~ Report of ZHPDiag v2015.6.4.54 - Nicolas Coolman (5/31/2015)
~ Launched by mohamed (8/7/2015 11:36:08 PM)
~ Facebook : https://www.facebook.com/nicolascoolman1
~ Web forum address : http://forum.nicolascoolman.fr
~ Translated by
~ Version State : New version available
~ White List : Activate by program
~ Elevation of privilege : OK
~ User Account Control : Deactivate by program


---\\ Internet browsers
MSIE: Internet Explorer v8.0.7601.17514
MFIE: Mozilla Firefox 39.0
GCIE: Google Chrome v44.0.2403.130

---\\ Windows product information
~ Langage: Anglais
Windows Server License Manager Script : OK
~ Windows Operating System - Windows(R) 7, OEM_SLP channel
System Locked Preinstallation (OEM_SLP) : OK
Software Protection Service (Protection logicielle) : OK
Windows Automatic Updates : OK
Windows Activation Technologies : OK
Windows 7 Ultimate, 64-bit Service Pack 1 (Build 7601)

---\\ System protection software
avast! Free Antivirus v9.0.2021
Windows Defender W7 (Activate)

---\\ System optimization software

---\\ Sharing software PeerToPeer

---\\ Surveillance software
Adobe Flash Player 11 ActiveX & Plugin 64-bit
Adobe Reader XI

---\\ Information on the system
~ Processor: Intel64 Family 6 Model 37 Stepping 5, GenuineIntel
~ Operating System: 64 Bits
Boot mode: Normal (Normal boot)
Total RAM: 3950.1 MB (53% free)
System Restore: Activé (Enable)
System drive C: has 1 GB (1%) free of 103 GB

---\\ Connection to the system mode
~ Computer Name: MOHAMED-PC
~ User Name: mohamed
~ All Users Names: mohamed, Guest, Administrator,
~ Unselected Option: O45,O61,O62,O65,O66,O80,O82,O89
Logged in as Administrator

---\\ Environment variables
~ System Unit : C:\
~ %AppZHP% : C:\Users\mohamed\AppData\Roaming\ZHP\
~ %AppData% : C:\Users\mohamed\AppData\Roaming\
~ %Desktop% : C:\Users\mohamed\Desktop\
~ %Favorites% : C:\Users\mohamed\Favorites\
~ %LocalAppData% : C:\Users\mohamed\AppData\Local\
~ %StartMenu% : C:\Users\mohamed\AppData\Roaming\Microsoft\Windows\Start Menu\
~ %Windir% : C:\Windows\
~ %System% : C:\Windows\System32\

---\\ Enumeration of the disk units
C: Hard drive, Flash drive, Thumb drive (Free 1 Go of 103 Go)
D: Hard drive, Flash drive, Thumb drive (Free 157 Go of 195 Go)
E: CD-ROM drive (Not Inserted)
F: CD-ROM drive (Not Inserted)



---\\ State of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
~ Security Center: 40 Legitimates Filtered in 00mn AMs



---\\ Search Generic System Files
[MD5.AC4C51EB24AA95B77F705AB159189E24] - (.Microsoft Corporation - Windows Explorer.) (.11/21/2010 - 3:24:11 AM.) -- C:\Windows\Explorer.exe [2872320]
[MD5.94355C28C1970635A31B3FE52EB7CEBA] - (.Microsoft Corporation - Windows Start-Up Application.) (.7/14/2009 - 1:39:52 AM.) -- C:\Windows\System32\Wininit.exe [129024]
[MD5.F6C5302E1F4813D552F41A0AC82455E5] - (.Microsoft Corporation - Internet Extensions for Win32.) (.11/21/2010 - 3:23:55 AM.) -- C:\Windows\System32\wininet.dll [1188864]
[MD5.1151B1BAA6F350B1DB6598E0FEA7C457] - (.Microsoft Corporation - Windows Logon Application.) (.11/21/2010 - 3:24:29 AM.) -- C:\Windows\System32\Winlogon.exe [390656]
[MD5.067FA52BFB59A56110A12312EF9AF243] - (.Microsoft Corporation - Software Licensing Library.) (.11/21/2010 - 3:24:16 AM.) -- C:\Windows\System32\sppcomapi.dll [232448]
[MD5.D31DC7A16DEA4A9BAF179F3D6FBDB38C] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.11/21/2010 - 3:24:08 AM.) -- C:\Windows\system32\Drivers\AFD.sys [499712]
[MD5.02062C0B390B7729EDC9E69C680A6F3C] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.7/14/2009 - 1:52:21 AM.) -- C:\Windows\system32\Drivers\atapi.sys [24128]
[MD5.B8BD2BB284668C84865658C77574381A] - (.Microsoft Corporation - CD-ROM File System Driver.) (.7/13/2009 - 11:19:47 PM.) -- C:\Windows\system32\Drivers\Cdfs.sys [92160]
[MD5.F036CE71586E93D94DAB220D7BDF4416] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.11/21/2010 - 3:23:47 AM.) -- C:\Windows\system32\Drivers\Cdrom.sys [147456]
[MD5.9BB2EF44EAA163B29C4A4587887A0FE4] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.11/21/2010 - 3:24:32 AM.) -- C:\Windows\system32\Drivers\DfsC.sys [102400]
[MD5.97BFED39B6B79EB12CDDBFEED51F56BB] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.11/21/2010 - 3:23:47 AM.) -- C:\Windows\system32\Drivers\HDAudBus.sys [122368]
[MD5.FA55C73D4AFFA7EE23AC4BE53B4592D3] - (.Microsoft Corporation - i8042 Port Driver.) (.7/13/2009 - 11:19:57 PM.) -- C:\Windows\system32\Drivers\i8042prt.sys [105472]
[MD5.AF9B39A7E7B6CAA203B3862582E9F2D0] - (.Microsoft Corporation - IP Network Address Translator.) (.7/14/2009 - 12:10:03 AM.) -- C:\Windows\system32\Drivers\IpNat.sys [116224]
[MD5.FAF015B07E3A2874A790A39B7D2C579F] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.11/21/2010 - 3:24:03 AM.) -- C:\Windows\system32\Drivers\MRxSmb.sys [158208]
[MD5.09594D1089C523423B32A4229263F068] - (.Microsoft Corporation - MBT Transport driver.) (.11/21/2010 - 3:23:51 AM.) -- C:\Windows\system32\Drivers\netBT.sys [261632]
[MD5.05D78AA5CB5F3F5C31160BDB955D0B7C] - (.Microsoft Corporation - NT File System Driver.) (.11/21/2010 - 3:23:55 AM.) -- C:\Windows\system32\Drivers\ntfs.sys [1659776]
[MD5.0086431C29C35BE1DBC43F52CC273887] - (.Microsoft Corporation - Parallel Port Driver.) (.7/14/2009 - 12:00:41 AM.) -- C:\Windows\system32\Drivers\Parport.sys [97280]
[MD5.471815800AE33E6F1C32FB1B97C490CA] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.11/21/2010 - 3:24:33 AM.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [129536]
[MD5.1B6163C503398B23FF8B939C67747683] - (.Microsoft Corporation - Microsoft RDP Device redirector.) (.11/21/2010 - 3:25:07 AM.) -- C:\Windows\system32\Drivers\rdpdr.sys [165888]
[MD5.548260A7B8654E024DC30BF8A7C5BAA4] - (.Microsoft Corporation - SMB Transport driver.) (.7/14/2009 - 12:09:09 AM.) -- C:\Windows\system32\Drivers\smb.sys [93184]
[MD5.DDAD5A7AB24D8B65F8D724F5C20FD806] - (.Microsoft Corporation - TDI Translation Driver.) (.11/21/2010 - 3:24:32 AM.) -- C:\Windows\system32\Drivers\tdx.sys [119296]
[MD5.0D08D2F3B3FF84E433346669B5E0F639] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.11/21/2010 - 3:23:47 AM.) -- C:\Windows\system32\Drivers\volsnap.sys [295808]
~ Generic Processes: Scanned in 00mn AMs



---\\ Hidden files state (Hidden/Total)
~ Mes Videos (My Videos) : 1/3
~ Mes Favoris (My Favorites) : 1/22
~ Mes Documents (My Documents) : 1/14
~ Mon Bureau (My Desktop) : 3/16335
~ Menu demarrer (Programs) : 1/32
~ Hidden Files: Scanned in 04mn AMs



---\\ Process running
[MD5.F8C3B8761686BCBC80ACDB6A5317702B] - (.Cinema PlusV16.03 - CinemaP-1.9cV16.03 exe.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10.exe [1480192] [PID.2168] =>PUP.CrossRider
[MD5.51138BEEA3E2C21EC44D0932C71762A8] - (...) -- ysWOW64\rundll32.exe [0] [PID.2468]
[MD5.1DB3300FE6EF0D52ECABBB903FCA6A41] - (.No owner - DRP Su Updater.) -- C:\Users\mohamed\AppData\Roaming\DRPSu\DrvUpdater.exe [195256] [PID.2584]
[MD5.E60175692913D7E0CD9F1FD1EC58EA0A] - (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe [28912256] [PID.3404]
[MD5.8EC2CDD9FC4460F197A6DE4215AD36A7] - (...) -- C:\Users\mohamed\AppData\Local\{A72B98D1-99CF-4602-A88E-BD21535FB1BE}\OffersWizard.exe [982016] [PID.3448] =>PUP.OffersWizard
[MD5.DFAE85572A4565A0B04B34F872EC58DB] - (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896] [PID.3516]
[MD5.1AE00E12D9A6C9AF6E7388C75478DB24] - (.Power Software Ltd - PowerISO Virtual Drive Manager.) -- C:\Program Files (x86)\PowerISO\PWRISOVM.exe [336992] [PID.2496]
[MD5.26B558B2D31C7425B455B00E562EAD93] - (.AVAST Software - avast! Antivirus.) -- C:\Program Files\Alwil Software\Avast5\avastui.exe [4085896] [PID.2332]
[MD5.1FC71A719B45A6A90BAFE2387EA07984] - (.No owner - HSDPALauncher MFC Application.) -- C:\Program Files (x86)\HSPA USB Modem\HSPALauncher.exe [233472] [PID.2252]
[MD5.12E2FC1F74265881402DE856D01EFFFE] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [8214016] [PID.4828]
[MD5.73F5C13B431915BAE35254B4E95DFB71] - (.AVAST Software - avast! Service.) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [50344] [PID.1424]
[MD5.013697369EAFFA675D0671607F036020] - (.Adobe Systems Incorporated - Adobe Acrobat Update Service.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [82128] [PID.2028]
[MD5.BA093B0EFDC06A2029E61123F8772AFA] - (.Cinema PlusV16.03 - CinemaP-1.9cV16.03 exe.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6.exe [1474560] [PID.2160] =>PUP.CrossRider
[MD5.B23B61AF1349EAB73480714042C21518] - (.Cinema PlusV16.03 - CinemaP-1.9cV16.03 exe.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6.exe [1408512] [PID.2264] =>PUP.CrossRider
~ Processes Running: Scanned in 00mn AMs



