Infected by something but I dont know what [Closed]



#1
Sangoino
Member, 40 posts
Hello, I think my router is infected.

Sometimes the PC works on its own when I am not on it.

I think the virus uses my router because my router is strange....

Can you help me with making a full scan of the PC, please?

I don't know if it's a boot virus, MBR virus or system virus, but I am sure I am infected.

Thank you

Edited by Sangoino, 22 May 2013 - 02:03 AM.



#2
maliprog
Trusted Helper, Malware Removal, 6,172 posts
Hello Sangoino and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start, please read my notes carefully:

NOTES:
  • Malware removal is NOT instantaneous; most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean.
  • Kindly follow my instructions in the order posted. Order is crucial in the cleaning process.
  • Please DO NOT run any scans or fixes on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or that isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you to. Instead, please copy and paste the log to include it in your reply.
  • You must reply within 3 days or your topic will be closed.

Let's try to find out whether there is malware or not...

Step 1

Download OTL to your Desktop

  • Double-click on the icon to run it (if running Vista or Windows 7, right-click on it and select "Run as Administrator"). Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan/Fixes box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them here for me.

Step 2

Download GMER from here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 3

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post using the "Add Reply" button.
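Added example (not part of the original thread, and not code from OTL or from maliprog): a small Python script that applies, over lines in the format OTL writes, the checks a malware-removal helper applies by eye when reading a log like the one posted next: driver/service entries whose file is missing, entries with no publisher recorded, the Winlogon Shell and Userinit values, HOSTS entries that point somewhere other than loopback, the DisableCMD policy, static DNS servers configured on an interface, and folders such as C:\RECYCLER or a literal %APPDATA% directory under System32 that have no business being there. Most sample lines are copied from the log below; the 203.0.113.5 HOSTS entry and the Userinit value ending in C:\Users\Public\loader.exe are constructed so the hijack checks have something to match, and the expected Winlogon defaults and the "odd path" list are my assumptions for a Windows 7 machine. The script does not declare anything malware; it lists what to verify.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the format OTL emits. Most lines are copied from the log
# posted in this thread; the 203.0.113.5 HOSTS line and the Userinit value that
# ends in C:\Users\Public\loader.exe are made up (203.0.113.0/24 is a
# documentation range) so the hijack checks below have something to fire on.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | Boot | Unknown] -- system32\drivers\Partizan.sys -- (Partizan)
DRV - [2010/07/04 21:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 203.0.113.5 www.update.microsoft.com
O1 - Hosts: 15355 more lines...
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05E5033F-09AF-4A16-97BD-82EECDE53A60}: NameServer = 109.0.66.10,109.0.66.20
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe,C:\Users\Public\loader.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
[2013/05/11 22:33:13 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2013/05/11 18:43:19 | 000,000,000 | -HSD | C] -- C:\RECYCLER
"""

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumed Windows 7 defaults for the two Winlogon values malware most often hijacks.
# Compared case-insensitively, ignoring the trailing comma Userinit normally carries.
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe"}
# Assumed heuristic: C:\RECYCLER is the XP-era bin and a well-known worm drop point on
# Vista/7 (which use $Recycle.Bin); a literal "%APPDATA%" folder means a path was
# written without being expanded, which real installers do not do.
ODD_PATHS = (r"c:\recycler", "%appdata%")

SERVICE_RE = re.compile(r"^(DRV|SRV|PRC) - (.*?) -- (.*?)(?: -- \((.*?)\))?$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.*?)\) - ")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")


def finding(kind: str, name: str, detail: str) -> Dict[str, str]:
    return {"kind": kind, "name": name, "detail": detail}


def triage_otl(text: str) -> List[Dict[str, str]]:
    """Return one finding per OTL line a malware-removal helper would look at twice."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _, meta, path, name = m.groups()
            if meta.startswith("File not found"):
                # Registry still points at a driver/service whose file is gone: leftover
                # of an uninstalled tool or of removed malware; dead weight either way.
                findings.append(finding("orphaned_entry", name or path, path))
            elif "] ()" in meta:
                # Empty company field: OTL found no publisher in the file's version info.
                findings.append(finding("no_company", name or path, path))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).lower().rstrip(",")
            expected = EXPECTED_WINLOGON.get(key)
            if expected is not None and value != expected:
                findings.append(finding("winlogon_hijack", key, value))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # Thousands of loopback entries is what a blocklist looks like (Spybot
            # immunization, MVPS hosts); a hijack maps real hosts to a non-loopback IP.
            if ip not in LOOPBACK:
                findings.append(finding("hosts_redirect", host, ip))
            continue
        if line.startswith("O7 - ") and "DisableCMD = 1" in line:
            # cmd.exe disabled by policy: set by some malware, sometimes by admins.
            findings.append(finding("policy_restriction", "DisableCMD", line))
        elif line.startswith("O17 - ") and ": NameServer = " in line:
            # Static DNS on an interface overrides DHCP; confirm it belongs to the ISP.
            findings.append(finding("dns_override", "NameServer", line.split(": NameServer = ", 1)[1]))
        elif line.startswith("[") and " -- " in line:
            path = line.split(" -- ", 1)[1]
            if any(p in path.lower() for p in ODD_PATHS):
                findings.append(finding("odd_path", path.rsplit("\\", 1)[-1], path))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a first read of a long log."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL):
        print(f"{f['kind']:<18} {f['name']:<26} {f['detail']}")
    print(summarize(triage_otl(SAMPLE_OTL)))
```

Run it as-is to print the findings for the sample; to use it on a real log, pass the whole OTL.Txt to triage_otl(). A finding is a prompt to check, not a verdict: the two orphaned drivers in the log below (Partizan, cpuz134) are consistent with tools that were installed and removed (Partizan is the boot-time driver shipped with Greatis Software's RegRun/UnHackMe, which the log shows installed; cpuz134 is CPU-Z's driver), and a HOSTS file of some 15,000 loopback entries is what Spybot's immunization leaves behind, not a redirect.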

#3
Sangoino
Topic Starter, Member, 40 posts
OTL logfile created on: 16/05/2013 11:16:54 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\michel\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 0000040c | Country: France | Language: FRA | Date Format: dd/MM/yyyy

959,55 Mb Total Physical Memory | 237,76 Mb Available Physical Memory | 24,78% Memory free
1,94 Gb Paging File | 0,83 Gb Available in Paging File | 43,10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 152,57 Gb Total Space | 120,86 Gb Free Space | 79,22% Space Free | Partition Type: NTFS
Drive D: | 705,53 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: MICHEL-PC | User Name: michel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/05/16 11:15:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\michel\Desktop\OTL.exe
PRC - [2013/05/11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/04/19 11:18:42 | 000,595,216 | ---- | M] (Greatis Software) -- C:\Program Files\UnHackMe\hackmon.exe
PRC - [2013/04/10 08:56:41 | 000,920,472 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/12/24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe
PRC - [2012/11/23 04:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2011/02/25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2013/04/10 08:56:55 | 003,133,336 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/05/30 08:51:08 | 000,699,280 | R--- | M] () -- C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\20.3.1.22\wincfi39.dll


========== Services (SafeList) ==========

SRV - [2013/05/11 12:37:26 | 000,065,640 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/05/01 07:43:04 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2013/05/01 07:40:14 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/02/28 18:45:16 | 000,161,384 | R--- | M] (Skype Technologies) [Disabled | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/02/19 21:32:08 | 001,259,296 | ---- | M] (NVIDIA Corporation) [Disabled | Stopped] -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012/12/24 05:33:29 | 000,144,520 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe -- (NIS)
SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Unknown] -- system32\drivers\Partizan.sys -- (Partizan)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\michel\AppData\Local\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - [2013/05/21 15:34:38 | 000,386,720 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\IPSDefs\20130521.001\IDSvix86.sys -- (IDSVix86)
DRV - [2013/05/21 11:43:50 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2013/05/21 11:43:50 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Unknown] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11220.sys -- (EraserUtilDrv11220)
DRV - [2013/05/16 05:26:43 | 001,611,992 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20130521.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/05/16 05:26:43 | 000,093,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\VirusDefs\20130521.032\NAVENG.SYS -- (NAVENG)
DRV - [2013/05/16 04:31:14 | 000,142,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2013/05/16 03:55:12 | 000,039,936 | ---- | M] (CurioLab S.M.B.A.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\extit.sys -- (ExterminateIt)
DRV - [2013/05/15 01:00:30 | 001,000,024 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\Definitions\BASHDefs\20130515.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2013/05/01 09:23:22 | 004,172,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVAC.SYS -- (ALCXWDM)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2013/01/31 05:18:18 | 000,338,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\symnets.sys -- (SymNetS)
DRV - [2013/01/31 05:18:06 | 000,934,488 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\symefa.sys -- (SymEFA)
DRV - [2013/01/29 03:45:18 | 000,602,712 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\srtsp.sys -- (SRTSP)
DRV - [2013/01/29 03:45:18 | 000,032,344 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\srtspx.sys -- (SRTSPX)
DRV - [2013/01/22 04:15:32 | 000,367,704 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\symds.sys -- (SymDS)
DRV - [2012/11/16 04:22:01 | 000,175,264 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\ironx86.sys -- (SymIRON)
DRV - [2012/11/16 04:18:04 | 000,134,304 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NIS\1403010.016\ccsetx86.sys -- (ccSet_NIS)
DRV - [2010/11/20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/07/04 21:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2009/10/07 08:49:40 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC)
DRV - [2009/07/14 01:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | System | Running] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/14 00:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search bar = http://search.msn.com/spbasic.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sfr.fr
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = fr
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C4 C4 8D F1 18 46 CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = ${searchCLSID}
IE - HKCU\..\SearchScopes\${searchCLSID}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.sfr.fr/"
FF - prefs.js..extensions.enabledAddons: %7BBBDA0591-3099-440a-AA10-41764D9DB4DB%7D:11.3.0.9%20-%205
FF - prefs.js..extensions.enabledAddons: %7B2D3F3651-74B9-4795-BDEC-6DA2F431CB62%7D:2013.3.5.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:20.0.1
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/Lync,version=15.0: C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\IPSFFPlgn\ [2013/05/16 04:32:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\coFFPlgn\ [2013/05/16 07:49:11 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/05/01 05:15:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 20.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/05/14 11:11:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird

[2013/05/01 05:15:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\michel\AppData\Roaming\mozilla\Extensions
[2013/05/08 20:01:44 | 000,000,000 | ---D | M] (No name found) -- C:\Users\michel\AppData\Roaming\mozilla\Firefox\Profiles\bmxtjxky.default\extensions
[2013/05/08 20:01:44 | 000,870,680 | ---- | M] () (No name found) -- C:\Users\michel\AppData\Roaming\mozilla\firefox\profiles\bmxtjxky.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/05/16 05:21:21 | 000,002,482 | ---- | M] () -- C:\Users\michel\AppData\Roaming\mozilla\firefox\profiles\bmxtjxky.default\searchplugins\safesearch.xml
[2013/05/01 05:15:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\mozilla firefox\extensions
[2013/05/16 07:49:11 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\COFFPLGN
[2013/05/16 04:32:01 | 000,000,000 | ---D | M] (Norton Vulnerability Protection) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.0.36\IPSFFPLGN
[2013/04/10 08:57:39 | 000,263,064 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2013/01/11 03:05:40 | 000,033,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll
[2013/04/10 10:02:39 | 000,001,609 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-france.xml
[2013/04/10 10:02:39 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2013/04/10 10:02:39 | 000,002,035 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\cnrtl-tlfi-fr.xml
[2013/04/10 10:02:39 | 000,001,472 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-france.xml
[2013/04/10 10:02:39 | 000,001,399 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-fr.xml
[2013/04/10 10:02:39 | 000,001,169 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-france.xml

O1 HOSTS File: ([2013/05/12 06:56:47 | 000,447,007 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15355 more lines...
O2 - BHO: (Lync Browser Helper) - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O2 - BHO: (Norton Identity Protection) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPath = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCMD = 1
O8 - Extra context menu item: &Envoyer à OneNote - res://C:\PROGRA~1\MICROS~2\Office15\ONBttnIE.dll/105 File not found
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office15\EXCEL.EXE/3000 File not found
O9 - Extra Button: Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Envoyer à OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Cliquer pour appeler Lync - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Cliquer pour appeler Lync - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
O9 - Extra Button: Notes &liées OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Notes &liées OneNote - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05E5033F-09AF-4A16-97BD-82EECDE53A60}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{05E5033F-09AF-4A16-97BD-82EECDE53A60}: NameServer = 109.0.66.10,109.0.66.20
O18 - Protocol\Handler\osf {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/12/13 23:04:47 | 000,000,175 | R--- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/05/16 11:15:26 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\michel\Desktop\OTL.exe
[2013/05/16 04:45:54 | 000,934,488 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\symefa.sys
[2013/05/16 04:45:54 | 000,602,712 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\srtsp.sys
[2013/05/16 04:45:54 | 000,367,704 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\symds.sys
[2013/05/16 04:45:54 | 000,338,592 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\symnets.sys
[2013/05/16 04:45:54 | 000,032,344 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\srtspx.sys
[2013/05/16 04:45:54 | 000,021,400 | R--- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\symelam.sys
[2013/05/16 04:45:53 | 000,175,264 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\ironx86.sys
[2013/05/16 04:45:53 | 000,134,304 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\NIS\1403010.016\ccsetx86.sys
[2013/05/16 04:45:28 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NIS\1403010.016
[2013/05/16 04:31:14 | 000,142,496 | ---- | C] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2013/05/16 04:31:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2013/05/16 04:31:14 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2013/05/16 04:28:37 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\NIS
[2013/05/16 04:28:31 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2013/05/16 04:28:30 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Norton Internet Security
[2013/05/16 04:28:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Norton
[2013/05/16 04:24:11 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/05/16 04:20:51 | 000,000,000 | ---D | C] -- C:\ProgramData\NortonInstaller
[2013/05/16 04:20:51 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2013/05/16 03:54:46 | 000,039,936 | ---- | C] (CurioLab S.M.B.A.) -- C:\Windows\System32\drivers\extit.sys
[2013/05/16 02:04:54 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Curiolab
[2013/05/12 10:44:23 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\AVG2013
[2013/05/12 10:42:46 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\TuneUp Software
[2013/05/12 10:40:21 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2013
[2013/05/12 10:25:17 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files
[2013/05/12 10:25:17 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\MFAData
[2013/05/12 10:25:17 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
[2013/05/12 10:25:17 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Avg2013
[2013/05/11 22:33:13 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2013/05/11 18:43:19 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/05/10 13:45:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2013/05/10 13:44:32 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2013/05/10 13:44:09 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Programs
[2013/05/09 15:28:38 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
[2013/05/09 15:28:37 | 000,000,000 | ---D | C] -- C:\Program Files\Unlocker
[2013/05/09 14:34:46 | 000,000,000 | ---D | C] -- C:\Program Files\PC Tools
[2013/05/09 14:28:31 | 000,202,280 | ---- | C] (PC Tools) -- C:\Windows\System32\drivers\PCTSD.sys
[2013/05/09 14:28:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2013/05/09 14:27:35 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2013/05/09 14:27:32 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Tools
[2013/05/09 14:27:29 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\TestApp
[2013/05/09 12:03:05 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2013/05/09 09:17:00 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Norman Malware Cleaner
[2013/05/07 14:57:30 | 000,448,512 | ---- | C] (OldTimer Tools) -- C:\Users\michel\Desktop\TFC.exe
[2013/05/07 09:20:33 | 000,000,000 | ---D | C] -- C:\Program Files\RegCleaner
[2013/05/06 22:32:11 | 000,000,000 | ---D | C] -- C:\Windows\System32\SPReview
[2013/05/06 22:30:58 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2013/05/06 15:43:19 | 000,093,696 | ---- | C] (Windows ® Codename Longhorn DDK provider) -- C:\Windows\System32\fms.dll
[2013/05/06 15:00:26 | 000,000,000 | ---D | C] -- C:\ProgramData\RegRun
[2013/05/06 15:00:01 | 000,000,000 | ---D | C] -- C:\Program Files\UnHackMe
[2013/05/06 14:30:33 | 000,000,000 | ---D | C] -- C:\Windows\System32\catroot2
[2013/05/06 14:27:47 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2013/05/06 14:27:02 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/05/06 13:35:45 | 000,181,064 | ---- | C] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/05/06 13:35:11 | 000,000,000 | ---D | C] -- C:\Program Files\Tweaking.com
[2013/05/06 07:02:12 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/05/06 06:45:02 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/05/04 11:18:30 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2013/05/03 16:34:07 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Adobe
[2013/05/03 16:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2013/05/03 16:30:18 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2013/05/02 22:49:32 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\logishrd
[2013/05/02 16:46:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\USB-set
[2013/05/02 16:46:19 | 000,000,000 | ---D | C] -- C:\ProgramData\usb-set
[2013/05/02 16:46:19 | 000,000,000 | ---D | C] -- C:\Program Files\USB-set
[2013/05/02 10:53:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
[2013/05/02 10:51:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2013/05/02 10:47:09 | 000,000,000 | ---D | C] -- C:\Windows\PCHEALTH
[2013/05/02 10:47:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft.NET
[2013/05/02 10:47:09 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft SQL Server
[2013/05/02 10:42:27 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Analysis Services
[2013/05/02 10:42:11 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Microsoft Help
[2013/05/02 10:41:37 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2013/05/02 10:41:31 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft Help
[2013/05/02 10:39:47 | 000,000,000 | R--D | C] -- C:\MSOCache
[2013/05/01 09:48:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON Scan
[2013/05/01 09:48:23 | 000,000,000 | ---D | C] -- C:\Program Files\epson
[2013/05/01 09:45:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
[2013/05/01 09:37:09 | 000,000,000 | ---D | C] -- C:\ProgramData\EPSON
[2013/05/01 09:24:41 | 000,000,000 | ---D | C] -- C:\Program Files\Realtek AC97
[2013/05/01 09:24:30 | 000,000,000 | ---D | C] -- C:\Program Files\InstallShield Installation Information
[2013/05/01 09:23:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2013/05/01 09:09:27 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Skype
[2013/05/01 09:08:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2013/05/01 09:08:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2013/05/01 09:08:57 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2013/05/01 09:08:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2013/05/01 08:21:11 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Macromedia
[2013/05/01 08:21:11 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Macromedia
[2013/05/01 08:21:11 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Adobe
[2013/05/01 07:43:07 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2013/05/01 07:40:09 | 000,000,000 | ---D | C] -- C:\Windows\System32\Macromed
[2013/05/01 07:38:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2013/05/01 05:47:59 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2013/05/01 05:33:19 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\ESET
[2013/05/01 05:33:19 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\ESET
[2013/05/01 05:31:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2013/05/01 05:31:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2013/05/01 05:28:13 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2013/05/01 05:15:48 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Mozilla
[2013/05/01 05:15:48 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Mozilla
[2013/05/01 05:15:30 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/05/01 05:14:15 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2013/05/01 05:13:28 | 000,053,024 | ---- | C] (Khronos Group) -- C:\Windows\System32\OpenCL.dll
[2013/05/01 05:12:50 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA Corporation
[2013/05/01 05:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\NVIDIA Corporation
[2013/05/01 05:11:18 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\WinPatrol
[2013/05/01 05:11:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
[2013/05/01 05:11:13 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2013/05/01 05:09:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MCShield
[2013/05/01 05:09:44 | 000,000,000 | ---D | C] -- C:\ProgramData\MCShield
[2013/05/01 05:09:44 | 000,000,000 | ---D | C] -- C:\Program Files\MCShield
[2013/05/01 04:57:56 | 000,000,000 | R--D | C] -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2013/05/01 04:57:56 | 000,000,000 | R--D | C] -- C:\Users\michel\Searches
[2013/05/01 04:57:56 | 000,000,000 | R--D | C] -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2013/05/01 04:57:56 | 000,000,000 | -H-D | C] -- C:\Users\michel\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2013/05/01 04:57:45 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Identities
[2013/05/01 04:57:44 | 000,000,000 | R--D | C] -- C:\Users\michel\Contacts
[2013/05/01 04:57:30 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\VirtualStore
[2013/05/01 04:57:27 | 000,000,000 | --SD | C] -- C:\Users\michel\Documents\Mes vidéos
[2013/05/01 04:57:27 | 000,000,000 | --SD | C] -- C:\Users\michel\Documents\Mes images
[2013/05/01 04:57:27 | 000,000,000 | --SD | C] -- C:\Users\michel\Documents\Ma musique
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Voisinage réseau
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Voisinage d'impression
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\AppData\Local\Temporary Internet Files
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\SendTo
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Recent
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Modèles
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Mes documents
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Menu Démarrer
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Local Settings
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\AppData\Local\Historique
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Cookies
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\Application Data
[2013/05/01 04:57:27 | 000,000,000 | -HSD | C] -- C:\Users\michel\AppData\Local\Application Data
[2013/05/01 04:57:21 | 000,000,000 | --SD | C] -- C:\Users\michel\AppData\Roaming\Microsoft
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Videos
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Saved Games
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Pictures
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Music
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Links
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Favorites
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Downloads
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Documents
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\Desktop
[2013/05/01 04:57:21 | 000,000,000 | R--D | C] -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2013/05/01 04:57:21 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Temp
[2013/05/01 04:57:21 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Local\Microsoft
[2013/05/01 04:57:21 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData\Roaming\Media Center Programs
[2013/05/01 04:57:21 | 000,000,000 | ---D | C] -- C:\Users\michel\AppData
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\ProgramData\Modèles
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Mes vidéos
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Mes images
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\ProgramData\Menu Démarrer
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Ma musique
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\Program Files\Fichiers communs
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\ProgramData\Favoris
[2013/05/01 04:57:13 | 000,000,000 | -HSD | C] -- C:\ProgramData\Bureau
[2013/05/01 04:57:13 | 000,000,000 | ---D | C] -- C:\Recovery
[2013/05/01 04:48:51 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2013/05/01 04:48:35 | 000,000,000 | -HSD | C] -- C:\System Volume Information

========== Files - Modified Within 30 Days ==========

[2013/05/16 11:15:50 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\michel\Desktop\OTL.exe
[2013/05/16 11:05:04 | 000,010,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/05/16 11:05:04 | 000,010,128 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/05/16 05:12:51 | 000,704,242 | ---- | M] () -- C:\Windows\System32\perfh00C.dat
[2013/05/16 05:12:51 | 000,615,810 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/05/16 05:12:51 | 000,130,548 | ---- | M] () -- C:\Windows\System32\perfc00C.dat
[2013/05/16 05:12:51 | 000,106,190 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/05/16 05:05:15 | 000,002,423 | ---- | M] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2013/05/16 05:04:38 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/05/16 05:04:28 | 754,622,464 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/16 05:04:28 | 001,432,357 | ---- | M] () -- C:\Windows\System32\drivers\NIS\1403010.016\Cat.DB
[2013/05/16 05:04:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2013/05/16 04:31:14 | 000,142,496 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\drivers\SYMEVENT.SYS
[2013/05/16 04:31:14 | 000,007,446 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2013/05/16 04:31:14 | 000,000,806 | ---- | M] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2013/05/16 03:55:12 | 000,039,936 | ---- | M] (CurioLab S.M.B.A.) -- C:\Windows\System32\drivers\extit.sys
[2013/05/13 05:25:28 | 000,000,179 | ---- | M] () -- C:\Windows\Reimage.ini
[2013/05/13 05:00:16 | 000,002,058 | ---- | M] () -- C:\Users\michel\Documents\PC Scan & Repair by Reimage.lnk
[2013/05/12 10:41:33 | 001,444,886 | ---- | M] () -- C:\Windows\System32\drivers\Cat.DB
[2013/05/12 06:56:47 | 000,447,007 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/05/12 04:17:03 | 000,000,612 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts.20130512-065647.backup
[2013/05/07 14:57:30 | 000,448,512 | ---- | M] (OldTimer Tools) -- C:\Users\michel\Desktop\TFC.exe
[2013/05/07 14:09:29 | 000,000,512 | ---- | M] () -- C:\PhysicalMBR.bin
[2013/05/06 15:00:29 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2013/05/06 15:00:29 | 000,001,688 | ---- | M] () -- C:\Windows\System32\autoexec.nt
[2013/05/06 15:00:29 | 000,000,002 | RHS- | M] () -- C:\Windows\winstart.bat
[2013/05/06 14:25:20 | 000,181,064 | ---- | M] (Sysinternals) -- C:\Windows\PSEXESVC.EXE
[2013/05/06 03:24:59 | 000,000,962 | ---- | M] () -- C:\Users\michel\Desktop\Internet Explorer.lnk
[2013/05/03 16:31:35 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/05/02 16:46:21 | 000,000,903 | ---- | M] () -- C:\Users\michel\Documents\USB-set.lnk
[2013/05/01 09:48:24 | 000,000,934 | ---- | M] () -- C:\Users\Public\Desktop\EPSON Scan.lnk
[2013/05/01 09:23:23 | 000,154,144 | ---- | M] () -- C:\Windows\System32\RTLCPAPI.dll
[2013/05/01 09:23:17 | 000,141,016 | ---- | M] () -- C:\Windows\System32\ALSNDMGR.WAV
[2013/05/01 09:08:58 | 000,002,503 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2013/05/01 06:16:49 | 000,072,822 | ---- | M] () -- C:\Windows\System32\ieuinit.inf
[2013/05/01 05:31:32 | 000,000,969 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/05/01 05:15:33 | 000,001,109 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2013/05/01 04:52:40 | 000,057,206 | ---- | M] () -- C:\Windows\System32\license.rtf
[2013/05/01 04:50:52 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf

========== Files Created - No Company Name ==========

[2013/05/16 05:03:45 | 001,432,357 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\Cat.DB
[2013/05/16 04:48:48 | 000,014,818 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\VT20130115.021
[2013/05/16 04:45:54 | 000,009,670 | R--- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symelam.cat
[2013/05/16 04:45:54 | 000,007,601 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symnet.cat
[2013/05/16 04:45:54 | 000,007,583 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symefa.cat
[2013/05/16 04:45:54 | 000,007,581 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\srtspx.cat
[2013/05/16 04:45:54 | 000,007,577 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symds.cat
[2013/05/16 04:45:54 | 000,003,434 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symefa.inf
[2013/05/16 04:45:54 | 000,002,852 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symds.inf
[2013/05/16 04:45:54 | 000,001,440 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symnet.inf
[2013/05/16 04:45:54 | 000,001,389 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\srtspx.inf
[2013/05/16 04:45:54 | 000,001,389 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\srtsp.inf
[2013/05/16 04:45:54 | 000,000,996 | R--- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\symelam.inf
[2013/05/16 04:45:53 | 000,007,611 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\ccsetx86.cat
[2013/05/16 04:45:53 | 000,007,593 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\iron.cat
[2013/05/16 04:45:53 | 000,007,577 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\srtsp.cat
[2013/05/16 04:45:53 | 000,000,827 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\ccsetx86.inf
[2013/05/16 04:45:53 | 000,000,737 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\iron.inf
[2013/05/16 04:45:28 | 000,000,172 | ---- | C] () -- C:\Windows\System32\drivers\NIS\1403010.016\isolate.ini
[2013/05/16 04:31:15 | 000,007,446 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.CAT
[2013/05/16 04:31:15 | 000,000,806 | ---- | C] () -- C:\Windows\System32\drivers\SYMEVENT.INF
[2013/05/16 04:30:45 | 000,002,423 | ---- | C] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2013/05/14 11:11:37 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2013/05/13 05:00:16 | 000,002,058 | ---- | C] () -- C:\Users\michel\Documents\PC Scan & Repair by Reimage.lnk
[2013/05/13 04:55:31 | 000,000,179 | ---- | C] () -- C:\Windows\Reimage.ini
[2013/05/09 14:28:57 | 001,444,886 | ---- | C] () -- C:\Windows\System32\drivers\Cat.DB
[2013/05/07 14:09:29 | 000,000,512 | ---- | C] () -- C:\PhysicalMBR.bin
[2013/05/06 15:47:04 | 000,146,852 | ---- | C] () -- C:\Windows\System32\systemsf.ebd
[2013/05/06 15:42:40 | 000,010,429 | ---- | C] () -- C:\Windows\System32\ScavengeSpace.xml
[2013/05/06 15:42:08 | 000,105,559 | ---- | C] () -- C:\Windows\System32\RacRules.xml
[2013/05/06 15:00:29 | 000,000,002 | RHS- | C] () -- C:\Windows\winstart.bat
[2013/05/06 03:24:59 | 000,000,962 | ---- | C] () -- C:\Users\michel\Desktop\Internet Explorer.lnk
[2013/05/03 16:31:35 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2013/05/02 22:49:40 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\lvuvc.hs
[2013/05/02 22:33:02 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
[2013/05/02 22:32:10 | 000,000,003 | ---- | C] () -- C:\Windows\System32\drivers\MsftWdf_User_01_11_00_Inbox_Critical.Wdf
[2013/05/02 16:46:21 | 000,000,903 | ---- | C] () -- C:\Users\michel\Documents\USB-set.lnk
[2013/05/01 09:48:24 | 000,000,934 | ---- | C] () -- C:\Users\Public\Desktop\EPSON Scan.lnk
[2013/05/01 09:24:40 | 000,141,016 | ---- | C] () -- C:\Windows\System32\ALSNDMGR.WAV
[2013/05/01 09:24:38 | 000,154,144 | ---- | C] () -- C:\Windows\System32\RTLCPAPI.dll
[2013/05/01 09:08:58 | 000,002,503 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2013/05/01 08:37:28 | 000,020,135 | ---- | C] () -- C:\Users\michel\Desktop\porte ouverte.ods
[2013/05/01 08:37:22 | 000,016,953 | ---- | C] () -- C:\Users\michel\Desktop\INVENTAIRE-VITRINE.ods
[2013/05/01 06:16:49 | 000,072,822 | ---- | C] () -- C:\Windows\System32\ieuinit.inf
[2013/05/01 05:31:32 | 000,000,969 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2013/05/01 05:15:33 | 000,001,109 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2013/05/01 04:57:58 | 000,001,433 | ---- | C] () -- C:\Users\michel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2013/05/01 04:50:52 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2013/05/01 04:48:35 | 754,622,464 | -HS- | C] () -- C:\hiberfil.sys

========== ZeroAccess Check ==========

[2009/07/14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/02/27 06:55:05 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\Windows\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\Windows\system32\wbem\wbemess.dll -- [2009/07/14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2013/05/12 10:44:23 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\AVG2013
[2013/05/16 02:04:54 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\Curiolab
[2013/05/01 05:33:19 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\ESET
[2013/05/09 14:27:29 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\TestApp
[2013/05/12 10:42:46 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\TuneUp Software
[2013/05/01 05:11:18 | 000,000,000 | ---D | M] -- C:\Users\michel\AppData\Roaming\WinPatrol

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2011/02/26 07:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009/07/14 03:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011/02/26 07:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011/02/26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\erdnt\cache\explorer.exe
[2011/02/26 07:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010/11/20 14:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011/02/25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2009/08/03 07:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2009/08/03 07:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 08:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: SERVICES.EXE >
[2009/07/14 03:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\erdnt\cache\services.exe
[2009/07/14 03:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\System32\services.exe
[2009/07/14 03:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

< MD5 for: SVCHOST.EXE >
[2009/07/14 03:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\erdnt\cache\svchost.exe
[2009/07/14 03:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/14 03:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010/11/20 14:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\erdnt\cache\userinit.exe
[2009/07/14 03:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/10/28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\erdnt\cache\winlogon.exe
[2009/10/28 08:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 07:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 14:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009/07/14 03:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

#4
Sangoino

    Member

  • Topic Starter
  • 40 posts
OTL Extras logfile created on: 16/05/2013 11:16:54 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\michel\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 0000040c | Country: France | Language: FRA | Date Format: dd/MM/yyyy

959,55 Mb Total Physical Memory | 237,76 Mb Available Physical Memory | 24,78% Memory free
1,94 Gb Paging File | 0,83 Gb Available in Paging File | 43,10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 152,57 Gb Total Space | 120,86 Gb Free Space | 79,22% Space Free | Partition Type: NTFS
Drive D: | 705,53 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF

Computer Name: MICHEL-PC | User Name: michel | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office15\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office15\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{359D4E32-9D84-4FA1-8A3E-5F50B7D331F4}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office15\outlook.exe |
"{6FD54B8A-4B72-45CF-B2CF-3E8397DE0257}" = lport=48113 | protocol=6 | dir=in | name=maconfig_tcp |
"{B99ADA06-7F1B-45E0-97CF-111F9757A78F}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{D35FCAD1-99C5-4214-8E47-A2D7ACB638EB}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{69A381FD-54A2-452F-B31C-C0069FB62CE2}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{7656C092-CA4D-4A91-983A-C88ADCBB60C9}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office15\lync.exe |
"{78C75AD6-C4C9-4F63-A6A2-EE34F6A07DF4}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office15\ucmapi.exe |
"{8959AAE0-BEED-4ACC-89CF-A978CD0DC549}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office15\lync.exe |
"{9652D8A7-ECA0-41A7-8920-091CFEFE30DF}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office15\lync.exe |
"{9D6BBE1C-5EA8-4004-ABB0-EA85700DBF3A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office15\ucmapi.exe |
"{D3FB5DDE-8451-4C59-88C4-FDFB77B3BEB4}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office15\ucmapi.exe |
"{EA5660E8-BC71-45D6-B0B5-DF03E123124A}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office15\lync.exe |
"{FE408CB5-655B-48ED-ADBC-DB568B619F36}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office15\ucmapi.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F5B4A82-9DAF-3D13-8CB8-AEB25E4A614E}" = Microsoft .NET Framework 4 Client Profile FRA Language Pack
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{90150000-0015-040C-0000-0000000FF1CE}" = Microsoft Access MUI (French) 2013
"{90150000-0016-040C-0000-0000000FF1CE}" = Microsoft Excel MUI (French) 2013
"{90150000-0018-040C-0000-0000000FF1CE}" = Microsoft PowerPoint MUI (French) 2013
"{90150000-0019-040C-0000-0000000FF1CE}" = Microsoft Publisher MUI (French) 2013
"{90150000-001A-040C-0000-0000000FF1CE}" = Microsoft Outlook MUI (French) 2013
"{90150000-001B-040C-0000-0000000FF1CE}" = Microsoft Word MUI (French) 2013
"{90150000-001F-0401-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - اللغة العربية
"{90150000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Korrekturhilfen 2013 - Deutsch
"{90150000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - English
"{90150000-001F-040C-0000-0000000FF1CE}" = Outils de vérification linguistique 2013 de Microsoft Office - Français
"{90150000-001F-0413-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Nederlands
"{90150000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proofing Tools 2013 - Español
"{90150000-002C-040C-0000-0000000FF1CE}" = Microsoft Office Proofing (French) 2013
"{90150000-0044-040C-0000-0000000FF1CE}" = Microsoft InfoPath MUI (French) 2013
"{90150000-006E-040C-0000-0000000FF1CE}" = Microsoft Office Shared MUI (French) 2013
"{90150000-0090-040C-0000-0000000FF1CE}" = Microsoft DCF MUI (French) 2013
"{90150000-00A1-040C-0000-0000000FF1CE}" = Microsoft OneNote MUI (French) 2013
"{90150000-00BA-040C-0000-0000000FF1CE}" = Microsoft Groove MUI (French) 2013
"{90150000-00E1-040C-0000-0000000FF1CE}" = Microsoft Office OSM MUI (French) 2013
"{90150000-00E2-040C-0000-0000000FF1CE}" = Microsoft Office OSM UX MUI (French) 2013
"{90150000-012B-040C-0000-0000000FF1CE}" = Microsoft Lync MUI (French) 2013
"{91150000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2013
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{AC76BA86-7AD7-1036-7B44-AB0000000001}" = Adobe Reader XI (11.0.03) - Français
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = Panneau de configuration NVIDIA 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Pilote graphique 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = Mises à jour NVIDIA 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B92B952E-4459-480F-A500-60D87F6F527F}_is1" = USB-set 1.4
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"CCleaner" = CCleaner
"EPSON Printer and Utilities" = EPSON Logiciel imprimante
"EPSON Scanner" = EPSON Scan
"MCShield" = MCShield ::Anti-Malware Tool::
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile FRA Language Pack" = Module linguistique Microsoft .NET Framework 4 Client Profile FRA
"Mozilla Firefox 20.0.1 (x86 fr)" = Mozilla Firefox 20.0.1 (x86 fr)
"NIS" = Norton Internet Security
"Office15.PROPLUSR" = Microsoft Office Professionnel Plus 2013
"Unlocker" = Unlocker 1.9.1

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 06/05/2013 07:41:20 | Computer Name = michel-PC | Source = Windows Search Service | ID = 7040
Description = Le service de recherche a détecté des fichiers de données endommagés
dans l’index {id=4700}. Le service tentera de corriger automatiquement ce problème
en recréant l’index. Détails : Le catalogue d’index des contenus est endommagé.
(HRESULT : 0xc0041801) (0xc0041801)

Error - 06/05/2013 07:41:20 | Computer Name = michel-PC | Source = Windows Search Service | ID = 7042
Description = Le service de recherche Windows a été arrêté à cause d’un problème
avec l’indexeur : The catalog is corrupt. Détails : Le catalogue d’index des contenus
est endommagé. (HRESULT : 0xc0041801) (0xc0041801)

Error - 06/05/2013 07:41:20 | Computer Name = michel-PC | Source = Windows Search Service | ID = 9002
Description = Le service Windows Search ne peut pas charger les informations de
la banque de propriétés. Contexte : Application Windows, Catalogue SystemIndex Détails
: La base de données d’index des contenus est endommagée. (HRESULT : 0xc0041800)
(0xc0041800)

Error - 06/05/2013 07:41:21 | Computer Name = michel-PC | Source = Windows Search Service | ID = 3029
Description = Impossible d’initialiser le plug-in dans <Search.JetPropStore>. Contexte
: Application Windows, Catalogue SystemIndex Détails : Le catalogue d’index des contenus
est endommagé. (HRESULT : 0xc0041801) (0xc0041801)

Error - 06/05/2013 07:41:22 | Computer Name = michel-PC | Source = Windows Search Service | ID = 3029
Description = Impossible d’initialiser le plug-in dans <Search.TripoliIndexer>. Contexte
: Application Windows, Catalogue SystemIndex Détails : Élément introuvable. (HRESULT
: 0x80070490) (0x80070490)

Error - 06/05/2013 07:41:22 | Computer Name = michel-PC | Source = Windows Search Service | ID = 3028
Description = Impossible d’initialiser l’objet rassembleur. Contexte : Application
Windows, Catalogue SystemIndex Détails : Le catalogue d’index des contenus est endommagé.
(HRESULT : 0xc0041801) (0xc0041801)

Error - 06/05/2013 07:41:22 | Computer Name = michel-PC | Source = Windows Search Service | ID = 3058
Description = Impossible d’initialiser l’application. Contexte : Application Windows

Détails
: Le catalogue d’index des contenus est endommagé. (HRESULT : 0xc0041801) (0xc0041801)


Error - 06/05/2013 07:41:22 | Computer Name = michel-PC | Source = Windows Search Service | ID = 7010
Description = Impossible d’initialiser l’index. Détails : Le catalogue d’index des
contenus est endommagé. (HRESULT : 0xc0041801) (0xc0041801)

Error - 06/05/2013 09:42:38 | Computer Name = michel-PC | Source = VSS | ID = 8194
Description = Erreur du service de cliché instantané des volumes : erreur lors de
l’interrogation de l’interface IVssWriterCallback. hr = 0x80070005, Accès refusé.
.
Cette
erreur est souvent due à des paramètres de sécurité incorrects dans le processus
du rédacteur ou du demandeur. Opération : Données du rédacteur en cours de collecte

Contexte :

ID de classe du rédacteur: {e8132975-6f93-4464-a53e-1050253ae220} Nom du rédacteur:
System Writer ID d’instance du rédacteur: {7d2d142b-efc7-4b9c-8d00-03bb34bb9b82}

Error - 06/05/2013 10:01:35 | Computer Name = michel-PC | Source = VSS | ID = 8194
Description = Erreur du service de cliché instantané des volumes : erreur lors de
l’interrogation de l’interface IVssWriterCallback. hr = 0x80070005, Accès refusé.
.
Cette
erreur est souvent due à des paramètres de sécurité incorrects dans le processus
du rédacteur ou du demandeur. Opération : Données du rédacteur en cours de collecte

Contexte :

ID de classe du rédacteur: {e8132975-6f93-4464-a53e-1050253ae220} Nom du rédacteur:
System Writer ID d’instance du rédacteur: {72082e13-c834-463a-803e-fa94dba2b28f}

[ System Events ]
Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:35 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:36 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:36 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058

Error - 10/05/2013 08:53:36 | Computer Name = michel-PC | Source = Service Control Manager | ID = 7001
Description = Le service Explorateur d’ordinateurs dépend du service Serveur qui
n’a pas pu démarrer en raison de l’erreur : %%1058


< End of report >

#5 Sangoino (Topic Starter, Member, 40 posts)
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-16 12:51:01
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Maxtor_6L160P0 rev.BAJ41G20 152,67GB
Running: vjrmi647.exe; Driver: C:\Users\michel\AppData\Local\Temp\uwdiypow.sys


---- System - GMER 2.1 ----

SSDT 866350A0 ZwAlertResumeThread
SSDT 8660D750 ZwAlertThread
SSDT 8659C820 ZwAllocateVirtualMemory
SSDT 86819008 ZwAlpcConnectPort
SSDT 8666F3B8 ZwAssignProcessToJobObject
SSDT 8660B660 ZwCreateMutant
SSDT 86652080 ZwCreateSymbolicLinkObject
SSDT 86552570 ZwCreateThread
SSDT 8652FEA0 ZwCreateThreadEx
SSDT 8665F1D0 ZwDebugActiveProcess
SSDT 86596C30 ZwDuplicateObject
SSDT 865687E8 ZwFreeVirtualMemory
SSDT 86644C08 ZwImpersonateAnonymousToken
SSDT 86635828 ZwImpersonateThread
SSDT 8664A210 ZwLoadDriver
SSDT 865362D8 ZwMapViewOfSection
SSDT 8664CCA0 ZwOpenEvent
SSDT 8659ACA8 ZwOpenProcess
SSDT 865F2298 ZwOpenProcessToken
SSDT 86649368 ZwOpenSection
SSDT 865EC560 ZwOpenThread
SSDT 866490D0 ZwProtectVirtualMemory
SSDT 8660BCA0 ZwResumeThread
SSDT 866024D0 ZwSetContextThread
SSDT 86615390 ZwSetInformationProcess
SSDT 8665AF68 ZwSetSystemInformation
SSDT 86659278 ZwSuspendProcess
SSDT 866202D0 ZwSuspendThread
SSDT 865A2B48 ZwTerminateProcess
SSDT 8661D498 ZwTerminateThread
SSDT 865FFEA0 ZwUnmapViewOfSection
SSDT 866020B0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E80A09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EBA1F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82EC1230 8 Bytes [A0, 50, 63, 86, 50, D7, 60, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82EC1248 4 Bytes [20, C8, 59, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82EC1254 4 Bytes [08, 90, 81, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82EC12A8 4 Bytes [B8, F3, 66, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EC1324 4 Bytes [60, B6, 60, 86]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[384] ntdll.dll!NtSetInformationProcess 776D6678 5 Bytes JMP 020F04B2
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] ntdll.dll!NtTerminateThread 776D68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] ntdll.dll!LdrGetProcedureAddress + 26 776F2239 7 Bytes JMP 63DA6D70 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!K32GetPerformanceInfo + 1CC 767D632B 7 Bytes JMP 020F012A
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!TerminateProcess + B 767E2C10 3 Bytes JMP 020F02EE
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!TerminateProcess + F 767E2C14 3 Bytes [8B, EB, F9] {MOV EBP, EBX; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 767E941E 7 Bytes JMP 640FD713 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!QueryPerformanceCounter + 13 767EC435 3 Bytes JMP 020F020C
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!QueryPerformanceCounter + 17 767EC439 3 Bytes [8B, EB, F9] {MOV EBP, EBX; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!FreeLibrary + 8 767EEF6F 3 Bytes JMP 020F03D0
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!FreeLibrary + C 767EEF73 3 Bytes [8B, EB, F9] {MOV EBP, EBX; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!LoadAppInitDlls + 355 767EF4F6 7 Bytes JMP 63DC1C62 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] kernel32.dll!CheckElevation + 2DB 7680959A 7 Bytes JMP 020F0048
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] USER32.dll!RecordShutdownReason + 372 767206C2 7 Bytes JMP 000F0048
.text C:\Program Files\Mozilla Firefox\firefox.exe[384] GDI32.dll!GetViewportOrgEx + 26C 7786884B 7 Bytes JMP 640FD694 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1368] ntdll.dll!NtTerminateThread 776D68D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1368] USER32.dll!RecordShutdownReason + 372 767206C2 7 Bytes JMP 00090930
.text C:\Program Files\UnHackMe\hackmon.exe[2348] ntdll.dll!NtTerminateThread 776D68D8 5 Bytes JMP 0002004C
.text C:\Program Files\UnHackMe\hackmon.exe[2348] USER32.dll!RecordShutdownReason + 372 767206C2 7 Bytes JMP 001E0930
.text C:\vjrmi647.exe[3256] ntdll.dll!NtTerminateThread 776D68D8 5 Bytes JMP 0002004C
.text C:\vjrmi647.exe[3256] USER32.dll!RecordShutdownReason + 372 767206C2 7 Bytes JMP 001F0930

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SCardSvr@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\services\SCardSvr
Reg HKLM\SYSTEM\CurrentControlSet\services\VSS@DisplayName @%systemroot%\system32\vssvc.exe,-102
Reg HKLM\SYSTEM\CurrentControlSet\services\VSS@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\services\VSS

---- EOF - GMER 2.1 ----

#6 Sangoino (Topic Starter, Member, 40 posts)
It's suspicious too when I connect my printer. Thank you for your help.

#7 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
OK. I don't see any malware for now, but from your system log I can see that you have a problem with the Indexing service. This can cause some strange system behavior. Restart your system once after these steps and test it. Let me know the results.

Step 1

Can you please uninstall CCleaner from your system?

Step 2

  • Open an elevated command prompt. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow.
  • Type the following command, and then press ENTER:

    sfc /scannow

Step 3

  • Go to Start -> My Computer
  • Right-click on the C: disk and click on Properties
  • Click on the Tools tab and click on the Check now... button
  • Check Automatically fix system errors and Scan for and attempt recovery of bad sectors
  • Click the Start button
  • Confirm scheduling the disk check for the next time the computer starts with the Yes button
  • Restart your system and wait while the system checks your disk for errors

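One way to script the checks behind this post, added here as an example that is not part of the thread: it counts the Windows Search catalog-corruption errors quoted in the OTL log above, reports the Server service that the SCM 7001 entries complain about, then runs the same sfc /scannow and chkdsk C: /F /R repair the steps ask for. It assumes Windows 7 SP1 (as in the GMER header), system drive C: and an elevated PowerShell console.

```powershell
# Added example, not from the thread: defender-side check and repair script for the
# problems visible in the log above. Assumes Windows 7 SP1, system drive C:, run elevated.

$searchErrorIds = 7040, 7042, 9002, 3029, 3028, 3058, 7010   # IDs quoted in the Application log above

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as administrator" first; sfc and chkdsk need elevation.'
}

# 1. How many index-corruption errors has the Search service logged in the last 30 days?
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Windows Search Service'
    Level        = 2                       # 2 = Error
    Id           = $searchErrorIds
    StartTime    = (Get-Date).AddDays(-30)
}
$searchErrors = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"Windows Search errors (IDs $($searchErrorIds -join ',')): $($searchErrors.Count)"
$searchErrors | Group-Object Id | Sort-Object Count -Descending |
    ForEach-Object { "  ID {0,-5} x{1}" -f $_.Name, $_.Count }

# 2. The System log entries above (SCM 7001 with error %%1058, ERROR_SERVICE_DISABLED) say the
#    Server service (LanmanServer) could not start because it is disabled; report its start mode.
$srv = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
"Server service (LanmanServer) start mode: $($srv.StartMode), state: $($srv.State)"

# 3. Step 2 of the post: system file integrity check. Heavy disk activity while it runs is normal.
"Running sfc /scannow (this can take a long time)..."
Start-Process -FilePath "$env:SystemRoot\System32\sfc.exe" -ArgumentList '/scannow' -Wait -NoNewWindow
# SFC writes its findings to CBS.log; show the last repair-related lines.
Select-String -Path "$env:SystemRoot\Logs\CBS\CBS.log" -Pattern '\[SR\] (Repairing|Cannot repair)' |
    Select-Object -Last 20 | ForEach-Object { $_.Line }

# 4. Step 3 of the post, done from the command line: /F = fix file-system errors,
#    /R = scan for and recover bad sectors. The system volume is in use, so chkdsk offers to
#    schedule the check for the next boot; answer Y, then restart as the post says.
cmd.exe /c 'echo Y | chkdsk C: /F /R'
"Disk check scheduled; restart Windows to let it run during boot."
```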

#8 Sangoino (Topic Starter, Member, 40 posts)
I have tried the sfc several times, but the router is strange when I connect my printer. Is it possible to make a full scan of the pc with OTL and keep only Norton Internet antivirus? Thank you

#9 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
I don't understand your question. We already did an OTL scan. I didn't say anything about your antivirus, and it doesn't bother me for now. You can keep it on your system.

Can you do my steps now as I posted them? Also, can you be more specific about your problem so we can narrow it down?

#10 Sangoino (Topic Starter, Member, 40 posts)
When I run sfc /scannow, my traffic button is always on, it never stops. Is it normal?

#11 maliprog (Trusted Helper, Malware Removal, 6,172 posts)

... my traffic button is always on ...

What do you mean by traffic button? I must say that I don't really understand you.

SFC is checking system files for consistency so you will notice a lot of hard disk access.

#12 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.