HKLM\...\Run: [pcreg] => C:\Program Files\pcreg\service.exe
C:\Program Files\pcreg
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\oxnlwag-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\oxnlwag.dll ()
Winlogon\Notify\oxnmkag-x32: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\oxnmkag.dll ()
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\oxnlwag.dll
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\oxnmkag.dll
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-21-2418151325-680678365-4071922823-1001\...\Run: [Sebuyfpipe] => C:\Users\Daddy\AppData\Roaming\Uzucxe\kaitma.exe
HKU\S-1-5-21-2418151325-680678365-4071922823-1001\...\Run: [Yhsise] => C:\Users\Daddy\AppData\Roaming\Maavty\uqfatyu.exe
HKU\S-1-5-21-2418151325-680678365-4071922823-1001\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-2418151325-680678365-4071922823-1001\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-18\...\Run: [MasgAteri] => regsvr32.exe "C:\ProgramData\MasgAteri\MasgAteri.dat"
C:\ProgramData\MasgAteri
HKU\S-1-5-18\...\Run: [HonudZuwwo] => regsvr32.exe "C:\ProgramData\HonudZuwwo\HonudZuwwo.dat"
C:\ProgramData\HonudZuwwo
HKU\S-1-5-18\...\Run: [oxnmkag] => rundll32 "C:\Windows\system32\config\systemprofile\AppData\Local\oxnmkag.dll",oxnmkag <===== ATTENTION
C:\Windows\system32\config\systemprofile\AppData\Local\oxnmkag.dll
HKU\S-1-5-18\...\Run: [rdrmemptylst] => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEUpdate\rdrmemptylst.exe [134656 2014-03-04] ()
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEUpdate\rdrmemptylst.exe
HKU\S-1-5-18\...\RunOnce: [rdrmemptylst] => C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEUpdate\rdrmemptylst.exe [134656 2014-03-04] ()
HKU\S-1-5-18\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-18\...\Policies\Explorer: [TaskbarNoNotification] 0
HKU\S-1-5-18\...\Policies\Explorer: [Run] "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IEUpdate\rdrmemptylst.exe"
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hivoug.exe (Anubisel Corporatu)
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hivoug.exe
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hivoug.exe (Anubisel Corporatu)
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hivoug.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\.DEFAULT\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2418151325-680678365-4071922823-1001\Software\Microsoft\Internet Explorer\Main,bProtector Start Page = http://search.babylo...000d4856418c280
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.v9.com...q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.v9.com/?t...=WDCXWD1001FAES
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.v9.com/?t...=WDCXWD1001FAES
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.v9.com...q={searchTerms}
SearchScopes: HKLM -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {33532E57-ED6E-4D55-A0B4-A91A2D3A7A46} URL = http://www.ask.com/w...}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.v9.com/we...q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {33532E57-ED6E-4D55-A0B4-A91A2D3A7A46} URL = http://www.ask.com/w...}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.v9.com/we...q={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {EDCF6BB3-29DA-4EE9-A8C0-055D31AAB204} URL =
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> DefaultScope 50DA95C4697B43C9AA069B8051E4B6C2 URL = http://search.babylo...000d4856418c280
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> bProtectorDefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> URL http://search.condui...rchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> SuggestionsURL_JSON http://suggest.searc...x={searchTerms}
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> 50DA95C4697B43C9AA069B8051E4B6C2 URL = http://search.babylo...000d4856418c280
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> {33532E57-ED6E-4D55-A0B4-A91A2D3A7A46} URL =
SearchScopes: HKU\S-1-5-21-2418151325-680678365-4071922823-1001 -> {FCA087C2-F14C-4F8F-B004-F2EDA8BA0EE5} URL =
BHO: Start Savin BHO -> {181F2C09-56DD-4F98-86D7-59BA2BC59B5A} -> C:\Program Files (x86)\Start Savin\FrameworkBHO64.dll No File
C:\Program Files (x86)\Start Savin
BHO: YoutubeAdBlocke -> {6c74318f-cf02-41c3-b044-f44006112093} -> C:\Program Files (x86)\YoutubeAdBlocke\2hnE6l2EEaexfW.x64.dll ()
C:\Program Files (x86)\YoutubeAdBlocke
FF SearchEngineOrder.1: Search the web (Babylon)
FF Homepage: hxxp://www.v9.com/?type=hp&ts=1415423197&from=cor&uid=WDCXWD1001FAES
FF user.js: detected! => C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\user.js
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
