cjoint

~ Report of ZHPDiag v2014.1.12.13 - Nicolas Coolman (1/12/2014)
~ Launched by MASTER (1/14/2014 1:56:18 AM)
~ Web site address : http://nicolascoolman.webs.com
~ Free support forums for disinfection : http://nicolascoolman.webs.com/apps/links/
~ Translated by
~ Version State :
~ White List : Activate by program
~ Elevation of privilege : OK
~ User Account Control : Activate by user


---\\ Internet browsers
MSIE: Internet Explorer v11.0.9600.16476

---\\ Windows product information
~ Langage: Anglais
Windows 8.1 Enterprise, 64-bit (Build 9600)
Windows Server License Manager Script : OK
~ ion: Windows(R) Operating System, VOLUME_KMSCLIENT channel
Software Protection Service (Protection logicielle) : OK
Windows Automatic Updates : OK
Windows Activation Technologies : OK

---\\ System protection software
Windows Defender W8

---\\ System optimization software

---\\ Sharing software PeerToPeer

---\\ Surveillance software
Adobe Flash Player 11 Plugin
Java 7 Update 45

---\\ Information on the system
~ Processor: Intel64 Family 6 Model 37 Stepping 2, GenuineIntel
~ Operating System: 64 Bits
Boot mode: Normal (Normal boot)
Total RAM: 3957.2 MB (59% free)
System Restore: Activé (Enable)
System drive C: has 23 GB (19%) free of 119 GB

---\\ Connection to the system mode
~ Computer Name: ASUS-ROG
~ User Name: MASTER
~ All Users Names: MASTER, Guest, Administrator,
~ Unselected Option: O45,O61
Logged in as Administrator

---\\ Environment variables
~ System Unit : C:\
~ %AppZHP% : C:\Users\MASTER\AppData\Roaming\ZHP\
~ %AppData% : C:\Users\MASTER\AppData\Roaming\
~ %Desktop% : C:\Users\MASTER\Desktop\
~ %Favorites% : C:\Users\MASTER\Favorites\
~ %LocalAppData% : C:\Users\MASTER\AppData\Local\
~ %StartMenu% : C:\Users\MASTER\AppData\Roaming\Microsoft\Windows\Start Menu\
~ %Windir% : C:\Windows\
~ %System% : C:\Windows\System32\

---\\ Enumeration of the disk units
C: Hard drive, Flash drive, Thumb drive (Free 23 Go of 119 Go)
D: Hard drive, Flash drive, Thumb drive (Free 85 Go of 315 Go)
E: CD-ROM drive (Not Inserted)
F: CD-ROM drive (Not Inserted)



---\\ State of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
~ Security Center: 41 Legitimates Filtered in 00mn AMs



