CreateRestorePoint:
CloseProcesses:
Unlock: C:\WINDOWS\System32\drivers\drmkpro64.sys
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
() C:\Windows\Microsoft\svchost.exe
() C:\Windows\Microsoft\svchost.exe.exe
() C:\Users\jayhooks\AppData\Local\Temp\3223.tmp.exe
() C:\Users\jayhooks\AppData\Local\wmipr\wmipr.exe
HKLM-x32\...\Run: [cpx] => "C:\Program Files\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [AnonymizerGadget] => "C:\Users\jayhooks\AppData\Roaming\AGData\bin\AnonymizerLauncher.exe" /S /startup --ppapi-flash-path=./pepflashplayer.dll /source:1721 /subsource: <==== ATTENTION
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKU\S-1-5-21-4042677840-2483703146-3127757777-1001\...\Run: [MCUNKANWNS.exe] => C:\Program Files\L07MIH5D7L\GRNJBWVNFI\MCUNKANWNS.exe [653312 2017-10-22] ()
HKU\S-1-5-21-4042677840-2483703146-3127757777-1001\...\Run: [g4link] => rundll32.exe "C:\Users\jayhooks\AppData\Local\g4link.dll",g4link <==== ATTENTION
HKU\S-1-5-21-4042677840-2483703146-3127757777-1001\...\Run: [TBHYQOQJGY.exe] => C:\Users\jayhooks\AppData\Roaming\9cecf9e697aa49f788db4ea21a209ae1\TBHYQOQJGY.exe
HKU\S-1-5-21-4042677840-2483703146-3127757777-1001\...\Run: [IGKZBMXNHK.exe] => C:\Users\jayhooks\AppData\Roaming\528c97a8d4f5494fb1187f6bf90329d8\IGKZBMXNHK.exe
HKU\S-1-5-21-4042677840-2483703146-3127757777-1001\...\Run: [cvyalsreso] => explorer "hxxp://granena.ru/?utm_source=uoua03n&utm_content=e739009bccd5f1e6d71a91bff5994529&utm_term=9CE792A7557E2098807C4F67D646CD91&utm_d=20171023" <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_btrnt_17_32&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwinyahoo%26cd%3D2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0B0AyB0FyC0E0CyCtB0BtN0D0Tzu0StBtDyDtCtN1L2XzuyEtFtCtDtFtDtFyDtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StDzytC0DtCtBzztBtGyDyEyCyEtGtAzzyD0CtGtB0F0D0BtG0CtAyE0DyE0AyC0FtDzzzzyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S1T1OtDtDtC1TtAyDtGtCtAyEzztGyEtCzzyCtG1Szy1RyBtGyDzzzyzz1R1Q1Szz1PyC1S1R2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAyBzyyBtN1Q2Z1B1P1RzutCyDtDtByCtAyEzytBzz%26cr%3D1027367271%26a%3Dwny_btrnt_17_32%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL =
SearchScopes: HKLM-x32 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_ir_17_15_ssg03&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0B0AyB0FyC0E0CyCtB0BtN0D0Tzu0StCzytAtBtN1L2XzutAtFtBzytFtAtFyDtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyDtA0EyB0Bzz0CtCtGyCyDtB0FtGyB0CzyyCtGyC0E0FzztGyD0DyB0DtC0BtDtAtD0DyBzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0D0B0FyEyD0B0CtGtCtB0EzytGyEzyzyyEtG0A0Bzy0FtGyDtBtCzyyD0B0CyBtC0ByCyB2QtN0A0LzuyE%26cr%3D526840001%26a%3Dwbf_ir_17_15_ssg03%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4042677840-2483703146-3127757777-1001 -> {0CE02FFA-A6B0-46F6-BA2F-BD32C3630126} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_btrnt_17_32&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwinyahoo%26cd%3D2XzuyEtN2Y1L1Qzu0BzztB0AyBtB0B0AyB0FyC0E0CyCtB0BtN0D0Tzu0StBtDyDtCtN1L2XzuyEtFtCtDtFtDtFyDtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StDzytC0DtCtBzztBtGyDyEyCyEtGtAzzyD0CtGtB0F0D0BtG0CtAyE0DyE0AyC0FtDzzzzyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S1T1OtDtDtC1TtAyDtGtCtAyEzztGyEtCzzyCtG1Szy1RyBtGyDzzzyzz1R1Q1Szz1PyC1S1R2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAyBzyyBtN1Q2Z1B1P1RzutCyDtDtByCtAyEzytBzz%26cr%3D1027367271%26a%3Dwny_btrnt_17_32%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4042677840-2483703146-3127757777-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL =
SearchScopes: HKU\S-1-5-21-4042677840-2483703146-3127757777-1001 -> {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL = hxxp://go.mail.ru/distib/ep/?q={searchTerms}&fr=ntg&product_id=%7B783F0A1D-100E-435F-9C37-1701E5D66859%7D&gp=811014
BHO: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\ZfJRwqLPhIE\tPllhnPh.dll [2017-10-22] ()
BHO-x32: Search@Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\jayhooks\AppData\Local\Mail.Ru\Sputnik\ie_addon_dll.dll [2017-10-22] (Mail.Ru)
BHO-x32: YoutubeAdBlock -> {C0D38E5A-7CF8-4105-8FE8-31B81443A114} -> C:\Program Files (x86)\ZfJRwqLPhIE\krtu1nr.dll [2017-10-22] ()
R2 AdsService; C:\Users\jayhooks\AppData\Local\AdService\AdService.dll [781312 2017-10-22] () [File not signed]
S2 Dataup; C:\Users\jayhooks\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 SvcHost Service Host; C:\Windows\Microsoft\svchost.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
S2 windowsmanagementservice; C:\Users\jayhooks\AppData\Local\fuuzbem\bvtdcd\ct.exe [X] <==== ATTENTION
R1 4a94989c673654521c40ccb6ab2aeb6b; C:\WINDOWS\system32\drivers\4a94989c673654521c40ccb6ab2aeb6b.sys [115336 2017-10-20] (CU37R1) <==== ATTENTION
Task: {039D54BE-3712-4E90-BA77-9DCCF7B8DA79} - System32\Tasks\zjwPaeaadZaNwF => rundll32 "C:\Program Files (x86)\JIdcnntTvnKU2\VHHEuuxfkAvry.dll",#1
Task: {0E35DAD4-7596-467D-A16A-CDB0B8B312AE} - System32\Tasks\GoogleUpdateSecurityTaskMachine_NP => C:\Users\jayhooks\AppData\Roaming\9cecf9e697aa49f788db4ea21a209ae1\chipset.exe exec hide TBHYQOQJGY.cmd <==== ATTENTION
Task: {1BBEE8CD-B376-46F9-B60E-AA82528E864F} - System32\Tasks\GoogleUpdateSecurityTaskMachine_DO => C:\Users\jayhooks\AppData\Local\Temp\4d77ba52b4a249ed8245ca7025a911b0\chipset.exe exec hide MMSOTUVFOR.cmd <==== ATTENTION
Task: {2D8B565D-95D4-4621-8D45-A19F41C17D40} - System32\Tasks\GoogleUpdateSecurityTaskMachine_AB => C:\Users\jayhooks\AppData\Roaming\528c97a8d4f5494fb1187f6bf90329d8\chipset.exe exec hide IGKZBMXNHK.cmd <==== ATTENTION
Task: {3A0A7E58-43C3-40FD-9D13-805730E51F08} - System32\Tasks\Simple Giga => C:\WINDOWS\system32\rundll32.exe "C:\Program Files\Simple Giga\Simple Giga.dll",ApbDpQFeN <==== ATTENTION
Task: {3B6D1D1C-1503-4A6B-B2D1-F7C5B0606265} - \LaunchPreSignup -> No File <==== ATTENTION
Task: {3FCAEA86-8B2A-4DDC-91E7-5599CB7DB9EA} - System32\Tasks\GoogleUpdateSecurityTaskMachine_KP => C:\Users\jayhooks\AppData\Local\935b845965f14e518271229e50212345\chipset.exe exec hide TWBPTJVILS.cmd <==== ATTENTION
Task: {7631081A-08D1-4261-8CF7-9EE5DB4489D6} - System32\Tasks\PjDfytumxbayONn2 => rundll32 "C:\Program Files (x86)\kqEuPYMaU\HEufAr.dll",#1
Task: {C4BEE5CC-1AAD-448F-B002-832F500C6260} - System32\Tasks\wmipr => C:\Users\jayhooks\AppData\Local\wmipr\wmipr.exe [2017-10-27] () <==== ATTENTION
Task: {C943B759-E84C-4CC0-9538-F5B2ACF5FE3C} - System32\Tasks\GoogleUpdateSecurityTaskMachine_HM => C:\Users\jayhooks\AppData\Roaming\adaf2a586c6c4167a5955460e2885d84\chipset.exe exec hide FCHSADMBSN.cmd <==== ATTENTION
Task: {CBBA9BCE-CB23-4E5D-9C59-8F7E3E355A8C} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2017-09-11] (Reimage®) <==== ATTENTION
Task: {DA787D0B-273B-41E3-97D4-50EC14C3779C} - System32\Tasks\AGProxyCheck => C:\Program [Argument = Files (x86)\AnonymizerGadget\AGService.exe /recove]
Task: {E29BB469-38ED-4341-BD93-731CC251F605} - System32\Tasks\PjDfytumxbayONn => rundll32 "C:\Program Files (x86)\kqEuPYMaU\HEufAr.dll",#1
Task: C:\WINDOWS\Tasks\PjDfytumxbayONn.job => C:\Program Files (x86)\kqEuPYMaU\HEufAr.dll
2017-10-27 15:01 - 2017-10-27 21:41 - 000799728 _____ () C:\Users\jayhooks\AppData\Local\wmipr\wmipr.exe
2017-10-22 22:09 - 2017-10-22 22:09 - 000781312 _____ () c:\users\jayhooks\appdata\local\adservice\adservice.dll
2017-10-28 19:51 - 2017-10-27 21:41 - 000799728 ____N () C:\Users\jayhooks\AppData\Local\Temp\7B2E.tmp.exe
EmptyTemp: