RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: AFSHEEN KHAN [Admin rights]
Mode: Remove -- Date: 07/31/2012 17:56:49

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 7 ¤¤¤
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] n : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000004.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 00000008.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U\00000008.@ --> REMOVED
[Del.Parent][FILE] 000000cb.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U\000000cb.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U\80000032.@ --> REMOVED
[ZeroAccess][FOLDER] U : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] L : c:\windows\installer\{8aae17e6-5e51-4061-d77f-f0b85161e693}\L --> REMOVED
[ZeroAccess][FILE] n : c:\users\afsheen khan\appdata\local\{8aae17e6-5e51-4061-d77f-f0b85161e693}\n --> REMOVED
[ZeroAccess][FILE] @ : c:\users\afsheen khan\appdata\local\{8aae17e6-5e51-4061-d77f-f0b85161e693}\@ --> REMOVED
[ZeroAccess][FOLDER] U : c:\users\afsheen khan\appdata\local\{8aae17e6-5e51-4061-d77f-f0b85161e693}\U --> REMOVED
[ZeroAccess][FOLDER] L : c:\users\afsheen khan\appdata\local\{8aae17e6-5e51-4061-d77f-f0b85161e693}\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> REMOVED AT REBOOT
[Susp.ASLR][ASLR WIPED-OFF] services.exe : c:\windows\system32\services.exe --> CANNOT FIX
[ZeroAccess][Sig found] services.exe : c:\windows\system32\services.exe --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\atapi.sys -> HOOKED ([INLINE] Unknown @ 0x86AC4FA9)

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS723232L9SA60 ATA Device +++++
--- User ---
[MBR] 54d1c65ae2953fe4f167b5e22d556984
[BSP] 369910cafd80797495e57ccbb7aa69cb : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 6540 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 13395968 | Size: 298703 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 3a82ffe872417ad1ee21cef72ac402b3
[BSP] 369910cafd80797495e57ccbb7aa69cb : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 6540 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 13395968 | Size: 298703 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 625139712 | Size: 1 Mo

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt