aeffe7aeac31f85918a.exe
2017-03-24 00:55 - 2017-03-24 00:55 - 0000480 ____H () C:\Users\Gregory\AppData\Roaming\@con.bin
2016-06-14 19:37 - 2017-03-27 11:25 - 0000164 _____ () C:\Users\Gregory\AppData\Roaming\sp_data.sys
2017-03-24 00:55 - 2017-03-24 00:55 - 0000008 ____H () C:\Users\Gregory\AppData\Local\@000001.dat
2017-03-24 00:55 - 2017-03-24 12:17 - 0000888 ____H () C:\Users\Gregory\AppData\Local\@system.temp
2017-03-24 00:55 - 2017-03-24 12:17 - 0000624 ____H () C:\Users\Gregory\AppData\Local\mode3.bin
2017-03-25 15:42 - 2016-11-11 06:13 - 1886344 _____ (Microsoft Corporation) C:\Users\Gregory\AppData\Local\Temp\dllnt_dump.dll
2017-03-24 01:41 - 2017-03-24 01:41 - 0016880 _____ () C:\Users\Gregory\AppData\Local\Temp\E7I3BQ0R30H2.exe
2017-03-23 23:48 - 2017-03-23 23:48 - 1743360 _____ () C:\Users\Gregory\AppData\Local\Temp\Hotspot_2626_setup.exe
2017-01-11 04:53 - 2017-01-11 04:53 - 0762992 _____ () C:\Users\Gregory\AppData\Local\Temp\InstallHelper.exe
2017-03-24 12:39 - 2017-03-24 12:39 - 13414504 _____ (Reimage) C:\Users\Gregory\AppData\Local\Temp\ReimagePackage.exe
2017-03-23 23:44 - 2017-03-23 23:45 - 0425674 _____ (WeMonetize ) C:\Users\Gregory\AppData\Local\Temp\TKSGPIQ.exe
2017-03-15 13:40 - 2017-03-15 13:40 - 14456872 _____ (Microsoft Corporation) C:\Users\Gregory\AppData\Local\Temp\vc_redist.x86.exe
2017-03-23 04:40 - 2017-03-23 04:40 - 2978648 _____ (Lead IT) C:\Users\Gregory\AppData\Local\Temp\wctnLIyu-prog.exe
2017-03-24 00:00 - 2017-03-24 00:00 - 00000000 ____D C:\Program Files (x86)\Qejisyfank_
2017-03-23 23:59 - 2017-03-23 23:59 - 00003686 _____ C:\WINDOWS\System32\Tasks\System Healer Task
2017-03-23 23:58 - 2017-03-23 23:58 - 00831488 ____N C:\WINDOWS\system32\tprdpw32.exe
2017-03-23 23:51 - 2017-03-23 23:51 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-03-23 23:48 - 2017-03-23 23:48 - 00000000 ____D C:\WINDOWS\SysWOW64\sstmp
2017-03-23 23:48 - 2017-03-23 23:48 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-03-23 23:46 - 2017-03-24 13:00 - 00000000 ____D C:\Program Files\IFY9AWM283
2017-03-23 23:45 - 2017-03-24 19:52 - 00000000 ____D C:\Users\Gregory\AppData\Local\Browser
2017-03-23 23:42 - 2017-03-23 23:44 - 00000000 ____D C:\WINDOWS\Tattvamasi
2017-03-24 00:55 - 2017-03-24 12:17 - 00000888 ____H C:\Users\Gregory\AppData\Local\@system.temp
2017-03-24 00:55 - 2017-03-24 12:17 - 00000624 ____H C:\Users\Gregory\AppData\Local\mode3.bin
2017-03-24 00:55 - 2017-03-24 00:55 - 00000480 ____H C:\Users\Gregory\AppData\Roaming\@con.bin
2017-03-24 00:55 - 2017-03-24 00:55 - 00000008 ____H C:\Users\Gregory\AppData\Local\@000001.dat
2017-03-24 00:50 - 2017-03-24 00:50 - 00000164 _____ C:\Users\Control\AppData\Roaming\sp_data.sys
Task: {A3B3E189-4694-42C5-BEF4-433AD4F07F86} - \Reasodom -> No File <==== ATTENTION
Task: {47E56DE5-BBE7-4800-8A69-25F8ACA28D3A} - System32\Tasks\System Healer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
Shortcut: C:\Users\Gregory\Desktop\Ultimа PSОВВ.lnk -> C:\Ultima PSOBB\Launcher.bat ()
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехplоrеr.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) <===== Cyrillic
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk -> [LFPO :i+00] <===== Cyrillic
2017-03-23 23:59 - 2017-03-23 23:59 - 00851456 ____N () C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe
MSCONFIG\Services: windowsmanagementservice =>
S1 HWifiNetPro; \??\C:\Program Files (x86)\Hotspot\HWifiNetPro64.SYS [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
HKLM\...\StartupApproved\Run32: => "isa"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "OpenTrafficB"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "MNQB0RUZUJ"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "OF49QM3R9T"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "XU1VF3FEKF"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "X23F2ICD2E"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
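A post-fix check, added here as an example; it is not part of the fixlist above and not FRST output, so do not paste it into fixlist.txt. After FRST has run the fix and the machine has rebooted, it re-tests every file, service/driver key, scheduled-task entry, icon-overlay key, Run value and StartupApproved value that the fixlist targets and lists anything that survived. Assumptions: the profile path is C:\Users\Gregory and the SID is the one quoted in the fixlist, HKLM-x32\...\Run is the WOW6432Node Run key, "..." in the HKU lines stands for Software\Microsoft\Windows\CurrentVersion, the user is logged in so the HKEY_USERS hive is loaded, and the script runs from an elevated PowerShell.

```powershell
# Post-fix verification for the FRST fixlist above (added example, not FRST's own code).
# Run elevated, after FRST's fix and a reboot. Assumed: profile C:\Users\Gregory, the SID
# from the fixlist, HKLM-x32 = WOW6432Node, and "..." = Software\Microsoft\Windows\CurrentVersion.
$Sid      = 'S-1-5-21-3538670314-229490412-194736154-1001'
$UserHive = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion"
$Profile  = 'C:\Users\Gregory'

# Files and directories the fixlist deletes (paths copied from the fixlist; PROGRA~2 is the
# 8.3 alias the fixlist itself uses, and Test-Path resolves it).
$Paths = @(
  "$Profile\AppData\Local\ntuserlitelist\cpx",
  "$Profile\AppData\Local\ntuserlitelist\svcvmx",
  "$Profile\AppData\Local\Temp\20170323",
  'C:\PROGRA~2\dataup',
  'C:\WINDOWS\system32\Drivers\drmkpro64.sys',
  'C:\Program Files\IFY9AWM283',
  'C:\WINDOWS\Tattvamasi',
  'C:\WINDOWS\569d9de8acff0aeffe7aeac31f85918a.exe',
  "$Profile\AppData\Roaming\@con.bin",
  "$Profile\AppData\Roaming\sp_data.sys",
  'C:\Users\Control\AppData\Roaming\sp_data.sys',
  "$Profile\AppData\Local\@000001.dat",
  "$Profile\AppData\Local\@system.temp",
  "$Profile\AppData\Local\mode3.bin",
  "$Profile\AppData\Local\Browser",
  'C:\Program Files (x86)\Qejisyfank_',
  'C:\WINDOWS\System32\Tasks\System Healer Task',
  'C:\WINDOWS\system32\tprdpw32.exe',
  'C:\WINDOWS\system32\SSL',
  'C:\WINDOWS\SysWOW64\sstmp',
  'C:\WINDOWS\system32\sstmp',
  'C:\WINDOWS\System32\drivers\zam64.sys',
  'C:\Program Files (x86)\Hotspot\HWifiNetPro64.SYS'
)

# Registry values the fixlist removes: (key, value name) pairs.
$Values = @(
  @('HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run', 'cpx'),
  @('HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run', 'svcvmx'),
  @("$UserHive\Run", 'OF49QM3R9T'),
  @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32', 'isa'),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore', 'DisableSR'),
  @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore', 'DisableConfig')
)
foreach ($n in 'OpenTrafficB', 'MNQB0RUZUJ', 'OF49QM3R9T', 'XU1VF3FEKF', 'X23F2ICD2E') {
  $Values += ,@("$UserHive\Explorer\StartupApproved\Run", $n)
}

# Registry keys that should no longer exist: service/driver entries (Get-Service does not list
# kernel drivers, so the Services key is checked directly), task-cache entries, icon overlays.
$Keys = @()
foreach ($s in 'windowsmanagementservice', 'Dataup', 'drmkpro64', 'ZAM', 'HWifiNetPro') {
  $Keys += "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
}
foreach ($t in 'System Healer Task', 'Reasodom') {
  $Keys += "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\$t"
}
foreach ($o in '00asw', '00avast') {
  $Keys += "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\$o"
}

$leftovers = @()
foreach ($p in $Paths) { if (Test-Path -LiteralPath $p) { $leftovers += "file/dir still present: $p" } }
foreach ($k in $Keys)  { if (Test-Path -LiteralPath $k) { $leftovers += "registry key still present: $k" } }
foreach ($v in $Values) {
  $key, $name = $v
  # Get-ItemProperty returns nothing (no terminating error) when the key or value is absent.
  $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
  if ($null -ne $item) { $leftovers += "registry value still present: $key\$name" }
}

# AppInit_DLLs: the fixlist removes the Tattvamasi\WUpdate64.dll entry. Confirm no Tattvamasi
# reference remains, and flag the case where AppInit loading is still on with a non-empty list.
$winNt = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' -ErrorAction SilentlyContinue
if ($winNt -and $winNt.AppInit_DLLs -match 'Tattvamasi') {
  $leftovers += "AppInit_DLLs still references Tattvamasi: $($winNt.AppInit_DLLs)"
}
if ($winNt -and $winNt.LoadAppInit_DLLs -eq 1 -and $winNt.AppInit_DLLs) {
  $leftovers += "LoadAppInit_DLLs is 1 and AppInit_DLLs is non-empty: $($winNt.AppInit_DLLs)"
}

if ($leftovers.Count -eq 0) {
  Write-Output 'No fixlist targets remain; post a fresh FRST.txt and Addition.txt to confirm.'
} else {
  $leftovers | ForEach-Object { Write-Output $_ }
  exit 1
}
```

A non-zero exit with a list of survivors means the item was re-created (the fixlist's R2/S1/S2 entries, the Run values and the AppInit DLL are the persistence points a dropper re-installs on reboot), so post the survivors together with a fresh FRST scan rather than re-running the same fixlist.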