CloseProcesses:
CreateRestorePoint:
SearchScopes: HKLM -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=elm&hsimp=yhs-001&type=hdr_s_16_44_wcb_ir_16_35&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dhodor%26cd%3D2XzuyEtN2Y1L1QzuyBtDyD0AtD0FtBtByD0DtBtCyB0EyDtBtN0D0Tzu0StCyByCyBtN1L2XzutAtFtByEtFtCtBtFyDtBtN1L1Czu1M1Q1CtByDtFtCtFtCtN1L1G1B1V1N2Y1L1Qzu2SyEyB0E0BtBzy0D0AtGtCzyyCtDtG0Ezy0BzztGyEyC0B0CtGyEtBtCyByEyEzztC0A0AyByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEtA0BtD0CtCyC0DtGtDtC0E0EtGyEyEzz0AtG0B0F0D0DtGtDzy0F0AyEyE0A0F0ByCtC0C2QtN0A0LzuyE%26cr%3D670971015%26a%3Dhdr_s_16_44_wcb_ir_16_35%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {f7bb050c-e116-44da-89c2-6f2b68c54836} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-c77d62fb&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-d5dc1718&q={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-d5dc1718&q={searchTerms}
SearchScopes: HKLM-x32 -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=elm&hsimp=yhs-001&type=hdr_s_16_44_wcb_ir_16_35&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dhodor%26cd%3D2XzuyEtN2Y1L1QzuyBtDyD0AtD0FtBtByD0DtBtCyB0EyDtBtN0D0Tzu0StCyByCyBtN1L2XzutAtFtByEtFtCtBtFyDtBtN1L1Czu1M1Q1CtByDtFtCtFtCtN1L1G1B1V1N2Y1L1Qzu2SyEyB0E0BtBzy0D0AtGtCzyyCtDtG0Ezy0BzztGyEyC0B0CtGyEtBtCyByEyEzztC0A0AyByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEtA0BtD0CtCyC0DtGtDtC0E0EtGyEyEzz0AtG0B0F0D0DtGtDzy0F0AyEyE0A0F0ByCtC0C2QtN0A0LzuyE%26cr%3D670971015%26a%3Dhdr_s_16_44_wcb_ir_16_35%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {f7bb050c-e116-44da-89c2-6f2b68c54836} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-c77d62fb&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2430580443-1646431325-2133495863-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-d5dc1718&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2430580443-1646431325-2133495863-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-d5dc1718&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2430580443-1646431325-2133495863-1001 -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=elm&hsimp=yhs-001&type=hdr_s_16_44_wcb_ir_16_35&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dhodor%26cd%3D2XzuyEtN2Y1L1QzuyBtDyD0AtD0FtBtByD0DtBtCyB0EyDtBtN0D0Tzu0StCyByCyBtN1L2XzutAtFtByEtFtCtBtFyDtBtN1L1Czu1M1Q1CtByDtFtCtFtCtN1L1G1B1V1N2Y1L1Qzu2SyEyB0E0BtBzy0D0AtGtCzyyCtDtG0Ezy0BzztGyEyC0B0CtGyEtBtCyByEyEzztC0A0AyByB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEtA0BtD0CtCyC0DtGtDtC0E0EtGyEyEzz0AtG0B0F0D0DtGtDzy0F0AyEyE0A0F0ByCtC0C2QtN0A0LzuyE%26cr%3D670971015%26a%3Dhdr_s_16_44_wcb_ir_16_35%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
CHR NewTab: Default -> Not-active:"chrome-extension://kgpcmjeckonpfoaacknfdaaehpjbflhl/stubby.html", Active:"chrome-extension://icgmhdpmdghobfppgncpanbehbecdhpb/stubby.html", Active:"chrome-extension://kmeplklncpfkhbkdogjognkoafdnpmha/newtab/newtab.html", Active:"chrome-extension://ianibjjlmopilahjckdaimnghbdlngkh/stubby.html", Active:"chrome-extension://kgdipifddaiedehdphnflapcinbndgmb/stubby.html", Not-active:"chrome-extension://ijjnmdphpnlnelhbhefnfmimenjgbfcn/stubby.html", Not-active:"chrome-extension://hjfmdccpchjbocfcmenkfmkcbmoldfee/stubby.html"
CHR DefaultSearchURL: Default -> hxxp://search.tb.ask.com/search/GGmain.jhtml?searchfor={searchTerms}&redirect=CPC
CHR DefaultSearchKeyword: Default -> askwebsearch
CHR DefaultSuggestURL: Default -> hxxp://ss.search.ask.com/ss?li=ff&sstype=prefix&limit=10&hl=en&q={searchTerms}
GroupPolicy: Restriction <======= ATTENTION
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
C:\Windows\Tasks\{162CBFFF-FBB6-0460-4EB2-502E03141E52}.job
C:\Windows\Tasks\{1FC15B2D-3674-CA95-514E-5241279BA123}.job
Task: {0C57387C-9D69-4083-BADA-24D6B2ADA18A} - System32\Tasks\{162CBFFF-FBB6-0460-4EB2-502E03141E52} => C:\Users\bubbl\AppData\Roaming\{5E666~1\SYNHEL~1.EXE [2013-04-11] () <==== ATTENTION
Task: {CE78FECC-058A-4767-AB55-03B208A04860} - System32\Tasks\Bing Powered Search ridid => Wscript.exe "C:\ProgramData\{C5DA00B9-4F98-8A7F-C95E-143D531C9FF3}\sita.txt" "687474703a2f2f79786870612e636f6d" "433a5c50726f6772616d446174615c7b43354441303042392d344639382d384137462d433935452d3134334435333143394646337d5c6e6f6369646f" "433a5c50726f6772616d446174615c7b43354441303042392d344639382d384137462d433935 (the data entry has 78 more characters).
Task: C:\WINDOWS\Tasks\Bing Powered Search ridid.job => Wscript.exe C:\ProgramData\{C5DA00B9-4F98-8A7F-C95E-143D531C9FF3}\sita.txt <==== ATTENTION
C:\WINDOWS\Tasks\Bing Powered Search ridid.job
Task: C:\WINDOWS\Tasks\{1FC15B2D-3674-CA95-514E-5241279BA123}.job => C:\Users\bubbl\AppData\Local\{8D97B~1\Helper.exe <==== ATTENTION
C:\Users\bubbl\AppData\Local\{8D97B~1\Helper.exe
AlternateDataStreams: C:\ProgramData\Temp:27C9AEEC [152]
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\Temp:3310F70A [374]
AlternateDataStreams: C:\ProgramData\Temp:6F1F66C0 [106]
AlternateDataStreams: C:\ProgramData\Temp:7929462F [144]
C:\ProgramData\{C5DA00B9-4F98-8A7F-C95E-143D531C9FF3}
Task: C:\WINDOWS\Tasks\{162CBFFF-FBB6-0460-4EB2-502E03141E52}.job => C:\Users\bubbl\AppData\Roaming\{5E666~1\SYNHEL~1.EXE [2013-04-11]
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
Emptytemp: