start
CloseProcesses:
CreateRestorePoint:
GroupPolicy: Restriction <==== ATTENTION
SearchScopes: HKLM -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxps://it.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9ae4fc5a&param1=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%3D&param2=NGB8NGNdMqtcMt%3D%3D&p={searchTerms}
SearchScopes: HKLM-x32 -> {26080cad-4adc-49ac-8c63-eda16e595cbd} URL = hxxps://it.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9ae4fc5a&param1=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%3D&param2=NGB8NGNdMqtcMt%3D%3D&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2456348864-149053691-2700751086-1001 -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxps://it.search.yahoo.com/yhs/search?hspart=arh&hsimp=yhs-001&type=xy_9ae4fc5a&param1=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%3D&param2=NGB8NGNdMqtcMt%3D%3D&p={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
U1 lpsport; no ImagePath
2017-05-12 00:32 - 2017-05-12 00:32 - 00000000 ____D C:\ProgramData\SWCUTemp
Task: {F0835428-F686-4782-8BC6-6F97804FED69} - System32\Tasks\Bing Search Engine narin => C:\WINDOWS\system32\wscript.exe "C:\ProgramData\{68ACADCF-E2EE-2709-6428-B94BFE6A3285}\tafa.txt" "687474703a2f2f77617662736c792e636f6d" "433a5c50726f6772616d446174615c7b36384143414443462d453245452d323730392d363432382d4239344246453641333238357d5c72656c69726f" "433a5c50726f6772616d446174615c7b36384143414443462d453245452d323730392d36 (the data entry has 82 more characters). <==== ATTENTION
Task: {F4E3BCF8-3786-4991-818B-AEC14FE96E10} - System32\Tasks\Search Provided by Bing narin => C:\WINDOWS\system32\wscript.exe "C:\ProgramData\{B8007D63-3242-F7A5-B484-69E72EC6E229}\tafa.txt" "687474703a2f2f79786870612e636f6d" "433a5c50726f6772616d446174615c7b42383030374436332d333234322d463741352d423438342d3639453732454336453232397d5c72656c69726f" "433a5c50726f6772616d446174615c7b42383030374436332d333234322d463741352d423438 (the data entry has 78 more characters). <==== ATTENTION
Task: C:\WINDOWS\Tasks\Bing Search Engine narin.job => Wscript.exe C:\ProgramData\{68ACADCF-E2EE-2709-6428-B94BFE6A3285}\tafa.txt <==== ATTENTION
Task: C:\WINDOWS\Tasks\Search Provided by Bing narin.job => Wscript.exe C:\ProgramData\{B8007D63-3242-F7A5-B484-69E72EC6E229}\tafa.txt <==== ATTENTION
EmptyTemp:
end