Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Gregory (27-03-2017 17:56:45) Run:1
Running from C:\Users\Gregory\Desktop
Loaded Profiles: Gregory (Available Profiles: Gregory & Control)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
Unlock: C:\Users\Gregory\AppData\Local\ntuserlitelist\cpx
HKLM-x32\...\Run: [cpx] => "C:\Users\Gregory\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
Unlock: C:\Users\Gregory\AppData\Local\ntuserlitelist\svcvmx
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Gregory\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
R2 windowsmanagementservice; C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe [851456 2017-03-23] () [File not signed] <==== ATTENTION <==== ATTENTION
Unlock: C:\Users\Gregory\AppData\Local\Temp\20170323
Unlock: C:\PROGRA~2\dataup
S2 Dataup; C:\PROGRA~2\dataup\dataup.exe [X] <==== ATTENTION
Unlock: C:\WINDOWS\system32\Drivers\drmkpro64.sys
C:\WINDOWS\system32\Drivers\drmkpro64.sys
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: C:\Program Files\IFY9AWM283
unlock: C:\Program Files\IFY9AWM283\IFY9AWM28.exe
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\Run: [OF49QM3R9T] => "C:\Program Files\IFY9AWM283\IFY9AWM28.exe"
C:\Program Files\IFY9AWM283
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
AppInit_DLLs: C:\WINDOWS\Tattvamasi\WUpdate64.dll => C:\WINDOWS\Tattvamasi\WUpdate64.dll [347648 2017-03-23] ()
C:\WINDOWS\Tattvamasi
FF NewTab: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\o6ab7k15.default-1469343213980 -> Yahoo! Powered
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
2017-03-17 18:08 - 2017-03-17 18:08 - 02894522 _____ C:\WINDOWS\569d9de8acff0aeffe7aeac31f85918a.exe
2017-03-24 00:55 - 2017-03-24 00:55 - 0000480 ____H () C:\Users\Gregory\AppData\Roaming\@con.bin
2016-06-14 19:37 - 2017-03-27 11:25 - 0000164 _____ () C:\Users\Gregory\AppData\Roaming\sp_data.sys
2017-03-24 00:55 - 2017-03-24 00:55 - 0000008 ____H () C:\Users\Gregory\AppData\Local\@000001.dat
2017-03-24 00:55 - 2017-03-24 12:17 - 0000888 ____H () C:\Users\Gregory\AppData\Local\@system.temp
2017-03-24 00:55 - 2017-03-24 12:17 - 0000624 ____H () C:\Users\Gregory\AppData\Local\mode3.bin
2017-03-25 15:42 - 2016-11-11 06:13 - 1886344 _____ (Microsoft Corporation) C:\Users\Gregory\AppData\Local\Temp\dllnt_dump.dll
2017-03-24 01:41 - 2017-03-24 01:41 - 0016880 _____ () C:\Users\Gregory\AppData\Local\Temp\E7I3BQ0R30H2.exe
2017-03-23 23:48 - 2017-03-23 23:48 - 1743360 _____ () C:\Users\Gregory\AppData\Local\Temp\Hotspot_2626_setup.exe
2017-01-11 04:53 - 2017-01-11 04:53 - 0762992 _____ () C:\Users\Gregory\AppData\Local\Temp\InstallHelper.exe
2017-03-24 12:39 - 2017-03-24 12:39 - 13414504 _____ (Reimage) C:\Users\Gregory\AppData\Local\Temp\ReimagePackage.exe
2017-03-23 23:44 - 2017-03-23 23:45 - 0425674 _____ (WeMonetize ) C:\Users\Gregory\AppData\Local\Temp\TKSGPIQ.exe
2017-03-15 13:40 - 2017-03-15 13:40 - 14456872 _____ (Microsoft Corporation) C:\Users\Gregory\AppData\Local\Temp\vc_redist.x86.exe
2017-03-23 04:40 - 2017-03-23 04:40 - 2978648 _____ (Lead IT) C:\Users\Gregory\AppData\Local\Temp\wctnLIyu-prog.exe
