Cannot open any programs on windows 7. [Solved/Closed]

Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 8, 2013 at 06:34 AM - Latest reply: Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen
- Nov 19, 2013 at 06:04 AM
I have contracted a virus which will not allow me to open any programs whatsoever. I have tried regedit.exe but it will not allow me to open that and have also tried downloading the dougknox.com/xp/file_assoc.htm but that comes up with a message saying "Not all data was successfully written to the registry. Some keys are open by the system or other processes. Any help or input whatsoever would be greatly appreciated.
See more 

44 replies

Best answer
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 14, 2013 at 06:10 AM
2
Thank you
Oh boy !

Your machine is badly infected: rogue trojan horse, trojan horse agent, hijacker, adware and unwanted programmes.

Here is the medicinal compound in three doses:

Step One

Please follow the following procedure carefully and to the letter.

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning.

You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

http://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running.

As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Step two

Download to your desktop Malwarebyte.

http://ccm.net/download/download-105-malwarebytes-anti-malware

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it kioskea.exe.

Install Malwarebyte and launch it. From the second tab, update it.

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found.

It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".

Step three

Download the following Adwcleaner created by Xplode

http://ccm.net/download/download-24088-adwcleaner
Launch it (for Windows 7 and 8, click right to run as administrator)

Click on delete

Post the log C:\Adwcleaner[Sx].txt on this thread.

Ambucias
Moderator, Virus/Security Contributor

Thank you, Ambucias 2

Something to say? Add comment

CCM has helped 1680 users this month

Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 9, 2013 at 04:38 PM
0
Thank you
Hello

dougknox.com/xp/file_assoc.htm is for Windows XP only.

Can you boot in safe mode with networking and open you browser ?
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 10, 2013 at 03:34 AM
0
Thank you
Yes I can do that no problem. I can also open the browser in normal mode. When I start windows it comes up with over 200 dialog boxes saying windows cannot open this file, but I cancel them and my computer runs fine...
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 10, 2013 at 05:03 AM
0
Thank you
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a log.

1. Open this link and download ZHPDiag2 :

http://telechargement.zebulon.fr/telecharger-zhpdiag.html

(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message.)

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista and Win 7 users, click right to ensure you execute with admin right)

The tool creates three icons ZHPDiag, MRB, and ZHPFix (If necessary,we will use ZHPFix after log analysis).

4. Double click on the short cut ZHPDiag on your Destktop.

5. If you need to change the language, click on the little house, (bottom right) and change to English

6. Click on the "Configure" button.

7. Click on the Magnifying glass with the + sign.

8. Click on "Search"

Wait for the tool to finished (maybe a long time)

9. Close ZHPDiag.

10. To transmit the report, click on this link :

http://www.speedyshare.com/

9. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).

10. Select the file ZHPDiag.txt.

11. Click on "upload »

12. Copy the URL and post it here.

Best regards

Ambucias
Moderator /Security Contributor
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 01:13 AM
0
Thank you
Hey thanks for the reply, and sorry for my late reply - I have been busy at work. I did exactly what you said, but got a bit lost on the speedyshare.com part, the url I came out with is this :
<a href="http://speedy.sh/UQVjV/ZHPDiag2.exe">Download at SpeedyShare</a>

If it's any help, after I ran the ZHPdiag, it opened my notepad with the following message:

~ Report of ZHPDiag v2013.11.13.29 - Nicolas Coolman (12/11/2013)
~ Launched by TOSHIBA (14/11/2013 05:50:55)
~ Web site address : http://nicolascoolman.webs.com
~ Free support forums for disinfection : http://nicolascoolman.webs.com/apps/links/
~ Translated by
~ Version State :
~ White List : Activate by program
~ Elevation of privilege : OK
~ User Account Control : Activate by user


---\\ Internet browsers
MSIE: Internet Explorer v10.0.9200.16736
GCIE: Google Chrome v30.0.1599.101 (Defaut)

---\\ Windows product information
~ Langage: Anglais
Windows 7 Home Premium Edition, 64-bit Service Pack 1 (Build 7601)
Windows Server License Manager Script : OK
~ Windows(R) 7, OEM_SLP channel
System Locked Preinstallation (OEM_SLP) : OK
Software Protection Service (Protection logicielle) : OK
Windows Automatic Updates : OK
Windows Activation Technologies : OK

---\\ System protection software
McAfee Internet Security v11.6.434
Windows Defender W7

---\\ System optimization software

---\\ Sharing software PeerToPeer

---\\ Surveillance software
Adobe Flash Player 10 ActiveX
Adobe Reader X
Java 7 Update 7

---\\ Information on the system
~ Processor: Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
~ Operating System: 64 Bits
Boot mode: Normal (Normal boot)
Total RAM: 4043.9 MB (32% free)
System Restore: Activé (Enable)
System drive C: has 174 GB (74%) free of 232 GB

---\\ Connection to the system mode
~ Computer Name: TOSHIBA-TOSH
~ User Name: TOSHIBA
~ All Users Names: TOSHIBA, Guest, Administrator,
~ Unselected Option: None
Logged in as Administrator

---\\ Environment variables
~ System Unit : C:\
~ %AppZHP% : C:\Users\TOSHIBA\AppData\Roaming\ZHP\
~ %AppData% : C:\Users\TOSHIBA\AppData\Roaming\
~ %Desktop% : C:\Users\TOSHIBA\Desktop\
~ %Favorites% : C:\Users\TOSHIBA\Favorites\
~ %LocalAppData% : C:\Users\TOSHIBA\AppData\Local\
~ %StartMenu% : C:\Users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\
~ %Windir% : C:\Windows\
~ %System% : C:\Windows\System32\

---\\ Enumeration of the disk units
C: Hard drive, Flash drive, Thumb drive (Free 174 Go of 232 Go)
D: Hard drive, Flash drive, Thumb drive (Free 218 Go of 232 Go)
E: CD-ROM drive (Free 0 Go of 1 Go)



---\\ State of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
~ Security Center: 41 Legitimates Filtered in 00mn 00s



---\\ Search Generic System Files
[MD5.332FEAB1435662FC6C672E25BEB37BE3] - (.Microsoft Corporation - Windows Explorer.) (.25/02/2011 - 06:19:30.) -- C:\Windows\Explorer.exe [2871808]
[MD5.94355C28C1970635A31B3FE52EB7CEBA] - (.Microsoft Corporation - Windows Start-Up Application.) (.14/07/2009 - 01:39:52.) -- C:\Windows\System32\Wininit.exe [129024]
[MD5.9706C99DAEBE3FEAC811B239617E98C4] - (.Microsoft Corporation - Internet Extensions for Win32.) (.12/10/2013 - 08:45:20.) -- C:\Windows\System32\wininet.dll [2241536]
[MD5.1151B1BAA6F350B1DB6598E0FEA7C457] - (.Microsoft Corporation - Windows Logon Application.) (.21/11/2010 - 03:24:29.) -- C:\Windows\System32\Winlogon.exe [390656]
[MD5.067FA52BFB59A56110A12312EF9AF243] - (.Microsoft Corporation - Software Licensing Library.) (.21/11/2010 - 03:24:16.) -- C:\Windows\System32\sppcomapi.dll [232448]
[MD5.79059559E89D06E8B80CE2944BE20228] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.28/09/2013 - 01:09:10.) -- C:\Windows\system32\Drivers\AFD.sys [497152]
[MD5.02062C0B390B7729EDC9E69C680A6F3C] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.14/07/2009 - 01:52:21.) -- C:\Windows\system32\Drivers\atapi.sys [24128]
[MD5.B8BD2BB284668C84865658C77574381A] - (.Microsoft Corporation - CD-ROM File System Driver.) (.13/07/2009 - 23:19:47.) -- C:\Windows\system32\Drivers\Cdfs.sys [92160]
[MD5.F036CE71586E93D94DAB220D7BDF4416] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.21/11/2010 - 03:23:47.) -- C:\Windows\system32\Drivers\Cdrom.sys [147456]
[MD5.9BB2EF44EAA163B29C4A4587887A0FE4] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.21/11/2010 - 03:24:32.) -- C:\Windows\system32\Drivers\DfsC.sys [102400]
[MD5.97BFED39B6B79EB12CDDBFEED51F56BB] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.21/11/2010 - 03:23:47.) -- C:\Windows\system32\Drivers\HDAudBus.sys [122368]
[MD5.FA55C73D4AFFA7EE23AC4BE53B4592D3] - (.Microsoft Corporation - i8042 Port Driver.) (.13/07/2009 - 23:19:57.) -- C:\Windows\system32\Drivers\i8042prt.sys [105472]
[MD5.AF9B39A7E7B6CAA203B3862582E9F2D0] - (.Microsoft Corporation - IP Network Address Translator.) (.14/07/2009 - 00:10:03.) -- C:\Windows\system32\Drivers\IpNat.sys [116224]
[MD5.A5D9106A73DC88564C825D317CAC68AC] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.27/04/2011 - 02:40:40.) -- C:\Windows\system32\Drivers\MRxSmb.sys [158208]
[MD5.09594D1089C523423B32A4229263F068] - (.Microsoft Corporation - MBT Transport driver.) (.21/11/2010 - 03:23:51.) -- C:\Windows\system32\Drivers\netBT.sys [261632]
[MD5.B98F8C6E31CD07B2E6F71F7F648E38C0] - (.Microsoft Corporation - NT File System Driver.) (.12/04/2013 - 14:45:08.) -- C:\Windows\system32\Drivers\ntfs.sys [1656680]
[MD5.0086431C29C35BE1DBC43F52CC273887] - (.Microsoft Corporation - Parallel Port Driver.) (.14/07/2009 - 00:00:41.) -- C:\Windows\system32\Drivers\Parport.sys [97280]
[MD5.471815800AE33E6F1C32FB1B97C490CA] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.21/11/2010 - 03:24:33.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [129536]
[MD5.548260A7B8654E024DC30BF8A7C5BAA4] - (.Microsoft Corporation - SMB Transport driver.) (.14/07/2009 - 00:09:09.) -- C:\Windows\system32\Drivers\smb.sys [93184]
[MD5.DDAD5A7AB24D8B65F8D724F5C20FD806] - (.Microsoft Corporation - TDI Translation Driver.) (.21/11/2010 - 03:24:32.) -- C:\Windows\system32\Drivers\tdx.sys [119296]
[MD5.DF8126BD41180351A093A3AD2FC8903B] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.25/02/2011 - 06:25:38.) -- C:\Windows\system32\Drivers\volsnap.sys [296320]
~ Generic Processes: Scanned in 00mn 01s



---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 1/872
~ Mes musiques (My Musics) : 1/10
~ Mes Favoris (My Favorites) : 1/23
~ Mes Documents (My Documents) : 1/24
~ Mon Bureau (My Desktop) : 1/5
~ Menu demarrer (Programs) : 1/588
~ Hidden Files: Scanned in 00mn 02s



---\\ Process running
[MD5.2A1BE3D0B2F439ABB52EF1570D8EB4F7] - (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe [20549280] [PID.4364]
[MD5.D630F2D985E5FED43FC41D5A9430FBDC] - (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe [46592] [PID.4400]
[MD5.47C1DE0A890613FFCFF1D67648EEDF90] - (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920] [PID.5668]
[MD5.B9FBE2C4DE9A72E8997697C8D5CAD009] - (.TOSHIBA CORPORATION - IT Security Manager for Toshiba Stack.) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336] [PID.5748]
[MD5.4AFFDCAADCB1DBBFFAF06C7F82E7F6FC] - (.Apple Inc. - iTunesHelper.) -- C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776] [PID.5872]
[MD5.12916E0642E92561C98B18A2A2D01B14] - (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848] [PID.5920]
[MD5.3E399A1328181C2A352472369DE2A93A] - (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [844752] [PID.6056]
[MD5.97A1AFD42B8016D132C7BF38C955C6E1] - (.TOSHIBA CORPORATION - ConfigFree Task Tray Menu.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [304560] [PID.5736]
[MD5.8A07221789D46B2EA7DFCA2BC807572A] - (.TOSHIBA CORPORATION - ConfigFree Switch Manager Process.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe [62848] [PID.7520]
[MD5.C4B3C0EA2E75BEF2C57B2316CC08C04A] - (.© 2013 Microsoft Corporation - DefaultSetup.) -- C:\Users\TOSHIBA\AppData\Local\Microsoft\DefaultSetup\DefaultSetup.exe [2562712] [PID.17180]
[MD5.65C05CC168F30145E893641A4C4167C8] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [8214016] [PID.15904]
[MD5.11A52CF7B265631DEEB24C6149309EFF] - (.Adobe Systems Incorporated - Adobe Acrobat Update Service.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [64952] [PID.1456]
[MD5.A5299D04ED225D64CF07A568A3E1BF8C] - (.Apple Inc. - MobileDeviceService.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [55184] [PID.1500]
[MD5.9F712B26EE3B0242DE997A42FD302E2C] - (.Skype Technologies S.A. - Skype C2C Service.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136] [PID.1720]
[MD5.51138BEEA3E2C21EC44D0932C71762A8] - (...) -- ysWOW64\rundll32.exe [0] [PID.2240]
[MD5.CAB0EEAF5295FC96DDD3E19DCE27E131] - (.TOSHIBA CORPORATION - ConfigFree Service Process.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [46448] [PID.17260]
[MD5.F02A533F517EB38333CB12A9E8963773] - (.Google Inc. - Google Installer.) -- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [136176] [PID.3660]
[MD5.2ED1786B7542CDA261029F6B526EDF44] - (.Intel Corporation - Local Manageability Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [325656] [PID.5860]
[MD5.13AA2130F2A104DD775EAD0F0EE5417B] - (.Nero AG - NeroUpdate.) -- c:\Program Files (x86)\Nero\Update\NASvc.exe [598312] [PID.16732]
[MD5.7E5E1603D0FF2D240AE70295C5C3FEFC] - (.Intel Corporation - User Notification Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2656280] [PID.6756]
~ Processes Running: Scanned in 00mn 03s



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Preferences
G1 - GCS: Preference [User Data\Default] http://search.do =>Hijacker.SearchDo
~ Google Browser: 9 Legitimates Filtered in 00mn 12s



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
P2 - FPN: [HKLM] [@mcafee.com/MSC,version=10] - (...) -- C:\Program Files\mcafee\msc\npMcSnFFPl64.dll
~ Firefox Browser: 2 Legitimates Filtered in 00mn 00s



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn 00s



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Keys: Scanned in 00mn 00s



---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in 00mn 00s
~ Nombre de lignes (Lines number): 21



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: McAfee SiteAdvisor Toolbar [64Bits] - [HKLM]{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} . (.McAfee, Inc. - SiteAdvisor.) -- C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
O3 - Toolbar: Google Toolbar [64Bits] - [HKLM]{2318C2B1-4965-11d4-9B18-009027A5CD4F} . (.Google Inc. - Google Toolbar.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll =>Toolbar.Google
O3 - Toolbar\WebBrowser: (no name) [64Bits] - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} Orphan key
~ Toolbar: Scanned in 00mn 00s



---\\ Other User Links (O4)
O4 - GS\Desktop [Public]: BBC iPlayer Desktop.lnk . (...) -- C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - GS\Desktop [Public]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\Desktop [Public]: Manual.lnk . (.TOSHIBA - Toshiba Regensburg EXternal file Launcher.) -- C:\Program Files (x86)\TOSHIBA\Manuals\TREXLauncher.exe
O4 - GS\Program [Public]: BBC iPlayer Desktop.lnk . (...) -- C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - GS\QuickLaunch [TOSHIBA]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\QuickLaunch [TOSHIBA]: Launch Internet Explorer Browser.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\TaskBar [TOSHIBA]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\Program [TOSHIBA]: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\SystemTools [TOSHIBA]: Internet Explorer (No Add-ons).lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
~ Global Startup: 73 Legitimates Filtered in 00mn 10s



---\\ Auto loading programs from Registry and folders (O4)
O4 - GS\Startup [Public]: Toshiba Places Icon Utility.lnk . (.Toshiba - Toshiba Places Icon Utility.) -- C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
O4 - GS\Startup [TOSHIBA]: TRDCReminder.lnk . (.TOSHIBA Europe - TOSHIBA Recovery Reminder.) -- C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe
O4 - HKLM\..\Run: [Toshiba TEMPRO] . (.Toshiba Europe GmbH - Toshiba TEMPRO.) -- C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe =>.Toshiba Corporation
O4 - HKLM\..\Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe (.not file.)
O4 - HKLM\..\Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (.not file.)
O4 - HKLM\..\Run: [IgfxTray] . (.Intel Corporation - igfxTray Module.) -- C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] . (.Intel Corporation - hkcmd Module.) -- C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] . (.Intel Corporation - persistence Module.) -- C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.exe (.not file.)
O4 - HKLM\..\Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe (.not file.)
O4 - HKLM\..\Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe (.not file.)
O4 - HKLM\..\Run: [SmartAudio] . (.Conexant systems, Inc. - SmartAudio Control Panel application.) -- C:\Program Files\CONEXANT\SAII\SAIICpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe (.not file.)
O4 - HKLM\..\Run: [Teco] C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe (.not file.)
O4 - HKLM\..\Run: [TosSENotify] . (.TOSHIBA Corporation - No Comment.) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe (.not file.)
O4 - HKLM\..\Run: [TosVolRegulator] . (.TOSHIBA Corporation - Toshiba Volume Regulator.) -- C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe =>.Toshiba Corporation
O4 - HKLM\..\Run: [Toshiba Registration] . (.Toshiba Europe GmbH - Toshiba Notebook Registration Reminder.) -- C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe
O4 - HKCU\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKCU\..\Run: [Steam] . (.Valve Corporation - Steam Client Bootstrapper (buildbot_winslav.) -- C:\Program Files (x86)\Steam\Steam.exe
O4 - HKCU\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKCU\..\Run: [QuickCet] . (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe
O4 - HKCU\..\Run: [HKCU] . (.cd - No Comment.) -- C:\dir\install\install\server.exe
O4 - HKLM\..\Wow6432Node\Run: [Adobe ARM] . (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe =>.Adobe Systems Incorporated
O4 - HKLM\..\Wow6432Node\Run: [NBAgent] . (.Nero AG - Nero BackItUp.) -- c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
O4 - HKLM\..\Wow6432Node\Run: [mcui_exe] . (.McAfee, Inc. - McAfee Security Center.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Wow6432Node\Run: [ITSecMng] . (.TOSHIBA CORPORATION - IT Security Manager for Toshiba Stack.) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
O4 - HKLM\..\Wow6432Node\Run: [TSleepSrv] . (.TOSHIBA - TOSHIBA Sleep Service.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
O4 - HKLM\..\Wow6432Node\Run: [ToshibaServiceStation] . (.TOSHIBA Corporation - TOSHIBA Service Station.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe =>.Toshiba Corporation
O4 - HKLM\..\Wow6432Node\Run: [APSDaemon] . (.Apple Inc. - Apple Push.) -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
O4 - HKLM\..\Wow6432Node\Run: [iTunesHelper] . (.Apple Inc. - iTunesHelper.) -- C:\Program Files (x86)\iTunes\iTunesHelper.exe
O4 - HKLM\..\Wow6432Node\Run: [SunJavaUpdateSched] . (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe =>.Oracle Corporation
O4 - HKUS\S-1-5-18\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-19\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-20\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [Steam] . (.Valve Corporation - Steam Client Bootstrapper (buildbot_winslav.) -- C:\Program Files (x86)\Steam\Steam.exe
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [QuickCet] . (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [HKCU] . (.cd - No Comment.) -- C:\dir\install\install\server.exe
~ Application: Scanned in 00mn 00s



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Skype Click to Call [64Bits] - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} . (...) -- c:\program files (x86)\skype\toolbars\internet explorer x64\icon.ico
O9 - Extra button: @C:\Program Files\TOSHIBA\BulletinBoard\TosNcUi.dll,-228 [64Bits] - {97F922BD-8563-4184-87EE-8C4ACA438823} . (...) -- C:\Program Files\TOSHIBA\BulletinBoard\images\pin.ico
~ IE Extra Buttons: Scanned in 00mn 00s



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
~ Domain: Scanned in 00mn 00s



---\\ Extra protocols (O18)
O18 - Handler: wlpg [64Bits] - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} . (...) --
O18 - Filter: application/x-msdownload [64Bits] - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} . (.Microsoft Corporation - Microsoft .NET Runtime Execution Engine.) -- C:\Windows\System32\mscoree.dll =>.Microsoft Corporation
~ Protocole Additionnel: Scanned in 00mn 00s



---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: igfxcui . (.Intel Corporation - igfxdev Module.) -- C:\Windows\System32\igfxdev.dll
~ Winlogon: Scanned in 00mn 00s



---\\ Software installed (O42)
O42 - Logiciel: QuickCet - (.QuickCet.) [HKCU][64Bits] -- QuickCet
~ Logic: 153 Legitimates Filtered in 00mn 00s



---\\ HKCU & HKLM Software Keys
[HKCU\Software\ChrmTB]
[HKCU\Software\vítima]
~ Key Software: 156 Legitimates Filtered in 00mn 00s



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 08/11/2013 - 14:21:19 - [0.937] ----D C:\Program Files (x86)\Advanced System Protector =>PUP.AdvancedSystemProtector
O43 - CFD: 08/11/2013 - 14:20:59 - [0.258] ----D C:\Program Files (x86)\MyPC Backup =>PUP.MyPCBackup
O43 - CFD: 08/11/2013 - 14:20:50 - [0.227] ----D C:\Program Files (x86)\RegClean Pro =>Rogue.RegistryPowerCleaner
O43 - CFD: 08/11/2013 - 14:20:41 - [0.004] ----D C:\ProgramData\eSafe =>PUP.eSafeSecurity
O43 - CFD: 20/06/2013 - 18:38:54 - [0.005] ----D C:\ProgramData\oodr
O43 - CFD: 08/11/2013 - 18:32:25 - [0.002] ----D C:\ProgramData\Partner
O43 - CFD: 08/11/2013 - 13:44:42 - [0] ----D C:\Users\TOSHIBA\AppData\Roaming\0D0S1L2Z1P1B
O43 - CFD: 08/11/2013 - 14:20:37 - [1.074] ----D C:\Users\TOSHIBA\AppData\Roaming\dosearches =>PUP.DoSearches
O43 - CFD: 15/05/2013 - 19:17:10 - [0.150] ----D C:\Users\TOSHIBA\AppData\Local\QuickCet
~ 238 Dossiers CLSID vides (CLSID Empty Folders)
~ Program Folder: 373 Legitimates Filtered in 01mn 30s



---\\ Last modified or created files under Windows and System32 (O44)
O44 - LFC:[MD5.0094CEEF6AC0BB3F53D4B9E19BFE7DC6] - 08/11/2013 - 13:44:01 ---A- . (.Systweak Inc., (www.systweak.com) - Regclean Pro.) -- C:\Windows\SysNative\roboot64.exe [20312] =>Rogue.RegistryPowerCleaner
O44 - LFC:[MD5.0094CEEF6AC0BB3F53D4B9E19BFE7DC6] - 08/11/2013 - 13:44:01 ---A- . (.Systweak Inc., (www.systweak.com) - Regclean Pro.) -- C:\Windows\System32\roboot64.exe [20312] =>Rogue.RegistryPowerCleaner
O44 - LFC:[MD5.D940035EC108F52A007E347E47EAA149] - 14/11/2013 - 05:56:04 --HA- . (...) -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 [25120]
O44 - LFC:[MD5.D940035EC108F52A007E347E47EAA149] - 14/11/2013 - 05:56:04 --HA- . (...) -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 [25120]
~ Files: 88 Legitimates Filtered in 02mn 37s



---\\ Last files created in Windows Prefetcher (O45)
O45 - LFCP:[MD5.7583AC60E6B432EB9DDF24352C0F5C10] - 13/11/2013 - 16:07:24 ---A- - C:\Windows\Prefetch\MCVSSHLD.EXE-D7F6620D.pf
O45 - LFCP:[MD5.0C54DB557BAB00CA0E0721DD8E8D184E] - 13/11/2013 - 22:08:04 ---A- - C:\Windows\Prefetch\BINGBARSETUP-PARTNER.EXE-CDAA0746.pf
O45 - LFCP:[MD5.7E381FF126C7946CB31E1853BD327AA4] - 14/11/2013 - 03:21:12 ---A- - C:\Windows\Prefetch\SERVER.EXE-B0666E77.pf
~ Prefetcher: 140 Legitimates Filtered in 00mn 01s



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
O55 - MWPS:[HKLM\...\Policies\System] - "EnableLinkedConnections"=1
~ MWPS: 19 Legitimates Filtered in 00mn 00s



---\\ Microsoft Windows Policies Explorer (MWPE) (O56)
O56 - MWPE:[HKLM\...\policies\Explorer] - "NoActiveDesktopChanges"=1
~ MWPE Keys: 5 Legitimates Filtered in 00mn 00s



---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.0E5DA5369A0FCAEA12456DD852545184] - 14/07/2009 - 01:47:48 ---A- . (.Emulex - Storport Miniport Driver for LightPulse HBAs.) -- C:\Windows\System32\Drivers\elxstor.sys [530496]
~ Drivers: 19 Legitimates Filtered in 00mn 00s



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2013 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
~ ADS: Scanned in 00mn 00s



---\\ File Associations Shell Spawning (O67)
O67 - Shell Spawning: <.html> <ChromeHTML>[HKCU\..\open\Command] (.Not Key.)
~ FASS Keys: 11 Legitimates Filtered in 00mn 00s



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: <Google Chrome> <Google Chrome>[HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn 00s



---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: SearchScopes [HKCU] AD52FC5A0D30457F816CEDCD5861BF93 - (Google) - http://www.google.com
O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} [DefaultScope] - (Bing) - http://www.bing.com
~ Keys: Scanned in 00mn 00s



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.F97115F5789F137FE993865974BE4898] [SPRF][15/05/2013] (.Technology Inc. - Compatible Super VGA.) -- C:\Users\TOSHIBA\AppData\Local\Temp\5ACD62F0DB94CD80.dll [602112]
[MD5.257FC57A2F48FE15E775CC47BC7BE33A] [SPRF][15/05/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\aweocrnsxm.exe [165888]
[MD5.268483A0A4F8AC7A8BE8882F0601169C] [SPRF][15/05/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\msimg32.dll [165888]
[MD5.57EA49906D7A73BA5ADA04694FF93628] [SPRF][13/04/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\rcaewoxsmn.exe [194048]
[MD5.D41D8CD98F00B204E9800998ECF8427E] [SPRF][13/04/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\vgkzgxylp3j4api2u27wq9.exe [0]
[MD5.2231D660C88F7E5A2D25C9B7AC2376B8] [SPRF][14/11/2013] (...) -- C:\Users\TOSHIBA\AppData\Roaming\logs.dat [1527909]
[MD5.F97115F5789F137FE993865974BE4898] [SPRF][15/05/2013] (.Technology Inc. - Compatible Super VGA.) -- C:\Users\TOSHIBA\AppData\Roaming\uxsbn.dll [602112]
~ Files: 10 Legitimates Filtered in 00mn 00s



---\\ Windows Installer Scan (WIS) (O93) (NTFS)
[MD5.2053A256B7082A3C6CABAD9895679569] [WIS][11/09/2012] (.British Broadcasting Corp. - BBC iPlayer Desktop.) -- C:\Windows\Installer\44e1a.msi [22016]
~ WIS: 165 Legitimates Filtered in 00mn 28s



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SR - | Auto 06/06/2011 64952 | (AdobeARMservice) . (.Adobe Systems Incorporated.) - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
SR - | Auto 11/08/2012 55184 | (Apple Mobile Device) . (.Apple Inc..) - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
SR - | Auto 30/08/2011 462184 | (Bonjour Service) . (.Apple Inc..) - C:\Program Files\Bonjour\mDNSResponder.exe
SR - | Auto 28/01/2010 249200 | (cfWiMAXService) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
SR - | Auto 10/03/2009 46448 | (ConfigFree Service) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
SS - | Demand 12/10/2010 206072 | (GamesAppService) . (.WildTangent, Inc..) - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
SS - | Auto 03/08/2011 136176 | (gupdate) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 03/08/2011 136176 | (gupdatem) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 16/09/2012 194032 | (gusvc) . (.Google.) - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
SS - | Demand 13/11/2005 69632 | (IDriverT) . (.Macrovision Corporation.) - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
SR - | Demand 09/09/2012 936848 | (iPod Service) . (.Apple Inc..) - C:\Program Files\iPod\bin\iPodService.exe
SR - | Auto 20/12/2010 325656 | (LMS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
SR - | Auto 11/05/2012 200728 | (McAfee SiteAdvisor Service) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SS - | Demand 28/01/2011 225216 | (McAWFwk) . (.McAfee, Inc..) - C:\Program Files\mcafee\msc\McAWFwk.exe
SR - | Auto 11/05/2012 200728 | (McMPFSvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (mcmscsvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McNaiAnn) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McNASvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SS - | Demand 10/09/2012 383608 | (McODS) . (.McAfee, Inc..) - C:\Program Files\mcafee\VirusScan\mcods.exe
SS - | Disabled 11/05/2012 200728 | (McOobeSv) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McProxy) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 22/06/2012 237920 | (McShield) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
SR - | Auto 22/06/2012 218320 | (mfefire) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
SR - | Auto 22/06/2012 177144 | (mfevtp) . (.McAfee, Inc..) - C:\Windows\system32\mfevtps.exe
SR - | Auto 11/05/2012 200728 | (MSK80Service) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SR - | Auto 29/03/2011 598312 | (NAUpdate) . (.Nero AG.) - c:\Program Files (x86)\Nero\Update\NASvc.exe
SR - | Auto 09/10/2013 3275136 | (Skype C2C Service) . (.Skype Technologies S.A..) - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
SS - | Auto 05/09/2013 171680 | (SkypeUpdate) . (.Skype Technologies.) - C:\Program Files (x86)\Skype\Updater\Updater.exe
SS - | Demand 28/08/2013 566696 | (Steam Client Service) . (.Valve Corporation.) - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
SS - | Demand 10/02/2011 112080 | (TemproMonitoringService) . (.Toshiba Europe GmbH.) - C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe =>.Toshiba Corporation
SR - | Demand 29/11/2010 54136 | (TMachInfo) . (.TOSHIBA Corporation.) - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe =>.Toshiba Corporation
SR - | Auto 20/10/2010 138656 | (TODDSrv) . (.TOSHIBA Corporation.) - C:\Windows\system32\TODDSrv.exe
SR - | Auto 09/12/2010 489384 | (TosCoSrv) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
SS - | Demand 12/04/2010 196976 | (TOSHIBA Bluetooth Service) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
SR - | Auto 02/03/2011 266680 | (TOSHIBA eco Utility Service) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TECO\TecoService.exe =>.Toshiba Corporation
SR - | Demand 08/12/2010 137632 | (TOSHIBA HDD SSD Alert Service) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
SR - | Demand 01/07/2011 828856 | (TPCHSrv) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
SR - | Auto 20/12/2010 2656280 | (UNS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
SS - | Demand 01/03/2011 27648 | C:\Program Files (x86)\Windows Defender\mpsvc.dll (WinDefend) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
SR - | Demand 10/07/1658 0 | (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe =>.Microsoft Corporation
SR - | Auto 01/03/2011 27648 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
~ Services: Scanned in 00mn 33s



---\\ Search Master Boot Record Infection (MBR)(O80)
Run by TOSHIBA at 14/11/2013 06:00:58
~ OS 64 not supported by MBR tool
~ MBR: 0 Legitimates Filtered in 00mn 00s



---\\ Search Master Boot Record Infection (MBRCheck)(O80)
Written by ad13, http://ad13.geekstog
Run by TOSHIBA at 14/11/2013 06:01:01

********* Dump file Name *********
C:\PhysicalDisk0_MBR.bin
~ MBR: Scanned in 00mn 02s



---\\ Scan Additionnel (O88)
Database Version : 12994 - (12/11/2013)
Clés trouvées (Keys found) : 12
Valeurs trouvées (Values found) : 2
Dossiers trouvés (Folders found) : 7
Fichiers trouvés (Files found) : 0

[HKLM\Software\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKLM\Software\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] =>Toolbar.Skype
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] =>Toolbar.Skype
[HKLM\Software\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] =>Toolbar.Skype
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] =>Toolbar.Skype
[HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}] =>Toolbar.Skype
[HKCU\Software\QuickCet] =>Adware.QuickCet
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickCet] =>Adware.QuickCet
[HKLM\Software\Classes\protector_dll.protectorbho] =>PUP.BProtector
[HKLM\Software\Classes\protector_dll.protectorbho.1] =>PUP.BProtector
[HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F} =>Toolbar.Google^
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]:HKCU =>Trojan.Agent
C:\Program Files (x86)\Advanced System Protector =>PUP.AdvancedSystemProtector^
C:\Program Files (x86)\MyPC Backup =>PUP.MyPCBackup^
C:\Program Files (x86)\RegClean Pro =>Rogue.RegistryPowerCleaner^
C:\ProgramData\eSafe =>PUP.eSafeSecurity^
C:\Users\TOSHIBA\AppData\Roaming\dosearches =>PUP.DoSearches^
C:\ProgramData\Partner =>Spyware.Partner
C:\Users\TOSHIBA\AppData\Local\QuickCet =>Adware.QuickCet
~ Additionnel Scan: 327247 Items scanned in 00mn 36s



---\\ Summary of the detections found on your workstation
~ http://nicolascoolman.webs.com/apps/blog/show/32384220-toolbar-google =>Toolbar.Google
~ http://nicolascoolman.webs.com/apps/blog/show/26630283-pup-advancedsystemprotector =>PUP.AdvancedSystemProtector
~ http://nicolascoolman.webs.com/apps/blog/show/32174815-pup-mypcbackup =>PUP.MyPCBackup
~ http://nicolascoolman.webs.com/apps/blog/show/29295819-rogue-registrypowercleaner =>Rogue.RegistryPowerCleaner
~ http://nicolascoolman.webs.com/apps/blog/show/27588628-pup-esafesecurity =>PUP.eSafeSecurity
~ http://nicolascoolman.webs.com/apps/blog/show/33477786-pup-dosearches =>PUP.DoSearches
~ http://nicolascoolman.webs.com/apps/blog/show/30898245-toolbar-skype =>Toolbar.Skype
~ http://nicolascoolman.webs.com/apps/blog/show/28155479-adware-quickcet =>Adware.QuickCet
~ http://nicolascoolman.webs.com/apps/blog/show/28133096-pup-bprotector =>PUP.BProtector
~ http://nicolascoolman.webs.com/apps/blog/show/28193283-spyware-partner =>Spyware.Partner
~ MSI: 10 link(s) detected in 00mn 36s



~ 1740 Legitimates filtered by white list
End of the scan (498 lines in 10mn 42s)(0)


Thanks for your time, I really appreciate it.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 01:40 AM
0
Thank you
Think I've just sorted the speedyshare.com part out, the new link I come up with is : [code]http://speedy.sh/d54U4/ZHPDiag.txt/code if that's any further help.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 06:26 AM
0
Thank you
Oh, it's more serious than I thought then! Thank you for your help, after running the rkill link, I ended with a notepad with the following information, just wanted to check I've done this correct before moving onto step two:

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/14/2013 11:18:08 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe (PID: 4400) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\TOSHIBA\Desktop\rkill\rkill-11-14-2013-11-18-26.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\$Recycle.Bin\S-1-5-21-4197480782-1916531730-623419528-1000\$1ccb6b054caad53c151863bf333b4792\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-4197480782-1916531730-623419528-1000\$1ccb6b054caad53c151863bf333b4792\@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-4197480782-1916531730-623419528-1000\$1ccb6b054caad53c151863bf333b4792\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-4197480782-1916531730-623419528-1000\$1ccb6b054caad53c151863bf333b4792\U\ [ZA Dir]

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 11/14/2013 11:18:50 AM
Execution time: 0 hours(s), 0 minute(s), and 41 seconds(s)
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 14, 2013 at 06:50 AM
0
Thank you
Thanks for the report.

Worst than seen after the initial analysis as we have a possible Zero Access Rootkit and they are a bugger to clean.

Continue with step 2 and 3 and let me know.

I may log off for 10 hours but will return to check up on you.

We will need to do further work.

Pip pip ! Chin-up and God save the Queen !
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 08:58 AM
0
Thank you
Ok after running the Adwcleaner by Xplode, it automatically restarted my computer, to which it came back with a dialog box reading :The Recycle Bin on c:\ is corrupted. Do you want to empty the recycle bin for this drive? Yes or no. I have yet to choose an answer. It also opened up the notepad with the following log:

# AdwCleaner v3.012 - Report created 14/11/2013 at 13:47:14
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : TOSHIBA - TOSHIBA-TOSH
# Running from : C:\Users\TOSHIBA\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\eSafe
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\ProgramData\Systweak
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector
Folder Deleted : C:\Program Files (x86)\MyPC Backup
Folder Deleted : C:\Program Files (x86)\RegClean Pro
Folder Deleted : C:\Users\TOSHIBA\AppData\Roaming\digitalsite
Folder Deleted : C:\Users\TOSHIBA\AppData\Roaming\Systweak
File Deleted : C:\Users\Public\Desktop\eBay.lnk
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16736


-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted : search_url
Deleted : keyword

*************************

AdwCleaner[R0].txt - [2264 octets] - [14/11/2013 13:44:56]
AdwCleaner[S0].txt - [2237 octets] - [14/11/2013 13:47:14]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2297 octets] ##########
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 14, 2013 at 04:48 PM
Yes, you empty the bin.

Once you have finished,

1. please reboot you machine.

2. I would appreciate if you paste the malwarebyte log here.

3. Delete the previous ZHP Diag report.

4. Generate a new log and upload it on speedyshare. (I would like to make another final analysis to ensure we got every thing and also make suggestions to make your system more virus proof)
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 05:18 PM
I can find the following two logs :

2013/11/14 11:56:43 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting protection
2013/11/14 11:56:43 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Protection started successfully
2013/11/14 11:56:43 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting IP protection
2013/11/14 11:57:05 GMT TOSHIBA-TOSH TOSHIBA MESSAGE IP Protection started successfully
2013/11/14 11:57:10 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting database refresh
2013/11/14 11:57:10 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Stopping IP protection
2013/11/14 11:57:11 GMT TOSHIBA-TOSH TOSHIBA MESSAGE IP Protection stopped successfully
2013/11/14 11:57:13 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Database refreshed successfully
2013/11/14 11:57:13 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting IP protection
2013/11/14 11:57:15 GMT TOSHIBA-TOSH TOSHIBA MESSAGE IP Protection started successfully
2013/11/14 11:58:33 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Executing scheduled update: Daily
2013/11/14 11:58:35 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Database already up-to-date
2013/11/14 13:16:13 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\Users\TOSHIBA\AppData\Local\Temp\XxX.xXx Malware.Trace QUARANTINE
2013/11/14 13:16:14 GMT TOSHIBA-TOSH TOSHIBA ERROR Quarantine failed: SetFileAttributes failed with error code 2
2013/11/14 13:16:40 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\Users\TOSHIBA\AppData\Local\Temp\XxX.xXx Malware.Trace QUARANTINE
2013/11/14 13:47:18 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:24 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:29 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:34 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:39 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:44 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:49 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:54 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:47:59 GMT TOSHIBA-TOSH TOSHIBA DETECTION C:\dir\install\install\server.exe Trojan.Agent QUARANTINE
2013/11/14 13:49:29 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting protection
2013/11/14 13:49:29 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Protection started successfully
2013/11/14 13:49:29 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting IP protection
2013/11/14 13:49:32 GMT TOSHIBA-TOSH TOSHIBA MESSAGE IP Protection started successfully
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56089, Process: chrome.exe)
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56090, Process: chrome.exe)
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56091, Process: chrome.exe)
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56092, Process: chrome.exe)
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56093, Process: chrome.exe)
2013/11/14 19:17:55 GMT TOSHIBA-TOSH TOSHIBA IP-BLOCK 88.208.1.236 (Type: outgoing, Port: 56094, Process: chrome.exe)
2013/11/14 22:11:46 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting protection
2013/11/14 22:11:46 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Protection started successfully
2013/11/14 22:11:46 GMT TOSHIBA-TOSH TOSHIBA MESSAGE Starting IP protection
2013/11/14 22:11:48 GMT TOSHIBA-TOSH TOSHIBA MESSAGE IP Protection started successfully

and also :

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.14.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
TOSHIBA :: TOSHIBA-TOSH [administrator]

Protection: Enabled

14/11/2013 11:58:10
mbam-log-2013-11-14 (11-58-10).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 358781
Time elapsed: 1 hour(s), 9 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\VÍTIMA (Backdoor.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKCU (Trojan.Agent) -> Data: C:\dir\install\install\server.exe -> Quarantined and deleted successfully.
HKCU\Software\vítima|FirstExecution (Backdoor.Trace) -> Data: 23/08/2013 -- 01:23 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 13
C:\Users\TOSHIBA\AppData\Roaming\DigitalSite\UpdateProc (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\clamunpack (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\Troubleshooter (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\ProgramData\Systweak\Advanced System Protector (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\ProgramData\Systweak\Advanced System Protector\2.1.1000.12150 (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\ProgramData\Systweak\Advanced System Protector\signatures (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\Advanced System Protector (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\Advanced System Protector\2.1.1000.12150 (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1 (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1\Partial Backups (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.

Files Detected: 34
C:\dir\install\install\server.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\ashleyxxx?gpj.exe (Backdoor.Agent.MITGen) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\5ACD62F0DB94CD80.dll (Trojan.Medfos) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\aweocrnsxm.exe (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\CE3A.tmp (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\cnmraexosw.exe (Trojan.FakeNPPlus) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\msimg32.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\rcaewoxsmn.exe (Rootkit.0Access.ED) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\VirtualStore\Windows\SysWOW64\fcba.tmp (Trojan.FakeSIG) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\uxsbn.dll (Trojan.Medfos) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\Downloads\FlashPlayer_V.43042820c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\Downloads\VaudiX.exe (PUP.Optional.Installex) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\DigitalSite\UpdateProc\config.dat (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\DigitalSite\UpdateProc\prod.dat (PUP.Optional.DigitalSite.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\UuU.uUu (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\XxX.xXx (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\dclogs\2013-11-07-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\dclogs\2013-11-08-6.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Local\Temp\AppLaunch\Service.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\loading_withWhiteBG.avi (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\unins000.dat (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\unins000.msg (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\clamunpack\libclamav.dll (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\clamunpack\readme.txt (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Advanced System Protector\Troubleshooter\ASP-Troubleshooter.chm (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\ProgramData\Systweak\Advanced System Protector\AddonSafelist (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\ProgramData\Systweak\Advanced System Protector\log.xslt (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\Advanced System Protector\Settings.db (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\Advanced System Protector\2.1.1000.12150\ASPLog.txt (PUP.Optional.AdvancedSystemProtector.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1\eng_rcp.dat (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1\log_11-08-2013.log (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1\Partial Backups\00000001.rmx (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.
C:\Users\TOSHIBA\AppData\Roaming\Systweak\RegClean Pro\Version 6.1\Partial Backups\00000001.rxb (PUP.Optional.RegCleanerPro.A) -> Quarantined and deleted successfully.

(end)
Thanks for your time again.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 05:30 PM
And here's the new Zhpdiag report. :
~ Report of ZHPDiag v2013.11.14.33 - Nicolas Coolman (14/11/2013)
~ Launched by TOSHIBA (14/11/2013 22:21:01)
~ Web site address : http://nicolascoolman.webs.com
~ Free support forums for disinfection : http://nicolascoolman.webs.com/apps/links/
~ Translated by
~ Version State :
~ White List : Activate by program
~ Elevation of privilege : OK
~ User Account Control : Deactivate by program


---\\ Internet browsers
MSIE: Internet Explorer v10.0.9200.16736
GCIE: Google Chrome v30.0.1599.101 (Defaut)

---\\ Windows product information
~ Langage: Anglais
Windows 7 Home Premium Edition, 64-bit Service Pack 1 (Build 7601)
Windows Server License Manager Script : OK
~ Windows(R) 7, OEM_SLP channel
System Locked Preinstallation (OEM_SLP) : OK
Software Protection Service (Protection logicielle) : OK
Windows Automatic Updates : OK
Windows Activation Technologies : OK

---\\ System protection software
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Internet Security v11.6.434
Windows Defender W7

---\\ System optimization software

---\\ Sharing software PeerToPeer

---\\ Surveillance software
Adobe Flash Player 10 ActiveX
Adobe Reader X
Java 7 Update 7

---\\ Information on the system
~ Processor: Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
~ Operating System: 64 Bits
Boot mode: Normal (Normal boot)
Total RAM: 4043.9 MB (51% free)
System Restore: Activé (Enable)
System drive C: has 173 GB (74%) free of 232 GB

---\\ Connection to the system mode
~ Computer Name: TOSHIBA-TOSH
~ User Name: TOSHIBA
~ All Users Names: TOSHIBA, Guest, Administrator,
~ Unselected Option: None
Logged in as Administrator

---\\ Environment variables
~ System Unit : C:\
~ %AppZHP% : C:\Users\TOSHIBA\AppData\Roaming\ZHP\
~ %AppData% : C:\Users\TOSHIBA\AppData\Roaming\
~ %Desktop% : C:\Users\TOSHIBA\Desktop\
~ %Favorites% : C:\Users\TOSHIBA\Favorites\
~ %LocalAppData% : C:\Users\TOSHIBA\AppData\Local\
~ %StartMenu% : C:\Users\TOSHIBA\AppData\Roaming\Microsoft\Windows\Start Menu\
~ %Windir% : C:\Windows\
~ %System% : C:\Windows\System32\

---\\ Enumeration of the disk units
C: Hard drive, Flash drive, Thumb drive (Free 173 Go of 232 Go)
D: Hard drive, Flash drive, Thumb drive (Free 218 Go of 232 Go)
E: CD-ROM drive (Free 0 Go of 1 Go)



---\\ State of the Windows Security Center
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] NoActiveDesktopChanges: Modified
~ Security Center: 41 Legitimates Filtered in 00mn 00s



---\\ Search Generic System Files
[MD5.332FEAB1435662FC6C672E25BEB37BE3] - (.Microsoft Corporation - Windows Explorer.) (.25/02/2011 - 06:19:30.) -- C:\Windows\Explorer.exe [2871808]
[MD5.94355C28C1970635A31B3FE52EB7CEBA] - (.Microsoft Corporation - Windows Start-Up Application.) (.14/07/2009 - 01:39:52.) -- C:\Windows\System32\Wininit.exe [129024]
[MD5.9706C99DAEBE3FEAC811B239617E98C4] - (.Microsoft Corporation - Internet Extensions for Win32.) (.12/10/2013 - 08:45:20.) -- C:\Windows\System32\wininet.dll [2241536]
[MD5.1151B1BAA6F350B1DB6598E0FEA7C457] - (.Microsoft Corporation - Windows Logon Application.) (.21/11/2010 - 03:24:29.) -- C:\Windows\System32\Winlogon.exe [390656]
[MD5.067FA52BFB59A56110A12312EF9AF243] - (.Microsoft Corporation - Software Licensing Library.) (.21/11/2010 - 03:24:16.) -- C:\Windows\System32\sppcomapi.dll [232448]
[MD5.79059559E89D06E8B80CE2944BE20228] - (.Microsoft Corporation - Ancillary Function Driver for WinSock.) (.28/09/2013 - 01:09:10.) -- C:\Windows\system32\Drivers\AFD.sys [497152]
[MD5.02062C0B390B7729EDC9E69C680A6F3C] - (.Microsoft Corporation - ATAPI IDE Miniport Driver.) (.14/07/2009 - 01:52:21.) -- C:\Windows\system32\Drivers\atapi.sys [24128]
[MD5.B8BD2BB284668C84865658C77574381A] - (.Microsoft Corporation - CD-ROM File System Driver.) (.13/07/2009 - 23:19:47.) -- C:\Windows\system32\Drivers\Cdfs.sys [92160]
[MD5.F036CE71586E93D94DAB220D7BDF4416] - (.Microsoft Corporation - SCSI CD-ROM Driver.) (.21/11/2010 - 03:23:47.) -- C:\Windows\system32\Drivers\Cdrom.sys [147456]
[MD5.9BB2EF44EAA163B29C4A4587887A0FE4] - (.Microsoft Corporation - DFS Namespace Client Driver.) (.21/11/2010 - 03:24:32.) -- C:\Windows\system32\Drivers\DfsC.sys [102400]
[MD5.97BFED39B6B79EB12CDDBFEED51F56BB] - (.Microsoft Corporation - High Definition Audio Bus Driver.) (.21/11/2010 - 03:23:47.) -- C:\Windows\system32\Drivers\HDAudBus.sys [122368]
[MD5.FA55C73D4AFFA7EE23AC4BE53B4592D3] - (.Microsoft Corporation - i8042 Port Driver.) (.13/07/2009 - 23:19:57.) -- C:\Windows\system32\Drivers\i8042prt.sys [105472]
[MD5.AF9B39A7E7B6CAA203B3862582E9F2D0] - (.Microsoft Corporation - IP Network Address Translator.) (.14/07/2009 - 00:10:03.) -- C:\Windows\system32\Drivers\IpNat.sys [116224]
[MD5.A5D9106A73DC88564C825D317CAC68AC] - (.Microsoft Corporation - Windows NT SMB Minirdr.) (.27/04/2011 - 02:40:40.) -- C:\Windows\system32\Drivers\MRxSmb.sys [158208]
[MD5.09594D1089C523423B32A4229263F068] - (.Microsoft Corporation - MBT Transport driver.) (.21/11/2010 - 03:23:51.) -- C:\Windows\system32\Drivers\netBT.sys [261632]
[MD5.B98F8C6E31CD07B2E6F71F7F648E38C0] - (.Microsoft Corporation - NT File System Driver.) (.12/04/2013 - 14:45:08.) -- C:\Windows\system32\Drivers\ntfs.sys [1656680]
[MD5.0086431C29C35BE1DBC43F52CC273887] - (.Microsoft Corporation - Parallel Port Driver.) (.14/07/2009 - 00:00:41.) -- C:\Windows\system32\Drivers\Parport.sys [97280]
[MD5.471815800AE33E6F1C32FB1B97C490CA] - (.Microsoft Corporation - RAS L2TP mini-port/call-manager driver.) (.21/11/2010 - 03:24:33.) -- C:\Windows\system32\Drivers\Rasl2tp.sys [129536]
[MD5.548260A7B8654E024DC30BF8A7C5BAA4] - (.Microsoft Corporation - SMB Transport driver.) (.14/07/2009 - 00:09:09.) -- C:\Windows\system32\Drivers\smb.sys [93184]
[MD5.DDAD5A7AB24D8B65F8D724F5C20FD806] - (.Microsoft Corporation - TDI Translation Driver.) (.21/11/2010 - 03:24:32.) -- C:\Windows\system32\Drivers\tdx.sys [119296]
[MD5.DF8126BD41180351A093A3AD2FC8903B] - (.Microsoft Corporation - Volume Shadow Copy Driver.) (.25/02/2011 - 06:25:38.) -- C:\Windows\system32\Drivers\volsnap.sys [296320]
~ Generic Processes: Scanned in 00mn 01s



---\\ Hidden files state (Hidden/Total)
~ Mes images (My Pictures) : 1/875
~ Mes musiques (My Musics) : 1/10
~ Mes Favoris (My Favorites) : 1/23
~ Mes Documents (My Documents) : 1/25
~ Mon Bureau (My Desktop) : 1/7
~ Menu demarrer (Programs) : 1/588
~ Hidden Files: Scanned in 00mn 01s