---\\ Search Generic System Files
[MD5.63DC38C3E4564B2405D562855643ABA2] - (.Microsoft Corporation - Windows Explorer.) (.10/22/2013 - 7:55:27 AM.) -- C:\Windows\Explorer.exe [2328872]
[MD5.48CFA7BE561A7BE144C29BB912055016] - (.Microsoft Corporation - Windows Start-Up Application.) (.8/22/2013 - 9:58:29 AM.) -- C:\Windows\System32\Wininit.exe [144384]
[MD5.9B6678DB9C6A232C5A84D2FDFFF8B0E1] - (.Microsoft Corporation - Internet Extensions for Win32.) (.11/26/2013 - 7:07:57 AM.) -- C:\Windows\System32\wininet.dll [2334208]
[MD5.7C94FDA3809015B8F2208D2E1C221F17] - (.Microsoft Corporation - Windows Logon Application.) (.8/22/2013 - 9:55:08 AM.) -- C:\Windows\System32\Winlogon.exe [564736]
[MD5.2F18065618E39AA2E656EE737B71E791] - (.Microsoft Corporation - Software Licensing Library.) (.8/22/2013 - 10:39:40 AM.) -- C:\Windows\System32\sppcomapi.dll [447488]
[MD5.239268BAB58EAE9A3FF4E08334C00451] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.8/22/2013 - 1:25:35 PM.) -- C:\Windows\system32\Drivers\AFD.sys [567296]
[MD5.74B14192CF79A72F7536B27CB8814FBD] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.8/22/2013 - 12:43:41 PM.) -- C:\Windows\system32\Drivers\atapi.sys [26464]
[MD5.2FA6510E33F7DEFEC03658B74101A9B9] - (.Microsoft Corporation - CD-ROM File System Driver.) (.8/22/2013 - 11:40:15 AM.) -- C:\Windows\system32\Drivers\Cdfs.sys [88576]
[MD5.C6796EA22B513E3457514D92DCDB1A3D] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.8/22/2013 - 8:46:35 AM.) -- C:\Windows\system32\Drivers\Cdrom.sys [164352]
[MD5.5DB26D7E0216D0BF364A81D3829AD7B9] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.8/22/2013 - 11:38:00 AM.) -- C:\Windows\system32\Drivers\DfsC.sys [134656]
[MD5.03909BDBFF0DCACCABF2B2D4ADEE44DC] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.8/22/2013 - 11:38:38 AM.) -- C:\Windows\system32\Drivers\HDAudBus.sys [78336]
[MD5.84CFC5EFA97D0C965EDE1D56F116A541] - (.Microsoft Corporation - i8042 Port Driver.) (.8/22/2013 - 11:39:15 AM.) -- C:\Windows\system32\Drivers\i8042prt.sys [107520]
[MD5.E23D32BAF152FBE35F18C6A2AB8EF271] - (.Microsoft Corporation - IP Network Address Translator.) (.9/30/2013 - 4:18:52 AM.) -- C:\Windows\system32\Drivers\IpNat.sys [141824]
[MD5.6129EDB793A4255B1E2FB41773AC9D9A] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.9/30/2013 - 4:18:46 AM.) -- C:\Windows\system32\Drivers\MRxSmb.sys [404992]
[MD5.0217532E19A748F0E5D569307363D5FD] - (.Microsoft Corporation - MBT Transport driver.) (.8/22/2013 - 11:37:02 AM.) -- C:\Windows\system32\Drivers\netBT.sys [282624]
[MD5.4412D565C0278C401575E11072C7DCE3] - (.Microsoft Corporation - NT File System Driver.) (.8/22/2013 - 1:25:41 PM.) -- C:\Windows\system32\Drivers\ntfs.sys [2011488]
[MD5.764B1121867B2D9B31C491668AC72B2B] - (.Microsoft Corporation - Parallel Port Driver.) (.8/22/2013 - 11:40:02 AM.) -- C:\Windows\system32\Drivers\Parport.sys [94208]
[MD5.BBB6272B7F46C4640A8CDB8A70C3450F] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.8/22/2013 - 11:35:51 AM.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [120832]
[MD5.680C1DAE268B6FB67FA21B389A8B79EF] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.9/30/2013 - 4:00:32 AM.) -- C:\Windows\system32\Drivers\rdpdr.sys [195584]
[MD5.FFF28F9F6823EB1756C60F1649560BBF] - (.Microsoft Corporation - TDI Translation Driver.) (.8/22/2013 - 1:25:35 PM.) -- C:\Windows\system32\Drivers\tdx.sys [107520]
[MD5.9F9CE33B50611A1C61A46B8911E0B30B] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.8/22/2013 - 12:39:15 PM.) -- C:\Windows\system32\Drivers\volsnap.sys [312160]
~ Generic Processes: Scanned in 00mn AMs



---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 1/2
~ Mes Favoris (My Favorites) : 1/3
~ Mes Documents (My Documents) : 1/48
~ Mon Bureau (My Desktop) : 1/16
~ Menu demarrer (Programs) : 1/49
~ Hidden Files: Scanned in 00mn AMs



---\\ Process running
[MD5.97F60D16F052DA9CB619AB9A96CB2D4E] - (.No owner - Wireless Console 3.) -- C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe [1597440] [PID.1776]
[MD5.BE1DAE43DFBCA94FB6B4157C1B16923E] - (...) -- ysWOW64\rundll32.exe [0] [PID.3852]
[MD5.BD95E822E7A958BBCA842D078426A151] - (.Tonec Inc. - Internet Download Manager agent for click m.) -- C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe [269848] [PID.3784]
[MD5.5AEBF6FA9805C9101220AA4FB4FA17E7] - (.ASUS - HControlUser.) -- C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe [105016] [PID.4676]
[MD5.56774620E6A8AA93719B1763CF5E5766] - (.ASUS - ATKOSD2.) -- C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe [6937216] [PID.4688]
[MD5.5666955DC9FD455A003D86A21E0483A9] - (.ASUS - ATK Media.) -- C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe [170624] [PID.4708]
[MD5.F645990AEEBD0A3C596F0D5FE460A810] - (.Tonec Inc. - Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe [3821136] [PID.1860]
[MD5.B3213AD88B74C5ABF52F977C1A79E6EC] - (.MPC-HC Team - MPC-HC.) -- C:\Program Files (x86)\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe [6097920] [PID.1756]
[MD5.8A86F41B857DA166033B1795FE69BF37] - (.Almico Software (www.almico.com) - No Comment.) -- C:\Program Files (x86)\SpeedFan\speedfan.exe [4683768] [PID.3944]
[MD5.B701AF0A693F2618428C575280E444C5] - (.Mozilla Corporation - Nightly.) -- C:\Program Files (x86)\Nightly\firefox.exe [291952] [PID.4504]
[MD5.4C9D9C380E70FF2103E5C33EDF7599AD] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [8334336] [PID.4148]
~ Processes Running: Scanned in 00mn AMs



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn AMs



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Keys: Scanned in 00mn AMs



---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in 00mn AMs
~ Nombre de lignes (Lines number): 23



---\\ Other User Links (O4)
O4 - GS\Desktop [Public]: BEIN SPORTS HD.lnk . (...) -- C:\Program Files (x86)\BEIN SPORTS HD\BEIN SPORTS HD.exe
O4 - GS\Desktop [Public]: REALTEK Wireless LAN Utility.lnk . (.Realtek - ReStart MFC Application.) -- C:\Program Files (x86)\REALTEK\Wireless LAN Utility\ReStart.exe
O4 - GS\Program [Public]: Batman Arkham Origins.lnk . (.WB Montréal Inc. - Batman™: Arkham Origins.) -- C:\Program Files (x86)\Batman Arkham Origins\SinglePlayer\Binaries\Win32\BatmanOrigins.exe
O4 - GS\Program [Public]: Desktop.lnk - Orphan key
O4 - GS\Program [Public]: Nightly.lnk . (.Mozilla Corporation - Nightly.) -- C:\Program Files (x86)\Nightly\firefox.exe
O4 - GS\QuickLaunch [MASTER]: Launch Internet Explorer Browser.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\QuickLaunch [MASTER]: Viber.lnk . (...) -- C:\Users\MASTER\AppData\Local\Viber\Viber.exe
O4 - GS\TaskBar [MASTER]: Nightly.lnk . (.Mozilla Corporation - Nightly.) -- C:\Program Files (x86)\Nightly\firefox.exe
O4 - GS\TaskBar [MASTER]: On-Screen Keyboard.lnk . (.Microsoft Corporation - Accessibility On-Screen Keyboard.) -- C:\Windows\system32\osk.exe
O4 - GS\TaskBar [MASTER]: Viber.lnk . (...) -- C:\Users\MASTER\AppData\Local\Viber\Viber.exe
O4 - GS\Program [MASTER]: Bond.lnk . (...) -- C:\Program Files (x86)\James.Bound.B.S\Bond.exe
O4 - GS\Program [MASTER]: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\Program [MASTER]: Nightly.lnk . (.Mozilla Corporation - Nightly.) -- C:\Program Files (x86)\Nightly\firefox.exe
O4 - GS\Program [MASTER]: transmission-qt.lnk . (...) -- C:\Program Files (x86)\Transmission\transmission-qt.exe (.not file.)
O4 - GS\Program [MASTER]: Viber.lnk . (...) -- C:\Users\MASTER\AppData\Local\Viber\Viber.exe
O4 - GS\SendTo [MASTER]: Bluetooth File Transfer.LNK . (.Microsoft Corporation - No Comment.) -- C:\Windows\System32\fsquirt.exe
O4 - GS\Desktop [MASTER]: Viber.lnk . (...) -- C:\Users\MASTER\AppData\Local\Viber\Viber.exe
~ Global Startup: 45 Legitimates Filtered in 01mn AMs



---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [egui] . (.ESET - ESET Main GUI.) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
O4 - HKLM\..\Run: [RtHDVCpl] . (.Realtek Semiconductor - Realtek HD Audio Manager.) -- C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
O4 - HKCU\..\Run: [IDMan] . (.Tonec Inc. - Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
O4 - HKCU\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKCU\..\Run: [tsiVideo] . (...) -- C:\Users\MASTER\AppData\Local\Temp\mdi064.dll
O4 - HKLM\..\Wow6432Node\Run: [HControlUser] . (.ASUS - HControlUser.) -- C:\Program Files (x86)\ASUS\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Wow6432Node\Run: [ATKOSD2] . (.ASUS - ATKOSD2.) -- C:\Program Files (x86)\ASUS\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Wow6432Node\Run: [ATKMEDIA] . (.ASUS - ATK Media.) -- C:\Program Files (x86)\ASUS\ATK Media\DMedia.exe
O4 - HKLM\..\Wow6432Node\Run: [DivXMediaServer] . (.DivX, LLC - DivX DLNA Media Server.) -- C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe
O4 - HKUS\S-1-5-21-1781801285-217770639-349241330-1001\..\Run: [IDMan] . (.Tonec Inc. - Internet Download Manager (IDM).) -- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
O4 - HKUS\S-1-5-21-1781801285-217770639-349241330-1001\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKUS\S-1-5-21-1781801285-217770639-349241330-1001\..\Run: [tsiVideo] . (...) -- C:\Users\MASTER\AppData\Local\Temp\mdi064.dll
~ Application: Scanned in 00mn AMs



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: &Envoyer à OneNote [64Bits] - {2670000A-7350-4f3c-8081-5663EE0C6C49} . (.Microsoft Corporation - Microsoft OneNote Internet Explorer Add-in.) -- C:\Program Files (x86)\MICROS~1\Office15\ONBttnIE.dll =>.Microsoft Corporation
O9 - Extra button: Cliquer pour appeler Lync [64Bits] - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} . (.Microsoft Corporation - Microsoft Lync.) -- C:\Program Files\Microsoft Office\Office15\lync.exe
O9 - Extra button: Notes &liées OneNote [64Bits] - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} . (.Microsoft Corporation - Microsoft OneNote Internet Explorer Add-in.) -- C:\Program Files (x86)\MICROS~1\Office15\ONBTTN~1.dll =>.Microsoft Corporation
~ IE Extra Buttons: Scanned in 00mn AMs



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9C6CD96-64CD-41E9-BA46-36FB8AB1F13B}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{D9C6CD96-64CD-41E9-BA46-36FB8AB1F13B}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
~ Domain: Scanned in 00mn AMs



---\\ Extra protocols (O18)
O18 - Handler: vbscript [64Bits] - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Filter: text/xml [64Bits] - {807583E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.dll =>.Microsoft Corporation
~ Protocole Additionnel: Scanned in 00mn AMs



---\\ Non Microsoft non disabled Windows XP/NT/2000 Services (O23)
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) . (.No owner - GFNEXSrv.) - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: VMware Workstation Server (VMwareHostd) . (...) - C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe =>.VMware, Inc
~ Services: 13 Legitimates Filtered in 03mn AMs



---\\ Task Planned Automatically (039)
[MD5.0F94B4386D8D5E2FD028954684A6464E] [APT] [AutoPico Daily Restart] (...) -- C:\Program Files\KMSpico\AutoPico.exe [571904] =>PUP.KMSpico
[MD5.FB1A303207C1124C2B61A50E5A32AC21] [APT] [DivX online update program] (...) -- C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe [1861968]
[MD5.00000000000000000000000000000000] [APT] [{895B3712-BB5F-46EB-BFF9-B7D7DDE49E57}] (...) -- C:\Program Files (x86)\Pinnacle\Studio 16\programs\PinnacleStudio.exe (.not file.) [0]
~ Scheduled Task: 13 Legitimates Filtered in 03mn AMs



---\\ Software installed (O42)
O42 - Logiciel: BEIN SPORTS HD version 3 - (.daz-iptv.) [HKLM][64Bits] -- {42C332F7-C0C5-448B-9ED1-B46AB3F3FDA3}_is1
O42 - Logiciel: GI-Arabic Now - (.Global Integrated Solutions.) [HKLM][64Bits] -- GI-Arabic Now
O42 - Logiciel: KMSpico v9.0.3.20131029 (Beta) - (...) [HKLM][64Bits] -- KMSpico_is1 =>PUP.KMSpico
~ Logic: 5 Legitimates Filtered in 00mn AMs