2017-03-24 00:00 - 2017-03-24 00:00 - 00000000 ____D C:\Program Files (x86)\Qejisyfank_
2017-03-23 23:59 - 2017-03-23 23:59 - 00003686 _____ C:\WINDOWS\System32\Tasks\System Healer Task
2017-03-23 23:58 - 2017-03-23 23:58 - 00831488 ____N C:\WINDOWS\system32\tprdpw32.exe
2017-03-23 23:51 - 2017-03-23 23:51 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-03-23 23:48 - 2017-03-23 23:48 - 00000000 ____D C:\WINDOWS\SysWOW64\sstmp
2017-03-23 23:48 - 2017-03-23 23:48 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-03-23 23:46 - 2017-03-24 13:00 - 00000000 ____D C:\Program Files\IFY9AWM283
2017-03-23 23:45 - 2017-03-24 19:52 - 00000000 ____D C:\Users\Gregory\AppData\Local\Browser
2017-03-23 23:42 - 2017-03-23 23:44 - 00000000 ____D C:\WINDOWS\Tattvamasi
2017-03-24 00:55 - 2017-03-24 12:17 - 00000888 ____H C:\Users\Gregory\AppData\Local\@system.temp
2017-03-24 00:55 - 2017-03-24 12:17 - 00000624 ____H C:\Users\Gregory\AppData\Local\mode3.bin
2017-03-24 00:55 - 2017-03-24 00:55 - 00000480 ____H C:\Users\Gregory\AppData\Roaming\@con.bin
2017-03-24 00:55 - 2017-03-24 00:55 - 00000008 ____H C:\Users\Gregory\AppData\Local\@000001.dat
2017-03-24 00:50 - 2017-03-24 00:50 - 00000164 _____ C:\Users\Control\AppData\Roaming\sp_data.sys
Task: {A3B3E189-4694-42C5-BEF4-433AD4F07F86} - \Reasodom -> No File <==== ATTENTION
Task: {47E56DE5-BBE7-4800-8A69-25F8ACA28D3A} - System32\Tasks\System Healer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
Shortcut: C:\Users\Gregory\Desktop\Ultimа PSОВВ.lnk -> C:\Ultima PSOBB\Launcher.bat ()
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехplоrеr.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) <===== Cyrillic
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk -> [LFPO :i+00] <===== Cyrillic
2017-03-23 23:59 - 2017-03-23 23:59 - 00851456 ____N () C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe
MSCONFIG\Services: windowsmanagementservice =>
S1 HWifiNetPro; \??\C:\Program Files (x86)\Hotspot\HWifiNetPro64.SYS [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
HKLM\...\StartupApproved\Run32: => "isa"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "OpenTrafficB"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "MNQB0RUZUJ"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "OF49QM3R9T"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "XU1VF3FEKF"
HKU\S-1-5-21-3538670314-229490412-194736154-1001\...\StartupApproved\Run: => "X23F2ICD2E"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
"C:\Users\Gregory\AppData\Local\ntuserlitelist\cpx" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
"C:\Users\Gregory\AppData\Local\ntuserlitelist\svcvmx" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
"C:\Users\Gregory\AppData\Local\Temp\20170323" => was unlocked
"C:\PROGRA~2\dataup" => was unlocked
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
"C:\WINDOWS\system32\Drivers\drmkpro64.sys" => could not be unlocked
Could not move "C:\WINDOWS\system32\Drivers\drmkpro64.sys" => Scheduled to move on reboot.
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" => key was unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f =========