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Users\mohamed\AppData\Local\Google\Chrome\User Data\Default\Preferences

---\\ Google Chrome Extension Folder
~ Google Lines Browser: 9 Legitimates Filtered in 00mn AMs



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
M2 - MFEP: Extension [mohamed - 1gaprq4q.default] ccf7276c-d388-480f-8835-5b680025e1ca@gmail.com
M2 - MFEP: Extension [mohamed - 1gaprq4q.default] {b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
P2 - FPN:Firefox Plugin Navigator . (...) -- C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\ddg.xml
~ Firefox Browser: 20 Legitimates Filtered in 00mn AMs



---\\ Internet Explorer Extensions, Start, Search (R4,R3,R0,R1)
R0 - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com =>PUP.Babylon
R1 - HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs,Tabs = http://search.babylon.com =>PUP.Babylon
~ IE Browser: 19 Legitimates Filtered in 00mn AMs



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn AMs



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Keys: Scanned in 00mn AMs



---\\ Hosts file redirection (O1)
~ Le fichier hôte est sain (The hosts file is clean) (21)
~ Hosts File: Scanned in 00mn AMs



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: Google Toolbar - [HKLM]{2318C2B1-4965-11d4-9B18-009027A5CD4F} . (.Google Inc. - Google Toolbar.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{47833539-D0C5-4125-9FA8-0819E2EAAC93} Orphan key
O3 - Toolbar\WebBrowser: (no name) - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} Orphan key
~ Toolbar: Scanned in 00mn AMs



---\\ Auto loading programs from Registry and folders (O4)
O4 - HKLM\..\Run: [IntelWireless] . (.Intel(R) Corporation - Intel(R) PROSet/Wireless Framework.) -- C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] . (.Adobe Systems Incorporated - Adobe Updater Startup Utility.) -- C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe =>.Adobe Systems Incorporated
O4 - HKLM\..\Run: [BCSSync] . (.Microsoft Corporation - Microsoft Office 2010 component.) -- C:\Program Files\Microsoft Office\Office14\BCSSync.exe =>.Microsoft Corporation
O4 - HKLM\..\Run: [RtHDVBg_Dolby] . (.Realtek Semiconductor - HD Audio Background Process.) -- C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
O4 - HKCU\..\Run: [AdobeBridge] Orphan key
O4 - HKCU\..\Run: [OfficeSyncProcess] . (.Microsoft Corporation - Microsoft Office Document Cache.) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.exe
O4 - HKCU\..\Run: [10] \B C:\Users\mohamed\AppData\Local\Temp\10.vbs (.not file.)
O4 - HKCU\..\Run: [hdirfbsher] \B C:\Users\mohamed\AppData\Roaming\hdirfbsher.vbs (.not file.)
O4 - HKCU\..\Run: [DrvUpdater] . (.No owner - DRP Su Updater.) -- C:\Users\mohamed\AppData\Roaming\DRPSu\DrvUpdater.exe
O4 - HKCU\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKCU\..\Run: [GoogleChromeAutoLaunch_7A6EBF4BA7D929234BE70C030E59A016] . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - HKCU\..\Run: [OffersWizard update] . (...) -- C:\Users\mohamed\AppData\Local\{28562B5A-C1BF-474C-AF61-E0DBF96ADFF8}\OffersWizard.exe =>PUP.OffersWizard
O4 - HKLM\..\Wow6432Node\Run: [SwitchBoard] . (.Adobe Systems Incorporated - SwitchBoard Server (32 bit).) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Wow6432Node\Run: [AdobeCS6ServiceManager] . (.Adobe Systems Incorporated - Adobe CS6 Service Manager.) -- C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe
O4 - HKLM\..\Wow6432Node\Run: [QuickTime Task] . (.Apple Inc. - QuickTime Task.) -- C:\Program Files (x86)\QuickTime\QTTask.exe
O4 - HKLM\..\Wow6432Node\Run: [PWRISOVM.EXE] . (.Power Software Ltd - PowerISO Virtual Drive Manager.) -- C:\Program Files (x86)\PowerISO\PWRISOVM.exe
O4 - HKLM\..\Wow6432Node\Run: [AvastUI.exe] . (.AVAST Software - avast! Antivirus.) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
O4 - HKLM\..\Wow6432Node\Run: [HSPALauncher] . (.No owner - HSDPALauncher MFC Application.) -- C:\Program Files (x86)\HSPA USB Modem\HSPALauncher.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [AdobeBridge] Orphan key
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [OfficeSyncProcess] . (.Microsoft Corporation - Microsoft Office Document Cache.) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.exe
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [10] \B C:\Users\mohamed\AppData\Local\Temp\10.vbs (.not file.)
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [hdirfbsher] \B C:\Users\mohamed\AppData\Roaming\hdirfbsher.vbs (.not file.)
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [DrvUpdater] . (.No owner - DRP Su Updater.) -- C:\Users\mohamed\AppData\Roaming\DRPSu\DrvUpdater.exe
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [GoogleChromeAutoLaunch_7A6EBF4BA7D929234BE70C030E59A016] . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - HKUS\S-1-5-21-2222444504-2789985141-4047501201-1000\..\Run: [OffersWizard update] . (...) -- C:\Users\mohamed\AppData\Local\{28562B5A-C1BF-474C-AF61-E0DBF96ADFF8}\OffersWizard.exe =>PUP.OffersWizard
~ Application: Scanned in 02mn AMs



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Se&nd to OneNote [64Bits] - {2670000A-7350-4f3c-8081-5663EE0C6C49} -- C:\Program Files (x86)\MICROS~2\Office14\ONBttnIE.dll (.not file.)
O9 - Extra button: OneNote Lin&ked Notes [64Bits] - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} -- C:\Program Files (x86)\MICROS~2\Office14\ONBTTN~1.dll (.not file.)
~ IE Extra Buttons: Scanned in 00mn AMs



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F1B0645-7D25-4C72-8A78-0AE93642EB68}: DhcpNameServer = 192.168.0.203 192.168.0.201 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE6BF40C-82F9-4035-864B-1752BE5B0824}: DhcpNameServer = 192.168.1.1 0.0.0.0
O17 - HKLM\System\CS1\Services\Tcpip\..\{7F1B0645-7D25-4C72-8A78-0AE93642EB68}: DhcpNameServer = 192.168.0.203 192.168.0.201 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{CE6BF40C-82F9-4035-864B-1752BE5B0824}: DhcpNameServer = 192.168.1.1 0.0.0.0
O17 - HKLM\System\CS2\Services\Tcpip\..\{7F1B0645-7D25-4C72-8A78-0AE93642EB68}: DhcpNameServer = 192.168.0.203 192.168.0.201 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{CE6BF40C-82F9-4035-864B-1752BE5B0824}: DhcpNameServer = 192.168.1.1 0.0.0.0
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 0.0.0.0
~ Domain: Scanned in 00mn AMs



---\\ Extra protocols (O18)
O18 - Handler: vbscript [64Bits] - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} . (.Microsoft Corporation - Microsoft (R) HTML Viewer.) -- C:\Windows\System32\mshtml.dll
O18 - Filter: text/xml [64Bits] - {807573E5-5146-11D5-A672-00B0D022E945} . (.Microsoft Corporation - Microsoft Office XML MIME Filter.) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.dll =>.Microsoft Corporation
~ Protocole Additionnel: Scanned in 00mn AMs



---\\ Non Microsoft non disabled Windows XP/NT/2000 Services (O23)
O23 - Service: globalUpdate Update Service (globalUpdate) (globalUpdate) . (.globalUpdate - globalUpdate Update.) - C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe =>PUP.GlobalUpdate
~ Services: 7 Legitimates Filtered in 04mn AMs



---\\ Task Planned Automatically (039)
[MD5.A8EF3F9FFC3AAA1E2C8701363A0D0B84] [APT] [AmiUpdXp] (...) -- C:\Users\mohamed\AppData\Local\14005\Updater.exe [1841152] =>PUP.Software.Updater
[MD5.877759FE37E2EED150C792006B342BC3] [APT] [BYAIAMUF] (.Cinema PlusV16.03.) -- C:\Users\mohamed\AppData\Roaming\BYAIAMUF.exe [2035200] =>PUP.CrossRider
[MD5.B23B61AF1349EAB73480714042C21518] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6.exe [1408512] =>PUP.CrossRider
[MD5.1B3B0B7E6E8E4E8122A885C5ED460360] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7.exe [1127424] =>PUP.CrossRider
[MD5.F8C3B8761686BCBC80ACDB6A5317702B] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10.exe [1480192] =>PUP.CrossRider
[MD5.877759FE37E2EED150C792006B342BC3] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-11] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11.exe [2035200] =>PUP.CrossRider
[MD5.877759FE37E2EED150C792006B342BC3] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-3] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3.exe [2035200] =>PUP.CrossRider
[MD5.1C7FF4BFACDDD04E3504DCB1BA5987ED] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-4] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4.exe [1380352] =>PUP.CrossRider
[MD5.3D5758641084D02C8EA0308945D8CF20] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-5] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5.exe [1190400] =>PUP.CrossRider
[MD5.3D5758641084D02C8EA0308945D8CF20] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5.exe [1190400] =>PUP.CrossRider
[MD5.BA093B0EFDC06A2029E61123F8772AFA] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-6] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6.exe [1474560] =>PUP.CrossRider
[MD5.1B3B0B7E6E8E4E8122A885C5ED460360] [APT] [e653cf25-f107-4cbe-b8d1-5dadaea354f2-7] (.Cinema PlusV16.03.) -- C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7.exe [1127424] =>PUP.CrossRider
[MD5.1C7FF4BFACDDD04E3504DCB1BA5987ED] [APT] [GNOK] (.Cinema PlusV16.03.) -- C:\Users\mohamed\AppData\Roaming\GNOK.exe [1380352] =>PUP.CrossRider
O39 - APT: AmiUpdXp - (...) -- C:\Windows\Tasks\AmiUpdXp.job [376] =>PUP.Software.Updater
O39 - APT: AmiUpdXp - (...) -- C:\Windows\System32\Tasks\AmiUpdXp [376] =>PUP.Software.Updater
O39 - APT: BYAIAMUF - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\BYAIAMUF.job [1694] =>PUP.CrossRider
O39 - APT: BYAIAMUF - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\BYAIAMUF [1694] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6.job [3136] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6 [3136] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7.job [3472] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7 [3472] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user.job [2110] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user [2110] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-11 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11.job [5182] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-11 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11 [5182] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-3 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3.job [4492] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-3 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3 [4492] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-4 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4.job [4492] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-4 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4 [4492] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-5 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5.job [2444] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-5 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5 [2444] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user.job [2444] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user [2444] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-6 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6.job [5516] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-6 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6 [5516] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-7 - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7.job [5516] =>PUP.CrossRider
O39 - APT: e653cf25-f107-4cbe-b8d1-5dadaea354f2-7 - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7 [5516] =>PUP.CrossRider
O39 - APT: - (..) -- C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job [974] =>PUP.GlobalUpdate
O39 - APT: - (..) -- C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineCore [974] =>PUP.GlobalUpdate
O39 - APT: - (..) -- C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job [978] =>PUP.GlobalUpdate
O39 - APT: - (..) -- C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineUA [978] =>PUP.GlobalUpdate
O39 - APT: GNOK - (.Cinema PlusV16.03.) -- C:\Windows\Tasks\GNOK.job [1342] =>PUP.CrossRider
O39 - APT: GNOK - (.Cinema PlusV16.03.) -- C:\Windows\System32\Tasks\GNOK [1342] =>PUP.CrossRider
O39 - APT: - (..) -- C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore [894]
O39 - APT: - (..) -- C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA [898]
~ Scheduled Task: 54 Legitimates Filtered in 03mn AMs



---\\ Software installed (O42)
O42 - Logiciel: Bubble Comp - (.Image Follow corp.) [HKCU][64Bits] -- {9563BC59-9556-4805-8CD4-886781779D8D}
O42 - Logiciel: CinemaP-1.9cV16.03 - (.Cinema PlusV16.03.) [HKLM][64Bits] -- CinemaP-1.9cV16.03 =>PUP.CrossRider
O42 - Logiciel: OffersWizard - (...) [HKCU][64Bits] -- OffersWizard =>PUP.OffersWizard
O42 - Logiciel: Ooredoo N'ternet - (.Nom de votre société.) [HKLM][64Bits] -- InstallShield_{E9AD7C62-C507-49BA-91AC-1A2D0F86A913}
O42 - Logiciel: Ooredoo N'ternet - (.Nom de votre société.) [HKLM][64Bits] -- {E9AD7C62-C507-49BA-91AC-1A2D0F86A913}
~ Logic: 24 Legitimates Filtered in 00mn AMs



---\\ HKCU & HKLM Software Keys
[HKCU\Software\B65BAAD6]
[HKCU\Software\BYAIAMUF]
[HKCU\Software\CinemaP-1.9cV16.03-nv-ie] =>PUP.CrossRider
[HKCU\Software\CinemaP-1.9cV16.03-nv] =>PUP.CrossRider
[HKCU\Software\CinemaP-1.9cV16.03] =>PUP.CrossRider
[HKCU\Software\GNOK]
[HKCU\Software\InstallPath]
[HKCU\Software\InstalledBrowserExtensions] =>PUP.BrowserExtensions
[HKCU\Software\hdirfbsher]
[HKLM\Software\InstalledBrowserExtensions] =>PUP.BrowserExtensions
[HKLM\Software\Wow6432Node\9fddca14-7398-4f40-af19-aab4d29a68ef] =>PUP.CrossRider
[HKLM\Software\Wow6432Node\BabylonToolbar] =>PUP.Babylon
[HKLM\Software\Wow6432Node\Babylon] =>PUP.Babylon
[HKLM\Software\Wow6432Node\CinemaP-1.9cV16.03-nv-ie] =>PUP.CrossRider
[HKLM\Software\Wow6432Node\CinemaP-1.9cV16.03-nv] =>PUP.CrossRider
[HKLM\Software\Wow6432Node\InstalledBrowserExtensions] =>PUP.BrowserExtensions
~ Key Software: 233 Legitimates Filtered in 00mn AMs



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 7/30/2015 - 9:48:16 PM - [] ----D C:\Program Files (x86)\69dc8177-a574-4dff-8461-b3267b078dcf
O43 - CFD: 7/30/2015 - 9:53:17 PM - [] ----D C:\Program Files (x86)\CinemaP-1.9cV16.03 =>PUP.CrossRider
O43 - CFD: 7/31/2015 - 4:04:11 PM - [] ----D C:\Program Files (x86)\Common Files\AV
O43 - CFD: 3/31/2015 - 5:32:03 PM - [0] ----D C:\ProgramData\Babylon =>PUP.Babylon
O43 - CFD: 7/7/2014 - 5:09:28 PM - [] ----D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ooredoo N'ternet
O43 - CFD: 4/12/2011 - 9:28:08 AM - [0] R-H-D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC
O43 - CFD: 3/31/2015 - 5:32:03 PM - [] ----D C:\Users\mohamed\AppData\Roaming\Babylon =>PUP.Babylon
O43 - CFD: 7/30/2015 - 9:50:10 PM - [] ----D C:\Users\mohamed\AppData\Local\14005
O43 - CFD: 3/31/2015 - 5:32:05 PM - [] ----D C:\Users\mohamed\AppData\Local\Babylon =>PUP.Babylon
O43 - CFD: 7/30/2015 - 9:52:55 PM - [] ----D C:\Users\mohamed\AppData\Local\Bubble Comp
O43 - CFD: 8/7/2015 - 2:30:55 PM - [] ----D C:\Users\mohamed\AppData\Local\{28562B5A-C1BF-474C-AF61-E0DBF96ADFF8}
O43 - CFD: 8/5/2015 - 10:20:04 PM - [] ----D C:\Users\mohamed\AppData\Local\{A72B98D1-99CF-4602-A88E-BD21535FB1BE}
~ Program Folder: 160 Legitimates Filtered in 00mn AMs