---\\ HKCU & HKLM Software Keys
[HKCU\Software\23556fb1360f366337f97c924e76ead3]
[HKCU\Software\APN PIP]
[HKCU\Software\Conduit] =>Toolbar.Conduit
[HKCU\Software\KoshyJohn.com]
[HKCU\Software\Lowlevel Studios]
[HKCU\Software\PIP]
[HKLM\Software\Wow6432Node\PIP]
~ Key Software: 295 Legitimates Filtered in 00mn AMs



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 12/23/2013 - 3:39:00 PM - [34.983] ----D C:\Program Files (x86)\1-click run
O43 - CFD: 1/13/2014 - 7:53:57 PM - [13.040] ----D C:\Program Files (x86)\BEIN SPORTS HD
O43 - CFD: 12/28/2013 - 2:22:14 PM - [-364.603] ----D C:\Program Files (x86)\James.Bound.B.S
O43 - CFD: 1/5/2014 - 10:20:30 PM - [0.015] ----D C:\Program Files (x86)\MyPC Backup =>PUP.MyPCBackup
O43 - CFD: 1/4/2014 - 3:38:25 AM - [0] ----D C:\Program Files (x86)\Pando Networks
O43 - CFD: 1/12/2014 - 10:15:14 PM - [0.001] ----D C:\ProgramData\Thinix
O43 - CFD: 1/6/2014 - 8:27:58 PM - [0] -SH-D C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}
O43 - CFD: 12/24/2013 - 12:10:25 PM - [0.774] ----D C:\Users\MASTER\AppData\Roaming\KoshyJohn.com
O43 - CFD: 12/19/2013 - 12:42:57 AM - [0] -SH-D C:\Users\MASTER\AppData\Roaming\msgr
O43 - CFD: 12/19/2013 - 12:59:04 AM - [0] -SH-D C:\Users\MASTER\AppData\Roaming\msgre
O43 - CFD: 1/13/2014 - 2:18:51 AM - [0.075] ----D C:\Users\MASTER\AppData\Roaming\transmission
O43 - CFD: 1/3/2014 - 11:28:51 PM - [5.370] ----D C:\Users\MASTER\AppData\Local\Pando_Temp
O43 - CFD: 12/21/2013 - 1:48:53 AM - [0.113] ----D C:\Users\MASTER\AppData\Local\transmission
O43 - CFD: 12/23/2013 - 3:39:05 PM - [0.002] ----D C:\Users\MASTER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\1-click run
O43 - CFD: 12/24/2013 - 12:10:28 PM - [0.010] ----D C:\Users\MASTER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\KoshyJohn.com
~ Program Folder: 192 Legitimates Filtered in 25mn AMs



---\\ Last modified or created files under Windows and System32 (O44)
O44 - LFC:[MD5.4C1E9AA47383F2A9096C68A337F4BBE1] - 1/12/2014 - 10:15:05 PM ---A- . (...) -- C:\Windows\N64949GQ.ocx [3120]
O44 - LFC:[MD5.B1D3A7EA60B1D9856E0CC1A72D889D7E] - 1/13/2014 - 2:45:44 AM R-H-- . (...) -- C:\G60JX.BIN [2097152]
O44 - LFC:[MD5.AE43A39104B0AD85D2941DEFA0EEA221] - 1/4/2014 - 2:34:36 PM ---A- . (...) -- C:\Windows\DirectX.log [344585]
O44 - LFC:[MD5.82EFB9D498061EC2B80CD2689407D801] - 1/4/2014 - 2:42:39 PM ---A- . (...) -- C:\Windows\wmsetup.log [1126]
O44 - LFC:[MD5.9C630683D5736E68D335F07013FB660E] - 1/4/2014 - 2:43:02 PM ---A- . (...) -- C:\Windows\wininit.ini [210]
~ Files: 32 Legitimates Filtered in 49mn AMs



---\\ Local Security Authority-LSA Deny (O48)
~ LSA: 3 Legitimates Filtered in 00mn AMs



---\\ Image File Execution Options (IFEO) (O50)
O50 - IFEO:Image File Execution Options - autopico.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - kmseldi.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - skype.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - systemreport.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - trueimagelauncher.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - trueimagetools.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - uninshs.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
O50 - IFEO:Image File Execution Options - winpe_iso.exe - "C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe"
~ IFEO: Scanned in 00mn AMs



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "PromptOnSecureDesktop"=0
O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
O55 - MWPS:[HKLM\...\Policies\System] - "EnableLinkedConnections"=1
~ MWPS: 18 Legitimates Filtered in 00mn AMs



---\\ Microsoft Windows Policies Explorer (MWPE) (O56)
O56 - MWPE:[HKLM\...\policies\Explorer] - "NoActiveDesktopChanges"=1
~ MWPE Keys: 3 Legitimates Filtered in 00mn AMs



---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.C1ABB0F7E3BEA48A0417BDF6FF14AB21] - 8/12/2013 - 11:25:46 PM ---A- . (.Windows (R) Win 7 DDK provider - BCM Function 2 Device Driver.) -- C:\Windows\System32\Drivers\bcmfn2.sys [17624]
O58 - SDL:[MD5.040FF3B09F26926A3792E047DB0F47DD] - 1/10/2014 - 11:46:10 PM ---A- . (.Connectify - NDIS filter driver.) -- C:\Windows\System32\Drivers\cnnctfy2.sys [31344]
O58 - SDL:[MD5.929DF302F15BFE24AC66EF45D858C413] - 11/28/2013 - 12:24:18 AM ---A- . (.Tonec Inc. - Internet Download Manager WFP Driver.) -- C:\Windows\System32\Drivers\idmwfp.sys [175480]
O58 - SDL:[MD5.0DF53A9649073CEBBC0988D6353FED6E] - 6/4/2009 - 10:44:48 PM ---A- . (.No owner - PU ACPI Utility.) -- C:\Windows\System32\Drivers\PuAcpi64.sys [15880]
O58 - SDL:[MD5.E20B1907FC72A3664ECE21E3C20FC63D] - 7/2/2009 - 7:54:52 AM ---A- . (.REDC - RICOH MS Driver.) -- C:\Windows\System32\Drivers\rimspe64.sys [60416]
O58 - SDL:[MD5.6A1CD4674505E6791390A1AB71DA1FBE] - 7/4/2009 - 6:27:02 PM ---A- . (.REDC - RICOH PCIe XD Driver.) -- C:\Windows\System32\Drivers\rixdpe64.sys [55808]
O58 - SDL:[MD5.366DEA74BBA65B362BCCFC6FC2ADFD8B] - 8/22/2013 - 12:43:32 PM ---A- . (.Promise Technology, Inc. - Promise SuperTrak EX Series Driver for Windows x64.) -- C:\Windows\System32\Drivers\stexstor.sys [31072]
O58 - SDL:[MD5.3C32FF010F869BC184DF71290477384E] - 12/16/2013 - 3:22:37 PM ---A- . (.The OpenVPN Project - TAP-Windows Virtual Network Driver.) -- C:\Windows\System32\Drivers\tap0901.sys [40664]
~ Drivers: 18 Legitimates Filtered in 03mn AMs



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2014 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
~ ADS: Scanned in 00mn AMs



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Mozilla Corporation - Nightly.) -- C:\Program Files (x86)\Nightly\firefox.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn AMs



---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} [DefaultScope] - (Bing) - http://www.bing.com
~ Keys: Scanned in 00mn AMs



---\\ Crack & Keygen Files (CKF) (O82)
C:\Users\MASTER\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Keygen.exe.log
C:\Users\MASTER\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Keygen.exe.log
~ Files: Scanned in 19mn AMs



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.B3A840E05F27DC6AE773A5D622BFA994] [SPRF][9/11/2012] (.Ask.com - Offercast - APN Install Manager.) -- C:\Users\MASTER\AppData\Local\Temp\AskPIP_FF_.exe [783560]
[MD5.858D895AD40DE9779E78C39A116F9553] [SPRF][1/5/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\BackupSetup.exe [10355400]
[MD5.31109A247E5347770A891BD9B503B62F] [SPRF][1/12/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\dmu2dsre.dll [11264]
[MD5.19C634A18C99E2663EE01FCFBA71CC63] [SPRF][1/12/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\mdi064.dll [3997696]
[MD5.7E7EB7AFF595774E5E500B34058CC1A7] [SPRF][1/14/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\sfamcc00001.dll [192512]
[MD5.7E7EB7AFF595774E5E500B34058CC1A7] [SPRF][1/7/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\sfamcc00002.dll [192512]
[MD5.51151D3AD8DA0DFA0E7A681AA2FF8870] [SPRF][1/14/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\sfareca00001.dll [158720]
[MD5.51151D3AD8DA0DFA0E7A681AA2FF8870] [SPRF][1/7/2014] (...) -- C:\Users\MASTER\AppData\Local\Temp\sfareca00002.dll [158720]
~ Files: 12 Legitimates Filtered in 00mn AMs



