start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Tcpip\..\Interfaces\{b2f35a97-89d0-494a-a4a2-78b4450f2c62}: [NameServer] 82.163.142.7 95.211.158.134
Tcpip\..\Interfaces\{b2f35a97-89d0-494a-a4a2-78b4450f2c62}: [DhcpNameServer] 82.163.142.7
Tcpip\..\Interfaces\{bfd5d2ba-228c-490d-a091-c7be20023ed9}: [NameServer] 82.163.142.7 95.211.158.134
Tcpip\..\Interfaces\{bfd5d2ba-228c-490d-a091-c7be20023ed9}: [DhcpNameServer] 82.163.142.7
Tcpip\Parameters: [NameServer] 82.163.142.7 95.211.158.134
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-131674589-2647457900-2010738365-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_sumalq_16_29&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyEtB0Bzzzy0AtAtAzz0AyD0ByEyEtA0BtN0D0Tzu0StCyCyCyDtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StByDtCyD0CyE0D0CtGyE0F0EzytG0DtBtBtBtGtBtB0F0BtGtBtD0C0BtD0EtB0CzytC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0D0DtBtA0B0FtCyBtGtD0EzyzztGyEtByB0AtG0Azz0CzztGtCyDyE0AyD0FtAzyyEtDyB0B2QtN0A0LzuyE%26cr%3D1733299904%26a%3Dwnf_sumalq_16_29%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfQAMAg4UGVBBbQldV11cFQ0bIhQBVgtIDANGcgBeAwhGEgxHeR9aFQQTSEcFME0FCFwEURNNfWpdAEsSSWJKLl1XFg==&q={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://searchinterneat-a.akamaihd.net/s?eq=U0EeE1xZE1oZB1ZEfQAMAg4UGVBBbQldV11cFQ0bIhQBVgtIDANGcgBeAwhGEgxHeR9aFQQTSEcFME0FCFwEURNNfWpdAEsSSWJKLl1XFg==&q={searchTerms}
SearchScopes: HKLM-x32 -> {7A300DCF-1B3F-4F0F-8419-159ECDBBA379} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-131674589-2647457900-2010738365-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_sumalq_16_29&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyEtB0Bzzzy0AtAtAzz0AyD0ByEyEtA0BtN0D0Tzu0StCyCyCyDtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StByDtCyD0CyE0D0CtGyE0F0EzytG0DtBtBtBtGtBtB0F0BtGtBtD0C0BtD0EtB0CzytC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0D0DtBtA0B0FtCyBtGtD0EzyzztGyEtByB0AtG0Azz0CzztGtCyDyE0AyD0FtAzyyEtDyB0B2QtN0A0LzuyE%26cr%3D1733299904%26a%3Dwnf_sumalq_16_29%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-131674589-2647457900-2010738365-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wnf_sumalq_16_29&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzuyEtB0Bzzzy0AtAtAzz0AyD0ByEyEtA0BtN0D0Tzu0StCyCyCyDtN1L2XzutAtFtBtAtFtCtFtAtN1L1Czu1ByEtN1L1G1B1V1N2Y1L1Qzu2StByDtCyD0CyE0D0CtGyE0F0EzytG0DtBtBtBtGtBtB0F0BtGtBtD0C0BtD0EtB0CzytC0Fzy2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0D0DtBtA0B0FtCyBtGtD0EzyzztGyEtByB0AtG0Azz0CzztGtCyDyE0AyD0FtAzyyEtDyB0B2QtN0A0LzuyE%26cr%3D1733299904%26a%3Dwnf_sumalq_16_29%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-131674589-2647457900-2010738365-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = hxxp://www.bing.com/search?pc=COSP&ptag=D062216-A60FA26CFB78147A880F&form=CONBDF&conlogo=CT3332038&q={searchTerms}
SearchScopes: HKU\S-1-5-21-131674589-2647457900-2010738365-1001 -> {7A300DCF-1B3F-4F0F-8419-159ECDBBA379} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/hm?eq=U0EeCFZVBB8SRggadFoPBAEUQxgTJQ9cTA1JGVcOeQ4KWBRHRAcaJlsJVgpIRQwFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlEmSFtHL04="
C:\Windows\Tasks\{7F1172F2-5468-791A-58C2-09E03F90AD5F}.job
C:\Users\Karen\AppData\Local\Temp\03d83b11-e82c-45a0-ac21-c4bfd7104e37.exe
C:\Users\Karen\AppData\Local\Temp\McCSPInstall.dll
C:\Users\Karen\AppData\Local\Temp\mccspuninstall.exe
CustomCLSID: HKU\S-1-5-21-131674589-2647457900-2010738365-1001_Classes\CLSID\{67F4D210-BFC2-4ADD-9A2A-C9B9E1F42C4F}\InprocServer32 -> C:\Program Files (x86)\Kingsoft\WPS Office\9.1.0.5236\office6\qingshellext64.dll => No File
Task: {804F7EB4-A3F4-4CC0-806E-B50965A14CEC} - System32\Tasks\{05BABB39-CC5D-2A67-A134-DFE4858CE059} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\a98d27c7\d2d8117a.dll" <==== ATTENTION
Task: {83E44DD9-EA59-41BF-A275-26030C4C05ED} - System32\Tasks\Yahoo! Powered dadad => Wscript.exe "C:\ProgramData\{73D3B6B0-F991-3C76-7F57-A234E51529FA}\rati.txt" "687474703a2f2f7761676e672e636f6d" "433a5c50726f6772616d446174615c7b37334433423642302d463939312d334337362d374635372d4132333445353135323946417d5c636563617461" "433a5c50726f6772616d446174615c7b37334433423642302d463939312d334337362d374635 (the data entry has 78 more characters).
Task: {8BA35C5C-A64D-420B-A325-7FF03F00058F} - System32\Tasks\{7F1172F2-5468-791A-58C2-09E03F90AD5F} => C:\Users\Karen\AppData\Local\{1ACC2~1\PRODUC~1.EXE [2013-05-01] () <==== ATTENTION
Task: {A5F8CF84-9D3A-42AE-A7DF-33D522C4EE68} - System32\Tasks\{790D0F47-7E0F-0C0E-0B11-0F7E0F0D1108} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4AZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMAOwAkAFAAcgBvAGcA (the data entry has 9360 more characters). <==== ATTENTION
Task: C:\WINDOWS\Tasks\Yahoo! Powered dadad.job => Wscript.exe C:\ProgramData\{73D3B6B0-F991-3C76-7F57-A234E51529FA}\rati.txt <==== ATTENTION
ShortcutWithArgument: C:\Users\Karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\AmazonShopping.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.amazon.com/gp/bit/amazonbookmark.html?tag=hp2-desktop-us-20&partner=HP
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Priceline.com.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.priceline.com/?refid=PLHBC6240OPQ&refclickid=square
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
EmptyTemp:
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
End