My windows security and update wont work [Solved]


  • This topic is locked

#1 kingbear (Member, 52 posts)
The other day I had a problem with the Google redirect virus and everything was resolved; now my Norton keeps popping up saying it is blocking a virus (ZeroAccess and backdoor). All of my Windows 7 updates and Security Center won't turn on.
#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
How did you remove the virus?

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    qmgr.dll
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

THEN

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or later, the SmartScreen Filter will need to be disabled.

    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.

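As an added example (not part of Essexboy's instructions, of OTL or of RogueKiller), here is a short Python triage over lines written in OTL's own log format, the format of the log posted later in this thread. It flags what a helper reads first: services and drivers whose binary is gone, running kernel drivers with no publisher name, core netsvcs members that no longer resolve (wuauserv and BITS, which would fit Windows Update refusing to start), entries stamped later than the scan itself, and a folder named after an environment variable inside System32. The sample lines are constructed to mirror the posted log; the CORE_NETSVCS set, the severity ranking and the scan time are this example's own assumptions.

```python
"""Triage an OTL scan log: surface the entries a malware-removal helper reads first.

Added example for this thread; it is not part of OTL, RogueKiller or the posts.
The CORE_NETSVCS set, the severity ranking and the sample lines are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# OTL prefixes every file it reports with "[timestamp | size | attributes | M-or-C]".
_META = (r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
         r"(?P<attrs>[-A-Z]{4}) \| [MC]\]")
# "SRV - ..." / "DRV - ..." lines: either "File not found" or metadata plus (Company).
SVC_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - (?:File not found|" + _META + r" \((?P<company>[^)]*)\))"
    r" \[(?P<state>[^\]]*)\] --\s*(?P<path>.*?)\s*-- \((?P<name>[^)]*)\)$")
# "NetSvcs: name - path (Company)" or "NetSvcs: name - File not found".
NETSVC_RE = re.compile(
    r"^NetSvcs: (?P<name>\S+) - (?:(?P<missing>File not found)|(?P<path>.*?) \((?P<company>[^)]*)\))$")
# "Files/Folders - Created Within 30 Days" lines (Company is absent for folders).
FILE_RE = re.compile(r"^" + _META + r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$")

# Assumption: on Windows 7 these netsvcs members always resolve to a service DLL.
# "File not found" for them fits the symptom of Windows Update refusing to start.
CORE_NETSVCS = {"wuauserv", "BITS"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    subject: str    # service name or path the finding refers to


def triage(lines, scan_time):
    """Return Findings for OTL log lines, in the order the lines appear."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if m := SVC_RE.match(line):
            if m["ts"] is None:
                # Registered service/driver whose binary is gone: leftover or removed malware.
                findings.append(Finding("low", "orphaned service entry, binary missing", m["name"]))
            elif m["kind"] == "DRV" and not m["company"].strip() and "Running" in m["state"]:
                # Kernel code with no publisher string deserves a closer look.
                findings.append(Finding("medium", "running kernel driver with no publisher name", m["path"]))
        elif m := NETSVC_RE.match(line):
            if m["missing"] and m["name"] in CORE_NETSVCS:
                findings.append(Finding("high", "core netsvcs service unresolved", m["name"]))
        elif m := FILE_RE.match(line):
            path = m["path"]
            if datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S") > scan_time:
                # A creation time after the scan ran is forged, or the clock was tampered with.
                findings.append(Finding("high", "timestamp later than scan time", path))
            if re.search(r"%[A-Za-z_]+%", path):
                # A folder literally called %APPDATA% under System32 is not something Windows creates.
                findings.append(Finding("high", "literal environment-variable name as path component", path))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample lines, shaped like the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\uTorrent\uTorent.exe -- (uTorrentService)
SRV - [2012/07/10 19:09:04 | 000,123,992 | ---- | M] (Kingsoft Corporation) [Auto | Running] -- C:\Program Files\Kingsoft\kingsoft antivirus\kxescore.exe -- (kxescore)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ai4x560f)
DRV - [2010/03/30 21:40:20 | 000,011,520 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsUpIO.sys -- (AsUpIO)
DRV - [2009/07/20 05:29:40 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr)
NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: wuauserv - File not found
NetSvcs: BITS - File not found
NetSvcs: helpsvc - File not found
[2030/01/01 15:03:33 | 000,000,000 | ---D | C] -- C:\Boot
[2012/09/21 08:39:00 | 000,000,000 | -HSD | C] -- C:\windows\System32\%APPDATA%
[2012/09/19 10:08:09 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
""".strip().splitlines()

# Assumed scan time, as read from the "OTL logfile created on" header of such a log.
SAMPLE_SCAN_TIME = datetime(2012, 9, 22, 10, 44, 38)


def triage_sample():
    return triage(SAMPLE_LOG, SAMPLE_SCAN_TIME)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.severity:6} {f.reason}: {f.subject}")
    print(summarize(triage_sample()))
```

Run it against the two Notepad files OTL produces (OTL.Txt holds the SRV, DRV, NetSvcs and created-file sections) by passing the file's lines and the scan time from its header to triage(). Orphaned "File not found" entries are mostly cleanup, but an unresolved wuauserv or BITS, a future-dated folder, or a literal %APPDATA% directory under System32 are the lines to act on first.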

#3 kingbear (Topic Starter, Member, 52 posts)
OTL logfile created on: 9/22/2012 10:44:38 AM - Run 2
OTL by OldTimer - Version 3.2.65.1 Folder = C:\Users\Owner\Desktop
Starter Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 0.96 Gb Available Physical Memory | 48.18% Memory free
3.98 Gb Paging File | 2.95 Gb Available in Paging File | 74.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 217.87 Gb Total Space | 158.20 Gb Free Space | 72.61% Space Free | Partition Type: NTFS

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/22 09:52:10 | 000,600,576 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
PRC - [2012/09/11 07:04:14 | 001,595,056 | ---- | M] (Kingsoft Corporation) -- C:\Program Files\Kingsoft\kingsoft antivirus\kxetray.exe
PRC - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/07/10 19:09:04 | 000,123,992 | ---- | M] (Kingsoft Corporation) -- C:\Program Files\Kingsoft\kingsoft antivirus\kxescore.exe
PRC - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\19.8.0.14\ccsvchst.exe
PRC - [2012/06/11 16:22:16 | 000,267,856 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BingApp.exe
PRC - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE
PRC - [2012/05/12 02:02:46 | 001,403,640 | ---- | M] (CleanMyPC Software) -- C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
PRC - [2012/04/11 02:35:48 | 000,742,816 | ---- | M] (Kingsoft Corporation) -- C:\Program Files\Kingsoft\PCDoctor\KSafeTray.exe
PRC - [2012/04/10 13:07:58 | 000,290,720 | ---- | M] (Kingsoft Corporation) -- C:\Program Files\Kingsoft\PCDoctor\KSafeSvc.exe
PRC - [2011/10/11 13:49:14 | 001,179,648 | ---- | M] (W3i, LLC) -- C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
PRC - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
PRC - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
PRC - [2011/08/10 08:52:54 | 000,138,760 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Management\Engine\1.1.1.3\ccSvcHst.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/07 13:19:54 | 000,224,680 | ---- | M] () -- C:\Windows\System32\AsusService.exe
PRC - [2010/11/23 22:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe
PRC - [2010/11/22 15:12:34 | 001,086,888 | ---- | M] (AsusTek Computer Inc.) -- C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
PRC - [2010/05/28 20:41:36 | 000,445,344 | ---- | M] (ASUS) -- C:\Program Files\EeePC\CapsHook\CapsHook.exe
PRC - [2009/11/19 09:44:14 | 000,083,240 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/21 05:01:48 | 000,140,664 | ---- | M] () -- C:\Program Files\Kingsoft\PCDoctor\zlib1.dll
MOD - [2011/10/21 05:01:40 | 000,075,160 | ---- | M] () -- C:\Program Files\Kingsoft\PCDoctor\json.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\uTorrent\uTorent.exe -- (uTorrentService)
SRV - [2012/07/27 16:51:26 | 000,063,960 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/07/10 19:09:04 | 000,123,992 | ---- | M] (Kingsoft Corporation) [Auto | Running] -- C:\Program Files\Kingsoft\kingsoft antivirus\kxescore.exe -- (kxescore)
SRV - [2012/06/15 22:24:19 | 000,138,272 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe -- (NAV)
SRV - [2012/06/11 16:22:16 | 000,240,208 | ---- | M] (Microsoft Corporation.) [On_Demand | Running] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.EXE -- (BBUpdate)
SRV - [2012/06/11 16:22:16 | 000,193,616 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\7.1.391.0\BBSvc.EXE -- (BBSvc)
SRV - [2012/04/10 13:07:58 | 000,290,720 | ---- | M] (Kingsoft Corporation) [Auto | Running] -- C:\Program Files\Kingsoft\PCDoctor\KSafeSvc.exe -- (KSafeSvc)
SRV - [2011/10/01 09:30:42 | 000,219,496 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2011/10/01 09:30:36 | 000,508,776 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2011/08/10 08:52:54 | 000,138,760 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Management\Engine\1.1.1.3\ccSvcHst.exe -- (MCLIENT)
SRV - [2010/12/07 13:19:54 | 000,224,680 | ---- | M] () [On_Demand | Running] -- C:\Windows\System32\AsusService.exe -- (AsusService)
SRV - [2010/11/23 22:21:18 | 000,130,000 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe -- (NSL)
SRV - [2007/03/15 14:48:26 | 000,535,807 | ---- | M] (Aladdin Knowledge Systems Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\hasplms.exe -- (hasplms)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Boot | Unknown] -- system32\drivers\Partizan.sys -- (Partizan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwrchid.sys -- (btwrchid)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\btwl2cap.sys -- (btwl2cap)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\btwavdt.sys -- (btwavdt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\btwaudio.sys -- (btwaudio)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ai4x560f)
DRV - [2012/09/20 12:59:27 | 001,601,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120921.033\NAVEX15.SYS -- (NAVEX15)
DRV - [2012/09/20 12:59:27 | 000,092,704 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\VirusDefs\20120921.033\NAVENG.SYS -- (NAVENG)
DRV - [2012/09/14 08:41:34 | 000,386,720 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120921.001\IDSvix86.sys -- (IDSVix86)
DRV - [2012/09/11 07:04:05 | 000,014,200 | ---- | M] (Kingsoft Corporation) [Kernel | Disabled | Running] -- C:\Program Files\Kingsoft\kingsoft antivirus\kusbquery.sys -- (KUsbGuard)
DRV - [2012/08/31 18:09:14 | 000,995,488 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120919.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/08/22 16:54:41 | 000,164,728 | ---- | M] (Kingsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\kisknl.sys -- (kisknl)
DRV - [2012/08/17 09:09:53 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/09 07:37:55 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/07/10 19:09:06 | 000,125,784 | ---- | M] (Kingsoft Corporation) [Kernel | System | Running] -- c:\Program Files\Kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys -- (KDHacker)
DRV - [2012/07/10 19:09:06 | 000,027,240 | ---- | M] (Kingsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kavbootc.sys -- (kavbootc)
DRV - [2012/07/10 19:09:04 | 000,082,264 | ---- | M] (Kingsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ksapi.sys -- (ksapi)
DRV - [2012/07/05 22:17:57 | 000,574,112 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\srtsp.sys -- (SRTSP)
DRV - [2012/07/05 22:17:57 | 000,032,928 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\srtspx.sys -- (SRTSPX)
DRV - [2012/06/30 20:05:29 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2012/06/07 00:43:43 | 000,132,768 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\ccsetx86.sys -- (ccSet_NAV)
DRV - [2012/05/21 21:37:12 | 000,924,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\symefa.sys -- (SymEFA)
DRV - [2012/04/30 10:43:27 | 000,477,240 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2012/04/17 22:13:32 | 000,318,584 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\symnets.sys -- (SymNetS)
DRV - [2012/04/17 21:42:14 | 000,149,624 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\ironx86.sys -- (SymIRON)
DRV - [2012/03/23 10:19:42 | 000,141,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/12/19 21:58:08 | 000,111,008 | ---- | M] (Kingsoft Corporation) [Kernel | System | Running] -- C:\Program Files\Kingsoft\PCDoctor\kmodurl.sys -- (kmodurl)
DRV - [2011/10/01 09:30:42 | 000,019,304 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftvollh.sys -- (Sftvol)
DRV - [2011/10/01 09:30:40 | 000,021,864 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\Sftredirlh.sys -- (Sftredir)
DRV - [2011/10/01 09:30:38 | 000,194,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftplaylh.sys -- (Sftplay)
DRV - [2011/10/01 09:30:36 | 000,579,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Sftfslh.sys -- (Sftfs)
DRV - [2011/08/08 11:38:12 | 000,132,744 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\MCLIENT\0101010.003\ccSetx86.sys -- (ccSet_MCLIENT)
DRV - [2011/07/25 22:18:36 | 000,340,088 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\NAV\1308000.00E\symds.sys -- (SymDS)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/01 06:08:46 | 000,014,416 | ---- | M] (OpenLibSys.org) [File_System | On_Demand | Stopped] -- C:\Program Files\IObit\Game Booster 3\Driver\WinRing0.sys -- (WinRing0_1_2_0)
DRV - [2010/08/24 05:55:51 | 000,068,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)
DRV - [2010/07/01 21:14:00 | 001,015,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rtl8192se.sys -- (rtl8192se)
DRV - [2010/03/30 21:40:20 | 000,011,520 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\AsUpIO.sys -- (AsUpIO)
DRV - [2009/10/05 13:31:50 | 001,221,632 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/07/20 05:29:40 | 000,013,880 | ---- | M] ( ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\kbfiltr.sys -- (kbfiltr)
DRV - [2009/07/13 19:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/01 00:46:20 | 000,043,944 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btusbflt.sys -- (btusbflt)
DRV - [2007/03/12 20:48:56 | 000,351,744 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\aksfridge.sys -- (aksfridge)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = charter.net
IE - HKLM\..\SearchScopes,DefaultScope = {96bd48dd-741b-41ae-ac4a-aff96ba00f7e}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKLM\..\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}: "URL" = http://home.myplayci...s={searchTerms}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://eeepc.asus.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = charter.net
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/w...n=&geo=US&ver=1
IE - HKCU\..\SearchScopes\{EED02185-CF0A-4895-B284-53562CE2A44E}: "URL" = http://websearch.ask...1-26BFE1EB43D2
IE - HKCU\..\SearchScopes\{EED10D7A-B1C4-498D-8E37-F9327FD2358E}: "URL" = http://search.yahoo....01,17118,0,18,0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@oberon-media.com/ONCAdapter: C:\Program Files\Common Files\Oberon Media\NCAdapter\1.0.0.8\npapicomadapter.dll (Oberon-Media )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\IPSFFPlgn\ [2012/09/17 16:48:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{203FB6B2-2E1E-4474-863B-4C483ECCE78E}: C:\ProgramData\Norton\{92622AAD-05E8-4459-B256-765CE1E929FB}\NST_1.2.0.6\coFFNST\ [2011/05/15 19:11:54 | 000,000,000 | ---D | M]

[2012/06/18 01:07:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Extensions
[2012/09/18 16:57:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions

O1 HOSTS File: ([2012/09/18 17:21:13 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Charter Toolbar) - {4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F} - C:\Program Files\chartertoolbar\chartertoolbar.dll (Charter Communications)
O2 - BHO: (Norton Vulnerability Protection) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\19.8.0.14\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (Norton Safe Web Lite BHO) - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Norton Safe Web Lite) - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Charter Toolbar) - {4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F} - C:\Program Files\chartertoolbar\chartertoolbar.dll (Charter Communications)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.391.0\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Safe Web Lite) - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - C:\Program Files\Norton Safe Web Lite\Engine\1.2.0.6\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [KSafeTray] C:\Program files\Kingsoft\PCDoctor\KSafeTray.exe (Kingsoft Corporation)
O4 - HKLM..\Run: [kxesc] c:\program files\kingsoft\kingsoft antivirus\kxetray.exe (Kingsoft Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [InstallIQUpdater] C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe (W3i, LLC)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000028 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000029 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000030 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000031 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000032 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000033 - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL File not found
O15 - HKCU\..Trusted Domains: moove.com ([]* in Trusted sites)
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.syste...ent_4.5.1.0.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.7.2)
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} http://content.syste...yri_4.5.1.0.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{00491AA3-92D1-4157-B062-7163FE4BA717}: DhcpNameServer = 168.94.0.15 168.94.0.14
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{110D093A-1A15-48F9-A930-65F7B997C492}: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (MACHINE BootExecut)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = comfile] -- Reg Error: Value error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Sharedaccess - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found
NetSvcs: BITS - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
System Restore Service not available.

========== Files/Folders - Created Within 30 Days ==========

[2030/01/01 15:03:33 | 000,000,000 | ---D | C] -- C:\Boot
[2012/09/22 10:42:10 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\RK_Quarantine
[2012/09/22 09:51:49 | 000,600,576 | ---- | C] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/09/22 09:29:50 | 000,000,000 | ---D | C] -- C:\windows\$regcmp$
[2012/09/21 19:51:08 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\PC Utility Kit
[2012/09/21 19:51:08 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\DriverCure
[2012/09/21 19:50:57 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC Utility Kit
[2012/09/21 19:50:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Utility Kit
[2012/09/21 19:50:34 | 000,000,000 | ---D | C] -- C:\ProgramData\PC Utility Kit
[2012/09/21 19:50:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Utility Kit
[2012/09/21 15:45:09 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\FixZeroAccess
[2012/09/21 08:52:19 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\NPE
[2012/09/21 08:39:00 | 000,000,000 | -HSD | C] -- C:\windows\System32\%APPDATA%
[2012/09/20 08:45:57 | 000,000,000 | ---D | C] -- C:\windows\System32\1020
[2012/09/20 08:41:36 | 000,000,000 | ---D | C] -- C:\windows\System32\1019
[2012/09/19 10:10:51 | 000,000,000 | ---D | C] -- C:\Program Files\FileHippo.com
[2012/09/19 10:08:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/19 10:08:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/09/19 10:08:09 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2012/09/19 10:08:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/19 09:58:05 | 000,000,000 | ---D | C] -- C:\windows\Sun
[2012/09/19 09:57:54 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/19 09:54:26 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/09/17 19:43:45 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Malwarebytes
[2012/09/17 18:45:59 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/09/17 16:07:15 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\temp
[2012/09/17 14:44:33 | 000,000,000 | ---D | C] -- C:\windows\erdnt
[2012/09/15 15:50:02 | 000,000,000 | ---D | C] -- C:\ProgramData\KRSHistory
[2012/09/15 11:47:34 | 000,203,120 | ---- | C] (PC Tools) -- C:\windows\System32\drivers\PCTSD.sys
[2012/09/15 11:47:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2012/09/14 21:23:14 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Apps
[2012/09/14 10:55:56 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Games
[2012/09/13 10:24:02 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games for Windows
[2012/09/13 10:24:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games for Windows
[2012/09/13 10:24:00 | 000,000,000 | ---D | C] -- C:\Program Files\Games for Windows
[2012/09/13 07:00:31 | 000,000,000 | ---D | C] -- C:\windows\System32\1018
[2012/09/13 06:53:21 | 000,000,000 | ---D | C] -- C:\windows\System32\1017
[2012/09/11 07:04:18 | 000,018,296 | ---- | C] (Kingsoft Corporation) -- C:\windows\System32\drivers\kusbquery64.sys
[2012/09/11 07:04:18 | 000,014,200 | ---- | C] (Kingsoft Corporation) -- C:\windows\System32\drivers\kusbquery.sys
[2012/09/06 08:04:40 | 000,000,000 | ---D | C] -- C:\Users\Owner\Desktop\sims
[2012/09/05 20:27:34 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2012/09/05 17:40:53 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\Electronic Arts
[2012/09/05 15:41:21 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Roaming\Origin
[2012/09/05 15:41:20 | 000,000,000 | ---D | C] -- C:\Program Files\Origin Games
[2012/09/05 15:39:55 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\Origin
[2012/09/05 15:36:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Origin
[2012/09/05 15:36:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Origin
[2012/09/05 15:36:12 | 000,000,000 | ---D | C] -- C:\Program Files\Origin

========== Files - Modified Within 30 Days ==========

[2012/09/22 10:41:51 | 001,388,032 | ---- | M] () -- C:\Users\Owner\Desktop\RogueKiller.exe
[2012/09/22 10:39:01 | 000,000,884 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/09/22 09:52:10 | 000,600,576 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Desktop\OTL.exe
[2012/09/22 09:31:25 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/22 09:31:25 | 000,009,696 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/22 09:23:43 | 000,000,880 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/09/22 09:23:39 | 000,000,456 | ---- | M] () -- C:\windows\tasks\PC Utility Kit Registration3.job
[2012/09/22 09:23:39 | 000,000,422 | ---- | M] () -- C:\windows\tasks\PC Utility Kit Update3.job
[2012/09/22 09:23:39 | 000,000,420 | ---- | M] () -- C:\windows\tasks\PC Utility Kit.job
[2012/09/22 09:23:26 | 000,067,584 | ---- | M] () -- C:\windows\bootstat.dat
[2012/09/22 09:23:19 | 1602,887,680 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/21 19:50:57 | 000,001,164 | ---- | M] () -- C:\Users\Owner\Desktop\PC Utility Kit.lnk
[2012/09/21 17:39:19 | 000,278,928 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2012/09/21 14:12:49 | 000,003,800 | ---- | M] () -- C:\{9D8F72D4-DE0F-4DE3-BC22-1D33F7B94875}
[2012/09/21 14:03:06 | 000,003,816 | ---- | M] () -- C:\{E9192F7B-F740-4C54-91AA-B2B8CFD3DFD0}
[2012/09/21 14:01:31 | 000,003,816 | ---- | M] () -- C:\{4141542D-7CC8-4000-807B-55132C1B87FA}
[2012/09/21 14:00:21 | 000,003,784 | ---- | M] () -- C:\{4C776CC8-163E-4A3B-B030-11E94B16A086}
[2012/09/21 13:52:35 | 000,003,816 | ---- | M] () -- C:\{AD90E6A5-9CB9-4339-B82D-5477D786D40F}
[2012/09/21 13:51:21 | 000,003,784 | ---- | M] () -- C:\{3BB5DC20-3CCF-4929-AE14-CE75F212DC86}
[2012/09/21 13:44:19 | 000,003,816 | ---- | M] () -- C:\{574F5C11-9EEE-4736-9FE2-CB608ECC5049}
[2012/09/21 13:42:55 | 000,003,784 | ---- | M] () -- C:\{789B1AE7-B738-4B9D-95E3-5915F292D636}
[2012/09/21 13:22:13 | 000,003,800 | ---- | M] () -- C:\{AC70F223-B188-4B0B-BF46-217B427FC6DF}
[2012/09/21 12:58:09 | 000,003,800 | ---- | M] () -- C:\{EF869002-DBFE-4A22-8076-1140D4A20C32}
[2012/09/21 11:49:35 | 000,003,944 | ---- | M] () -- C:\{3893925D-9057-43C7-9B41-5D87E132FE35}
[2012/09/21 11:36:58 | 000,003,784 | ---- | M] () -- C:\{9671FF0F-CF19-4934-AA20-CD36EE9F3341}
[2012/09/21 11:06:49 | 000,003,800 | ---- | M] () -- C:\{B90C2531-3EA9-481F-834A-3463746BC21B}
[2012/09/21 09:15:16 | 000,003,800 | ---- | M] () -- C:\{491640E4-A8B6-4F39-B9FB-3B22F1ED5266}
[2012/09/21 08:58:17 | 000,004,096 | ---- | M] () -- C:\{67F784EB-CF43-4962-9570-1F50F6BCE9DE}
[2012/09/20 10:13:25 | 000,000,350 | ---- | M] () -- C:\windows\tasks\At1.job
[2012/09/19 10:14:55 | 000,000,901 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2012/09/19 10:14:55 | 000,000,877 | ---- | M] () -- C:\Users\Public\Desktop\µTorrent.lnk
[2012/09/19 10:11:05 | 000,001,879 | ---- | M] () -- C:\Users\Owner\Desktop\Update Checker.lnk
[2012/09/19 10:08:14 | 000,001,031 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/18 17:21:13 | 000,000,098 | ---- | M] () -- C:\windows\System32\drivers\etc\Hosts
[2012/09/18 13:42:30 | 000,000,512 | ---- | M] () -- C:\Users\Owner\Documents\MBR.dat
[2012/09/18 06:50:14 | 000,002,577 | ---- | M] () -- C:\windows\System32\config.nt
[2012/09/18 06:50:14 | 000,001,688 | ---- | M] () -- C:\windows\System32\autoexec.nt
[2012/09/18 06:50:14 | 000,000,002 | RHS- | M] () -- C:\windows\winstart.bat
[2012/09/15 11:52:55 | 001,487,627 | ---- | M] () -- C:\windows\System32\drivers\Cat.DB
[2012/09/14 14:03:55 | 000,002,227 | ---- | M] () -- C:\Users\Owner\Desktop\RocketBowl Plus.lnk
[2012/09/14 06:46:32 | 000,660,762 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/09/14 06:46:32 | 000,121,400 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/09/13 10:24:31 | 000,002,154 | ---- | M] () -- C:\Users\Owner\Desktop\PopCap Game Pack.lnk
[2012/09/11 07:04:09 | 000,018,296 | ---- | M] (Kingsoft Corporation) -- C:\windows\System32\drivers\kusbquery64.sys
[2012/09/11 07:04:05 | 000,014,200 | ---- | M] (Kingsoft Corporation) -- C:\windows\System32\drivers\kusbquery.sys
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2012/09/05 15:36:23 | 000,000,901 | ---- | M] () -- C:\Users\Public\Desktop\Origin.lnk
[2012/08/23 11:07:16 | 000,000,000 | ---- | M] () -- C:\windows\PowerReg.dat

========== Files Created - No Company Name ==========

[2030/01/01 15:03:34 | 000,383,786 | RHS- | C] () -- C:\bootmgr
[2012/09/22 10:41:42 | 001,388,032 | ---- | C] () -- C:\Users\Owner\Desktop\RogueKiller.exe
[2012/09/21 19:51:13 | 000,000,456 | ---- | C] () -- C:\windows\tasks\PC Utility Kit Registration3.job
[2012/09/21 19:50:56 | 000,001,164 | ---- | C] () -- C:\Users\Owner\Desktop\PC Utility Kit.lnk
[2012/09/21 19:50:55 | 000,000,422 | ---- | C] () -- C:\windows\tasks\PC Utility Kit Update3.job
[2012/09/21 19:50:48 | 000,000,420 | ---- | C] () -- C:\windows\tasks\PC Utility Kit.job
[2012/09/21 17:39:04 | 000,278,928 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2012/09/21 14:12:48 | 000,003,800 | ---- | C] () -- C:\{9D8F72D4-DE0F-4DE3-BC22-1D33F7B94875}
[2012/09/21 14:03:05 | 000,003,816 | ---- | C] () -- C:\{E9192F7B-F740-4C54-91AA-B2B8CFD3DFD0}
[2012/09/21 14:01:31 | 000,003,816 | ---- | C] () -- C:\{4141542D-7CC8-4000-807B-55132C1B87FA}
[2012/09/21 14:00:21 | 000,003,784 | ---- | C] () -- C:\{4C776CC8-163E-4A3B-B030-11E94B16A086}
[2012/09/21 13:52:35 | 000,003,816 | ---- | C] () -- C:\{AD90E6A5-9CB9-4339-B82D-5477D786D40F}
[2012/09/21 13:51:20 | 000,003,784 | ---- | C] () -- C:\{3BB5DC20-3CCF-4929-AE14-CE75F212DC86}
[2012/09/21 13:44:18 | 000,003,816 | ---- | C] () -- C:\{574F5C11-9EEE-4736-9FE2-CB608ECC5049}
[2012/09/21 13:42:54 | 000,003,784 | ---- | C] () -- C:\{789B1AE7-B738-4B9D-95E3-5915F292D636}
[2012/09/21 13:22:11 | 000,003,800 | ---- | C] () -- C:\{AC70F223-B188-4B0B-BF46-217B427FC6DF}
[2012/09/21 12:58:09 | 000,003,800 | ---- | C] () -- C:\{EF869002-DBFE-4A22-8076-1140D4A20C32}
[2012/09/21 11:49:35 | 000,003,944 | ---- | C] () -- C:\{3893925D-9057-43C7-9B41-5D87E132FE35}
[2012/09/21 11:36:57 | 000,003,784 | ---- | C] () -- C:\{9671FF0F-CF19-4934-AA20-CD36EE9F3341}
[2012/09/21 11:06:49 | 000,003,800 | ---- | C] () -- C:\{B90C2531-3EA9-481F-834A-3463746BC21B}
[2012/09/21 09:15:15 | 000,003,800 | ---- | C] () -- C:\{491640E4-A8B6-4F39-B9FB-3B22F1ED5266}
[2012/09/21 08:58:16 | 000,004,096 | ---- | C] () -- C:\{67F784EB-CF43-4962-9570-1F50F6BCE9DE}
[2012/09/20 08:45:58 | 000,000,350 | ---- | C] () -- C:\windows\tasks\At1.job
[2012/09/19 10:19:44 | 000,000,512 | ---- | C] () -- C:\Users\Owner\Documents\MBR.dat
[2012/09/19 10:11:05 | 000,001,909 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Update Checker.lnk
[2012/09/19 10:11:05 | 000,001,879 | ---- | C] () -- C:\Users\Owner\Desktop\Update Checker.lnk
[2012/09/19 10:08:14 | 000,001,031 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/18 06:50:14 | 000,000,002 | RHS- | C] () -- C:\windows\winstart.bat
[2012/09/15 11:48:09 | 001,487,627 | ---- | C] () -- C:\windows\System32\drivers\Cat.DB
[2012/09/14 14:03:55 | 000,002,227 | ---- | C] () -- C:\Users\Owner\Desktop\RocketBowl Plus.lnk
[2012/09/13 10:24:31 | 000,002,154 | ---- | C] () -- C:\Users\Owner\Desktop\PopCap Game Pack.lnk
[2012/09/05 15:36:22 | 000,000,901 | ---- | C] () -- C:\Users\Public\Desktop\Origin.lnk
[2012/08/23 11:07:16 | 000,000,000 | ---- | C] () -- C:\windows\PowerReg.dat
[2012/08/22 21:35:51 | 000,024,576 | ---- | C] () -- C:\windows\UniFISH.exe
[2012/08/16 22:41:22 | 000,000,017 | ---- | C] () -- C:\windows\System32\shortcut_ex.dat
[2012/08/10 22:10:44 | 000,091,072 | ---- | C] () -- C:\windows\System32\RoseCo2.dll
[2012/07/30 07:23:18 | 000,000,233 | ---- | C] () -- C:\windows\SIERRA.INI
[2012/04/23 12:51:28 | 000,004,096 | ---- | C] () -- C:\windows\d3dx.dat
[2012/01/30 16:52:55 | 000,077,824 | ---- | C] () -- C:\windows\System32\d3dx11_4442.dll
[2012/01/30 16:52:55 | 000,077,824 | ---- | C] () -- C:\windows\System32\d3dx11_442.dll
[2012/01/30 16:51:51 | 000,077,824 | ---- | C] () -- C:\windows\System32\d3dx9_2225.dll
[2012/01/24 15:50:07 | 000,043,520 | ---- | C] () -- C:\windows\System32\CmdLineExt03.dll
[2012/01/17 21:43:29 | 000,000,748 | ---- | C] () -- C:\windows\eReg.dat
[2011/11/28 19:26:09 | 000,000,064 | ---- | C] () -- C:\windows\GPlrLanc.dat
[2011/05/06 10:08:19 | 000,208,896 | ---- | C] () -- C:\windows\System32\accessibilllllitycpl.dll
[2011/05/06 10:08:19 | 000,208,896 | ---- | C] () -- C:\windows\System32\accessibillllitycpl.dll
[2011/05/06 10:08:19 | 000,208,896 | ---- | C] () -- C:\windows\System32\accessibilllitycpl.dll
[2011/05/06 10:08:19 | 000,208,896 | ---- | C] () -- C:\windows\System32\accessibillitycpl.dll
[2011/05/06 08:19:38 | 000,005,576 | ---- | C] () -- C:\windows\Language.ini
[2011/05/06 08:14:30 | 000,004,692 | ---- | C] () -- C:\windows\System32\drivers\SamSfPa.dat
[2011/05/06 08:14:30 | 000,000,008 | ---- | C] () -- C:\windows\System32\drivers\rtkhdaud.dat
[2011/03/03 20:17:09 | 000,077,824 | ---- | C] () -- C:\windows\System32\d3dx10_442.dll
[2011/03/03 20:14:28 | 000,224,680 | ---- | C] () -- C:\windows\System32\AsusService.exe
[2011/03/03 20:14:28 | 000,025,616 | ---- | C] () -- C:\windows\AsAcpiSvrLang.ini
[2011/03/03 20:11:46 | 000,011,520 | ---- | C] () -- C:\windows\System32\drivers\AsUpIO.sys
[2011/03/03 20:11:25 | 000,000,831 | ---- | C] () -- C:\windows\Reboot.ini
[2011/03/03 20:07:01 | 000,451,072 | ---- | C] () -- C:\windows\System32\ISSRemoveSP.exe
[2011/03/03 20:06:35 | 000,014,051 | ---- | C] () -- C:\windows\System32\RaCoInst.dat
[2011/03/02 12:39:08 | 000,000,485 | ---- | C] () -- C:\windows\WinRAR.dll

========== ZeroAccess Check ==========

[2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

========== LOP Check ==========

[2012/06/08 10:09:17 | 000,000,000 | -HSD | M] -- C:\Users\Owner\AppData\Roaming\.#
[2012/05/17 11:40:41 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\CleanMyPC Software
[2012/01/21 16:10:50 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Clickteam
[2012/07/16 21:23:35 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\DAEMON Tools Lite
[2012/09/21 19:51:08 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\DriverCure
[2011/05/06 08:18:10 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\E-Cam
[2012/08/21 09:55:52 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\EA
[2012/09/21 15:45:09 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\FixZeroAccess
[2012/01/20 07:55:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\flashInstall
[2012/05/23 15:11:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\kingsoft
[2012/05/23 15:12:05 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\KSafe
[2012/01/24 15:37:01 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Leadertech
[2012/05/08 10:56:00 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Oberon Media
[2012/09/05 15:41:46 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Origin
[2012/09/21 19:51:08 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\PC Utility Kit
[2012/05/30 08:04:36 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Rovio
[2012/08/21 09:30:32 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\SoftGrid Client
[2012/04/22 12:03:35 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Thinstall
[2012/01/21 10:27:30 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Trio
[2012/09/21 14:27:56 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\uTorrent
[2011/07/20 21:56:28 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Windows Live Writer

========== Purity Check ==========



========== Custom Scans ==========

========== Base Services ==========
SRV - [2009/07/13 21:14:53 | 000,062,464 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\aelupsvc.dll -- (AeLookupSvc)
SRV - [2010/11/20 08:18:03 | 000,047,104 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\appinfo.dll -- (Appinfo)
SRV - [2009/07/13 21:14:11 | 000,059,392 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\alg.exe -- (ALG)
No service found with a name of BITS
SRV - [2010/11/20 08:18:06 | 000,494,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\BFE.DLL -- (BFE)
SRV - [2011/11/17 01:29:50 | 000,022,528 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\lsass.exe -- (KeyIso)
SRV - [2009/07/13 21:15:19 | 000,271,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\es.dll -- (EventSystem)
SRV - [2012/07/04 17:14:34 | 000,102,912 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\browser.dll -- (Browser)
SRV - [2012/04/24 00:36:42 | 000,140,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\cryptsvc.dll -- (CryptSvc)
SRV - [2010/11/20 08:21:03 | 000,376,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (DcomLaunch)
SRV - [2010/11/20 08:18:30 | 000,254,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2011/03/03 01:38:01 | 000,132,608 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/07/13 21:15:13 | 000,098,304 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\eapsvc.dll -- (EapHost)
SRV - [2009/07/13 21:15:24 | 000,049,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\hidserv.dll -- (hidserv)
No service found with a name of SharedAccess
SRV - [2010/11/20 08:19:23 | 000,350,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IPSECSVC.DLL -- (PolicyAgent)
No service found with a name of MsMpSvc
No service found with a name of NisSrv
SRV - [2009/07/13 21:16:15 | 000,313,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\swprv.dll -- (swprv)
SRV - [2009/07/13 21:15:41 | 000,049,664 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\mmcss.dll -- (MMCSS)
SRV - [2009/07/13 21:16:03 | 000,280,576 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\netman.dll -- (Netman)
SRV - [2009/07/13 21:16:03 | 000,360,448 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\netprofm.dll -- (netprofm)
SRV - [2010/11/20 08:20:30 | 000,242,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nlasvc.dll -- (NlaSvc)
SRV - [2009/07/13 21:16:11 | 000,019,456 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\nsisvc.dll -- (nsi)
SRV - [2011/05/24 06:44:59 | 000,293,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpnpmgr.dll -- (PlugPlay)
SRV - [2012/02/11 01:37:49 | 000,317,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\spoolsv.exe -- (Spooler)
SRV - [2011/11/17 01:29:50 | 000,022,528 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\lsass.exe -- (ProtectedStorage)
No service found with a name of EMDMgmt
SRV - [2009/07/13 21:16:12 | 000,090,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\rasauto.dll -- (RasAuto)
SRV - [2010/11/20 08:21:00 | 000,286,208 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\rasmans.dll -- (RasMan)
SRV - [2010/11/20 08:21:03 | 000,376,832 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\rpcss.dll -- (RpcSs)
SRV - [2009/07/13 21:16:13 | 000,021,504 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\seclogon.dll -- (seclogon)
SRV - [2011/11/17 01:29:50 | 000,022,528 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\lsass.exe -- (SamSs)
No service found with a name of wscsvc
SRV - [2010/11/20 08:21:26 | 000,168,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)
SRV - [2010/11/20 08:21:19 | 000,328,192 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\shsvcs.dll -- (ShellHWDetection)
No service found with a name of slsvc
SRV - [2010/11/20 08:21:05 | 000,750,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\schedsvc.dll -- (Schedule)
SRV - [2010/11/20 08:21:28 | 000,242,176 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\tapisrv.dll -- (TapiSrv)
SRV - [2009/07/13 21:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2012/05/01 00:44:12 | 000,164,352 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\profsvc.dll -- (ProfSvc)
SRV - [2010/11/20 08:17:51 | 001,025,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\VSSVC.exe -- (VSS)
SRV - [2010/11/20 08:18:05 | 000,473,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (Audiosrv)
SRV - [2010/11/20 08:18:05 | 000,473,600 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\audiosrv.dll -- (AudioEndpointBuilder)
SRV - [2010/11/20 08:21:06 | 000,125,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sdrsvc.dll -- (SDRSVC)
No service found with a name of WinDefend
SRV - [2010/11/20 08:21:35 | 001,086,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wevtsvc.dll -- (eventlog)
SRV - [2010/11/20 08:19:40 | 000,566,272 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\MPSSVC.dll -- (MpsSvc)
SRV - [2010/11/20 08:21:35 | 000,463,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wiaservc.dll -- (StiSvc)
SRV - [2010/11/20 08:17:22 | 000,073,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\windows\System32\msiexec.exe -- (msiserver)
SRV - [2009/07/13 21:16:19 | 000,168,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wbem\WMIsvc.dll -- (Winmgmt)
No service found with a name of wuauserv
SRV - [2010/11/20 08:18:34 | 000,214,016 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\dot3svc.dll -- (dot3svc)
SRV - [2009/07/13 21:16:19 | 000,829,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wlansvc.dll -- (Wlansvc)
SRV - [2010/11/20 08:21:36 | 000,084,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\wkssvc.dll -- (LanmanWorkstation)

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\erdnt\cache\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe

< MD5 for: QMGR.DLL >
[2010/11/20 08:20:58 | 000,585,728 | ---- | M] (Microsoft Corporation) MD5=E585445D5021971FAE10393F0F1C3961 -- C:\Windows\erdnt\cache\qmgr.dll
[2010/11/20 08:20:58 | 000,585,728 | ---- | M] (Microsoft Corporation) MD5=E585445D5021971FAE10393F0F1C3961 -- C:\Windows\System32\qmgr.dll
[2010/11/20 08:20:58 | 000,585,728 | ---- | M] (Microsoft Corporation) MD5=E585445D5021971FAE10393F0F1C3961 -- C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.1.7601.17514_none_25982ed857b42497\qmgr.dll

< MD5 for: SERVICES >
[2012/07/01 10:57:21 | 000,017,589 | ---- | M] () MD5=8949DD322EDF0FD9056657A8E270DC09 -- C:\Windows\System32\drivers\etc\services
[2009/06/10 17:39:37 | 000,017,463 | ---- | M] () MD5=D9E1A01B480D961B7CF0509D597A92D6 -- C:\Windows\winsxs\x86_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_045b589158ae90da\services

< MD5 for: SERVICES.CFG >
[2012/07/27 16:51:34 | 000,586,083 | ---- | M] () MD5=6DE4EA437EC1FE6DB27CADB0A7EA8DC2 -- C:\Program Files\Adobe\Reader 10.0\Reader\Services\Services.cfg
[2011/06/06 13:55:30 | 000,584,045 | R--- | M] () MD5=B82DD53FA8C260DDD7FDC42182DB816E -- C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744AA0100000010\10.1.0\services.cfg

< MD5 for: SERVICES.EXE >
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\erdnt\cache\services.exe
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\System32\services.exe
[2009/07/13 21:14:36 | 000,259,072 | ---- | M] (Microsoft Corporation) MD5=5F1B6A9C35D3D5CA72D6D6FDEF9747D6 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe

< MD5 for: SERVICES.EXE.MUI >
[2009/07/13 22:03:06 | 000,017,408 | ---- | M] (Microsoft Corporation) MD5=0DA5F221169DEB5AC3A22465CD6F0281 -- C:\Users\Owner\AppData\Local\temp\services.exe.mui
[2009/07/13 22:03:06 | 000,017,408 | ---- | M] (Microsoft Corporation) MD5=0DA5F221169DEB5AC3A22465CD6F0281 -- C:\Windows\System32\en-US\services.exe.mui
[2009/07/13 22:03:06 | 000,017,408 | ---- | M] (Microsoft Corporation) MD5=0DA5F221169DEB5AC3A22465CD6F0281 -- C:\Windows\winsxs\x86_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_69d39d3a8748c332\services.exe.mui

< MD5 for: SERVICES.LNK >
[2009/07/14 00:41:45 | 000,001,288 | ---- | M] () MD5=021B1B178776500E54560EDCFFE0EE21 -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk
[2009/07/14 00:41:45 | 000,001,288 | ---- | M] () MD5=021B1B178776500E54560EDCFFE0EE21 -- C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk

< MD5 for: SERVICES.MOF >
[2009/06/10 17:26:14 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\System32\wbem\services.mof
[2009/06/10 17:26:14 | 000,002,866 | ---- | M] () MD5=26A11C895A7F0B6D32105EBE127D8500 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.mof

< MD5 for: SERVICES.MSC >
[2009/07/13 22:08:50 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\en-US\services.msc
[2009/06/10 17:21:09 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\System32\services.msc
[2009/07/13 22:08:50 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-s..cessnapin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a4156d265db25d25\services.msc
[2009/06/10 17:21:09 | 000,092,745 | ---- | M] () MD5=7A1D35F59468B8118AF5B8E21DF78AE2 -- C:\Windows\winsxs\x86_microsoft-windows-servicessnapin_31bf3856ad364e35_6.1.7600.16385_none_cf3a38c7a70e7a54\services.msc

< MD5 for: SERVICES.PTXML >
[2009/07/13 16:20:01 | 000,001,061 | ---- | M] () MD5=640D7DD61B1CFA6C96F80F68F78CDFA7 -- C:\Windows\System32\wdi\perftrack\Services.ptxml
[2009/07/13 16:20:01 | 000,001,061 | ---- | M] () MD5=640D7DD61B1CFA6C96F80F68F78CDFA7 -- C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\Services.ptxml

< MD5 for: SVCHOST.EXE >
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\erdnt\cache\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\erdnt\cache\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe

< MD5 for: WINLOGON.EXE >
[2012/09/07 17:04:42 | 000,218,696 | ---- | M] () MD5=4E0D8C9F83B7FD82393F7D8CCC27E7AE -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\erdnt\cache\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe

========== Alternate Data Streams ==========

@Alternate Data Stream - 175 bytes -> C:\ProgramData\TEMP:ECF54A0E
@Alternate Data Stream - 167 bytes -> C:\ProgramData\TEMP:87A3A233
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:85AA7074
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:5D90B241
@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:FD786DCA
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:7D288858
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:38D2EA83
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:09867A8B
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:92DB4653
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:6387AA6C
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:73C78BAA
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:02A78DF6
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:0F6AC518
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:073139EC
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:FB647F34
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:7EC01D6D
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:72C99D4E
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:A1460B2A
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:DFC5A2B2

< End of report >

#4
kingbear

    Member

  • Topic Starter
  • Member
  • 52 posts
RogueKiller V8.0.4 [09/19/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/22/2012 11:03:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4704 : wscript.exe -> FOUND
[TASK][SUSP PATH] Norton PC Checkup Setup : C:\Users\Owner\AppData\Local\Temp\PCCUStubInstaller\SymcPCCUInstaller.exe -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x81F1BCA9 -> HOOKED (Unknown @ 0x8780DFD0)
SSDT[14] : NtAlertThread @ 0x81E6EBC0 -> HOOKED (Unknown @ 0x8780F0A8)
SSDT[19] : NtAllocateVirtualMemory @ 0x81E67BCC -> HOOKED (Unknown @ 0x8780FA20)
SSDT[22] : NtAlpcConnectPort @ 0x81EB344E -> HOOKED (Unknown @ 0x8708C628)
SSDT[43] : NtAssignProcessToJobObject @ 0x81E3CFCA -> HOOKED (Unknown @ 0x8780D778)
SSDT[74] : NtCreateMutant @ 0x81E4E28E -> HOOKED (Unknown @ 0x8780DD20)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x81E3F8ED -> HOOKED (Unknown @ 0x8780D498)
SSDT[87] : NtCreateThread @ 0x81F19ED6 -> HOOKED (Unknown @ 0x8780FF28)
SSDT[88] : NtCreateThreadEx @ 0x81EAE34B -> HOOKED (Unknown @ 0x8780D588)
SSDT[93] : NtCreateUserProcess @ 0x81EAC27D -> HOOKED (\??\C:\windows\system32\drivers\kisknl.sys @ 0x945888CD)
SSDT[96] : NtDebugActiveProcess @ 0x81EEBDB0 -> HOOKED (Unknown @ 0x8780D858)
SSDT[111] : NtDuplicateObject @ 0x81E6F65A -> HOOKED (Unknown @ 0x8780FBF0)
SSDT[131] : NtFreeVirtualMemory @ 0x81CF747A -> HOOKED (Unknown @ 0x8780F7D8)
SSDT[145] : NtImpersonateAnonymousToken @ 0x81E338BC -> HOOKED (Unknown @ 0x8780DE10)
SSDT[147] : NtImpersonateThread @ 0x81EB784C -> HOOKED (Unknown @ 0x8780DEF0)
SSDT[155] : NtLoadDriver @ 0x81E03BFC -> HOOKED (Unknown @ 0x870860C0)
SSDT[168] : NtMapViewOfSection @ 0x81E84512 -> HOOKED (Unknown @ 0x8780F6D8)
SSDT[177] : NtOpenEvent @ 0x81E4DC8A -> HOOKED (Unknown @ 0x8780DC40)
SSDT[190] : NtOpenProcess @ 0x81E4FAD4 -> HOOKED (Unknown @ 0x8780FDD0)
SSDT[191] : NtOpenProcessToken @ 0x81EA221F -> HOOKED (Unknown @ 0x8780FB10)
SSDT[194] : NtOpenSection @ 0x81EA789B -> HOOKED (Unknown @ 0x8780DA80)
SSDT[198] : NtOpenThread @ 0x81E9BF95 -> HOOKED (Unknown @ 0x8780FCE0)
SSDT[215] : NtProtectVirtualMemory @ 0x81E80581 -> HOOKED (Unknown @ 0x8780D688)
SSDT[304] : NtResumeThread @ 0x81EAE572 -> HOOKED (Unknown @ 0x8780F188)
SSDT[316] : NtSetContextThread @ 0x81F1B755 -> HOOKED (Unknown @ 0x8780F428)
SSDT[333] : NtSetInformationProcess @ 0x81E7676D -> HOOKED (Unknown @ 0x8780F508)
SSDT[350] : NtSetSystemInformation @ 0x81E8C26C -> HOOKED (Unknown @ 0x8780D938)
SSDT[366] : NtSuspendProcess @ 0x81F1BBE3 -> HOOKED (Unknown @ 0x8780DB60)
SSDT[367] : NtSuspendThread @ 0x81ED3085 -> HOOKED (Unknown @ 0x8780F268)
SSDT[370] : NtTerminateProcess @ 0x81E98BCD -> HOOKED (Unknown @ 0x8780F008)
SSDT[371] : NtTerminateThread @ 0x81EB6584 -> HOOKED (Unknown @ 0x8780F348)
SSDT[385] : NtUnmapViewOfSection @ 0x81EA285A -> HOOKED (Unknown @ 0x8780F5F8)
SSDT[399] : NtWriteVirtualMemory @ 0x81E9D92A -> HOOKED (Unknown @ 0x8780F8C8)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x86EED8D0)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x86EEF858)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x878C8A98)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x9596C858)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87E3B500)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x959E9998)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x959F6B30)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x959F6A60)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x95BED8B0)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x878C8AD0)
_INLINE_ : NtCreateKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFCE)
_INLINE_ : NtDeleteKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFD8)
_INLINE_ : NtDeleteValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFC9)
_INLINE_ : NtEnumerateKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFDD)
_INLINE_ : NtEnumerateValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFE2)
_INLINE_ : NtOpenKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFF1)
_INLINE_ : NtQueryKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFEC)
_INLINE_ : NtQueryValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFE7)
_INLINE_ : NtSetValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFD3)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] dc1bd48b34b59529ecc3a62d53843960
[BSP] bb25640bcdec7b4b08fe45bbad3a1b26 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 223097 Mo
1 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 456904704 | Size: 15360 Mo
2 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488361984 | Size: 16 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
  • 0

#5
kingbear

kingbear

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Do I delete everything that is checked? Not sure, I'm gonna wait for you.
  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Let's kill it now

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
    Posted Image

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
Posted Image
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
    Posted Image
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
  • 0

#7
kingbear

kingbear

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
RogueKiller V8.0.4 [09/19/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Owner [Admin rights]
Mode : Scan -- Date : 09/22/2012 11:03:57

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[TASK][ROGUE ST] 0 : c:\program files\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4704 : wscript.exe -> FOUND
[TASK][SUSP PATH] Norton PC Checkup Setup : C:\Users\Owner\AppData\Local\Temp\PCCUStubInstaller\SymcPCCUInstaller.exe -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\@ --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\U --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-18\$0c57ed650c8826adc74c3ac0e983d3d0\L --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-1893933335-3957457206-1101798082-1000\$0c57ed650c8826adc74c3ac0e983d3d0\L --> FOUND

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[13] : NtAlertResumeThread @ 0x81F1BCA9 -> HOOKED (Unknown @ 0x8780DFD0)
SSDT[14] : NtAlertThread @ 0x81E6EBC0 -> HOOKED (Unknown @ 0x8780F0A8)
SSDT[19] : NtAllocateVirtualMemory @ 0x81E67BCC -> HOOKED (Unknown @ 0x8780FA20)
SSDT[22] : NtAlpcConnectPort @ 0x81EB344E -> HOOKED (Unknown @ 0x8708C628)
SSDT[43] : NtAssignProcessToJobObject @ 0x81E3CFCA -> HOOKED (Unknown @ 0x8780D778)
SSDT[74] : NtCreateMutant @ 0x81E4E28E -> HOOKED (Unknown @ 0x8780DD20)
SSDT[86] : NtCreateSymbolicLinkObject @ 0x81E3F8ED -> HOOKED (Unknown @ 0x8780D498)
SSDT[87] : NtCreateThread @ 0x81F19ED6 -> HOOKED (Unknown @ 0x8780FF28)
SSDT[88] : NtCreateThreadEx @ 0x81EAE34B -> HOOKED (Unknown @ 0x8780D588)
SSDT[93] : NtCreateUserProcess @ 0x81EAC27D -> HOOKED (\??\C:\windows\system32\drivers\kisknl.sys @ 0x945888CD)
SSDT[96] : NtDebugActiveProcess @ 0x81EEBDB0 -> HOOKED (Unknown @ 0x8780D858)
SSDT[111] : NtDuplicateObject @ 0x81E6F65A -> HOOKED (Unknown @ 0x8780FBF0)
SSDT[131] : NtFreeVirtualMemory @ 0x81CF747A -> HOOKED (Unknown @ 0x8780F7D8)
SSDT[145] : NtImpersonateAnonymousToken @ 0x81E338BC -> HOOKED (Unknown @ 0x8780DE10)
SSDT[147] : NtImpersonateThread @ 0x81EB784C -> HOOKED (Unknown @ 0x8780DEF0)
SSDT[155] : NtLoadDriver @ 0x81E03BFC -> HOOKED (Unknown @ 0x870860C0)
SSDT[168] : NtMapViewOfSection @ 0x81E84512 -> HOOKED (Unknown @ 0x8780F6D8)
SSDT[177] : NtOpenEvent @ 0x81E4DC8A -> HOOKED (Unknown @ 0x8780DC40)
SSDT[190] : NtOpenProcess @ 0x81E4FAD4 -> HOOKED (Unknown @ 0x8780FDD0)
SSDT[191] : NtOpenProcessToken @ 0x81EA221F -> HOOKED (Unknown @ 0x8780FB10)
SSDT[194] : NtOpenSection @ 0x81EA789B -> HOOKED (Unknown @ 0x8780DA80)
SSDT[198] : NtOpenThread @ 0x81E9BF95 -> HOOKED (Unknown @ 0x8780FCE0)
SSDT[215] : NtProtectVirtualMemory @ 0x81E80581 -> HOOKED (Unknown @ 0x8780D688)
SSDT[304] : NtResumeThread @ 0x81EAE572 -> HOOKED (Unknown @ 0x8780F188)
SSDT[316] : NtSetContextThread @ 0x81F1B755 -> HOOKED (Unknown @ 0x8780F428)
SSDT[333] : NtSetInformationProcess @ 0x81E7676D -> HOOKED (Unknown @ 0x8780F508)
SSDT[350] : NtSetSystemInformation @ 0x81E8C26C -> HOOKED (Unknown @ 0x8780D938)
SSDT[366] : NtSuspendProcess @ 0x81F1BBE3 -> HOOKED (Unknown @ 0x8780DB60)
SSDT[367] : NtSuspendThread @ 0x81ED3085 -> HOOKED (Unknown @ 0x8780F268)
SSDT[370] : NtTerminateProcess @ 0x81E98BCD -> HOOKED (Unknown @ 0x8780F008)
SSDT[371] : NtTerminateThread @ 0x81EB6584 -> HOOKED (Unknown @ 0x8780F348)
SSDT[385] : NtUnmapViewOfSection @ 0x81EA285A -> HOOKED (Unknown @ 0x8780F5F8)
SSDT[399] : NtWriteVirtualMemory @ 0x81E9D92A -> HOOKED (Unknown @ 0x8780F8C8)
S_SSDT[318] : Unknown -> HOOKED (Unknown @ 0x86EED8D0)
S_SSDT[402] : Unknown -> HOOKED (Unknown @ 0x86EEF858)
S_SSDT[434] : Unknown -> HOOKED (Unknown @ 0x878C8A98)
S_SSDT[436] : Unknown -> HOOKED (Unknown @ 0x9596C858)
S_SSDT[448] : Unknown -> HOOKED (Unknown @ 0x87E3B500)
S_SSDT[490] : Unknown -> HOOKED (Unknown @ 0x959E9998)
S_SSDT[508] : Unknown -> HOOKED (Unknown @ 0x959F6B30)
S_SSDT[509] : Unknown -> HOOKED (Unknown @ 0x959F6A60)
S_SSDT[585] : Unknown -> HOOKED (Unknown @ 0x95BED8B0)
S_SSDT[588] : Unknown -> HOOKED (Unknown @ 0x878C8AD0)
_INLINE_ : NtCreateKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFCE)
_INLINE_ : NtDeleteKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFD8)
_INLINE_ : NtDeleteValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFC9)
_INLINE_ : NtEnumerateKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFDD)
_INLINE_ : NtEnumerateValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFE2)
_INLINE_ : NtOpenKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFF1)
_INLINE_ : NtQueryKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFEC)
_INLINE_ : NtQueryValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFE7)
_INLINE_ : NtSetValueKey -> HOOKED (\SystemRoot\system32\drivers\aksfridge.sys @ 0x81C3DFD3)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] dc1bd48b34b59529ecc3a62d53843960
[BSP] bb25640bcdec7b4b08fe45bbad3a1b26 : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 223097 Mo
1 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 456904704 | Size: 15360 Mo
2 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488361984 | Size: 16 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#8 kingbear (Topic Starter, Member)
ComboFix 12-09-22.02 - Owner 09/22/2012 11:43:05.2.2 - x86
Running from: c:\users\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Roaming\.#
c:\windows\system32\1020
c:\windows\system32\1020\inf1020.dat
.
.
((((((((((((((((((((((((( Files Created from 2012-08-22 to 2012-09-22 )))))))))))))))))))))))))))))))
.
.
2030-01-01 19:03 . 2012-09-10 10:52 -------- d-----w- C:\Boot
2012-09-22 16:28 . 2012-09-22 16:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-22 13:29 . 2012-09-22 13:33 -------- d-----w- c:\windows\$regcmp$
2012-09-21 23:51 . 2012-09-21 23:51 -------- d-----w- c:\users\Owner\AppData\Roaming\PC Utility Kit
2012-09-21 23:51 . 2012-09-21 23:51 -------- d-----w- c:\users\Owner\AppData\Roaming\DriverCure
2012-09-21 23:50 . 2012-09-21 23:50 -------- d-----w- c:\program files\Common Files\PC Utility Kit
2012-09-21 23:50 . 2012-09-21 23:50 -------- d-----w- c:\programdata\PC Utility Kit
2012-09-21 23:50 . 2012-09-21 23:50 -------- d-----w- c:\program files\PC Utility Kit
2012-09-21 19:45 . 2012-09-21 19:45 -------- d-----w- c:\users\Owner\AppData\Roaming\FixZeroAccess
2012-09-21 12:52 . 2012-09-21 20:22 -------- d-----w- c:\users\Owner\AppData\Local\NPE
2012-09-21 12:39 . 2012-09-21 12:39 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-09-20 12:41 . 2012-09-20 12:41 -------- d-----w- c:\windows\system32\1019
2012-09-19 14:10 . 2012-09-19 14:10 -------- d-----w- c:\program files\FileHippo.com
2012-09-19 14:08 . 2012-09-19 14:08 -------- d-----w- c:\programdata\Malwarebytes
2012-09-19 14:08 . 2012-09-19 14:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-19 14:08 . 2012-09-07 21:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-19 13:58 . 2012-09-19 13:58 -------- d-----w- c:\windows\Sun
2012-09-19 13:57 . 2012-09-19 13:57 -------- d-----w- c:\program files\Common Files\Java
2012-09-19 13:57 . 2012-09-19 13:56 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-19 13:54 . 2012-09-19 13:54 -------- d-----w- c:\programdata\McAfee
2012-09-18 15:25 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{41C6041B-CBB1-4111-8D39-EA8A8366A96B}\mpengine.dll
2012-09-18 10:50 . 2012-09-18 10:50 2 --shatr- c:\windows\winstart.bat
2012-09-17 23:43 . 2012-09-17 23:43 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2012-09-17 20:07 . 2012-09-22 16:31 -------- d-----w- c:\users\Owner\AppData\Local\temp
2012-09-15 19:50 . 2012-09-15 19:50 -------- d-----w- c:\programdata\KRSHistory
2012-09-15 15:47 . 2012-09-17 20:48 -------- d-----w- c:\program files\Common Files\PC Tools
2012-09-15 15:47 . 2012-06-22 19:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-09-15 01:23 . 2012-09-15 01:23 -------- d-----w- c:\users\Owner\AppData\Local\Apps
2012-09-14 14:55 . 2012-09-14 15:08 -------- d-----w- c:\program files\Microsoft Games
2012-09-13 14:24 . 2012-09-19 14:23 -------- d-----w- c:\program files\Games for Windows
2012-09-13 11:00 . 2012-09-17 20:48 -------- d-----w- c:\windows\system32\1018
2012-09-13 10:53 . 2012-09-13 10:53 -------- d-----w- c:\windows\system32\1017
2012-09-12 12:24 . 2012-08-22 17:16 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-09-12 12:24 . 2012-07-04 19:45 33280 ----a-w- c:\windows\system32\drivers\RNDISMP.sys
2012-09-12 12:24 . 2012-08-22 17:16 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-09-12 12:24 . 2012-08-22 17:16 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-09-12 12:24 . 2012-08-22 17:16 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-09-12 12:24 . 2012-08-02 16:57 490496 ----a-w- c:\windows\system32\d3d10level9.dll
2012-09-11 11:04 . 2012-09-11 11:04 18296 ----a-w- c:\windows\system32\drivers\kusbquery64.sys
2012-09-11 11:04 . 2012-09-11 11:04 14200 ----a-w- c:\windows\system32\drivers\kusbquery.sys
2012-09-06 00:27 . 2012-09-16 20:08 -------- d-----w- c:\program files\Electronic Arts
2012-09-05 19:41 . 2012-09-05 19:41 -------- d-----w- c:\users\Owner\AppData\Roaming\Origin
2012-09-05 19:41 . 2012-09-08 01:46 -------- d-----w- c:\program files\Origin Games
2012-09-05 19:39 . 2012-09-05 19:39 -------- d-----w- c:\users\Owner\AppData\Local\Origin
2012-09-05 19:36 . 2012-09-05 19:42 -------- d-----w- c:\programdata\Origin
2012-09-05 19:36 . 2012-09-08 01:32 -------- d-----w- c:\program files\Origin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-21 12:34 . 2012-07-26 13:32 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-21 12:34 . 2012-02-23 11:15 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-19 13:56 . 2011-05-06 17:48 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-22 20:54 . 2012-07-10 23:09 164728 ----a-w- c:\windows\system32\drivers\kisknl.sys
2012-07-18 17:47 . 2012-08-15 11:33 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 23:09 . 2012-07-10 23:09 31848 ----a-w- c:\windows\system32\drivers\kavbootc64.sys
2012-07-10 23:09 . 2012-07-10 23:09 27240 ----a-w- c:\windows\system32\drivers\kavbootc.sys
2012-07-10 23:09 . 2012-07-10 23:09 24472 ----a-w- c:\windows\system32\drivers\bc.sys
2012-07-10 23:09 . 2012-07-10 23:09 208216 ----a-w- c:\windows\system32\drivers\kisknl64.sys
2012-07-10 23:09 . 2012-07-10 23:09 19352 ----a-w- c:\windows\system32\drivers\ksskrpr.sys
2012-07-10 23:09 . 2012-07-10 23:09 164696 ----a-w- c:\windows\system32\drivers\kdhacker64.sys
2012-07-10 23:09 . 2012-07-10 23:09 125784 ----a-w- c:\windows\system32\drivers\kdhacker.sys
2012-07-10 23:09 . 2012-07-10 23:09 82264 ----a-w- c:\windows\system32\drivers\ksapi.sys
2012-07-06 19:23 . 2012-08-16 00:33 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-07-06 02:17 . 2012-08-15 02:17 574112 ----a-w- c:\windows\system32\drivers\NAV\1308000.00E\srtsp.sys
2012-07-06 02:17 . 2012-08-15 02:17 32928 ----a-w- c:\windows\system32\drivers\NAV\1308000.00E\srtspx.sys
2012-07-04 21:14 . 2012-08-15 11:33 41984 ----a-w- c:\windows\system32\browcli.dll
2012-07-04 21:14 . 2012-08-15 11:33 102912 ----a-w- c:\windows\system32\browser.dll
2012-07-01 00:05 . 2012-07-01 00:05 242240 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-06-29 00:16 . 2012-08-15 23:51 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-06-29 00:09 . 2012-08-15 23:51 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-29 00:08 . 2012-08-15 23:51 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-29 00:04 . 2012-08-15 23:51 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-29 00:00 . 2012-08-15 23:51 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-25 20:04 . 2012-06-25 20:04 1394248 ----a-w- c:\windows\system32\msxml4.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-85AB-AF21F3D9AE2F}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2012-04-17 3671872]
"InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-10-11 1179648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KSafeTray"="c:\program files\Kingsoft\PCDoctor\KSafeTray.exe" [2012-04-11 742816]
"kxesc"="c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" [2012-09-11 1595056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 uTorrentService;uTorrent;c:\program files\uTorrent\uTorent.exe [x]
R3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.391.0\SeaPort.exe [x]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files\IObit\Game Booster 3\Driver\WinRing0.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 kavbootc;kavbootc;c:\windows\system32\drivers\kavbootc.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1308000.00E\SYMDS.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1308000.00E\SYMEFA.SYS [x]
S1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [x]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\BASHDefs\20120919.001\BHDrvx86.sys [x]
S1 ccSet_MCLIENT;Norton Management Settings Manager;c:\windows\system32\drivers\MCLIENT\0101010.003\ccSetx86.sys [x]
S1 ccSet_NAV;Norton AntiVirus Settings Manager;c:\windows\system32\drivers\NAV\1308000.00E\ccSetx86.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_19.1.0.28\Definitions\IPSDefs\20120921.001\IDSvix86.sys [x]
S1 KDHacker;KDHacker;c:\program files\kingsoft\kingsoft antivirus\security\kxescan\kdhacker.sys [x]
S1 kmodurl;kmodurl;c:\program files\Kingsoft\PCDoctor\kmodurl.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1308000.00E\Ironx86.SYS [x]
S1 SymNetS;Symantec Network Security WFP Driver;c:\windows\System32\Drivers\NAV\1308000.00E\SYMNETS.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.391.0\BBSvc.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [x]
S2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys [x]
S2 KSafeSvc;KSafe service;c:\program files\Kingsoft\PCDoctor\KSafeSvc.exe [x]
S2 kxescore;Kingsoft Core Service;c:\program files\Kingsoft\kingsoft antivirus\kxescore.exe [x]
S2 MCLIENT;Norton Management;c:\program files\Norton Management\Engine\1.1.1.3\ccSvcHst.exe [x]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe [x]
S2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe [x]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [x]
S3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S3 AsusService;Asus Launcher Service;c:\windows\system32\AsusService.exe [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 ksapi;ksapi;c:\windows\system32\drivers\ksapi.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x86.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S4 KUsbGuard;KUsbGuard;c:\program files\Kingsoft\kingsoft antivirus\kusbquery.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-24 11:49]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-24 11:49]
.
2012-07-19 c:\windows\Tasks\KsafeDelay.job
- c:\program files\Kingsoft\PCDoctor\KSafeTray.exe [2012-04-11 06:35]
.
2012-09-22 c:\windows\Tasks\PC Utility Kit Registration3.job
- c:\program files\Common Files\PC Utility Kit\UUS3\UUS3.dll [2012-03-27 19:30]
.
2012-09-22 c:\windows\Tasks\PC Utility Kit Update3.job
- c:\program files\Common Files\PC Utility Kit\UUS3\Update3.exe [2012-03-27 19:30]
.
2012-09-22 c:\windows\Tasks\PC Utility Kit.job
- c:\program files\PC Utility Kit\PC Utility Kit\pcutilitykit.exe [2012-08-30 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = charter.net
mStart Page = charter.net
Trusted Zone: moove.com
TCP: DhcpNameServer = 24.247.15.53 66.189.0.100 24.178.162.3
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MCLIENT]
"ImagePath"="\"c:\program files\Norton Management\Engine\1.1.1.3\ccSvcHst.exe\" /s \"MCLIENT\" /m \"c:\program files\Norton Management\Engine\1.1.1.3\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\19.8.0.14\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\19.8.0.14\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.2.0.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1893933335-3957457206-1101798082-1000\Software\SecuROM\License information*]
"datasecu"=hex:36,ef,1f,6e,fd,03,e0,f5,2e,a0,15,32,ad,99,b2,7f,5e,ee,cb,38,bb,
21,ca,d6,d7,08,f7,e7,18,b4,a0,68,11,20,9e,5b,2b,28,b4,7d,e7,59,83,17,7d,ca,\
"rkeysecu"=hex:a7,ac,b2,52,88,15,94,92,58,39,ac,00,28,b5,ae,d1
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3856)
c:\program files\Kingsoft\kingsoft antivirus\kwsui.dll
c:\program files\Kingsoft\kingsoft antivirus\kswebshield.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-09-22 12:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-09-22 16:41
.
Pre-Run: 169,760,223,232 bytes free
Post-Run: 169,696,174,080 bytes free
.
- - End Of File - - 113BD5FD8F01F1F31DD613FFC7A23F82

#9 kingbear (Topic Starter, Member)
Well, my computer now says that I have updates. Should I run them?

#10 kingbear (Topic Starter, Member)
Seems to be running fine. I haven't installed the updates yet, but at least my Windows Update icon is back in my system tray and the Windows Firewall is back on. I'm not sure, but every time I open my Internet Explorer it always asks for permission to run Java. I always hit Yes or OK.

#11 kingbear (Topic Starter, Member)
Are you going to help me remove the things installed from you again?

#12 Essexboy (GeekU Moderator, Retired Staff)
Yes, allow all updates to install.

Could you confirm that you have no further problems?

#13 kingbear (Topic Starter, Member)
Everything seems to be running fine. I installed my updates and everything went well; then when my PC started back up there was a window open that said MRI disabled, and it was just an open folder in Notepad (I think).

#14 Essexboy (GeekU Moderator, Retired Staff)
Have you received help from GeekSquad at some stage?

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go Start > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
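The post above walks through three of its post-cleanup steps in the Windows GUI: confirming the hidden-files view is back to the default, creating a restore point named "Clean", and checking that the machine is healthy again. The script below is an added example for readers who prefer to do those checks from an elevated Windows PowerShell prompt on the Windows 7 machine; it is not from Essexboy's post nor from OTL, ComboFix or RogueKiller. The registry values and service names (wuauserv, wscsvc, MpsSvc, BFE) are the standard Windows ones; the thread's own symptoms were Windows Update, Security Center and Windows Firewall failing to start.

```powershell
# Added example (not from the thread or from the cleanup tools): post-cleanup checks.
# Run from an elevated Windows PowerShell prompt on the cleaned Windows 7 machine.

# 1. Hidden-files view. The Explorer default is "Do not show hidden files and folders",
#    stored as Hidden = 2 (1 = show); ShowSuperHidden = 0 keeps protected OS files hidden.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$cur = Get-ItemProperty -Path $adv
if ($cur.Hidden -ne 2 -or $cur.ShowSuperHidden -ne 0) {
    Write-Host 'Hidden-file view was changed by a tool; restoring the defaults.'
    Set-ItemProperty -Path $adv -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 0 -Type DWord
}

# 2. Services behind the symptoms reported in this thread (Windows Update, Security
#    Center, Windows Firewall). Each should be Automatic and Running before the
#    machine is trusted again; anything Disabled or Stopped is worth a second look.
$expect = @{
    wuauserv = 'Windows Update'
    wscsvc   = 'Security Center'
    MpsSvc   = 'Windows Firewall'
    BFE      = 'Base Filtering Engine'   # Windows Firewall depends on this one
}
foreach ($name in $expect.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$($expect[$name]) ($name) is missing"; continue }
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -eq 'Disabled') {
        Write-Warning "$($expect[$name]) ($name) is Disabled; setting it to Automatic"
        Set-Service -Name $name -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Write-Warning "$($expect[$name]) ($name) is $($svc.Status); starting it"
        Start-Service -Name $name
    }
}

# 3. Create the "Clean" restore point (same as System Protection > Create in the GUI).
#    This relies on Volume Shadow Copy being healthy; if it fails, list the VSS writers
#    to see which one is reporting an error before purging older restore points.
try {
    Checkpoint-Computer -Description 'Clean' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    Write-Host 'Restore point "Clean" created.'
} catch {
    Write-Warning "Restore point failed: $($_.Exception.Message)"
    Write-Host 'Check the shadow-copy writers with: vssadmin list writers'
}
```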

#15 kingbear (Topic Starter, Member)
It won't let me create a new restore point. It says writer encountered a transient error. So I have not done the step after that in your instructions. And when my computer starts up it still says MRI disabled.