---\\ Operations and functions at Windows Explorer startup (O46)
O46 - SEH:ShellExecuteHooks - Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O46 - SEH:ShellExecuteHooks - Groove GFS Stub Execution Hook [64Bits] - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
~ ShellExecuteHooks: Scanned in 00mn AMs



---\\ MountPoints2 Shell Key (MPSK) (O51)
O51 - MPSK:{1121cbce-feda-11e3-8514-806e6f6e6963}\AutoRun\command. (...) -- E:\DriverPackSolution.exe (.not file.)
O51 - MPSK:{11af76f7-ff08-11e3-841c-806e6f6e6963}\AutoRun\command. (...) -- E:\DriverPackSolution.exe (.not file.)
O51 - MPSK:{51f42d60-00f2-11e4-9b56-544249f55696}\AutoRun\command. (...) -- F:\autorun.exe (.not file.)
O51 - MPSK:{51f42d72-00f2-11e4-9b56-544249f55696}\AutoRun\command. (...) -- F:\autorun.exe (.not file.)
O51 - MPSK:{bb8fa26e-05f0-11e4-a40b-544249f55696}\AutoRun\command. (...) -- G:\autorun.exe (.not file.)
~ Keys: Scanned in 00mn AMs



---\\ Trojan Driver Search Data (HKLM)(TDSD) (O52)
O52 - TDSD: \Drivers32\"VIDC.MLCY"="mlc.dll" . (...) -- C:\Windows\System32\mlc.dll
O52 - TDSD: \Drivers32\"VIDC.ULRA"="C:\Windows\system32\utv_vcm.dll" . (...) -- C:\Windows\system32\utv_vcm.dll
O52 - TDSD: \Drivers32\"VIDC.ULRG"="C:\Windows\system32\utv_vcm.dll" . (...) -- C:\Windows\system32\utv_vcm.dll
O52 - TDSD: \Drivers32\"VIDC.ULY0"="C:\Windows\system32\utv_vcm.dll" . (...) -- C:\Windows\system32\utv_vcm.dll
O52 - TDSD: \Drivers32\"VIDC.ULY2"="C:\Windows\system32\utv_vcm.dll" . (...) -- C:\Windows\system32\utv_vcm.dll
O52 - TDSD: \Drivers32\"VIDC.VP80"="vp8vfw.dll" . (.Optima SC Inc. - Google VP8 VFW Video Codec.) -- C:\Windows\System32\vp8vfw.dll
O52 - TDSD: \drivers.desc\"mlc.dll"="MLC Lossless Codec" . (...) -- C:\Windows\System32\mlc.dll
O52 - TDSD: \drivers.desc\"vp8vfw.dll"="VP8 Video Codec" . (.Optima SC Inc. - Google VP8 VFW Video Codec.) -- C:\Windows\System32\vp8vfw.dll
~ TDSD: 19 Legitimates Filtered in 00mn AMs



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
~ MWPS: 16 Legitimates Filtered in 00mn AMs



---\\ Microsoft Windows Policies Explorer (MWPE) (O56)
O56 - MWPE:[HKLM\...\policies\Explorer] - "NoActiveDesktopChanges"=1
~ MWPE Keys: 3 Legitimates Filtered in 00mn AMs



---\\ System Drivers List (SDL) (O58)
O58 - SDL:7/6/2014 - 6:16:49 AM ---A- . (...) -- C:\Windows\System32\Drivers\aswHwid.sys [29208] =>.ALWIL Software
O58 - SDL:1/28/2010 - 8:54:45 PM ---A- . (.ALWIL Software - avast! TDI RDR Driver.) -- C:\Windows\System32\Drivers\aswRdr.sys [28752]
O58 - SDL:7/6/2014 - 6:16:49 AM ---A- . (...) -- C:\Windows\System32\Drivers\aswRvrt.sys [65776] =>.ALWIL Software
O58 - SDL:7/6/2014 - 6:16:49 AM ---A- . (...) -- C:\Windows\System32\Drivers\aswVmm.sys [224896] =>.ALWIL Software
O58 - SDL:6/29/2013 - 3:10:58 PM ---A- . (.Mobile Connector - USB/Serial Device Driver.) -- C:\Windows\System32\Drivers\cmusbser.sys [118144]
O58 - SDL:7/14/2009 - 1:47:48 AM ---A- . (.Emulex - Storport Miniport Driver for LightPulse HBAs.) -- C:\Windows\System32\Drivers\elxstor.sys [530496]
O58 - SDL:6/10/2009 - 8:31:59 PM ---A- . (.Hauppauge Computer Works, Inc. - Hauppauge WinTV 885 Consumer IR Driver for eHome.) -- C:\Windows\System32\Drivers\hcw85cir.sys [31232]
O58 - SDL:6/1/2011 - 11:22:00 AM ---A- . (.REDC - RICOH MS Driver.) -- C:\Windows\System32\Drivers\rimspe64.sys [73216]
O58 - SDL:10/28/2009 - 4:54:00 PM ---A- . (.REDC - RICOH SD/MMC Driver.) -- C:\Windows\System32\Drivers\risdpe64.sys [79360]
O58 - SDL:7/14/2009 - 1:45:55 AM ---A- . (.Promise Technology - Promise SuperTrak EX Series Driver for Windows.) -- C:\Windows\System32\Drivers\stexstor.sys [24656]
~ Drivers: 70 Legitimates Filtered in 01mn AMs



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2015 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
~ ADS: Scanned in 00mn AMs



---\\ List all legacy services(LALS) (O64)
O64 - Services: CurCS - 7/6/2014 - C:\Windows\system32\drivers\aswHwid.sys (aswHwid) .(...) - LEGACY_ASWHWID
~ Legacy: 81 Legitimates Filtered in 00mn AMs



---\\ File Associations Shell Spawning (O67)
O67 - Shell Spawning: <.html> [HKCU\..\open\Command] (...) -- C:\Program Files (x86)\Opera\Launcher.exe
~ FASS Keys: 11 Legitimates Filtered in 00mn AMs



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Mozilla Corporation - Firefox.) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: [HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn AMs



---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: prefs.js [mohamed - 1gaprq4q.default] user_pref("extensions.crossrider.bic", "14ee4436f794a7b6062f83e42bdc1cab"); =>PUP.CrossRider
O69 - SBI: SearchScopes [HKCU] {0633EE93-D776-472f-A0FF-E1416B8B2E3A} - (Bing) - http://www.bing.com
O69 - SBI: SearchScopes [HKCU] {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} [DefaultScope] - (Search the web (Babylon)) - http://search.babylon.com =>PUP.Babylon
O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} - (Google) - http://www.google.com
~ Keys: Scanned in 00mn AMs



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.877759FE37E2EED150C792006B342BC3] [SPRF][7/30/2015] (.Cinema PlusV16.03 - CinemaP-1.9cV16.03 exe.) -- C:\Users\mohamed\AppData\Roaming\BYAIAMUF.exe [2035200] =>PUP.CrossRider
[MD5.1C7FF4BFACDDD04E3504DCB1BA5987ED] [SPRF][7/30/2015] (.Cinema PlusV16.03 - CinemaP-1.9cV16.03 exe.) -- C:\Users\mohamed\AppData\Roaming\GNOK.exe [1380352] =>PUP.CrossRider
[MD5.FB9DA1DD951232244203558A96E8FF66] [SPRF][2/7/2013] (.No owner - AntiDust Tool.) -- C:\Program Files (x86)\AntiDust.exe [50330]
~ Files: 3 Legitimates Filtered in 00mn AMs



---\\ Search Tracing Registry Key (O100)
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\OffersWizard_RASAPI32 =>PUP.OffersWizard
HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\OffersWizard_RASMANCS =>PUP.OffersWizard
~ BTK: 194 Legitimates Filtered in 00mn AMs



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SS - | Auto 7/30/2015 68608 | (globalUpdate) . (.globalUpdate.) - C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe =>PUP.GlobalUpdate
SS - | Demand 7/30/2015 68608 | (globalUpdatem) . (.globalUpdate.) - C:\Program Files (x86)\globalUpdate\Update\GoogleUpdate.exe =>PUP.GlobalUpdate
SS - | Auto 7/6/2014 116648 | (gupdate) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 7/6/2014 116648 | (gupdatem) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 7/6/2014 194032 | (gusvc) . (.Google.) - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
SS - | Demand 7/31/2015 148136 | (MozillaMaintenance) . (.Mozilla Foundation.) - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
SS - | Demand 3/5/2010 340240 | (MyWiFiDHCPDNS) . (...) - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
SS - | Demand 2/19/2010 517096 | (SwitchBoard) . (.Adobe Systems Incorporated.) - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
SS - | Demand 7/22/1658 0 | (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe =>.Microsoft Corporation
SR - | Auto 7/7/2015 82128 | (AdobeARMservice) . (.Adobe Systems Incorporated.) - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
SR - | Auto 12/19/2012 240640 | (AMD External Events Utility) . (.AMD.) - C:\Windows\System32\atiesrxx.exe
SR - | Auto 7/6/2014 50344 | (avast! Antivirus) . (.AVAST Software.) - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
SR - | Auto 3/5/2010 1425168 | (EvtEng) . (.Intel(R) Corporation.) - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
SR - | Auto 3/5/2010 831760 | (RegSrvc) . (.Intel(R) Corporation.) - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
SR - | Auto 7/14/2009 27136 | C:\Program Files (x86)\Windows Defender\mpsvc.dll (WinDefend) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
SR - | Auto 7/14/2009 27136 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
~ Services: Scanned in 13mn AMs



---\\ Scan Additionnel (O88)
Database Version : 13008 - (5/31/2015)
Clés trouvées (Keys found) : 15
Valeurs trouvées (Values found) : 1
Dossiers trouvés (Folders found) : 4
Fichiers trouvés (Files found) : 50

