RogueKiller V8.4.1 _x64_ [Dec 23 2012] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Piotr [Admin rights]
Mode : Remove -- Date : 12/24/2012 10:49:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 00000008.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\00000008.@ --> REMOVED
[Del.Parent][FILE] 000000cb.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\000000cb.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\80000032.@ --> REMOVED
[Del.Parent][FILE] 80000064.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\L\201d3dde --> REMOVED
[Del.Parent][FILE] 76603ac3 : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\L\76603ac3 --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> REMOVED AT REBOOT
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS543232L9A300 ATA Device +++++
--- User ---
[MBR] 7d6ce1e79e88850520bdc745bf93df25
[BSP] c83f6d3cdea8c218388548da794008b8 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 12997 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26619705 | Size: 152625 Mo
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 339196410 | Size: 139619 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Hitachi HTS543232L9A300 ATA Device +++++
--- User ---
[MBR] 232a11031020a9d30a525e00b1e7be8a
[BSP] e6c2cebec9d5914c6fe029aa4b621d92 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152621 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 312569856 | Size: 152620 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
--- User ---
[MBR] b4dcf71d66e0b46e9a4a8510b19cda02
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT32 (0x0b) [VISIBLE] Offset (sectors): 53 | Size: 499 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_D_12242012_02d1049.txt >>
RKreport[1]_S_12242012_02d1045.txt ; RKreport[2]_D_12242012_02d1049.txt
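The report above is flat tool output, and the items a responder actually has to follow up on are scattered through it: entries marked "AT REBOOT" were only scheduled, not yet cleaned; the ZeroAccess entries all hang off one C:\Windows\Installer\{GUID} directory; and the MBR check flags a hidden 0x1c partition that RogueKiller did not touch. The following Python is an added example, not RogueKiller's own code, that parses the three RKreport line formats visible on this page ([detector][FILE|FOLDER] lines, [HJ ...] registry lines, and partition-table lines) and pulls those items out. The sample text is a handful of lines copied from the report; the regexes are assumptions drawn from that format and may need adjusting for other RogueKiller versions.

```python
"""Parse a RogueKiller RKreport and pull out the actionable findings.

Added example, not RogueKiller's own code: the regexes are assumptions drawn
from the report format seen on this page and may need adjusting elsewhere.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: a handful of lines taken from the RKreport above.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 4 ¤¤¤
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U\00000004.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{f4acd382-0f4f-d369-25ee-5598fa3a3fc9}\U --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)
¤¤¤ MBR Check: ¤¤¤
0 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 63 | Size: 12997 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 26619705 | Size: 152625 Mo
"""

# "[detector][FILE|FOLDER] name : path --> VERB [AT REBOOT] [(source)]"
FILE_RE = re.compile(r"^\[(?P<detector>[^\]]+)\]\[(?P<kind>FILE|FOLDER)\]\s+(?P<name>.+?)\s+:\s+"
                     r"(?P<path>.+?)\s+-->\s+(?P<action>.+)$")
ACTION_RE = re.compile(r"^(?P<verb>[A-Z]+)(?P<reboot>\s+AT\s+REBOOT)?(?:\s+\((?P<source>.+)\))?$")
# "[detector] HKxx\...\Key : value (old) -> VERB (new)"
REG_RE = re.compile(r"^\[(?P<detector>[^\]]+)\]\s+(?P<key>HK\w+\\.+?)\s+:\s+(?P<value>.+?)\s+"
                    r"\((?P<old>\d+)\)\s+->\s+(?P<verb>[A-Z]+)\s+\((?P<new>\d+)\)$")
# "n - [FLAG] FS (0xTYPE) [VISIBLE|HIDDEN!] Offset (sectors): N | Size: N Mo"
PART_RE = re.compile(r"^(?P<index>\d+)\s+-\s+\[[^\]]+\]\s+(?P<fs>\S+)\s+\((?P<ptype>0x[0-9a-fA-F]+)\)\s+"
                     r"\[(?P<vis>[^\]]+)\]\s+Offset \(sectors\):\s+\d+\s+\|\s+Size:\s+(?P<size>\d+)\s+Mo$")
# ZeroAccess staging directory as it appears in this report: C:\Windows\Installer\{GUID}
INSTALLER_ROOT_RE = re.compile(r"^(?P<root>[A-Za-z]:\\Windows\\Installer\\\{[0-9a-fA-F-]{36}\})(?:\\|$)")


@dataclass
class FileFinding:
    detector: str
    kind: str
    name: str
    path: str
    verb: str
    pending_reboot: bool      # True when RogueKiller could only schedule the action
    source: Optional[str]     # where a REPLACED file was restored from (winsxs copy)


@dataclass
class RegistryFinding:
    detector: str
    key: str
    value: str
    old: int
    new: int


@dataclass
class Partition:
    index: int
    fs: str
    ptype: str
    hidden: bool
    size_mb: int


def parse_report(text):
    """Return {"files": [...], "registry": [...], "partitions": [...]} for one RKreport."""
    files, registry, partitions = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            a = ACTION_RE.match(m["action"])
            files.append(FileFinding(m["detector"], m["kind"], m["name"], m["path"],
                                     a["verb"] if a else m["action"],
                                     bool(a and a["reboot"]), a["source"] if a else None))
        elif m := REG_RE.match(line):
            registry.append(RegistryFinding(m["detector"], m["key"], m["value"],
                                            int(m["old"]), int(m["new"])))
        elif m := PART_RE.match(line):
            partitions.append(Partition(int(m["index"]), m["fs"], m["ptype"],
                                        m["vis"].startswith("HIDDEN"), int(m["size"])))
    return {"files": files, "registry": registry, "partitions": partitions}


def pending_reboot(files):
    """Paths the tool could not touch while running: re-check these after the restart."""
    return [f.path for f in files if f.pending_reboot]


def installer_roots(files):
    """Distinct Installer\\{GUID} directories referenced by ZeroAccess findings."""
    return {m["root"] for f in files if f.detector == "ZeroAccess"
            if (m := INSTALLER_ROOT_RE.match(f.path))}


def hidden_partitions(partitions):
    return [p for p in partitions if p.hidden]


def replaced_from(files, name):
    """Source path a REPLACED file was restored from, or None if it was not replaced."""
    for f in files:
        if f.name.lower() == name.lower() and f.verb == "REPLACED":
            return f.source
    return None


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for f in report["files"]:
        print(f"{f.detector:11} {f.verb:9} {'after reboot' if f.pending_reboot else '':13} {f.path}")
    print("ZeroAccess roots:", installer_roots(report["files"]))
    print("hidden partitions:", [(p.index, p.ptype) for p in hidden_partitions(report["partitions"])])
    print("services.exe restored from:", replaced_from(report["files"], "services.exe"))
```

Running it against the sample gives the three "AT REBOOT" paths to verify after restart, the single Installer\{GUID} root that the U and L subfolders and the @ file belong to, partition 0 as the hidden one, and the winsxs path services.exe was restored from; pointing it at a full RKreport works the same way because the line formats are identical.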