CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-334e1111
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-334e1111
HKU\S-1-5-21-460736838-1080885726-4207931419-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-334e1111
HKU\S-1-5-21-460736838-1080885726-4207931419-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://ca.msn.com/
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKU\S-1-5-21-460736838-1080885726-4207931419-1002 -> DefaultScope {AAE01011-C803-40C8-B932-1F086BF9BBFD} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
SearchScopes: HKU\S-1-5-21-460736838-1080885726-4207931419-1002 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-460736838-1080885726-4207931419-1002 -> {AAE01011-C803-40C8-B932-1F086BF9BBFD} URL = hxxps://ca.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro&p={searchTerms}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-08-09] (Microsoft Corporation)
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
FF Homepage: hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_fremkfs_16_30&param1=1&param2=f%3D1%26b%3DFirefox%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0EzzzyyE0FyCtByD0D0FtB0EtBtBtCyEtN0D0Tzu0StCyCyCyBtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StCyCyCtDtA0F0CtBtGyDzytB0BtGyB0CyEzztGyD0EtB0CtG0C0Czz0FyDzz0D0EzztD0DtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SzytBtDtCyDyDyDyCtG0E0BzytAtGyE0DyEyCtG0ByB0FtAtGtAyDzztCtDyByDtD0AyC0DtB2QtN0A0LzuyE%26cr%3D419674973%26a%3Dwbf_fremkfs_16_30%26os_ver%3D10.0%26os%3DWindows%2B10%2BPro
CHR DefaultSearchURL: Default -> hxxp://srch.bar/{searchTerms}
CHR DefaultSuggestURL: Default -> hxxp://srch.bar/?s={searchTerms}
U3 idsvc; no ImagePath
C:\Windows\Tasks\{74A9F5F3-7B8F-F503-BA05-2BAACE3A64FF}.job
Task: {04601ED0-20CA-46E9-A6F5-8A0B598B6B15} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {05344639-00AA-460E-AC60-5ED54116871F} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {0D371FB2-D67C-41BE-89BC-015B57EB9010} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {33701670-AFE4-4927-96CC-760C515FFCF7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {34BC0C3F-8224-4FB8-AA62-E802401D5A2A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {45EC807C-9A04-46CE-A3AD-9C525C97612D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {7933B59A-D8C4-4D18-9A72-446FD6584436} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {AAE89895-09FC-4157-ADCC-A56DEE0208FA} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {AB1D7B70-EC74-4857-B665-1E96CE3CAB3C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E1FFC7BC-FEE4-4630-B3ED-E12383FEFC42} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {EE1F73FD-079D-4350-94A2-6763D198CC52} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {FB1668FE-C138-4853-A1C9-45DD0317ED57} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {FFD2F104-E0AD-4E36-92E9-DF54E65B9961} - System32\Tasks\{74A9F5F3-7B8F-F503-BA05-2BAACE3A64FF} => C:\Users\Eva\AppData\Roaming\{7CE34~1\SyncTask.exe [2013-04-25] () <==== ATTENTION
C:\Users\Eva\AppData\Roaming\{7CE34~1\
Task: C:\WINDOWS\Tasks\Yahoo! Powered titil.job => Wscript.exe C:\ProgramData\{15FCD09F-9FBE-5A59-1978-C41B833A4FD5}\fida.txt <==== ATTENTION
Task: C:\WINDOWS\Tasks\{74A9F5F3-7B8F-F503-BA05-2BAACE3A64FF}.job => C:\Users\Eva\AppData\Roaming\{7CE34~1\SyncTask.exe <==== ATTENTION
C:\ProgramData\{15FCD09F-9FBE-5A59-1978-C41B833A4FD5}
C:\Users\Eva\AppData\Roaming\{7CE34~1\SyncTask.exe
2016-07-24 22:11 - 2016-08-15 00:11 - 00000992 _____ C:\WINDOWS\Tasks\Yahoo! Powered titil.job
2016-07-24 22:11 - 2016-08-15 00:11 - 00000000 ____D C:\ProgramData\{15FCD09F-9FBE-5A59-1978-C41B833A4FD5}
2016-07-24 22:11 - 2016-08-10 19:11 - 00000000 ____D C:\Users\Eva\AppData\Roaming\{7CE34A58-59B1-272E-3287-00FCEE55FDC2}
2016-07-24 22:11 - 2016-07-24 22:11 - 00004066 _____ C:\WINDOWS\System32\Tasks\Yahoo! Powered titil
CMD: bitsadmin /reset /allusers
Emptytemp: