Edited on 12 November 2022

start::
closeprocesses:
createrestorepoint:
virustotal: C:\Users\henri\AppData\Roaming\fkasvefiqc\corsve.exe
CustomCLSID: HKU\S-1-5-21-3708637319-2021640499-2676900747-1001_Classes\CLSID\{A1EE81D1-DCE8-D4BC-CD2F-4AB314D28BDC}\InprocServer32 -> pas de chemin du fichier
ContextMenuHandlers1: [BB FlashBack 2] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> Pas de fichier
ContextMenuHandlers1: [QuickShare] -> {A8065B9E-193F-4797-B62D-8F6321E7FCCB} => -> Pas de fichier
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> Pas de fichier
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> Pas de fichier
AlternateDataStreams: C:\ProgramData\TEMP:810B9F0D [282]
AlternateDataStreams: C:\ProgramData\TEMP:B56E7461 [122]
AlternateDataStreams: C:\ProgramData\TEMP:F8009D7E [148]
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\Software\Microsoft\Internet Explorer\Main,Local Page = %11%\blank.htm
SearchScopes: HKU\S-1-5-21-3708637319-2021640499-2676900747-1001 -> DefaultScope {AFB251B6-D40B-433D-AD00-CB6AD8637C03} URL =
SearchScopes: HKU\S-1-5-21-3708637319-2021640499-2676900747-1001 -> {AFB251B6-D40B-433D-AD00-CB6AD8637C03} URL =
BHO: Pas de nom -> {34EDF7FD-FD9B-420F-A701-CC2C081FB26C} -> Pas de fichier
BHO: Pas de nom -> {6B158EC8-7978-474A-967F-AFC4328C2666}' -> Pas de fichier
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\...\webcompanion.com -> hxxp://webcompanion.com
HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\...\StartupApproved\Run: => "Web Companion"
HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe [8520168 2021-05-10] (LAVASOFT SOFTWARE CANADA INC -> Lavasoft)
HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\...\Run: [SharewareOnSale Notifier] => C:\ProgramData\SharewareOnSale Notifier\SharewareOnSale Notifier.exe [1008816 2021-05-13] (Azadi Network LLC -> ) <==== ATTENTION
HKU\S-1-5-21-3708637319-2021640499-2676900747-1001\...\MountPoints2: D - "D:\setup.EXE" /AUTORUN
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
Task: {3B21143C-17E4-4BCB-8632-F7287E1A45C7} - System32\Tasks\KMS Activation for Office => C:\Windows\KMSAct.exe (Pas de fichier)
Task: {44588A14-037E-4F44-8097-ACFBCA6BBEED} - System32\Tasks\PowerControl LG => C:\Program [Argument = Files (x86)\PowerControl\PowerControl_Svc.exe] <==== ATTENTION
Task: {8EA3C914-B0E8-4442-BE55-312732A2B000} - System32\Tasks\PowerControl HR => C:\Program [Argument = Files (x86)\PowerControl\PowerControl_Svc.exe] <==== ATTENTION
Task: {A70E2886-DDDD-47C7-BEE7-21B74B455653} - System32\Tasks\Diagnostic\Service => C:\Users\henri\AppData\Roaming\fkasvefiqc\corsve.exe [893608 2022-11-11] (AutoIt Consulting Ltd -> AutoIt Team) -> "C:\Users\henri\AppData\Roaming\fkasvefiqc\corsve.dat"
Task: {C0526593-3099-4756-BE71-66AE2A820508} - System32\Tasks\Opera scheduled Autoupdate 1620660871 => C:\Users\henri\AppData\Local\Programs\Opera\launcher.exe --scheduledautoupdate $(Arg0) (Pas de fichier)
Task: {C9602F37-A10F-4230-8E77-296C8FE48EA1} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfo => C:\Users\henri\AppData\Roaming\\sysinfotool\\sitool.exe -st -tu 8 (Pas de fichier) <==== ATTENTION
Task: {D47DEE20-7820-4E5C-BBE8-FAEF5C261189} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\SystemInfoTool => C:\Users\henri\AppData\Roaming\\sysinfotool\\sitool.exe -st -tu 8 (Pas de fichier) <==== ATTENTION
AutoConfigURL: [{FC111E22-9DF1-47DE-A6B9-501C2455869E}] => hxxp://34.80.59.191/win.pac <==== ATTENTION
AutoConfigURL: [S-1-5-21-3708637319-2021640499-2676900747-1001] => hxxp://34.80.59.191/win.pac <==== ATTENTION
ManualProxies: 0hxxp://34.80.59.191/win.pac <==== ATTENTION
FF Homepage: Mozilla\Firefox\Profiles\9d95wnd2.default -> hxxps://mysearchengine.co/homepage?hp=1&bitmask=9996&pId=BT170603&iDate=2021-05-10 03:31:45&bName=
FF NewTab: Mozilla\Firefox\Profiles\9d95wnd2.default -> hxxps://mysearchengine.co/homepage?hp=1&bitmask=9996&pId=BT170603&iDate=2021-05-10 03:31:45&bName=
S3 wuauserv; C:\Windows\system32\svchost.exe [57360 2020-11-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (pas de ServiceDLL)
S3 wuauserv; C:\Windows\SysWOW64\svchost.exe [47016 2020-11-19] (Microsoft Windows Publisher -> Microsoft Corporation) <==== ATTENTION (pas de ServiceDLL)
S3 OSFMount; \??\C:\Program Files\OSFMount\win10\OSFMount.sys [X]
2022-11-11 22:06 - 2022-08-30 08:27 - 000003028 _____ C:\Windows\system32\Tasks\KMS Activation for Office
cmd: netsh advfirewall reset
emptytemp:
end::
