start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [909944 2017-02-15] () <==== ATTENTION
2017-02-07 18:49 - 2017-02-07 18:49 - 00021582 _____ C:\WINDOWS\System32\Tasks\GTFAVENUE
2017-02-07 18:48 - 2017-02-14 22:00 - 00000000 ____D C:\Program Files (x86)\GTFAVENUE
2017-02-07 18:40 - 2017-02-07 19:03 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job
2017-02-07 18:40 - 2017-02-07 19:03 - 00000354 _____ C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job
C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job
C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job
2017-02-16 21:11 - 2016-11-21 07:27 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-01-25 03:32 - 2016-03-24 13:06 - 00000424 _____ C:\WINDOWS\Tasks\WpsNotifyTask_Administrator.job
2017-01-24 21:28 - 2016-03-24 13:06 - 00000424 _____ C:\WINDOWS\Tasks\WpsUpdateTask_Administrator.job
2017-02-07 18:50 - 2017-02-07 18:50 - 0126464 _____ () C:\Users\Linda M\AppData\Roaming\lobby.dat
2017-02-07 18:50 - 2017-02-07 18:50 - 1195716 _____ (Pidul ) C:\Users\Linda M\AppData\Local\Temp\2C8.tmp.exe
2017-02-07 19:34 - 2017-02-07 19:34 - 1195716 _____ (Pidul ) C:\Users\Linda M\AppData\Local\Temp\DAD7.tmp.exe
Task: {1892A2C9-A0CE-41EC-AE91-C0116EB7EDAE} - System32\Tasks\psv_Medron => cmd.exe /c regedit.exe /s "C:\ProgramData\Hotfresh\Lotity.reg" & del "C:\ProgramData\Hotfresh\Lotity.reg" & SCHTASKS /Delete /TN "psv_Medron" /F <==== ATTENTION
Task: {550D63C4-348B-4A71-AAFB-E8FFA996413C} - System32\Tasks\psv_Dancof => cmd.exe /c regedit.exe /s "C:\ProgramData\Hotfresh\Fincof.reg" & del "C:\ProgramData\Hotfresh\Fincof.reg" & SCHTASKS /Delete /TN "psv_Dancof" /F <==== ATTENTION
Task: {5D03734F-DC91-4E45-AE52-4C3FE94BDA69} - System32\Tasks\Traffic Exchange v2 - 3 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: {68E94824-088F-4CBF-BFB5-CD7C8CAAD230} - System32\Tasks\SMW_UpdateTask_Time_3531393934333931362d375b553441415045575a4a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {79EECFB3-0CC6-4DF1-BD73-CE6899B569EF} - System32\Tasks\Traffic Exchange v2 - 2 => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: {A4719989-FF7E-433A-B3D5-400AD175F911} - System32\Tasks\psv_Hat-Dex => cmd.exe /c regedit.exe /s "C:\ProgramData\Hotfresh\Blueflex.reg" & del "C:\ProgramData\Hotfresh\Blueflex.reg" & SCHTASKS /Delete /TN "psv_Hat-Dex" /F <==== ATTENTION
Task: {AEF3136D-A346-47A4-9626-3239C3C1092A} - System32\Tasks\GTFAVENUE => gtfavenue.exe
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 2.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Traffic Exchange v2 - 3.job => C:\Program Files (x86)\Microleaves\Traffic Exchange\OnlineGuardian-v2.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\WpsNotifyTask_Administrator.job => C:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.5247\wtoolex\wpsnotify.exe
Task: C:\WINDOWS\Tasks\WpsUpdateTask_Administrator.job => C:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.5247\wtoolex\wpsupdate.exe
EmptyTemp:
end