RogueKiller V8.6.7 [Aug 28 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Safe mode with network support
User : Krasimira [Admin rights]
Mode : Remove -- Date : 08/31/2013 09:20:59
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] WINWORD.EXE -- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 48 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : BitComet ("C:\Program Files\BitComet\BitComet.exe" /tray [7]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Green Christmas Tree (C:\Users\Krasimira\Desktop\? ???????????!!!!.exe [x][x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : X-Lite ("C:\Program Files (x86)\CounterPath\X-Lite\X-Lite.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : swg ("C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : IgfxTray (C:\windows\system32\igfxtray.exe [x]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : HotKeysCmds (C:\windows\system32\hkcmd.exe [x]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Persistence (C:\windows\system32\igfxpers.exe [x]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : SmartAudio (C:\Program Files\CONEXANT\SAII\SACpl.exe /t [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : cAudioFilterAgent (C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Energy Management (C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : EnergyUtility (C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Autodesk Sync (C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : egui ("C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice [7]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3645740697-2236784829-290951543-1001\[...]\Run : BitComet ("C:\Program Files\BitComet\BitComet.exe" /tray [7]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-3645740697-2236784829-290951543-1001\[...]\Run : Green Christmas Tree (C:\Users\Krasimira\Desktop\? ???????????!!!!.exe [x][x]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-3645740697-2236784829-290951543-1001\[...]\Run : X-Lite ("C:\Program Files (x86)\CounterPath\X-Lite\X-Lite.exe" [7]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-3645740697-2236784829-290951543-1001\[...]\Run : swg ("C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [7]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Dolby Advanced Audio v2 ("C:\Program Files (x86)\Dolby Advanced Audio v2\pcee4.exe" -autostart [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : 331BigDog (C:\Program Files (x86)\USB Camera\VM331STI.EXE [-]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : YouCam Mirage ("C:\Program Files (x86)\Lenovo\YouCam\YCMMirage.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : YouCam Tray ("C:\Program Files (x86)\Lenovo\YouCam\YouCamTray.exe" /s [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : RemoteControl10 ("C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Intel AppUp(SM) center ("C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe" --domain-id F0399437-FD0C-4A48-B101-F0314A6172E4 [7][x]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : CStart8 ("C:\Program Files (x86)\CStart8\CStart8Tray64.exe" /STARTUP [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : GrooveMonitor ("C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : TkBellExe ("C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : BtvStack ("C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [7]) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : BtvStack ("C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [7]) -> [0x2] The system cannot find the file specified.
[HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> [0x2] The system cannot find the file specified.
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 : (%systemroot%\system32\wbem\wbemess.dll [x]) -> REPLACED (C:\windows\system32\wbem\wbemess.dll)
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 : (%SystemRoot%\system32\shell32.dll [-]) -> REPLACED (C:\windows\system32\shell32.dll)
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 : (%SystemRoot%\system32\shell32.dll [-]) -> REPLACED (C:\windows\system32\shell32.dll)
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 : (%systemroot%\system32\wbem\fastprox.dll [-]) -> REPLACED (C:\windows\system32\wbem\fastprox.dll)
[HJ INPROC][SUSP PATH] HKLM\[...]\InprocServer32 : (%systemroot%\system32\wbem\wbemess.dll [x]) -> REPLACED (C:\windows\system32\wbem\wbemess.dll)
[HJ INPROC][SUSP PATH] HKLM\[...]\InprocServer32 : (%SystemRoot%\system32\shell32.dll [-]) -> REPLACED (C:\windows\system32\shell32.dll)
[HJ INPROC][SUSP PATH] HKLM\[...]\InprocServer32 : (%SystemRoot%\system32\shell32.dll [-]) -> REPLACED (C:\windows\system32\shell32.dll)
[HJ INPROC][SUSP PATH] HKLM\[...]\InprocServer32 : (%systemroot%\system32\wbem\fastprox.dll [-]) -> REPLACED (C:\windows\system32\wbem\fastprox.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (%SystemRoot%\system32\wbem\WMIsvc.dll [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (%SystemRoot%\system32\wbem\WMIsvc.dll [x]) -> REPLACED (%SystemRoot%\system32\wbem\WMIsvc.dll)
[SHELLSPWN] HKLM\[...]\command : (%1" %) -> REPLACED ("%1" %*)
[SHELLSPWN] HKCR\[...]\command : (%1" %) -> REPLACED ("%1" %*)
[HJ BROWSR][SUSP PATH] HKLM\[...]\command : (C:\Program Files\Internet Explorer\iexplore.exe [-]) -> REPLACED ("C:\Program Files\Internet Explorer\iexplore.exe")

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskMachineUA.job : C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> DELETED
[V1][SUSP PATH] GoogleUpdateTaskMachineCore.job : C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - /c [7] -> DELETED

¤¤¤ Startup Entries : 1 ¤¤¤
[Krasimira][SUSP PATH] OneNote 2007 Screen Clipper and Launcher.lnk : C:\Users\Krasimira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk @C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [-][7] -> DELETED

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

ÿþ1

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] d385997e1f60d6ba7fba357716db0e8b
[BSP] 5d0ae49d3f4a488c4756a24da7349626 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08312013_092059.txt >>
RKreport[0]_S_08312013_092004.txt