RogueKiller V8.6.12 _x64_ [Sep 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Chris [Admin rights]
Mode : Scan -- Date : 09/22/2013 22:01:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] cltmng.exe -- C:\Users\Chris\AppData\Roaming\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]
[SUSP PATH] visicom_antiphishing.exe -- C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Users\Chris\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-800723558-444027858-942087171-1000\[...]\Run : SearchProtect (C:\Users\Chris\AppData\Roaming\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\[...]\Run : Anti-phishing Domain Advisor ("C:\ProgramData\Anti-phishing Domain Advisor\visicom_antiphishing.exe" [7]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (hxxp=127.0.0.1:49177;hxxps=127.0.0.1:49177) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyEnable (1) -> FOUND
[DNS][PUM] HKLM\[...]\CCSet\[...]\{02501F36-6B77-4141-B1BD-49ECA95C8C89} : NameServer (172.26.38.1 172.26.38.2) -> FOUND
[DNS][PUM] HKLM\[...]\CS001\[...]\{02501F36-6B77-4141-B1BD-49ECA95C8C89} : NameServer (172.26.38.1 172.26.38.2) -> FOUND
[DNS][PUM] HKLM\[...]\CS002\[...]\{02501F36-6B77-4141-B1BD-49ECA95C8C89} : NameServer (172.26.38.1 172.26.38.2) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 3 ¤¤¤
[V1][SUSP PATH] TopArcadeHits.job : C:\Users\Chris\AppData\Local\TopArcadeHits\updater.exe [7] -> FOUND
[V2][ROGUE ST] 4686 : wscript.exe - C:\Users\Chris\AppData\Local\Temp\launchie.vbs //B -> FOUND
[V2][SUSP PATH] TopArcadeHits : C:\Users\Chris\AppData\Local\TopArcadeHits\updater.exe [7] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] @ : C:\Users\Chris\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\@ [-] --> FOUND
[ZeroAccess][Folder] U : C:\Users\Chris\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U [-] --> FOUND
[ZeroAccess][Folder] L : C:\Users\Chris\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD5000BPVT-75HXZT3 +++++
--- User ---
[MBR] 0d9b0526228ef5c1fc4bc9fca2599a8b
[BSP] d6636bfa3fb7a75fafe6c7662f8dedde : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_09222013_220104.txt >>