FF SearchPlugin: C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\searchplugins\ask-search.xml
FF SearchPlugin: C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\searchplugins\babylon1.xml
FF SearchPlugin: C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\searchplugins\bing-zugo.xml
FF SearchPlugin: C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\searchplugins\google-default.xml
FF Extension: Coupons.com CouponBar - C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\Extensions\Coupons.com [2013-12-05]
FF Extension: Babylon Toolbar - C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\Extensions\ffxtlbr@babylon.com [2012-12-08]
FF Extension: GoSave - C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\Extensions\UGP@B.com [2014-11-10]
FF Extension: YoutubeAdBlocke - C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\nurj2h8b.default\Extensions\YB@d.edu [2014-11-10]
FF HKLM-x32\...\Firefox\Extensions: [{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}] - C:\Program Files (x86)\Coupons.com CouponBar\firefox\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}\Coupons.com.xpi
C:\Program Files (x86)\Coupons.com CouponBar
S4 IHProtect Service; C:\Program Files (x86)\STab\ProtectService.exe [158864 2014-11-05] (TODO: )
C:\Program Files (x86)\STab
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [cnpkmcjgpcihgfnkcjapiaabbbplkcmf] - C:\Program Files (x86)\Coupons.com CouponBar\chrome\Coupons.com.crx []
CHR HKLM-x32\...\Chrome\Extension: [lcnnhcneegeeojhgpfijnlnocjdmlaon] - C:\ProgramData\ValueApps\CH\ValueApps.crx [2014-01-10]
C:\ProgramData\ValueApps
S4 fc67e7a0; [X]
S4 pcregservice; [X]
S1 yiiuobyi; \??\C:\Windows\system32\drivers\yiiuobyi.sys [X]
C:\Windows\system32\drivers\yiiuobyi.sys
C:\ProgramData\HeciBawuw
2014-11-25 01:28 - 2014-11-25 01:28 - 00000806 _____ () C:\Windows\Tasks\Security Center Update - 2042579260.job
2014-11-25 01:27 - 2014-12-05 22:00 - 00000800 _____ () C:\Windows\Tasks\Security Center Update - 3197449427.job
2014-11-25 01:27 - 2014-11-25 01:27 - 00003808 _____ () C:\Windows\System32\Tasks\Security Center Update - 3197449427
2014-11-07 23:42 - 2014-12-06 23:26 - 00000476 ____H () C:\Windows\Tasks\GS_Booster-S-576482620.job
C:\ProgramData\GoSave
C:\ProgramData\YoutubeAdBlocke
C:\ProgramData\1f2ee141e8770edc
C:\Users\HomeGroupUser$\AppData\Local\Torch
C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
C:\Users\Guest\AppData\Local\Torch
C:\Users\Guest\AppData\Local\Chromatic Browser
C:\Users\Administrator\AppData\Local\Torch
C:\Users\Administrator\AppData\Local\Chromatic Browser
C:\ProgramData\BoostSoftware
C:\Users\Daddy\AppData\Roaming\DigitalSites
C:\ProgramData\IHProtectUpDate
CustomCLSID: HKU\S-1-5-21-2418151325-680678365-4071922823-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\umpo.dll (Microsoft Corporation)
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
Task: {3C374920-A6E0-43FE-AF59-DB57BDCD7CAC} - \GS_Booster-S-576482620 No Task File <==== ATTENTION
Task: {7EF272F8-BF45-407F-8EA8-491BCF10484D} - System32\Tasks\Security Center Update - 1470752179 => C:\Users\Daddy\AppData\Roaming\Uzucxe\kaitma.exe <==== ATTENTION
C:\Users\Daddy\AppData\Roaming\Uzucxe
Task: {8C751A7C-F4D8-4570-8A12-3EBDA148E924} - System32\Tasks\Security Center Update - 3197449427 => C:\Users\Daddy\AppData\Roaming\Maavty\uqfatyu.exe <==== ATTENTION
C:\Users\Daddy\AppData\Roaming\Maavty\
Task: {A0D0A5BB-5AF7-4E81-938D-2720378935B8} - System32\Tasks\BitGuard => Sc.exe start BitGuard <==== ATTENTION
Task: {A667FD9A-6B0D-419D-8982-CE22A6BA1662} - \pcreg No Task File <==== ATTENTION
Task: {C18B431B-201D-41CE-AB6D-403F5C03E34A} - \AdobeFlashPlayerUpdate No Task File <==== ATTENTION
Task: {D09D2C62-5BB7-4BCD-8677-8334474090BA} - System32\Tasks\{A1BE5E4B-F6ED-47AD-8BAF-E027EE4DBA62} => C:\Windows\system32\mvugsv.dll [2014-10-13] ()
C:\Windows\system32\mvugsv.dll
Task: C:\Windows\Tasks\GS_Booster-S-576482620.job => c:\programdata\trusted publisher\gs_booster\GS_Booster.exe <==== ATTENTION
c:\programdata\trusted publisher\
Task: C:\Windows\Tasks\Security Center Update - 1470752179.job => C:\Users\Daddy\AppData\Roaming\Uzucxe\kaitma.exe <==== ATTENTION
Task: C:\Windows\Tasks\Security Center Update - 2042579260.job => C:\Users\Daddy\AppData\Roaming\Sedoimry\eqrygi.exe <==== ATTENTION
Task: C:\Windows\Tasks\Security Center Update - 3197449427.job => C:\Users\Daddy\AppData\Roaming\Maavty\uqfatyu.exe <==== ATTENTION
C:\Users\Daddy\AppData\Roaming\Sedoimry
C:\Users\Daddy\AppData\Roaming\Maavty
Hosts:
cmd:ipconfig /flushdns
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services" /F
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
cmd:type c:\combofix.txt
cmd:bitsadmin /reset /allusers