Hi SleepyDude, sorry about the late response; I have been really busy at work.
The RogueKiller log is listed below:
RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.co...es/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : ATS [Admin rights]
Mode : Scan -- Date : 03/27/2014 18:34:28
| ARK || FAK || MBR |
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Scheduled tasks : 0 ¤¤¤
¤¤¤ Startup Entries : 0 ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ Browser Addons : 0 ¤¤¤
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[37] : NtCreateFile @ 0x805790A2 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491178)
[Address] SSDT[41] : NtCreateKey @ 0x8062426A -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA4919F8)
[Address] SSDT[62] : NtDeleteFile @ 0x80576C4A -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA49110C)
[Address] SSDT[65] : NtDeleteValueKey @ 0x806248D6 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491C7E)
[Address] SSDT[116] : NtOpenFile @ 0x8057A1A0 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA49124E)
[Address] SSDT[119] : NtOpenKey @ 0x80625648 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491AEA)
[Address] SSDT[122] : NtOpenProcess @ 0x805CB486 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491DF8)
[Address] SSDT[145] : NtQueryDirectoryFile @ 0x80579E82 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA4914B4)
[Address] SSDT[224] : NtSetInformationFile @ 0x8057B02E -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA490F46)
[Address] SSDT[247] : NtSetValueKey @ 0x806227DC -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491B72)
[Address] SSDT[257] : NtTerminateProcess @ 0x805D2308 -> HOOKED (C:\WINDOWS\system32\drivers\pcwatch.sys @ 0xBA491E94)
[Address] EAT @explorer.exe (DllCanUnloadNow) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31070)
[Address] EAT @explorer.exe (DllGetClassObject) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31030)
[Address] EAT @explorer.exe (DllRegisterServer) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D310D0)
[Address] EAT @explorer.exe (DllUnregisterServer) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31110)
[Address] EAT @explorer.exe (GetProxyDllInfo) : nvshell.dll -> HOOKED (C:\WINDOWS\system32\igfxsrvc.dll @ 0x03D31000)
¤¤¤ External Hives: ¤¤¤
¤¤¤ Infection : ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
127.0.0.1 localhost
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10EZEX-00BN5A0 +++++
--- User ---
[MBR] 28bcb8d38c04fead2455e6eca651aad8
[BSP] 548f75f2985f65716ba6e26a5aae5841 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) OCZ RALLY2 USB Device +++++
--- User ---
[MBR] 214e2c171bfd7b1ed22d9e09f136746e
[BSP] 0885be81cc915c2a066451995cdfd914 : MBR Code unknown
Partition table:
0 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 778135908 | Size: 557377 MB
1 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 168689522 | Size: 945326 MB
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 1869881465 | Size: 945326 MB
3 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): -1409286144 | Size: 27 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )
Finished : << RKreport[0]_S_03272014_183428.txt >>
MiniToolBox log:
MiniToolBox by Farbar Version: 23-01-2014
Ran by ATS (administrator) on 27-03-2014 at 18:42:34
Running from "C:\Documents and Settings\ATS\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= IP Configuration: ================================
Atheros L2 Fast Ethernet 10/100 Base-T Controller = Local Area Connection 7 (Connected)
# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip
# Interface IP Configuration for "Local Area Connection 7"
set address name="Local Area Connection 7" source=dhcp
set dns name="Local Area Connection 7" source=dhcp register=PRIMARY
set wins name="Local Area Connection 7" source=dhcp
popd
# End of interface IP configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : PWIcp005
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros L2 Fast Ethernet 10/100 Base-T Controller
Physical Address. . . . . . . . . : 00-1F-C6-A0-58-07
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.98.153
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host google.com. Please check the name and try again.
Server: UnKnown
Address: 127.0.0.1
Ping request could not find host yahoo.com. Please check the name and try again.
Pinging ø˜ with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for :
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1f c6 a0 58 07 ...... Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 169.254.98.153 169.254.98.153 20
169.254.98.153 255.255.255.255 127.0.0.1 127.0.0.1 20
169.254.255.255 255.255.255.255 169.254.98.153 169.254.98.153 20
224.0.0.0 240.0.0.0 169.254.98.153 169.254.98.153 20
255.255.255.255 255.255.255.255 169.254.98.153 169.254.98.153 1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\PCProtect.dll [File not found] ()
Catalog9 02 C:\WINDOWS\system32\PCProtect.dll [File not found] ()
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\WINDOWS\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\WINDOWS\system32\PCProtect.dll [File not found] ()
========================= Event log errors: ===============================
Application errors:
==================
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrMfNet:: OpenUDPServer Error
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrNet:: OpenUDP_Server socket INVALID
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrMfNet:: OpenUDPServer Error
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrNet:: OpenUDP_Server socket INVALID
Error: (03/25/2014 09:00:02 PM) (Source: Application Error) (User: )
Description: Faulting application frst.exe, version 3.3.10.2, faulting module frst.exe, version 3.3.10.2, fault address 0x0001fcbe.
Processing media-specific event for [frst.exe!ws!]
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrMfNet:: OpenUDPServer Error
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog) (User: )
Description: STI BrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrNet:: OpenUDP_Server socket INVALID
System errors:
=============
Error: (03/27/2014 06:22:46 PM) (Source: DCOM) (User: PWICP005)
Description: The server {4991D34B-80A1-4291-83B6-3328366B9097} did not register with DCOM within the required timeout.
Error: (03/27/2014 06:22:16 PM) (Source: Service Control Manager) (User: )
Description: The BITS service terminated with service-specific error 2147952506 (0x8007277A).
Error: (03/27/2014 05:27:01 PM) (Source: Service Control Manager) (User: )
Description: The Automatic Updates service terminated with the following error:
%%2147952506
Error: (03/27/2014 05:27:01 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service terminated with the following error:
%%10106
Error: (03/25/2014 09:00:33 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}
Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AFD
Fips
i8042prt
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip
WS2IFSL
Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31
Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31
Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:
%%31
Error: (03/25/2014 08:59:48 PM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:
%%31
Microsoft Office Sessions:
=========================
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrMfNet:: OpenUDPServer Error
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.156]: [00001108]: BrNet:: OpenUDP_Server socket INVALID
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrMfNet:: OpenUDPServer Error
Error: (03/27/2014 05:27:01 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/27 17:27:01.140]: [00001108]: BrNet:: OpenUDP_Server socket INVALID
Error: (03/25/2014 09:00:02 PM) (Source: Application Error)(User: )
Description: frst.exe3.3.10.2frst.exe3.3.10.20001fcbe
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: ---- Monitor Thread OpenBrNetUDP_Server Error ----
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrMfNet:: OpenUDPServer Error
Error: (03/25/2014 08:55:49 PM) (Source: Brother BrLog)(User: )
Description: STIBrtSTI: [2014/03/25 20:55:49.453]: [00001004]: BrNet:: OpenUDP_Server socket INVALID
========================= Devices: ================================
Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Class Guid: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
**** End of log ****
The FSS log:
Farbar Service Scanner Version: 25-02-2014
Ran by ATS (administrator) on 27-03-2014 at 18:57:45
Running from "C:\Documents and Settings\ATS\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Other Services:
==============
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.
**** End of log ****