Start
CloseProcesses:
CreateRestorePoint:
C:\Windows\System32\spcwzonsvc.exe
C:\Users\sean\AppData\Local\zabnsgh\zabnsgh.exe
C:\Users\sean\AppData\Local\zabnsgh\zanwpbr.exe
C:\Users\sean\AppData\Local\zabnsgh\zanwpbr.exe
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
DeleteKey: HKLM\...\Run: [eighteenthnormalization] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
DeleteKey: HKLM\...\Run: [eighteentheighteenth] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
DeleteKey: HKLM-x32\...\Run: [chatter] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
DeleteKey: HKLM-x32\...\Run: [chatteroverreaching] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
DeleteKey: HKLM-x32\...\Run: [chatterchatter] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreaching] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreachingchatter] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreachingoverreaching] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalization] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalizationeighteenth] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalizationnormalization] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [mouth] => "C:\Program Files (x86)\wimbush\mouth.exe" ceqsgiw
DeleteKey: HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [neatest] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
ShortcutTarget: munich.lnk -> C:\Program Files (x86)\Brugge\Obese.exe (No File)
Startup: C:\Users\sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\munichmunich.lnk [2018-05-02]
ShortcutTarget: munichmunich.lnk -> C:\Program Files (x86)\corn\ppr.exe (No File)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Services\cxtodk <==== ATTENTION (Rootkit!)
S3 mracsvc; C:\WINDOWS\System32\mracsvc.exe [8010968 2018-02-21] (LLC Mail.Ru)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
S3 mracdrv; C:\WINDOWS\System32\drivers\mracdrv.sys [7238880 2018-02-21] (LLC Mail.Ru)
S1 b7f2e32f9d0eb58776295c9d10ee0497; \??\C:\WINDOWS\system32\drivers\b7f2e32f9d0eb58776295c9d10ee0497.sys [X]
S3 hloruy; system32\drivers\oruxbe.sys [X]
2018-05-04 20:27 - 2018-05-04 20:27 - 000000000 ____D C:\Users\sean\AppData\Local\wicdbvr
2018-05-04 01:16 - 2018-05-04 01:16 - 000000000 ____D C:\Users\sean\AppData\Local\rakgwch
2018-05-04 01:11 - 2018-05-04 01:11 - 000142672 ____N C:\WINDOWS\system32\Drivers\mbrbehlo.sys
2018-05-04 01:02 - 2018-05-04 01:02 - 000000328 _____ C:\Users\sean\AppData\Local\NetSupport.zip
2018-05-04 00:57 - 2018-05-04 20:25 - 000000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2018-05-02 19:01 - 2018-05-04 05:34 - 000000000 ____D C:\Users\sean\AppData\Local\cwizvhm
2018-05-02 19:01 - 2018-05-02 19:03 - 000000000 ____D C:\Users\sean\AppData\Local\wmcagent
2018-05-02 18:58 - 2018-05-04 21:16 - 000000000 ____D C:\Users\sean\AppData\Local\zabnsgh
2018-05-02 18:53 - 2018-05-02 18:53 - 000000580 ____H C:\WINDOWS\Tasks\RunBoosterUpdateTask.job
2018-05-02 18:53 - 2018-05-02 18:53 - 000000000 ____D C:\Users\sean\AppData\Local\NetSupport
2018-05-02 18:52 - 2018-05-02 19:01 - 000000000 ____D C:\Users\sean\Documents\Chameleon files
2018-05-02 18:52 - 2018-05-02 18:52 - 000000000 ____D C:\WINDOWS\SysWOW64\vdeplor
2018-05-02 18:52 - 2018-05-02 18:52 - 000000000 ____D C:\WINDOWS\system32\vdeplor
2018-05-02 18:52 - 2018-04-25 14:55 - 000043289 _____ C:\Users\sean\AppData\Roaming\DSAdaDSDA.js
2018-05-02 18:51 - 2018-05-02 18:51 - 000000282 _____ C:\WINDOWS\Tasks\marlinmarlin.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000268 _____ C:\WINDOWS\Tasks\untimelyuntimely.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000264 _____ C:\WINDOWS\Tasks\sealer leaderboard hiawathasealer leaderboard hiawatha.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000264 _____ C:\WINDOWS\Tasks\nonstop_kutchnonstop_kutch.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000260 _____ C:\WINDOWS\Tasks\nazar_enchantingnazar_enchanting.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000260 _____ C:\WINDOWS\Tasks\clyde-urieclyde-urie.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000260 _____ C:\WINDOWS\Tasks\baar substandardbaar substandard.job
2018-05-02 18:51 - 2018-05-02 18:51 - 000000012 _____ C:\WINDOWS\b71138719
2018-05-02 18:09 - 2018-05-02 18:09 - 000020992 _____ C:\WINDOWS\melnick.exe
2018-05-02 18:01 - 2018-05-04 20:39 - 002646894 _____ C:\WINDOWS\ntbtlog.txt
2018-05-02 17:32 - 2018-05-02 17:56 - 000000036 _____ C:\WINDOWS\progress.ini
2018-05-04 01:02 - 2018-05-04 01:02 - 000000328 _____ () C:\Users\sean\AppData\Local\NetSupport.zip
2018-04-14 23:34 - 2018-05-03 20:43 - 000000000 _____ () C:\Users\sean\AppData\Local\Temp\00e481b5e22dbe1f649fcddd505d3eb7.dll
2018-04-14 23:34 - 2018-05-03 20:43 - 000000017 _____ () C:\Users\sean\AppData\Local\Temp\0a72090ab23f8d000c164eb972d31f09.dll
UnLock: C:\WINDOWS\system32\drivers\mbrbehlo.sys
C:\WINDOWS\system32\drivers\mbrbehlo.sys
Task: C:\WINDOWS\Tasks\baar substandardbaar substandard.job => C:\Program Files (x86)\Ence\ppr.exe
Task: C:\WINDOWS\Tasks\clyde-urieclyde-urie.job => C:\Program Files (x86)\corn\ppr.exe
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\marlinmarlin.job => C:\Program Files (x86)\basically\basically.exe
Task: C:\WINDOWS\Tasks\nazar_enchantingnazar_enchanting.job => C:\Users\sean\AppData\Local\ppr.exe
Task: C:\WINDOWS\Tasks\nonstop_kutchnonstop_kutch.job => C:\Program Files (x86)\Ence\Obese.exe
Task: C:\WINDOWS\Tasks\RunBoosterUpdateTask.job => C:\Program Files\RunBooster\RunBoosterUpdateTask64.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\sealer leaderboard hiawathasealer leaderboard hiawatha.job => C:\Users\sean\AppData\Local\Obese.exe
Task: C:\WINDOWS\Tasks\untimelyuntimely.job => C:\Program Files (x86)\Brugge\Obese.exe
Hosts:
EmptyTemp:
CMD: ipconfig /flushDNS
end