---\\ Firewall Active Exception List (FirewallRules) (O87)
O87 - FAEL: "TCP Query User{2DAAFAD8-3261-4DD1-B3A7-C425BE9461E7}E:\soft\o.system\mtkv249\microsoft toolkit.exe" |In - Public - P6 - TRUE | .(...) -- E:\soft\o.system\mtkv249\microsoft toolkit.exe (.not file.)
O87 - FAEL: "UDP Query User{1C5943CB-AAE2-48A3-B293-9E3D22F7B214}E:\soft\o.system\mtkv249\microsoft toolkit.exe" |In - Public - P17 - TRUE | .(...) -- E:\soft\o.system\mtkv249\microsoft toolkit.exe (.not file.)
O87 - FAEL: "{3C746869-A1B6-455B-A644-D5AAD77BBCDF}" |In - Public - P6 - FALSE | .(...) -- C:\Program Files (x86)\Naver\LINE\Line.exe (.not file.)
O87 - FAEL: "{B5099C10-8484-4888-82C4-2F2FA6AF3BF3}" |In - Public - P17 - FALSE | .(...) -- C:\Program Files (x86)\Naver\LINE\Line.exe (.not file.)
O87 - FAEL: "{00393C5D-ACDD-4A74-B551-C17E1A11E767}" |In - Public - P6 - TRUE | .(...) -- C:\Program Files (x86)\Thinix\Thinix WiFi Hotspot\ThinixWiFiHotspot.exe (.not file.)
O87 - FAEL: "{EAA3436B-8BC9-4D60-9955-8E0F204EC39F}" |In - Public - P17 - TRUE | .(...) -- C:\Program Files (x86)\Thinix\Thinix WiFi Hotspot\ThinixWiFiHotspot.exe (.not file.)
~ Firewall: 227 Legitimates Filtered in 00mn AMs



---\\ Random Export Key (REK) (O91)
[HKCU\Software\23556fb1360f366337f97c924e76ead3]:US="@"
~ Export Key Software: Scanned in 00mn AMs



---\\ MyComputer Name Space (MNS) (O92)
O92 - MNS: - {1CF1260C-4DD0-4ebb-811F-33C572699FDE}
O92 - MNS: - {374DE290-123F-4565-9164-39C4925E467B}
O92 - MNS: - {3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}
O92 - MNS: - {A0953C92-50DC-43bf-BE83-3742FED03C9C}
O92 - MNS: - {A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}
O92 - MNS: - {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
~ MNS: 6 Legitimates Filtered in 00mn AMs



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SS - | Disabled 7/18/2013 1142584 | (AcrSch2Svc) . (.Acronis.) - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
SS - | Demand 12/18/2013 257416 | (AdobeFlashPlayerUpdateSvc) . (.Adobe Systems Incorporated.) - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
SS - | Disabled 12/18/2013 3873784 | (afcdpsrv) . (.Acronis.) - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
SS - | Demand 1/13/2014 119920 | (MozillaMaintenance) . (.Mozilla Foundation.) - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
SS - | Disabled 3/10/2010 189728 | (PSI_SVC_2) . (.Protexis Inc..) - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
SS - | Disabled 10/29/2013 571392 | (Service KMSELDI) . (...) - C:\Program Files\KMSpico\Service_KMS.exe =>PUP.KMSpico
SS - | Disabled 10/23/2013 172192 | (SkypeUpdate) . (.Skype Technologies.) - C:\Program Files (x86)\Skype\Updater\Updater.exe
SS - | Disabled 10/22/2013 7142320 | (syncagentsrv) . (.Acronis.) - C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
SS - | Demand 7/10/1658 0 | (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe =>.Microsoft Corporation
SS - | Demand 8/22/2013 37768 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe

SR - | Auto 6/15/2009 84536 | (ASLDRService) . (.ASUS.) - C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
SR - | Auto 8/8/2007 94208 | (ATKGFNEXSrv) . (...) - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
SR - | Auto 5/8/2013 23552 | (CronService) . (.Fork Ltd..) - C:\Prey\platform\windows\cronsvc.exe
SR - | Auto 9/12/2013 1337752 | (ekrn) . (.ESET.) - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
SR - | Auto 11/11/2013 922912 | (nvsvc) . (.NVIDIA Corporation.) - C:\Windows\system32\nvvsvc.exe
SR - | Auto 4/16/2010 36864 | (Realtek11nSU) . (.Realtek.) - C:\Program Files (x86)\REALTEK\Wireless LAN Utility\RtlService.exe
SR - | Auto 11/11/2013 414496 | (Stereo Service) . (.NVIDIA Corporation.) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
SR - | Auto 12/18/2013 2103096 | (TuneUp.UtilitiesSvc) . (.TuneUp Software.) - C:\Program Files (x86)\TuneUp Utilities 2014\TuneUpUtilitiesService64.exe
SR - | Auto 8/27/2013 86096 | (VMAuthdService) . (.VMware, Inc..) - C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe =>.VMware, Inc
SR - | Auto 7/10/1658 0 | (VMnetDHCP) . (.VMware, Inc..) - C:\Windows\system32\vmnetdhcp.exe
SR - | Auto 8/26/2013 904248 | (VMUSBArbService) . (.VMware, Inc..) - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe
SR - | Auto 7/10/1658 0 | (VMware NAT Service) . (.VMware, Inc..) - C:\Windows\system32\vmnat.exe
SR - | Auto 8/27/2013 14401104 | (VMwareHostd) . (...) - C:\Program Files (x86)\VMware\VMware Workstation\vmware-hostd.exe =>.VMware, Inc
SR - | Demand 7/10/1658 0 | (WdNisSvc) . (...) - C:\Program Files (x86)\Windows Defender\NisSrv.exe
SR - | Demand 7/10/1658 0 | (WinDefend) . (...) - C:\Program Files (x86)\Windows Defender\MsMpEng.exe

~ Services: Scanned in 27mn AMs



---\\ Search Master Boot Record Infection (MBR)(O80)
Run by MASTER at 1/14/2014 1:59:15 AM
~ OS 64 not supported by MBR tool

~ MBR: 0 Legitimates Filtered in 00mn AMs



---\\ Search Master Boot Record Infection (MBRCheck)(O80)
Written by ad13, http://ad13.geekstog
Run by MASTER at 1/14/2014 1:59:17 AM

********* Dump file Name *********
C:\PhysicalDisk0_MBR.bin

~ MBR: Scanned in 02mn AMs



---\\ Scan Additionnel (O88)
Database Version : 13022 - (1/12/2014)
Clés trouvées (Keys found) : 5
Valeurs trouvées (Values found) : 0
Dossiers trouvés (Folders found) : 2
Fichiers trouvés (Files found) : 2

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\KMSpico_is1] =>PUP.KMSpico^
[HKCU\Software\APN PIP] =>Toolbar.Ask
[HKCU\Software\PIP] =>Toolbar.Ask
[HKLM\Software\Wow6432Node\PIP] =>Toolbar.Ask
[HKLM\SYSTEM\CurrentControlSet\Services\Service KMSELDI] =>PUP.KMSpico
C:\Program Files (x86)\MyPC Backup =>PUP.MyPCBackup^
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KMSpico =>PUP.KMSpico
C:\Program Files\KMSpico\AutoPico.exe =>PUP.KMSpico^
[HKCU\Software\Conduit] =>Toolbar.Conduit^
~ Additionnel Scan: 331418 Items scanned in 20mn AMs



---\\ Summary of the detections found on your workstation
~ http://nicolascoolman.webs.com/apps/blog/show/29633319-pup-kmspico =>PUP.KMSpico
~ http://nicolascoolman.webs.com/apps/blog/show/29507721-toolbar-conduit =>Toolbar.Conduit
~ http://nicolascoolman.webs.com/apps/blog/show/32174815-pup-mypcbackup =>PUP.MyPCBackup
~ http://nicolascoolman.webs.com/apps/blog/show/28927746-toolbar-ask =>Toolbar.Ask
~ MSI: 4 link(s) detected in 20mn AMs



~ 1001 Legitimates filtered by white list
End of the scan (472 lines in 20mn AMs)(2)
