HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {20c1b7c7-a7ee-11e6-89f6-fcaa14c2fb92} - L:\Setup.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {696585ce-d229-11e3-961a-806e6f6e6963} - E:\Run.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {75480ec5-23ec-11e7-bc40-fcaa14c2fb92} - K:\Setup.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {75480f11-23ec-11e7-bc40-fcaa14c2fb92} - K:\Setup.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {75480f62-23ec-11e7-bc40-fcaa14c2fb92} - K:\setup.exe -a
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {98507fb2-4a79-11e7-8dc1-fcaa14c2fb92} - K:\Setup.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {ad504ddb-2ab0-11e5-883e-806e6f6e6963} - "P:\WD SmartWare.exe" autoplay=true
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {c38be7d2-8209-11e4-99ab-806e6f6e6963} - F:\Run.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {d4c2d37b-a551-11e5-899c-001b10002aec} - K:\Startme.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {ea572361-749b-11e5-8398-001b10002aec} - K:\Setup.exe
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\...\MountPoints2: {f2f63f40-5221-11e6-be00-fcaa14c2fb92} - O:\Setup.exe
S2 AppmallosayoV; no ImagePath
S2 MxService; C:\Program Files (x86)\Maxthon\Bin\MxService.exe [X]
S2 system_http_dll; C:\ProgramData\9e153da59d\e7b640f780.exe [X]
S3 cpuz134; \??\C:\Users\admin\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X] <==== ATTENTION
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
ShellIconOverlayIdentifiers: [0TheftProtectionDll] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} => -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
ContextMenuHandlers5: [Run] -> {2559A1F3-21D7-11D4-BDAF-00C04F60B9F0} => -> No File
ContextMenuHandlers5: [Search] -> {2559A1F0-21D7-11D4-BDAF-00C04F60B9F0} => -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
Task: {4120B6CA-8F1B-4B45-898E-88DB55ED0E1E} - \AVG-SSU_0317tb_DELETE -> No File <==== ATTENTION
Task: {F5684CF2-9853-4E68-9845-2CEE01990AA5} - System32\Tasks\AVG EUpdate Task => avgsetupx.exe
Task: C:\Windows\Tasks\CTServiceInstaller.job => C:\Program Files (x86)\Cold Turkey\CTServiceInstaller.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
AlternateDataStreams: C:\Users\admin\AppData\Local\CW8MKdOz3eydkEX:A4VMR1bqMZky8uETs6ODdus [2630]
AlternateDataStreams: C:\ProgramData\Microsoft:mTcPzRjTPWDZYLSQyfTA3D [2718]
AlternateDataStreams: C:\ProgramData\Microsoft:vHezHRZxxwHTn3Tbuctt8zz [2420]
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [163]
AlternateDataStreams: C:\ProgramData\TEMP:58A5270D [376]
AlternateDataStreams: C:\ProgramData\TEMP:CB0AACC9 [308]
HKU\S-1-5-21-3425645261-2527552339-4145300971-1000\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
MSCONFIG\startupreg: Chromium => c:\users\admin\appdata\local\chromium\application\chrome.exe --auto-launch-at-startup --profile-directory=Default --restore-last-session
FirewallRules: [{37ECEAC0-AB95-4B56-AD1A-EE9570DCE75A}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{8C582BA6-1710-4C25-AED4-2AC80D8ADB35}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{BFF466DD-9B89-44E0-B440-08357C4DD189}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\MxUp.exe
FirewallRules: [{1C18BD99-8C85-4006-A3A8-EF4F572E3854}] => (Allow) C:\Program Files (x86)\Maxthon\Bin\Maxthon.exe
FirewallRules: [{BD284F0E-8D77-4C28-88A4-62AC559620A9}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{E3B785F7-0B8C-4C58-84FB-7F8F345C4DBA}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{A93D5526-2BC3-4EE9-ABE1-287A30E2AF3D}] => (Allow) C:\Users\admin\AppData\Local\Temp\nsc7F4E.tmp\Installer-76048000.exe
FirewallRules: [{8C5102AA-7C1E-4CD7-8190-C78EB42B4AF3}] => (Allow) C:\Users\admin\AppData\Local\Temp\nsc7F4E.tmp\Installer-76048000.exe
FirewallRules: [{C86264C2-35E1-485F-8B60-4BBF5D3A4E5B}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{48E2E7E4-2EF3-43ED-982E-6564D98EBD7B}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
C:\Program Files (x86)\AVG
CMD: Type C:\Ruby22-x64\bin\irb.bat
CMD: type C:\Ruby22-x64\bin\setrbvars.bat
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
Reboot: