CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\RunOnce: [Natesug] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Rich\AppData\Roaming\Heginab"
HKLM-x32\...\RunOnce: [Hebobata] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Rich\AppData\Roaming\Pakunapuci"
HKU\S-1-5-21-2378730425-1505431104-4289691418-1001\...\Run: [Chromium] => c:\users\rich\appdata\local\chromium\application\chrome.exe [1035264 2016-03-17] (The Chromium Authors)
HKU\S-1-5-18\...\Run: [] => [X]
c:\users\rich\appdata\local\chromium
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {AE4D2230-7F89-4110-8671-AE3A9C1B34B5} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaITwrQGR7xTVoN9I4y7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8wVQ3vqYXwVRdJqYVvFM4J6IWwVNdIWYWvmk4ICIVNVM9GqYVNUI3wGYGwVM3vmIYvFI9GqUNNos3wCIYwVA9JmoVwVA9J6ITvFI9ISILNFdcJ6k8wV5cGWUSNFRcEqULNopcGWUIvmFbF6IVwVNdJ6oXvFI9JaYXvFM9I6oVwVI4J6oWwVxdIqYXwVM9JmISwVVdJ6k4vmo9I6oWNVA3vCk3wVJdISoUNVJdJaYTNVBdJGQIwV5cGGUTNFRbDqUDNF5bDGUNNEU3wGQGNVQ9JCIWNVBdJaYVvFI4JmISvmo9J6k4NVE9I6oUvFE9ISIWwVw3vmoWNVRdICISvFE9JaYXvmo3vCIXNVE3vCoUvFFdImIYNoU9GqYYNVc3wCoUwV5cJqQzNEBcEWUGNF43wCIWwVM4ISIVwVJoNqAqxrFaIWN4LWF4MWRcLXFbMnVoN9I4ATsux81cM81dNo0gzDRoNqAex807ACRoN9JcNX5dQGR7y6NoN9ICzD4py6waQGQXNGZoNpQRy78o&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
SearchScopes: HKLM -> {AE4D2230-7F89-4110-8671-AE3A9C1B34B5} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=ArFaIWJoNqArQGMVHFFoNqAqBbFaITwrQGR7xTVoN9I4y7IsQGR7B7JoN9JbDSk8vFE9GqQANFdcFCk8wVQ3vqYXwVRdJqYVvFM4J6IWwVNdIWYWvmk4ICIVNVM9GqYVNUI3wGYGwVM3vmIYvFI9GqUNNos3wCIYwVA9JmoVwVA9J6ITvFI9ISILNFdcJ6k8wV5cGWUSNFRcEqULNopcGWUIvmFbF6IVwVNdJ6oXvFI9JaYXvFM9I6oVwVI4J6oWwVxdIqYXwVM9JmISwVVdJ6k4vmo9I6oWNVA3vCk3wVJdISoUNVJdJaYTNVBdJGQIwV5cGGUTNFRbDqUDNF5bDGUNNEU3wGQGNVQ9JCIWNVBdJaYVvFI4JmISvmo9J6k4NVE9I6oUvFE9ISIWwVw3vmoWNVRdICISvFE9JaYXvmo3vCIXNVE3vCoUvFFdImIYNoU9GqYYNVc3wCoUwV5cJqQzNEBcEWUGNF43wCIWwVM4ISIVwVJoNqAqxrFaIWN4LWF4MWRcLXFbMnVoN9I4ATsux81cM81dNo0gzDRoNqAex807ACRoN9JcNX5dQGR7y6NoN9ICzD4py6waQGQXNGZoNpQRy78o&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
SearchScopes: HKLM -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3a149f73&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=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&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=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&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
SearchScopes: HKLM-x32 -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxp://www.bing.com/search?FORM=INCOH2&PC=IC05&PTAG=ICO-3a149f73&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2378730425-1505431104-4289691418-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=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&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2378730425-1505431104-4289691418-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=zxy_254016dc6fd1d62588&param1=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&param2=NGN6NWFbMqx4Md%3D%3D&p={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
FF NewTab: Mozilla\Firefox\Profiles\1yxbpzh6.default -> about:newtab
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\1yxbpzh6.default -> Secure Search
FF Keyword.URL: Mozilla\Firefox\Profiles\1yxbpzh6.default -> user_pref("keyword.URL", true);
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
C:\Windows\Tasks\{366020EE-389F-B149-8A83-5B4EDA93D3C4}.job
C:\Windows\Tasks\{45F029EF-05A1-556B-0B91-05478F3DD462}.job
1997-10-03 11:14 - 1997-10-03 11:14 - 0287232 _____ (Microsoft Corp.) C:\Users\Rich\AppData\Local\Temp\setup.exe
1997-10-01 13:30 - 1997-10-01 13:30 - 0338432 _____ (Microsoft Corporation) C:\Users\Rich\AppData\Local\Temp\setupenu.dll
Task: {0DBED186-56DD-48CC-8819-16090ABDEB78} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {1976BFCE-FAA8-4446-958D-A99549B4ED8F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {283A4571-0D77-46DB-94BE-724979CBFDDD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {296A2CE9-539B-4C6C-8454-CFE5E761FD9E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {52C3B19C-1DEA-4F19-8EF8-B763766AB1AF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {8999DFA6-9247-46EA-BC52-0157776147CA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B12FC165-8CFB-42EA-A3AA-B357F12E41F3} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {B513B9A2-5D99-4578-A2BC-666F0F9651D8} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {BE3EB0EA-CD3F-4601-BE64-0577F50653D9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C4424FB2-169E-4B6B-9473-E700CA130EFE} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {C4621EB0-0C39-4CCE-A869-FE78B11F8B1B} - System32\Tasks\{366020EE-389F-B149-8A83-5B4EDA93D3C4} => C:\Users\Rich\AppData\Local\{8F5FB~1\UPDATE~1.EXE <==== ATTENTION
Task: {C8D0D553-8933-413C-BCB4-E6C1E012FA0E} - System32\Tasks\Bing Search Engine moser => Wscript.exe "C:\ProgramData\{544C912F-DE0E-1BE9-58C8-85ABC28A0E65}\como.txt" "687474703a2f2f77617662736c792e636f6d" "433a5c50726f6772616d446174615c7b35343443393132462d444530452d314245392d353843382d3835414243323841304536357d5c6c696465666f" "433a5c50726f6772616d446174615c7b35343443393132462d444530452d314245392d35 (the data entry has 82 more characters).
Task: {F9F1CEA7-A594-4439-98A7-FF0C714448B0} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Bing Search Engine moser.job => Wscript.exe C:\ProgramData\{544C912F-DE0E-1BE9-58C8-85ABC28A0E65}\como.txt <==== ATTENTION
Task: C:\WINDOWS\Tasks\{366020EE-389F-B149-8A83-5B4EDA93D3C4}.job => C:\Users\Rich\AppData\Local\{8F5FB~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\WINDOWS\Tasks\{45F029EF-05A1-556B-0B91-05478F3DD462}.job => C:\Users\Rich\AppData\Roaming\45F029~1\synctask.exe <==== ATTENTION
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp: