start
CloseProcesses:
CreateRestorePoint:
C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\6\Plugin.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\3\Plugin.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\4\Plugin.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\5\Plugin.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\2\Plugin.exe
C:\ProgramData\c716fd70-872c-4aaa-a07f-e248365d7f56\plugins\8\Plugin.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sweet-page.com/?type=hp&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
SearchScopes: HKLM -> OldSearch URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://fr.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_secureddownload_15_21&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FtDyBzyyDzyzztC0B0F0DtByByE0AtCtN0D0Tzu0StCtBtAzytN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StByEzzyBzy0F0DtBtGyC0FyEyEtGyE0CzytDtGtAtAzzzztGyCyB0Bzz0EyDtAyBzyyDtBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DyByEyB0CtDyEtG0FtD0E0FtGyEyEtCtBtGzyzyzz0AtG0FtD0AyEtC0CtA0F0DyCtBtA2QtN0A0LzuyE%26cr%3D1612253123%26a%3Dwncy_secureddownload_15_21%26os%3DWindows 8.1&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3157952996-1925456827-2438661710-1001 -> OldSearch URL = http://fr.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_secureddownload_15_21&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dfr%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0FtDyBzyyDzyzztC0B0F0DtByByE0AtCtN0D0Tzu0StCtBtAzytN1L2XzutAtFtCtDtFtCtDtFtDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StByEzzyBzy0F0DtBtGyC0FyEyEtGyE0CzytDtGtAtAzzzztGyCyB0Bzz0EyDtAyBzyyDtBtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0A0DyByEyB0CtDyEtG0FtD0E0FtGyEyEtCtBtGzyzyzz0AtG0FtD0AyEtC0CtA0F0DyCtBtA2QtN0A0LzuyE%26cr%3D1612253123%26a%3Dwncy_secureddownload_15_21%26os%3DWindows 8.1&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3157952996-1925456827-2438661710-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.sweet-page.com/web/?type=ds&ts=1429879288&from=corfr&uid=ST1000LM024XHN-M101MBB_S32XJ9BF991428&q={searchTerms}
CHR HKU\S-1-5-21-3157952996-1925456827-2438661710-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfecnpmgnlnbmipaogfhoacoioifjgko] - http://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfecnpmgnlnbmipaogfhoacoioifjgko] - http://clients2.google.com/service/update2/crx
R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [7410024 2015-01-14] (Reimage®)
2015-06-18 16:36 - 2015-06-18 16:36 - 00000000 ____H C:\Users\Roland\AppData\Local\BITA47.tmp
2015-06-18 16:34 - 2015-04-23 02:24 - 00000093 _____ C:\Users\Roland\AppData\Roaming\sp_data.sys
2015-04-23 02:24 - 2015-06-18 16:34 - 0000093 _____ () C:\Users\Roland\AppData\Roaming\sp_data.sys
2014-10-29 08:25 - 2009-07-22 12:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-10-29 08:25 - 2012-09-07 13:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
Reimage Protector (HKLM\...\Reimage Protector) (Version: - Reimage) <==== ATTENTION
Task: {C164FA8C-6C2C-4DDC-9AC1-30B636257601} - System32\Tasks\LaunchPreSignup => C:\Program Files (x86)\OLBPre\OLBPre.exe <==== ATTENTION
Task: {E678C35E-39DB-49E2-85E2-D1DA4C3DD416} - \ReimageUpdater No Task File <==== ATTENTION
EmptyTemp:
end