---\\ Process running
[MD5.D1D5DAB39DCB4BE0359943738D87409B] - (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [532040] [PID.3632]
[MD5.97A1AFD42B8016D132C7BF38C955C6E1] - (.TOSHIBA CORPORATION - ConfigFree Task Tray Menu.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [304560] [PID.3860]
[MD5.2A1BE3D0B2F439ABB52EF1570D8EB4F7] - (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe [20549280] [PID.4120]
[MD5.D630F2D985E5FED43FC41D5A9430FBDC] - (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe [46592] [PID.4204]
[MD5.47C1DE0A890613FFCFF1D67648EEDF90] - (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920] [PID.4588]
[MD5.B9FBE2C4DE9A72E8997697C8D5CAD009] - (.TOSHIBA CORPORATION - IT Security Manager for Toshiba Stack.) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336] [PID.3148]
[MD5.4AFFDCAADCB1DBBFFAF06C7F82E7F6FC] - (.Apple Inc. - iTunesHelper.) -- C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776] [PID.3380]
[MD5.12916E0642E92561C98B18A2A2D01B14] - (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252848] [PID.4856]
[MD5.8A07221789D46B2EA7DFCA2BC807572A] - (.TOSHIBA CORPORATION - ConfigFree Switch Manager Process.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSwMgr.exe [62848] [PID.5920]
[MD5.3E399A1328181C2A352472369DE2A93A] - (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [844752] [PID.7384]
[MD5.A9B236A317FD2D8C9C9F43F33707667E] - (.Nicolas Coolman - ZHPDiag.) -- C:\Program Files (x86)\ZHPDiag\ZHPDiag.exe [8216064] [PID.6576]
[MD5.11A52CF7B265631DEEB24C6149309EFF] - (.Adobe Systems Incorporated - Adobe Acrobat Update Service.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [64952] [PID.1492]
[MD5.A5299D04ED225D64CF07A568A3E1BF8C] - (.Apple Inc. - MobileDeviceService.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [55184] [PID.1532]
[MD5.65085456FD9A74D7F1A999520C299ECB] - (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376] [PID.1724]
[MD5.E0D7732F2D2E24B2DB3F67B6750295B8] - (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512] [PID.2008]
[MD5.9F712B26EE3B0242DE997A42FD302E2C] - (.Skype Technologies S.A. - Skype C2C Service.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136] [PID.1556]
[MD5.51138BEEA3E2C21EC44D0932C71762A8] - (...) -- ysWOW64\rundll32.exe [0] [PID.1480]
[MD5.CAB0EEAF5295FC96DDD3E19DCE27E131] - (.TOSHIBA CORPORATION - ConfigFree Service Process.) -- C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe [46448] [PID.10748]
[MD5.2ED1786B7542CDA261029F6B526EDF44] - (.Intel Corporation - Local Manageability Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [325656] [PID.10464]
[MD5.13AA2130F2A104DD775EAD0F0EE5417B] - (.Nero AG - NeroUpdate.) -- c:\Program Files (x86)\Nero\Update\NASvc.exe [598312] [PID.10640]
[MD5.7E5E1603D0FF2D240AE70295C5C3FEFC] - (.Intel Corporation - User Notification Service.) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2656280] [PID.11200]
~ Processes Running: Scanned in 00mn 04s



---\\ Google Chrome, Start,Search,Extensions (G0,G1,G2)
C:\Users\TOSHIBA\AppData\Local\Google\Chrome\User Data\Default\Preferences
G1 - GCS: Preference [User Data\Default] http://search.do =>Hijacker.SearchDo
~ Google Browser: 9 Legitimates Filtered in 00mn 10s



---\\ Mozilla Firefox,Plugins,Start,Search,Extensions (P2,M0,M1,M2,M3)
P2 - FPN: [HKLM] [@mcafee.com/MSC,version=10] - (...) -- C:\Program Files\mcafee\msc\npMcSnFFPl64.dll
~ Firefox Browser: 2 Legitimates Filtered in 00mn 00s



---\\ Internet Explorer, Proxy Management (R5)
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = no key
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyEnable = 0
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,MigrateProxy = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,EnableHttp1_1 = 1
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigProxy = wininet.dll
~ Proxy management: Scanned in 00mn 00s



---\\ Line Analysis F0, F1, F2, F3 - IniFiles, Auto loading programs
F2 - REG:system.ini: USERINIT=C:\Windows\system32\userinit.exe,
F2 - REG:system.ini: Shell=C:\Windows\explorer.exe
F2 - REG:system.ini: VMApplet=C:\Windows\System32\SystemPropertiesPerformance.exe
~ Keys: Scanned in 00mn 00s



---\\ Hosts file redirection (O1)
~ Le fichier hosts est sain (The hosts file is clean).
~ Hosts File: Scanned in 00mn 00s
~ Nombre de lignes (Lines number): 21



---\\ Internet Explorer toolbars (O3)
O3 - Toolbar: McAfee SiteAdvisor Toolbar [64Bits] - [HKLM]{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} . (.McAfee, Inc. - SiteAdvisor.) -- C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll
O3 - Toolbar: Google Toolbar [64Bits] - [HKLM]{2318C2B1-4965-11d4-9B18-009027A5CD4F} . (.Google Inc. - Google Toolbar.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll =>Toolbar.Google
O3 - Toolbar\WebBrowser: (no name) [64Bits] - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} Orphan key
~ Toolbar: Scanned in 00mn 00s



---\\ Other User Links (O4)
O4 - GS\Desktop [Public]: BBC iPlayer Desktop.lnk . (...) -- C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - GS\Desktop [Public]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\Desktop [Public]: Kioskea.exe.lnk . (.Malwarebytes Corporation - Malwarebytes Anti-Malware.) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
O4 - GS\Desktop [Public]: Manual.lnk . (.TOSHIBA - Toshiba Regensburg EXternal file Launcher.) -- C:\Program Files (x86)\TOSHIBA\Manuals\TREXLauncher.exe
O4 - GS\Program [Public]: BBC iPlayer Desktop.lnk . (...) -- C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - GS\QuickLaunch [TOSHIBA]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\QuickLaunch [TOSHIBA]: Launch Internet Explorer Browser.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\TaskBar [TOSHIBA]: Google Chrome.lnk . (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O4 - GS\Program [TOSHIBA]: Internet Explorer.lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
O4 - GS\SystemTools [TOSHIBA]: Internet Explorer (No Add-ons).lnk . (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files (x86)\Internet Explorer\iexplore.exe
~ Global Startup: 73 Legitimates Filtered in 00mn 03s



---\\ Auto loading programs from Registry and folders (O4)
O4 - GS\Startup [Public]: Toshiba Places Icon Utility.lnk . (.Toshiba - Toshiba Places Icon Utility.) -- C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe
O4 - GS\Startup [TOSHIBA]: TRDCReminder.lnk . (.TOSHIBA Europe - TOSHIBA Recovery Reminder.) -- C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe
O4 - HKLM\..\Run: [Toshiba TEMPRO] . (.Toshiba Europe GmbH - Toshiba TEMPRO.) -- C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe =>.Toshiba Corporation
O4 - HKLM\..\Run: [TosNC] C:\Program Files (x86)\Toshiba\BulletinBoard\TosNcCore.exe (.not file.)
O4 - HKLM\..\Run: [TosReelTimeMonitor] C:\Program Files (x86)\TOSHIBA\ReelTime\TosReelTimeMonitor.exe (.not file.)
O4 - HKLM\..\Run: [IgfxTray] . (.Intel Corporation - igfxTray Module.) -- C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] . (.Intel Corporation - hkcmd Module.) -- C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] . (.Intel Corporation - persistence Module.) -- C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPwrMain] C:\Program Files (x86)\TOSHIBA\Power Saver\TPwrMain.exe (.not file.)
O4 - HKLM\..\Run: [HSON] C:\Program Files (x86)\TOSHIBA\TBS\HSON.exe (.not file.)
O4 - HKLM\..\Run: [TCrdMain] C:\Program Files (x86)\TOSHIBA\FlashCards\TCrdMain.exe (.not file.)
O4 - HKLM\..\Run: [SmartAudio] . (.Conexant systems, Inc. - SmartAudio Control Panel application.) -- C:\Program Files\CONEXANT\SAII\SAIICpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe (.not file.)
O4 - HKLM\..\Run: [Teco] C:\Program Files (x86)\TOSHIBA\TECO\Teco.exe (.not file.)
O4 - HKLM\..\Run: [TosSENotify] . (.TOSHIBA Corporation - No Comment.) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [TosWaitSrv] C:\Program Files (x86)\TOSHIBA\TPHM\TosWaitSrv.exe (.not file.)
O4 - HKLM\..\Run: [TosVolRegulator] . (.TOSHIBA Corporation - Toshiba Volume Regulator.) -- C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe =>.Toshiba Corporation
O4 - HKLM\..\Run: [Toshiba Registration] . (.Toshiba Europe GmbH - Toshiba Notebook Registration Reminder.) -- C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe
O4 - HKCU\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKCU\..\Run: [Steam] . (.Valve Corporation - Steam Client Bootstrapper (buildbot_winslav.) -- C:\Program Files (x86)\Steam\Steam.exe
O4 - HKCU\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKCU\..\Run: [QuickCet] . (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe
O4 - HKLM\..\Wow6432Node\Run: [Adobe ARM] . (.Adobe Systems Incorporated - Adobe Reader and Acrobat Manager.) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe =>.Adobe Systems Incorporated
O4 - HKLM\..\Wow6432Node\Run: [NBAgent] . (.Nero AG - Nero BackItUp.) -- c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe
O4 - HKLM\..\Wow6432Node\Run: [mcui_exe] . (.McAfee, Inc. - McAfee Security Center.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Wow6432Node\Run: [ITSecMng] . (.TOSHIBA CORPORATION - IT Security Manager for Toshiba Stack.) -- C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
O4 - HKLM\..\Wow6432Node\Run: [TSleepSrv] . (.TOSHIBA - TOSHIBA Sleep Service.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
O4 - HKLM\..\Wow6432Node\Run: [ToshibaServiceStation] . (.TOSHIBA Corporation - TOSHIBA Service Station.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe =>.Toshiba Corporation
O4 - HKLM\..\Wow6432Node\Run: [APSDaemon] . (.Apple Inc. - Apple Push.) -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
O4 - HKLM\..\Wow6432Node\Run: [iTunesHelper] . (.Apple Inc. - iTunesHelper.) -- C:\Program Files (x86)\iTunes\iTunesHelper.exe
O4 - HKLM\..\Wow6432Node\Run: [SunJavaUpdateSched] . (.Sun Microsystems, Inc. - Java(TM) Update Scheduler.) -- C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe =>.Oracle Corporation
O4 - HKUS\S-1-5-18\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-19\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] . (.Microsoft Corporation - Windows Desktop Gadgets.) -- C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
O4 - HKUS\S-1-5-20\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] . (.Microsoft Corporation - MCTAdmin.) -- C:\Windows\System32\mctadmin.exe =>.Microsoft Corporation
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [TOPI.EXE] . (.TOSHIBA - TOSHIBA Online Product Information.) -- C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe =>.Toshiba Corporation
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [Steam] . (.Valve Corporation - Steam Client Bootstrapper (buildbot_winslav.) -- C:\Program Files (x86)\Steam\Steam.exe
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [Skype] . (.Skype Technologies S.A. - Skype.) -- C:\Program Files (x86)\Skype\Phone\Skype.exe =>.Skype Technologies S.A.
O4 - HKUS\S-1-5-21-4197480782-1916531730-623419528-1000\..\Run: [QuickCet] . (.No owner - QuickCet.) -- C:\Users\TOSHIBA\AppData\Local\QuickCet\QuickCet\QuickCet.exe
~ Application: Scanned in 00mn 01s



---\\ Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (O9)
O9 - Extra button: Skype Click to Call [64Bits] - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} . (...) -- c:\program files (x86)\skype\toolbars\internet explorer x64\icon.ico
O9 - Extra button: @C:\Program Files\TOSHIBA\BulletinBoard\TosNcUi.dll,-228 [64Bits] - {97F922BD-8563-4184-87EE-8C4ACA438823} . (...) -- C:\Program Files\TOSHIBA\BulletinBoard\images\pin.ico
~ IE Extra Buttons: Scanned in 00mn 00s



---\\ Lop.com/Domain Hijackers (O17)
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BFFDE79-E2F8-449D-BCC4-9A455CF3301C}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
~ Domain: Scanned in 00mn 00s



---\\ Extra protocols (O18)
O18 - Handler: wlpg [64Bits] - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} . (...) --
O18 - Filter: application/x-msdownload [64Bits] - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} . (.Microsoft Corporation - Microsoft .NET Runtime Execution Engine.) -- C:\Windows\System32\mscoree.dll =>.Microsoft Corporation
~ Protocole Additionnel: Scanned in 00mn 00s



---\\ AppInit_DLLs Registry value Autorun (O20)
O20 - Winlogon Notify: igfxcui . (.Intel Corporation - igfxdev Module.) -- C:\Windows\System32\igfxdev.dll
~ Winlogon: Scanned in 00mn 00s



---\\ Software installed (O42)
O42 - Logiciel: QuickCet - (.QuickCet.) [HKCU][64Bits] -- QuickCet
~ Logic: 154 Legitimates Filtered in 00mn 00s



---\\ HKCU & HKLM Software Keys
[HKCU\Software\ChrmTB]
~ Key Software: 160 Legitimates Filtered in 00mn 00s



---\\ Contents of the Common Files folders (O43)
O43 - CFD: 20/06/2013 - 18:38:54 - [0.005] ----D C:\ProgramData\oodr
O43 - CFD: 08/11/2013 - 13:44:42 - [0] ----D C:\Users\TOSHIBA\AppData\Roaming\0D0S1L2Z1P1B
O43 - CFD: 08/11/2013 - 14:20:37 - [1.074] ----D C:\Users\TOSHIBA\AppData\Roaming\dosearches =>PUP.DoSearches
O43 - CFD: 15/05/2013 - 19:17:10 - [0.150] ----D C:\Users\TOSHIBA\AppData\Local\QuickCet
~ 238 Dossiers CLSID vides (CLSID Empty Folders)
~ Program Folder: 367 Legitimates Filtered in 01mn 03s



---\\ Last files created in Windows Prefetcher (O45)
O45 - LFCP:[MD5.60A6A30499835C4FA5FEB1351840C89B] - 14/11/2013 - 16:19:21 ---A- - C:\Windows\Prefetch\FM.EXE-751F7775.pf
~ Prefetcher: 139 Legitimates Filtered in 00mn 00s



---\\ Microsoft Windows Policies System (MWPS) (O55)
O55 - MWPS:[HKLM\...\Policies\System] - "EnableUIADesktopToggle"=0
O55 - MWPS:[HKLM\...\Policies\System] - "FilterAdministratorToken"=0
O55 - MWPS:[HKLM\...\Policies\System] - "EnableLinkedConnections"=1
~ MWPS: 19 Legitimates Filtered in 00mn 00s



---\\ Microsoft Windows Policies Explorer (MWPE) (O56)
O56 - MWPE:[HKLM\...\policies\Explorer] - "NoActiveDesktopChanges"=1
~ MWPE Keys: 5 Legitimates Filtered in 00mn 00s



---\\ System Drivers List (SDL) (O58)
O58 - SDL:[MD5.0E5DA5369A0FCAEA12456DD852545184] - 14/07/2009 - 01:47:48 ---A- . (.Emulex - Storport Miniport Driver for LightPulse HBAs.) -- C:\Windows\System32\Drivers\elxstor.sys [530496]
~ Drivers: 19 Legitimates Filtered in 00mn 00s



---\\ List all tools cleaner (LATC) (O63)
O63 - Logiciel: ZHPDiag 2013 - (.Nicolas Coolman.) [HKLM] -- ZHPDiag_is1 =>.Nicolas Coolman
~ ADS: Scanned in 00mn 00s



---\\ File Associations Shell Spawning (O67)
O67 - Shell Spawning: <.html> <ChromeHTML>[HKCU\..\open\Command] (.Not Key.)
~ FASS Keys: 11 Legitimates Filtered in 00mn 00s



---\\ Start Menu Internet (SMI) (O68)
O68 - StartMenuInternet: <Google Chrome> <Google Chrome>[HKLM\..\Shell\open\Command] (.Google Inc. - Google Chrome.) -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
O68 - StartMenuInternet: <IEXPLORE.EXE> <Internet Explorer>[HKLM\..\Shell\open\Command] (.Microsoft Corporation - Internet Explorer.) -- C:\Program Files\Internet Explorer\iexplore.exe
~ Keys: Scanned in 00mn 00s



---\\ Search Browser Infection (SBI) (O69)
O69 - SBI: SearchScopes [HKCU] AD52FC5A0D30457F816CEDCD5861BF93 - (Google) - http://www.google.com
O69 - SBI: SearchScopes [HKCU] {6A1806CD-94D4-4689-BA73-E35EA1EA9990} - (Bing) - http://www.bing.com
~ Keys: Scanned in 00mn 00s



---\\ Search Particular Root Folder (SPRF) (O84)
[MD5.F3B33AC8EF0950E8F37AC867DB2825F6] [SPRF][03/11/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\Quarantine.exe [350259]
[MD5.D41D8CD98F00B204E9800998ECF8427E] [SPRF][13/04/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\vgkzgxylp3j4api2u27wq9.exe [0]
~ Files: 4 Legitimates Filtered in 00mn 00s



---\\ Windows Installer Scan (WIS) (O93) (NTFS)
[MD5.2053A256B7082A3C6CABAD9895679569] [WIS][11/09/2012] (.British Broadcasting Corp. - BBC iPlayer Desktop.) -- C:\Windows\Installer\44e1a.msi [22016]
~ WIS: 165 Legitimates Filtered in 00mn 36s



---\\ General States of Services not Microsoft (EGS) (SR=Running, SS=Stopped)
SR - | Auto 06/06/2011 64952 | (AdobeARMservice) . (.Adobe Systems Incorporated.) - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
SR - | Auto 11/08/2012 55184 | (Apple Mobile Device) . (.Apple Inc..) - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
SR - | Auto 30/08/2011 462184 | (Bonjour Service) . (.Apple Inc..) - C:\Program Files\Bonjour\mDNSResponder.exe
SR - | Auto 28/01/2010 249200 | (cfWiMAXService) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFIWmxSvcs64.exe
SR - | Auto 10/03/2009 46448 | (ConfigFree Service) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\TOSHIBA\ConfigFree\CFSvcs.exe
SS - | Demand 12/10/2010 206072 | (GamesAppService) . (.WildTangent, Inc..) - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
SS - | Auto 03/08/2011 136176 | (gupdate) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 03/08/2011 136176 | (gupdatem) . (.Google Inc..) - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
SS - | Demand 16/09/2012 194032 | (gusvc) . (.Google.) - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
SS - | Demand 13/11/2005 69632 | (IDriverT) . (.Macrovision Corporation.) - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
SR - | Demand 09/09/2012 936848 | (iPod Service) . (.Apple Inc..) - C:\Program Files\iPod\bin\iPodService.exe
SR - | Auto 20/12/2010 325656 | (LMS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
SR - | Auto 04/04/2013 418376 | (MBAMScheduler) . (.Malwarebytes Corporation.) - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
SR - | Auto 04/04/2013 701512 | (MBAMService) . (.Malwarebytes Corporation.) - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
SR - | Auto 11/05/2012 200728 | (McAfee SiteAdvisor Service) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SS - | Demand 28/01/2011 225216 | (McAWFwk) . (.McAfee, Inc..) - C:\Program Files\mcafee\msc\McAWFwk.exe
SR - | Auto 11/05/2012 200728 | (McMPFSvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (mcmscsvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McNaiAnn) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McNASvc) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SS - | Demand 10/09/2012 383608 | (McODS) . (.McAfee, Inc..) - C:\Program Files\mcafee\VirusScan\mcods.exe
SS - | Disabled 11/05/2012 200728 | (McOobeSv) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 11/05/2012 200728 | (McProxy) . (.McAfee, Inc..) - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
SR - | Auto 22/06/2012 237920 | (McShield) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
SR - | Auto 22/06/2012 218320 | (mfefire) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
SR - | Auto 22/06/2012 177144 | (mfevtp) . (.McAfee, Inc..) - C:\Windows\system32\mfevtps.exe
SR - | Auto 11/05/2012 200728 | (MSK80Service) . (.McAfee, Inc..) - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
SR - | Auto 29/03/2011 598312 | (NAUpdate) . (.Nero AG.) - c:\Program Files (x86)\Nero\Update\NASvc.exe
SR - | Auto 09/10/2013 3275136 | (Skype C2C Service) . (.Skype Technologies S.A..) - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
SS - | Auto 05/09/2013 171680 | (SkypeUpdate) . (.Skype Technologies.) - C:\Program Files (x86)\Skype\Updater\Updater.exe
SS - | Demand 28/08/2013 566696 | (Steam Client Service) . (.Valve Corporation.) - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
SS - | Demand 10/02/2011 112080 | (TemproMonitoringService) . (.Toshiba Europe GmbH.) - C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe =>.Toshiba Corporation
SR - | Demand 29/11/2010 54136 | (TMachInfo) . (.TOSHIBA Corporation.) - C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe =>.Toshiba Corporation
SR - | Auto 20/10/2010 138656 | (TODDSrv) . (.TOSHIBA Corporation.) - C:\Windows\system32\TODDSrv.exe
SR - | Auto 09/12/2010 489384 | (TosCoSrv) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
SS - | Demand 12/04/2010 196976 | (TOSHIBA Bluetooth Service) . (.TOSHIBA CORPORATION.) - C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
SR - | Auto 02/03/2011 266680 | (TOSHIBA eco Utility Service) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TECO\TecoService.exe =>.Toshiba Corporation
SR - | Demand 08/12/2010 137632 | (TOSHIBA HDD SSD Alert Service) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
SR - | Demand 01/07/2011 828856 | (TPCHSrv) . (.TOSHIBA Corporation.) - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
SR - | Auto 20/12/2010 2656280 | (UNS) . (.Intel Corporation.) - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
SS - | Demand 01/03/2011 27648 | C:\Program Files (x86)\Windows Defender\mpsvc.dll (WinDefend) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
SR - | Demand 10/07/1658 0 | (WMPNetworkSvc) . (...) - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe =>.Microsoft Corporation
SR - | Auto 01/03/2011 27648 | C:\Windows\System32\wuaueng.dll (wuauserv) . (.Microsoft Corporation.) - C:\Windows\System32\svchost.exe
~ Services: Scanned in 00mn 39s



---\\ Search Master Boot Record Infection (MBR)(O80)
Run by TOSHIBA at 14/11/2013 22:26:55
~ OS 64 not supported by MBR tool
~ MBR: 0 Legitimates Filtered in 00mn 00s



---\\ Search Master Boot Record Infection (MBRCheck)(O80)
Written by ad13, http://ad13.geekstog
Run by TOSHIBA at 14/11/2013 22:26:57

********* Dump file Name *********
C:\PhysicalDisk0_MBR.bin
~ MBR: Scanned in 00mn 02s



---\\ Scan Additionnel (O88)
Database Version : 12994 - (14/11/2013)
Clés trouvées (Keys found) : 5
Valeurs trouvées (Values found) : 2
Dossiers trouvés (Folders found) : 2
Fichiers trouvés (Files found) : 0

[HKLM\Software\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKLM\Software\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}] =>Toolbar.Skype
[HKCU\Software\QuickCet] =>Adware.QuickCet
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickCet] =>Adware.QuickCet
[HKLM\Software\Microsoft\Internet Explorer\Toolbar]:{2318C2B1-4965-11d4-9B18-009027A5CD4F} =>Toolbar.Google^
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]:QuickCet =>Adware.QuickCet
C:\Users\TOSHIBA\AppData\Roaming\dosearches =>PUP.DoSearches^
C:\Users\TOSHIBA\AppData\Local\QuickCet =>Adware.QuickCet
~ Additionnel Scan: 327212 Items scanned in 00mn 32s



---\\ Summary of the detections found on your workstation
~ http://nicolascoolman.webs.com/apps/blog/show/32384220-toolbar-google =>Toolbar.Google
~ http://nicolascoolman.webs.com/apps/blog/show/33477786-pup-dosearches =>PUP.DoSearches
~ http://nicolascoolman.webs.com/apps/blog/show/30898245-toolbar-skype =>Toolbar.Skype
~ http://nicolascoolman.webs.com/apps/blog/show/28155479-adware-quickcet =>Adware.QuickCet
~ MSI: 4 link(s) detected in 00mn 32s



~ 1801 Legitimates filtered by white list
End of the scan (461 lines in 06mn 28s)(0)
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 14, 2013 at 05:34 PM
0
Thank you
By George, this is a total success ! Victory !

You system should be running fine now, at least better.

Please delete:

1. Rogue Killer
2. Adwcleaner
3. Malwarebyte

Adwcleaner always updates and Malwarebyte may conflict with your antivirus.

Tomorrow, after I analyse your ZHP log, I will steps to optomize your system for safety and better performance.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 14, 2013 at 05:42 PM
0
Thank you
Argh well maybe the problem lies further, I still get the dredded 200+ messages of : window's cant open this file when I start Windows. Thank you for input and time I can't thank you enough.
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 15, 2013 at 04:33 AM
0
Thank you
Please upload a new ZHP Diag log on Speedyshare
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 15, 2013 at 04:48 AM
0
Thank you
Ok, that's done, the url is
<a href="http://speedy.sh/CnY5j/ZHPDiag.txt">Download at SpeedyShare</a>
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 15, 2013 at 05:46 AM
Stand-by!
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 15, 2013 at 06:07 AM
0
Thank you
Okay, got it !

(Warning to all other members other than Crakermatt, this is a custom made solution, do not copy or emulate or your machine may be damaged)

1. Close all applications

2. Select and copy all of the following bold lines.

[HKCU\Software\ChrmTB]
G1 - GCS: Preference [User Data\Default] http://search.do
O43 - CFD: 08/11/2013 - 14:20:37 - [1.074] ----D C:\Users\TOSHIBA\AppData\Roaming\dosearches
C:\Users\TOSHIBA\AppData\Roaming\dosearches
C:\Users\TOSHIBA\AppData\Local\Temp\GoogleToolbarInstaller1.log
O45 - LFCP:[MD5.2B411B3E1325C72805C91FE34963B199] - 15/11/2013 - 00:57:41 ---A- - C:\Windows\Prefetch\QUICKCET.EXE-06EA7130.pf
O45 - LFCP:[MD5.B14DC3744CE79A66E86C58F3F210238B] - 15/11/2013 - 00:58:22 ---A- - C:\Windows\Prefetch\GUS3499.TMP-D9105FCE.pf
[MD5.F3B33AC8EF0950E8F37AC867DB2825F6] [SPRF][03/11/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\Quarantine.exe [350259]
[MD5.B84C34C7087AC42C69133581A1924A53] [SPRF][15/11/2013] (.SanctionedMedia - SmadUninstaller.) -- C:\Users\TOSHIBA\AppData\Local\Temp\smUninstall.exe [8192]
[MD5.D41D8CD98F00B204E9800998ECF8427E] [SPRF][13/04/2013] (...) -- C:\Users\TOSHIBA\AppData\Local\Temp\vgkzgxylp3j4api2u27wq9.exe
O3 - Toolbar\WebBrowser: (no name) [64Bits] - [HKCU]{2318C2B1-4965-11D4-9B18-009027A5CD4F} Orphan key
[HKLM\Software\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}]
[HKLM\Software\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}]
[HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
]

3. ZHP Diag created a short cut on your desktop called ZHP Fix, launch ZHP Fix (For Windows 7 click right to run as admin. Answer yes if you get an enquiry as to weither you want to run it or not

4. Click on the the Import button and the lines will automatically paste themselves.

5. Click on the Go button to clean

6. Confirm by clicking OK

7. ZHP Fix will ask if you wish to empty the bin, click on your choice...it may take time

8. A report will appear on your desktop and on C:\ZHP\ZHPFix[R1].txt which you can copy and paste in your reply.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 15, 2013 at 06:55 AM
0
Thank you
Once I'ved copied and pasted the bold lines, and clicked Go - a dialog box opens with the following and won't let me go further:

Avertissement

Samples
----------------------
Script ZHPFix (Ligne obligatoire)
C:\ProgramFiles\Magnipic
[HKEY_CURRENT_USER\Software\Magnipic]
[HKEY_USER\S-1-5-18\Control Magnipic]
[HKCU\Software\MagniPic]


Thanks for your time yet again.
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 16, 2013 at 04:11 AM
Close ZHP Fix

Boot in safe mode and repeat the entire process with ZHP Fix
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 16, 2013 at 05:35 AM
Another thing.

Can you check in your programme files if you have such software as Magnipic.

Thanks
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 16, 2013 at 09:25 AM
I have the same problem in Safe mode with ZHP Fix I'm afraid pal.

I can check program files okay - but unsure what to look for.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 16, 2013 at 09:27 AM
I mean I have searched for Magnipic and nothing found - but I'm told it could be disguised as another name?
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 16, 2013 at 06:06 PM
Dear Matt,

I have also asked about Magnipic to my most experienced colleages in virus.

It is an application which just inserts itself into other applications.

I suggest that we go to the ultimate cure, a powerful tool, a last resort.

To keep your system safe, you must follow the instructions hereunder to the letter:

1. Download Combofix to your desktop.

http://www.bleepingcomputer.com/download/combofix/

(click on the download @ bleeping computer button)

2.Close all open Windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not mouse click nor must you tap on the keyboard. Let the tool run.

Good luck
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 17, 2013 at 02:34 AM
0
Thank you
I thank you very kindly for your patience in dealing with this problem, you must be as frustrated as me at times lol, Do I run combofix in safe made with networking or normal windows?
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 18, 2013 at 07:04 PM
It wont let me reinstall :( , and furthermore when I press play it opens in windows media player and yes E is external
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 18, 2013 at 08:27 PM
I've managed to get rid of the file messages that appear on startup and also reinstalled football manager, which now runs successfully - Still have a feeling I'm infected but I can't thank you enough for your generous help. You've restored a little bit of my faith in human kind!
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 19, 2013 at 04:22 AM
You are most welcome ! It was quite the challenge !

Please delete: adwcleaner, Combofix, Malwarebyte, RKill and ZHP Diag, through the add/remove programmes utility. Some bits will be left on the machine in the machine and can be manually deleted through Explorer programmes files. For adwcleaner, there is an uninstall button when you open it.

"Still have a feeling I'm infected", please explain.
Crackermatt 24 Posts Friday November 8, 2013Registration date November 19, 2013 Last seen - Nov 19, 2013 at 06:00 AM
I have uninstalled all the malware programs,

"Still have a feeling I'm infected", please explain.

Just a gut feeling - Just seen on my Hard Disk drives it says Vista C: - even though this is a Windows 7 computer :S
Ambucias 53286 Posts Monday February 1, 2010Registration dateModeratorStatus July 20, 2018 Last seen - Nov 19, 2013 at 06:04 AM
No, I think this just a bad dream.

If something goes wrong again, upload a brand spanking new ZHP Diag log.

Farewell