[HKLM\SYSTEM\CurrentControlSet\Services\globalUpdate) (globalUpdate] =>PUP.GlobalUpdate^
[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CinemaP-1.9cV16.03] =>PUP.CrossRider^
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\OffersWizard] =>PUP.OffersWizard^
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ecdf796-c2dc-4d79-a620-cce0c0a66cc9}] =>PUP.Babylon
[HKLM\Software\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}] =>Toolbar.Ask
[HKLM\Software\Classes\protector_dll.protectorbho.1] =>PUP.BProtector
[HKLM\Software\Classes\Prod.cap] =>PUP.ClaroSearch
[HKLM\Software\Classes\protector_dll.protectorbho] =>PUP.BProtector
[HKLM\Software\Wow6432Node\BabylonToolbar] =>PUP.Babylon
[HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}] =>PUP.Software.Updater
[HKCU\Software\AppDataLow\Software\Crossrider] =>PUP.CrossRider
[HKCU\Software\InstalledBrowserExtensions\] =>PUP.CrossRider
[HKCU\Software\InstalledBrowserExtensions] =>PUP.CrossRider
[HKLM\Software\InstalledBrowserExtensions] =>PUP.CrossRider
[HKLM\Software\Wow6432Node\InstalledBrowserExtensions] =>PUP.CrossRider
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]:OffersWizard update =>PUP.OffersWizard^
C:\Program Files (x86)\CinemaP-1.9cV16.03 =>PUP.CrossRider^
C:\ProgramData\Babylon =>PUP.Babylon^
C:\Users\mohamed\AppData\Roaming\Babylon =>PUP.Babylon^
C:\Users\mohamed\AppData\Local\Babylon =>PUP.Babylon^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10.exe =>PUP.CrossRider^
C:\Users\mohamed\AppData\Local\{A72B98D1-99CF-4602-A88E-BD21535FB1BE}\OffersWizard.exe =>PUP.OffersWizard^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6.exe =>PUP.CrossRider^
C:\Users\mohamed\AppData\Local\14005\Updater.exe =>PUP.Software.Updater^
C:\Users\mohamed\AppData\Roaming\BYAIAMUF.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5.exe =>PUP.CrossRider^
C:\Program Files (x86)\CinemaP-1.9cV16.03\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7.exe =>PUP.CrossRider^
C:\Users\mohamed\AppData\Roaming\GNOK.exe =>PUP.CrossRider^
C:\Windows\Tasks\AmiUpdXp.job =>PUP.Software.Updater^
C:\Windows\System32\Tasks\AmiUpdXp =>PUP.Software.Updater^
C:\Windows\Tasks\BYAIAMUF.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\BYAIAMUF =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-6 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-1-7 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-10_user =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-11 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-3 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-4 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-5_user =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-6 =>PUP.CrossRider^
C:\Windows\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\e653cf25-f107-4cbe-b8d1-5dadaea354f2-7 =>PUP.CrossRider^
C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job =>PUP.GlobalUpdate^
C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineCore =>PUP.GlobalUpdate^
C:\Windows\Tasks\globalUpdateUpdateTaskMachineUA.job =>PUP.GlobalUpdate^
C:\Windows\System32\Tasks\globalUpdateUpdateTaskMachineUA =>PUP.GlobalUpdate^
C:\Windows\Tasks\GNOK.job =>PUP.CrossRider^
C:\Windows\System32\Tasks\GNOK =>PUP.CrossRider^
[HKCU\Software\CinemaP-1.9cV16.03-nv-ie] =>PUP.CrossRider^
[HKCU\Software\CinemaP-1.9cV16.03-nv] =>PUP.CrossRider^
[HKCU\Software\CinemaP-1.9cV16.03] =>PUP.CrossRider^
[HKLM\Software\Wow6432Node\9fddca14-7398-4f40-af19-aab4d29a68ef] =>PUP.CrossRider^
[HKLM\Software\Wow6432Node\Babylon] =>PUP.Babylon^
[HKLM\Software\Wow6432Node\CinemaP-1.9cV16.03-nv-ie] =>PUP.CrossRider^
[HKLM\Software\Wow6432Node\CinemaP-1.9cV16.03-nv] =>PUP.CrossRider^
~ Additionnel Scan: 310672 Items scanned in 28mn AMs



---\\ Additional information about modules
~ http://nicolascoolman.fr/r5-internet-explorer-proxy-management-iepm/ =>.Internet Explorer, Proxy Management (R5)
~ http://nicolascoolman.fr/o3-internet-explorer-toolbars/ =>.Internet Explorer toolbars (O3)
~ http://nicolascoolman.fr/o4-applications-demarrees-par-le-registre/ =>.Auto loading programs from Registry and folders (O4)
~ http://nicolascoolman.fr/o51-mountpoints2-shell-key-mpsk/ =>.MountPoints2 Shell Key (MPSK) (O51)
~ AMI: 4 Legitimates Filtered in 00mn AMs



---\\ Summary of the detections found on your workstation
http://nicolascoolman.fr/pup-crossrider =>PUP.CrossRider
http://www.nicolascoolman.fr/blog/ =>PUP.OffersWizard
http://nicolascoolman.fr/pup-babylon =>PUP.Babylon
http://nicolascoolman.fr/pup-globalupdate =>PUP.GlobalUpdate
http://nicolascoolman.fr/pup-software-updater =>PUP.Software.Updater
http://www.nicolascoolman.fr/blog/ =>PUP.BrowserExtensions
http://nicolascoolman.fr/toolbar-ask =>Toolbar.Ask
http://nicolascoolman.fr/pup-bprotector =>PUP.BProtector
http://nicolascoolman.fr/pup-clarosearch =>PUP.ClaroSearch
~ MSI: 9 link(s) detected in 00mn AMs



~ 780 Legitimates filtered by white list
End of the scan (588 lines in 21mn AMs)(0.8)