RogueKiller scan complete. Killed Poweliks
RogueKiller V9.2.11.0 [Sep 9 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : gloria [Admin rights]
Mode : Remove -- Date : 09/20/2014 18:13:40
¤¤¤ Bad processes : 1 ¤¤¤
[Tr.Poweliks] dllhost.exe -- [x] -> KILLED [TermProc]
¤¤¤ Registry Entries : 19 ¤¤¤
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\catchme (\??\C:\Users\gloria\AppData\Local\Temp\catchme.sys) -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme (\??\C:\Users\gloria\AppData\Local\Temp\catchme.sys) -> NOT SELECTED
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\catchme (\??\C:\Users\gloria\AppData\Local\Temp\catchme.sys) -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66D33798-47C6-44D6-8E05-509506CD34CB} | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{66D33798-47C6-44D6-8E05-509506CD34CB} | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{66D33798-47C6-44D6-8E05-509506CD34CB} | DhcpNameServer : 192.168.1.1 68.105.28.12 68.105.29.12 -> NOT SELECTED
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> NOT SELECTED
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-21-3885203856-4265272387-2641246387-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/?fr=befhp&type=iehp-3.2-1308 -> NOT SELECTED
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3885203856-4265272387-2641246387-1000\Software\Microsoft\Internet Explorer\Main | Search Page : -> NOT SELECTED
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> NOT SELECTED
[Tr.Poweliks] HKEY_USERS\S-1-5-21-3885203856-4265272387-2641246387-1000\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} -> DELETED
¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \\{BFDBC783-9AB4-7536-F046-4AF1D0999B64} -- C:\Windows\system32\regsvr32.exe (/s "C:\Users\gloria\AppData\Roaming\wxejrt.dll") -> DELETED
[Suspicious.Path] \Leader Technologies\PowerRegister\Seagate Product Registration (gloria) -- C:\Users\gloria\AppData\Roaming\Leadertech\PowerRegister\Seagate Product Registration.exe (/remind /language=ENU /BRND="Seagate" /BDSR="Seagate") -> DELETED
¤¤¤ Files : 0 ¤¤¤
¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
¤¤¤ Antirootkit : 45 (Driver: LOADED) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x866653d8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86665470
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[18] : Unknown @ 0x86665ad0
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[21] : Unknown @ 0x8645d158
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[42] : Unknown @ 0x86b22e20
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[67] : Unknown @ 0x86665200
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[77] : Unknown @ 0x86b22c18
[SSDT:Addr(Hook.SSDT)] NtCreateThread[78] : Unknown @ 0x86941080
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[116] : Unknown @ 0x86b22eb8
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[129] : Unknown @ 0x86665c10
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[147] : Unknown @ 0x86665960
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[156] : Unknown @ 0x866652a8
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[158] : Unknown @ 0x86665340
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[165] : Unknown @ 0x8640a520
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[177] : Unknown @ 0x866658a8
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[184] : Unknown @ 0x86665168
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[194] : Unknown @ 0x86665ce0
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[195] : Unknown @ 0x86665b78
[SSDT:Addr(Hook.SSDT)] NtOpenSection[197] : Unknown @ 0x86665038
[SSDT:Addr(Hook.SSDT)] NtOpenThread[201] : Unknown @ 0x86665c98
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[210] : Unknown @ 0x86b22d78
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[255] : Unknown @ 0x86b22b70
[SSDT:Addr(Hook.SSDT)] NtResumeThread[282] : Unknown @ 0x86665508
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[289] : Unknown @ 0x866656d0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[305] : Unknown @ 0x86665768
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[317] : Unknown @ 0x86b22f50
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[330] : Unknown @ 0x866650d0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[331] : Unknown @ 0x866655a0
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[334] : Unknown @ 0x8657a030
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[335] : Unknown @ 0x86665638
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[348] : Unknown @ 0x86665810
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[358] : Unknown @ 0x86665a08
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[382] : Unknown @ 0x86b22cc0
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[317] : Unknown @ 0x85dbb1e8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[397] : Unknown @ 0x86cc52a8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[428] : Unknown @ 0x86cc5230
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[430] : Unknown @ 0x86d30b58
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[442] : Unknown @ 0x85dbb3f0
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[479] : Unknown @ 0x86d73eb0
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[497] : Unknown @ 0x86d73fc0
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[498] : Unknown @ 0x86d73f38
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[573] : Unknown @ 0x86b34600
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[576] : Unknown @ 0x86e63b90
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\PxHelp20 @ Unknown (\SystemRoot\system32\drivers\NIS\1505000.013\SYMEFA.SYS)
[Filter(Kernel.Filter)] \Driver\atapi @ Unknown : \Driver\cdrom @ \Device\CdRom0 (\SystemRoot\system32\drivers\NETIO.SYS)
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 8227d0658481e5cae5887857205b42c1
[BSP] 2552b2d2227b2ea2b3c92a526a1a6f5d : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 296331 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 606887505 | Size: 8911 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive5: +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
============================================
RKreport_SCN_09202014_180823.log
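The report above shows the two Poweliks persistence points RogueKiller removed: a per-user COM class registered under HKCU\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} (a COM server registered per-user is loaded by dllhost.exe, which is why dllhost.exe was the process it killed) and a GUID-named scheduled task that ran regsvr32.exe /s on C:\Users\gloria\AppData\Roaming\wxejrt.dll. The report lists "Files : 0", so it does not say whether that DLL is still on disk. The script below is an added post-cleanup check for re-running after a reboot; it is not part of the post or of RogueKiller's output. The CLSID, task action and DLL path are taken from the log; the variable names, the regsvr32/AppData and GUID-name heuristics and the SHA-256 step are assumptions. It is written for Windows PowerShell 2.0, which is what Vista has, so it uses schtasks.exe rather than Get-ScheduledTask and .NET rather than Get-FileHash.

```powershell
# Added post-cleanup triage check; not part of the RogueKiller report above.
# Re-verifies the Poweliks persistence points the report says it removed.
# Values marked (from log) come from the report; everything else is an assumption.

$ClsidOfInterest = '{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}'    # (from log) per-user CLSID RogueKiller deleted
$DllOfInterest   = 'C:\Users\gloria\AppData\Roaming\wxejrt.dll' # (from log) DLL the deleted task fed to regsvr32 /s

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4.0, so hash through .NET instead.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Per-user COM class registrations.
#    HKCU\Software\Classes\CLSID is merged ahead of the HKLM copy, is writable
#    without admin rights, and an out-of-process server registered there is
#    hosted by dllhost.exe. Any entry here deserves a look; the Poweliks CLSID
#    coming back means the cleanup did not hold.
$hkcuClsid = 'HKCU:\Software\Classes\CLSID'
$comHits   = @()
if (Test-Path (Join-Path $hkcuClsid $ClsidOfInterest)) {
    Write-Warning "Poweliks CLSID $ClsidOfInterest is back under HKCU\Software\Classes\CLSID"
}
if (Test-Path $hkcuClsid) {
    foreach ($key in Get-ChildItem $hkcuClsid) {
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            $subKey = Join-Path $key.PSPath $sub
            if (Test-Path $subKey) {
                $comHits += New-Object PSObject -Property @{
                    CLSID   = $key.PSChildName
                    Server  = $sub
                    Command = (Get-ItemProperty $subKey).'(default)'
                    Flag    = $(if ($key.PSChildName -eq $ClsidOfInterest) { 'POWELIKS' } else { 'review' })
                }
            }
        }
    }
}
'--- per-user COM servers (HKCU\Software\Classes\CLSID) ---'
$comHits | Format-Table CLSID, Server, Flag, Command -AutoSize

# 2. Scheduled tasks whose action is regsvr32 /s on a DLL in the user profile,
#    or whose name is a bare GUID (both true of the task the report deleted).
#    schtasks /v /fo CSV repeats its header per task folder, so drop those rows.
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }
$taskHits = $tasks | Where-Object {
    ($_.'Task To Run' -match 'regsvr32' -and $_.'Task To Run' -match 'AppData') -or
    ($_.TaskName -match '^\\?\{[0-9A-Fa-f-]{36}\}$')
}
'--- suspicious scheduled tasks ---'
$taskHits | Format-Table TaskName, Status, 'Run As User', 'Task To Run' -AutoSize

# 3. The DLL the deleted task loaded. The report does not say whether it still exists.
if (Test-Path $DllOfInterest) {
    Write-Warning ("{0} still present, SHA-256 {1}" -f $DllOfInterest, (Get-Sha256Hex $DllOfInterest))
} else {
    "$DllOfInterest not present"
}
```

Run it from the affected user's session, since section 1 reads that user's HKCU; a second user profile would need its own pass. Two of the NOT SELECTED items are worth knowing about when reading the rest of the report: the three catchme service entries point at the driver the GMER anti-rootkit scanner (also bundled in ComboFix) drops in %TEMP%, and the SSDT entries marked Unknown are the kind of hooks an installed security suite places (the filter line names SYMEFA.SYS from the NIS directory), but the report itself attributes neither, so confirm against what is actually installed before treating them as findings.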