ERROR: Access is denied.

========= End of Reg: =========

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" => key was unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f =========

ERROR: Access is denied.

========= End of Reg: =========

"C:\Program Files\IFY9AWM283" => was unlocked
"C:\Program Files\IFY9AWM283\IFY9AWM28.exe" => not found.
HKU\S-1-5-21-3538670314-229490412-194736154-1001\Software\Microsoft\Windows\CurrentVersion\Run\\OF49QM3R9T => value removed successfully
C:\Program Files\IFY9AWM283 => moved successfully
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore => key removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
"C:\WINDOWS\Tattvamasi\WUpdate64.dll" => Value data removed successfully.
C:\WINDOWS\Tattvamasi => moved successfully
Firefox "newtab" removed successfully
Firefox DefaultSearchEngine removed successfully
Firefox SelectedSearchEngine removed successfully
HKLM\System\CurrentControlSet\Services\ZAM => key removed successfully
ZAM => service removed successfully
C:\WINDOWS\569d9de8acff0aeffe7aeac31f85918a.exe => moved successfully
C:\Users\Gregory\AppData\Roaming\@con.bin => moved successfully
C:\Users\Gregory\AppData\Roaming\sp_data.sys => moved successfully
C:\Users\Gregory\AppData\Local\@000001.dat => moved successfully
C:\Users\Gregory\AppData\Local\@system.temp => moved successfully
C:\Users\Gregory\AppData\Local\mode3.bin => moved successfully
C:\Users\Gregory\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\Gregory\AppData\Local\Temp\E7I3BQ0R30H2.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\Hotspot_2626_setup.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\InstallHelper.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\ReimagePackage.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\TKSGPIQ.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\vc_redist.x86.exe => moved successfully
C:\Users\Gregory\AppData\Local\Temp\wctnLIyu-prog.exe => moved successfully
C:\Program Files (x86)\Qejisyfank_ => moved successfully
C:\WINDOWS\System32\Tasks\System Healer Task => moved successfully
Could not move "C:\WINDOWS\system32\tprdpw32.exe" => Scheduled to move on reboot.
C:\WINDOWS\system32\SSL => moved successfully
C:\WINDOWS\SysWOW64\sstmp => moved successfully
C:\WINDOWS\system32\sstmp => moved successfully
"C:\Program Files\IFY9AWM283" => not found.
C:\Users\Gregory\AppData\Local\Browser => moved successfully
"C:\WINDOWS\Tattvamasi" => not found.
"C:\Users\Gregory\AppData\Local\@system.temp" => not found.
"C:\Users\Gregory\AppData\Local\mode3.bin" => not found.
"C:\Users\Gregory\AppData\Roaming\@con.bin" => not found.
"C:\Users\Gregory\AppData\Local\@000001.dat" => not found.
C:\Users\Control\AppData\Roaming\sp_data.sys => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A3B3E189-4694-42C5-BEF4-433AD4F07F86} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A3B3E189-4694-42C5-BEF4-433AD4F07F86} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Reasodom => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{47E56DE5-BBE7-4800-8A69-25F8ACA28D3A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47E56DE5-BBE7-4800-8A69-25F8ACA28D3A} => key removed successfully
C:\WINDOWS\System32\Tasks\System Healer Task => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Healer Task => key removed successfully
C:\Users\Gregory\Desktop\Ultimа PSОВВ.lnk => moved successfully
C:\Users\Gregory\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Intеrnеt Ехplоrеr.lnk => moved successfully
C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Gооglе Сhrоmе.lnk => moved successfully
C:\Users\Gregory\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Gооglе Сhrоmе.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Моzillа Firеfох.lnk => moved successfully
Could not move "C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe" => Scheduled to move on reboot.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\MSCONFIG\Services: windowsmanagementservice => => key not found.
HKLM\System\CurrentControlSet\Services\MSCONFIG\Services: windowsmanagementservice => => key not found.
HKLM\System\CurrentControlSet\Services\HWifiNetPro => key removed successfully
HWifiNetPro => service removed successfully
ZAM => service not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\isa => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\isa => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\OpenTrafficB => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\OpenTrafficB => value not found.
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\MNQB0RUZUJ => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MNQB0RUZUJ => value not found.
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\OF49QM3R9T => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\OF49QM3R9T => value not found.
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\XU1VF3FEKF => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\XU1VF3FEKF => value not found.
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\\X23F2ICD2E => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\X23F2ICD2E => value not found.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x80070422
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

========= End of CMD: =========

========= netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3538670314-229490412-194736154-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 35185093 B
Java, Flash, Steam htmlcache => 32677763 B
Windows/system/drivers => 58168769 B
Edge => 129262515 B
Chrome => 13806070 B
Firefox => 84230082 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 10772 B
NetworkService => 44990 B
Gregory => 723359447 B
Control => 23348 B
RecycleBin => 49152290 B
EmptyTemp: => 1 GB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 27-03-2017 18:00:18)

"C:\WINDOWS\system32\Drivers\drmkpro64.sys" => Could not move
"C:\WINDOWS\system32\tprdpw32.exe" => Could not move
"C:\Users\Gregory\AppData\Local\Temp\20170323\ct.exe" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

==== End of Fixlog 18:00:18 ====