TechSpot

Windows encountered critical problems

Resolved
By Vilfocry
Oct 16, 2012
Topic Status:
Not open for further replies.
  1. Like the other's case

    When I turn on my computer this message always disturbs me, but when I try to log in in Safe Mode, it's totally safe.
    I have tried to use "System Restore" 3 times, and it just makes my computer work better gradually.

    What should I do then? I use this computer for business and I'm nothing without it.
  2. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-10-2012
    Ran by SYSTEM at 16-10-2012 15:56:18
    Running from I:\
    Windows 7 Professional (X86) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [AdVantage Setup] D:\Program Files\DAEMON Tools\AdVantageSetup.exe [x]
    HKU\Alfi\...\Run: [syhim] I:\Users\Alfi\syhim.exe [225792 2010-09-22] ()
    HKU\Alfi\...\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 [171464 2007-08-29] (DT Soft Ltd.)
    HKU\Alfi\...\Run: [DAEMON Tools Lite] "J:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [x]

    ==================== Services (Whitelisted) ===================

    2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2011-01-23] ()

    ==================== Drivers (Whitelisted) ====================

    3 Atc002; C:\Windows\System32\DRIVERS\l260x86.sys [29184 2009-07-13] (Atheros Communications, Inc.)
    0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-11-27] (Duplex Secure Ltd.)

    ==================== NetSvcs (Whitelisted) ===================


    ==================== One Month Created Files and Folders ========



    ==================== 3 Months Modified Files ==================


    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\explorer.exe
    [2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================


    ==================== Memory info ===========================

    Percentage of memory in use: 20%
    Total physical RAM: 1911.12 MB
    Available physical RAM: 1524.83 MB
    Total Pagefile: 1911.12 MB
    Available Pagefile: 1525.16 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1970.3 MB

    ==================== Partitions =============================

    1 Drive c: (System) (Fixed) (Total:73.24 GB) (Free:26.7 GB) NTFS
    2 Drive e: (Data) (Fixed) (Total:75.8 GB) (Free:44.41 GB) NTFS
    3 Drive f: () (Fixed) (Total:97.56 GB) (Free:28.55 GB) NTFS
    4 Drive g: (New Volume) (Fixed) (Total:368.1 GB) (Free:282.58 GB) NTFS
    6 Drive I: () (Removable) (Total:14.91 GB) (Free:0.79 GB) NTFS
    7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 1024 KB
    Disk 1 Online 149 GB 8 MB
    Disk 2 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 97 GB 101 MB
    Partition 3 Primary 368 GB 97 GB

    =========================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 F NTFS Partition 97 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 G New Volume NTFS Partition 368 GB Healthy

    =========================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 73 GB 31 KB
    Partition 0 Extended 75 GB 73 GB
    Partition 2 Logical 75 GB 73 GB

    =========================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 C System NTFS Partition 73 GB Healthy

    =========================================================

    Disk: 1
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 E Data NTFS Partition 75 GB Healthy

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 16 KB

    =========================================================

    Disk: 2
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 6 I NTFS Removable 14 GB Healthy

    =========================================================

    Last Boot: 2011-05-30 00:21

    ==================== End Of Log ============================
  3. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Farbar Recovery Scan Tool (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-16 16:07:24
    Running from I:\

    ================== Search: "services.exe" ===================

    C:\Windows.old\Windows\system32\services.exe
    [2004-08-03 14:56] - [2004-08-03 14:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\Windows.old\Windows\system32\dllcache\services.exe
    [2004-08-03 14:56] - [2004-08-03 14:56] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    C:\Windows\System32\services.exe
    [2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

    === End Of Search ===
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.


    Go back to FRST main screen, type explorer.exe in the search box, and press the search button. I'll need the log from the search, please. :)
  5. Vilfocry

    Vilfocry TS Rookie Topic Starter

    So the content of Search.txt will be replaced by the new search...
    This is the result...


    Farbar Recovery Scan Tool (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-17 21:07:00
    Running from I:\

    ================== Search: "explorer.exe" ===================

    C:\Windows.old\Windows\explorer.exe
    [2004-08-03 14:56] - [2004-08-03 14:56] - 1050112 ____A (Microsoft Corporation) 9AA83544DF07DCD8848F766F35D0FF68

    C:\Windows.old\Windows\system32\dllcache\explorer.exe
    [2004-08-03 14:56] - [2004-08-03 14:56] - 1032192 ___AC (Microsoft Corporation) A0732187050030AE399B241436565E64

    C:\Windows\explorer.exe
    [2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

    C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
    [2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

    === End Of Search ===
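The search results above are what the helper compares before deciding whether to replace a system file from the WinSxS component store. As an added example (not FRST's code and not anything posted in this thread), here is a small Python triage script that parses FRST's Search block format, takes the WinSxS copy as the reference, and reports which other copies differ; the sample log is constructed to match the explorer.exe output above, and the second variant, in which the live copy has been swapped for a file with a placeholder hash and no publisher, is constructed as well.

```python
"""Triage FRST "Search:" output: compare every copy of a system binary against the
WinSxS component-store copy (added example; not FRST's code nor from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the layout FRST printed for the explorer.exe search above:
# a path line, then "[created] - [modified] - size attrs (company) MD5".
SAMPLE_LOG = """\
Farbar Recovery Scan Tool (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-17 21:07:00
Running from I:\\

================== Search: "explorer.exe" ===================

C:\\Windows.old\\Windows\\explorer.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 1050112 ____A (Microsoft Corporation) 9AA83544DF07DCD8848F766F35D0FF68

C:\\Windows\\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

C:\\Windows\\winsxs\\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

=== End Of Search ===
"""

# Constructed variant of the same search in which the live copy has been replaced:
# different timestamps, size and hash, and no company name (the MD5 is a placeholder).
TAMPERED_LOG = SAMPLE_LOG.replace(
    "C:\\Windows\\explorer.exe\n[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A "
    "(Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1",
    "C:\\Windows\\explorer.exe\n[2012-10-15 03:12] - [2012-10-15 03:12] - 0225792 ____A "
    "() 00000000000000000000000000000000",
)

SEARCH_RE = re.compile(r'^=+ Search: "(?P<name>[^"]+)" =+$')
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileCopy:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_search(text):
    """Return (searched file name, list of FileCopy) from one FRST search block."""
    name, copies, pending = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            name = m.group("name")
            continue
        if PATH_RE.match(line):
            pending = line  # the detail line for this path follows
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            copies.append(FileCopy(pending, m["created"], m["modified"], int(m["size"]),
                                   m["attrs"], m["company"], m["md5"].upper()))
            pending = None
    if name is None:
        raise ValueError("no 'Search:' header found")
    return name, copies


def triage(copies):
    """Compare each copy against the WinSxS component-store copy.

    Returns (reference, {path: verdict}). A copy under Windows.old belongs to a
    previous OS install and is expected to differ; any other differing copy is the
    one a helper would look at replacing from WinSxS, as was done in this thread.
    """
    ref = next((c for c in copies if "\\winsxs\\" in c.path.lower()), None)
    if ref is None:
        raise ValueError("no WinSxS reference copy in the search output")
    verdicts = {}
    for c in copies:
        if c is ref:
            continue
        if c.md5 == ref.md5 and c.size == ref.size:
            verdicts[c.path] = "matches winsxs"
        elif "\\windows.old\\" in c.path.lower():
            verdicts[c.path] = "differs (Windows.old)"
        else:
            verdicts[c.path] = "DIFFERS from winsxs" + ("" if c.company else ", no publisher")
    return ref, verdicts


def live_mismatches(text):
    """Paths of in-use copies whose size or MD5 does not match the component store."""
    _, copies = parse_search(text)
    _, verdicts = triage(copies)
    return sorted(p for p, v in verdicts.items() if v.startswith("DIFFERS"))


if __name__ == "__main__":
    for label, log in (("clean", SAMPLE_LOG), ("tampered", TAMPERED_LOG)):
        name, copies = parse_search(log)
        ref, verdicts = triage(copies)
        print(f"[{label}] {name}: reference {ref.md5} from {ref.path}")
        for path, verdict in verdicts.items():
            print(f"  {verdict:<34} {path}")
```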
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please download attached fixlist.txt below, and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.


  7. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-10-2012
    Ran by SYSTEM at 2012-10-18 06:32:44 Run:1
    Running from I:\

    ==============================================

    C:\Windows\explorer.exe moved successfully.
    C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe copied successfully to C:\Windows\explorer.exe

    ==== End of Fixlog ====
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Can you let me know if the computer stays on without the critical problem reboot? :)
  9. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Sorry, I have just read that part.

    Tonight my lil brother used it and there was still the "critical problem reboot" message, and then several hours later I turned it on and it worked better, but I'm still not sure everything has been solved.

    This morning I tried to turn it on again and there was a "Critical problem reboot" message. I restarted it 3 times and then the message did not come again (but I can't connect to the internet, although it shows as connected in the taskbar). Oh, when I was restarting the computer for the second time there was a message like this:

    C:\windows\system32\ac82.exe
    The NTVDM CPU has encountered an illegal instruction
    Cs:05rd IP:0208 OP:63 61 22 20 73 Choose 'close' to terminate the application

    I don't know exactly what happened. Does this message have a connection with my "Critical problem reboot" message?
    What should I do then, Mr. DragonMaster Jay?
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's try next steps, please...

    ComboFix scan

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  11. Vilfocry

    Vilfocry TS Rookie Topic Starter

    I have downloaded it and it can't be opened. I've tried to burn ComboFix.exe onto a CD-RW, but the result is the same as when I open it from my removable disk. Sorry, I uploaded a pict, because I don't know what I should do with this problem.
    It appears when I run ComboFix; after a while this message popped up.

    How to solve this, Master Jay?
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Oh, that's not good there...

    RogueKiller Scan

    • Download RogueKiller and save it on your desktop.
    • Quit all programs
    • Start RogueKiller.exe.
    • Wait until Prescan has finished ...
    • Click on Scan

    • Wait for the end of the scan.
    • The report has been created on the desktop.
    • Click on the Delete button.

    • The report has been created on the desktop.
    • Next click on the ShortcutsFix

    • The report has been created on the desktop.
    Please post:

    All RKreport.txt text files located on your desktop.
  13. Vilfocry

    Vilfocry TS Rookie Topic Starter

    RogueKiller V8.1.1 [10/01/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : Win7 [Admin rights]
    Mode : Scan -- Date : 10/21/2012 07:08:10

    ¤¤¤ Bad processes : 32 ¤¤¤
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 151 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> FOUND
    [RUN][HJNAME] HKCU\[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> FOUND
    [RUN][HJNAME] HKCU\[...]\Run : svchosta (C:\Windows\svchost.exe) -> FOUND
    [RUN][HJNAME] HKCU\[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> FOUND
    [RUN][SUSP PATH] HKCU\[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : hotnomjyzoby (C:\ProgramData\hotnomjyzoby.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : beanifkeafal (C:\ProgramData\beanifkeafal.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : pibmyrpimqaq (C:\ProgramData\pibmyrpimqaq.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : qykopigturuq (C:\ProgramData\qykopigturuq.exe) -> FOUND
    [RUN][HJNAME] HKLM\[...]\Run : Windows Media Center (C:\Windows\smss.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : xadweffumdeq (C:\ProgramData\xadweffumdeq.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : hwpfvisxt (C:\Users\Win7\nprtjb.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : conx (C:\Windows\System32\config\systemprofile\AppData\Roaming\wb2ek.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : jafatgortycx (C:\ProgramData\jafatgortycx.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : koxyfyvobnog (C:\ProgramData\koxyfyvobnog.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : vyfalperyfir (C:\ProgramData\vyfalperyfir.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : daxixreameam (C:\ProgramData\daxixreameam.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : qyftegoblari (C:\ProgramData\qyftegoblari.exe) -> FOUND
    [RUN][SUSP PATH] HKLM\[...]\Run : senamakaqjus (C:\ProgramData\senamakaqjus.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : svchosta (C:\Windows\svchost.exe) -> FOUND
    [RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> FOUND
    [RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\\Run : 3289 (C:\PROGRA~2\LOCALS~1\Temp\msjkourh.scr) -> FOUND
    [SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> FOUND
    [SHELL][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> FOUND
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> FOUND
    [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> FOUND
    [STARTUP][SUSP PATH] 0llfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llfv9q.exe -> FOUND
    [STARTUP][SUSP PATH] 0qql1fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qql1fa.exe -> FOUND
    [STARTUP][SUSP PATH] 0vq0k0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vq0k0k.exe -> FOUND
    [STARTUP][SUSP PATH] 1aqql1f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqql1f.exe -> FOUND
    [STARTUP][SUSP PATH] 1fv9qql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fv9qql.exe -> FOUND
    [STARTUP][SUSP PATH] 1gaaaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1gaaaav.exe -> FOUND
    [STARTUP][SUSP PATH] 1qkkfv9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qkkfv9.exe -> FOUND
    [STARTUP][SUSP PATH] 1qqlaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qqlaav.exe -> FOUND
    [STARTUP][SUSP PATH] 21aavvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21aavvq.exe -> FOUND
    [STARTUP][SUSP PATH] 21lgwwq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21lgwwq.exe -> FOUND
    [STARTUP][SUSP PATH] 2kkfvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2kkfvvq.exe -> FOUND
    [STARTUP][SUSP PATH] 31faqq1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31faqq1.exe -> FOUND
    [STARTUP][SUSP PATH] 31pkaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31pkaa1.exe -> FOUND
    [STARTUP][SUSP PATH] 3kkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3kkfv98.exe -> FOUND
    [STARTUP][SUSP PATH] 4fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fvvqff.exe -> FOUND
    [STARTUP][SUSP PATH] 4v2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v2qlaa.exe -> FOUND
    [STARTUP][SUSP PATH] 5faavqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5faavqq.exe -> FOUND
    [STARTUP][SUSP PATH] 5kkfv9f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5kkfv9f.exe -> FOUND
    [STARTUP][SUSP PATH] 5lvvqg0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lvvqg0.exe -> FOUND
    [STARTUP][SUSP PATH] 6g6avqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6g6avqq.exe -> FOUND
    [STARTUP][SUSP PATH] 7vqllf5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7vqllf5.exe -> FOUND
    [STARTUP][SUSP PATH] 9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9a0vq0k.exe -> FOUND
    [STARTUP][SUSP PATH] 9q7lflq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9q7lflq.exe -> FOUND
    [STARTUP][SUSP PATH] a1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1vqggaav.exe -> FOUND
    [STARTUP][SUSP PATH] a2qlaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2qlaa1llg.exe -> FOUND
    [STARTUP][SUSP PATH] a8ql1faavla.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ql1faavla.exe -> FOUND
    [STARTUP][SUSP PATH] aa1llggbqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1llggbqql.exe -> FOUND
    [STARTUP][SUSP PATH] aa1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1vqggaav.exe -> FOUND
    [STARTUP][SUSP PATH] aavk4fvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavk4fvvq.exe -> FOUND
    [STARTUP][SUSP PATH] aavllfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9q.exe -> FOUND
    [STARTUP][SUSP PATH] aavllfv9qqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9qqq.exe -> FOUND
    [STARTUP][SUSP PATH] akaqffaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akaqffaav.exe -> FOUND
    [STARTUP][SUSP PATH] aqffaavllf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqffaavllf.exe -> FOUND
    [STARTUP][SUSP PATH] av5q2ga2427.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av5q2ga2427.exe -> FOUND
    [STARTUP][SUSP PATH] av9q0lg0a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av9q0lg0a.exe -> FOUND
    [STARTUP][SUSP PATH] avkkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avkkfv98.exe -> FOUND
    [STARTUP][SUSP PATH] avqq7lgaavv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avqq7lgaavv.exe -> FOUND
    [STARTUP][SUSP PATH] fa2qlaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa2qlaa1.exe -> FOUND
    [STARTUP][SUSP PATH] faa7vqll.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faa7vqll.exe -> FOUND
    [STARTUP][SUSP PATH] faavqq6kf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faavqq6kf.exe -> FOUND
    [STARTUP][SUSP PATH] fappkkfvvp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fappkkfvvp.exe -> FOUND
    [STARTUP][SUSP PATH] faqqkkfkvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faqqkkfkvq.exe -> FOUND
    [STARTUP][SUSP PATH] fav9faav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fav9faav.exe -> FOUND
    [STARTUP][SUSP PATH] ffvvqf9a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffvvqf9a0.exe -> FOUND
    [STARTUP][SUSP PATH] fv9qqlf9a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fv9qqlf9a.exe -> FOUND
    [STARTUP][SUSP PATH] fvvqf9a0vq0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vq0.exe -> FOUND
    [STARTUP][SUSP PATH] fvvqf9a0vqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vqq.exe -> FOUND
    [STARTUP][SUSP PATH] g6avqq7lg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6avqq7lg.exe -> FOUND
    [STARTUP][SUSP PATH] gbqqlb98wq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbqqlb98wq.exe -> FOUND
    [STARTUP][SUSP PATH] gvvqg0a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvvqg0a0.exe -> FOUND
    [STARTUP][SUSP PATH] kf5a2qkaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf5a2qkaa.exe -> FOUND
    [STARTUP][SUSP PATH] kf9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf9a0vq0k.exe -> FOUND
    [STARTUP][SUSP PATH] kff6ppk2.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kff6ppk2.exe -> FOUND
    [STARTUP][SUSP PATH] kffaq0k0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kffaq0k0.exe -> FOUND
    [STARTUP][SUSP PATH] l5fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l5fvvqff.exe -> FOUND
    [STARTUP][SUSP PATH] l98gav9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l98gav9q.exe -> FOUND
    [STARTUP][SUSP PATH] laa1llffa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\laa1llffa.exe -> FOUND
    [STARTUP][SUSP PATH] lg1gaavl98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lg1gaavl98.exe -> FOUND
    [STARTUP][SUSP PATH] lglg16v5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lglg16v5.exe -> FOUND
    [STARTUP][SUSP PATH] llgaavvq7.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llgaavvq7.exe -> FOUND
    [STARTUP][SUSP PATH] llggbqqlb9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llggbqqlb9.exe -> FOUND
    [STARTUP][SUSP PATH] lvvlaaf7vl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvvlaaf7vl.exe -> FOUND
    [STARTUP][SUSP PATH] pffap9k0ppp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffap9k0ppp.exe -> FOUND
    [STARTUP][SUSP PATH] pkaa1kkffaq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkaa1kkffaq.exe -> FOUND
    [STARTUP][SUSP PATH] q6kfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6kfaa7vq.exe -> FOUND
    [STARTUP][SUSP PATH] q7lfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q7lfaa7vq.exe -> FOUND
    [STARTUP][SUSP PATH] q80a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q80a0vqql1g.exe -> FOUND
    [STARTUP][SUSP PATH] qf0a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qf0a0vqql1g.exe -> FOUND
    [STARTUP][SUSP PATH] qffaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qffaqql1.exe -> FOUND
    [STARTUP][SUSP PATH] qk4fvvqf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qk4fvvqf.exe -> FOUND
    [STARTUP][SUSP PATH] ql1gaavl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ql1gaavl.exe -> FOUND
    [STARTUP][SUSP PATH] qlaaaav9vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaaaav9vv.exe -> FOUND
    [STARTUP][SUSP PATH] qlaqlvq4vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqlvq4vv.exe -> FOUND
    [STARTUP][SUSP PATH] qlaqv2ql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2ql.exe -> FOUND
    [STARTUP][SUSP PATH] qlaqv2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2qlaa.exe -> FOUND
    [STARTUP][SUSP PATH] qq1a0vvqf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq1a0vvqf9.exe -> FOUND
    [STARTUP][SUSP PATH] qq7lflqav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq7lflqav.exe -> FOUND
    [STARTUP][SUSP PATH] qqfv5a3laql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqfv5a3laql.exe -> FOUND
    [STARTUP][SUSP PATH] v2qkaa1k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v2qkaa1k.exe -> FOUND
    [STARTUP][SUSP PATH] v8qkf9a0vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v8qkf9a0vq.exe -> FOUND
    [STARTUP][SUSP PATH] vaaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaaa1llg.exe -> FOUND
    [STARTUP][SUSP PATH] vkk1vvqqk.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vkk1vvqqk.exe -> FOUND
    [STARTUP][SUSP PATH] vlgqvgqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlgqvgqql.exe -> FOUND
    [STARTUP][SUSP PATH] vllfv9qqlf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllfv9qqlf9.exe -> FOUND
    [STARTUP][SUSP PATH] vllggaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllggaqql1.exe -> FOUND
    [STARTUP][SUSP PATH] vppvvp5fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vppvvp5fa.exe -> FOUND
    [STARTUP][SUSP PATH] vqgvqgq2gl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqgvqgq2gl.exe -> FOUND
    [STARTUP][SUSP PATH] vqqlgg6av.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqqlgg6av.exe -> FOUND
    [STARTUP][SUSP PATH] vvqllggq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqllggq.exe -> FOUND
    [STARTUP][SUSP PATH] vvqq6aavk4.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqq6aavk4.exe -> FOUND
    [STARTUP][SUSP PATH] wq0lggb1wqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wq0lggb1wqq.exe -> FOUND
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)

    ¤¤¤ Extern Hives: ¤¤¤
    -> E:\windows\system32\config\SOFTWARE
    -> E:\Users\Alfi\NTUSER.DAT
    -> E:\Users\Default\NTUSER.DAT
    -> G:\windows\system32\config\SOFTWARE
    -> G:\Users\Default\NTUSER.DAT
    -> G:\Users\Default User\NTUSER.DAT
    -> G:\Users\WIN7\NTUSER.DAT
    -> G:\Documents and Settings\Default\NTUSER.DAT
    -> G:\Documents and Settings\Default User\NTUSER.DAT
    -> G:\Documents and Settings\WIN7\NTUSER.DAT

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 jL.chura.pl


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3500413AS ATA Device +++++
    --- User ---
    [MBR] ec9ed4657f9d0f42d4c335f0205aac08
    [BSP] 1756590a13b3bb1a236217cdb4feec0c : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376938 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST3160212AS ATA Device +++++
    --- User ---
    [MBR] f6d7a2fa25a9b6433786e133ae7d5b75
    [BSP] 8b1a12dec96d8a7657aeb604cfdbf253 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74998 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 153597465 | Size: 77618 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: SanDisk Cruzer Slice USB Device +++++
    --- User ---
    [MBR] 570422272ced4fad5f334efc4b25fae9
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt
  14. Vilfocry

    Vilfocry TS Rookie Topic Starter

    RogueKiller V8.1.1 [10/01/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : Win7 [Admin rights]
    Mode : Remove -- Date : 10/21/2012 07:10:02

    ¤¤¤ Bad processes : 32 ¤¤¤
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries : 132 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> DELETED
    [RUN][HJNAME] HKCU\[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> DELETED
    [RUN][HJNAME] HKCU\[...]\Run : svchosta (C:\Windows\svchost.exe) -> DELETED
    [RUN][HJNAME] HKCU\[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : hotnomjyzoby (C:\ProgramData\hotnomjyzoby.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : beanifkeafal (C:\ProgramData\beanifkeafal.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : pibmyrpimqaq (C:\ProgramData\pibmyrpimqaq.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : qykopigturuq (C:\ProgramData\qykopigturuq.exe) -> DELETED
    [RUN][HJNAME] HKLM\[...]\Run : Windows Media Center (C:\Windows\smss.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : xadweffumdeq (C:\ProgramData\xadweffumdeq.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : hwpfvisxt (C:\Users\Win7\nprtjb.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : conx (C:\Windows\System32\config\systemprofile\AppData\Roaming\wb2ek.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : jafatgortycx (C:\ProgramData\jafatgortycx.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : koxyfyvobnog (C:\ProgramData\koxyfyvobnog.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : vyfalperyfir (C:\ProgramData\vyfalperyfir.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : daxixreameam (C:\ProgramData\daxixreameam.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : qyftegoblari (C:\ProgramData\qyftegoblari.exe) -> DELETED
    [RUN][SUSP PATH] HKLM\[...]\Run : senamakaqjus (C:\ProgramData\senamakaqjus.exe) -> DELETED
    [RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\\Run : 3289 (C:\PROGRA~2\LOCALS~1\Temp\msjkourh.scr) -> DELETED
    [SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> DELETED
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> DELETED
    [Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> DELETED
    [STARTUP][SUSP PATH] 0llfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llfv9q.exe ->
    [STARTUP][SUSP PATH] 0qql1fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qql1fa.exe ->
    [STARTUP][SUSP PATH] 0vq0k0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vq0k0k.exe ->
    [STARTUP][SUSP PATH] 1aqql1f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqql1f.exe ->
    [STARTUP][SUSP PATH] 1fv9qql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fv9qql.exe ->
    [STARTUP][SUSP PATH] 1gaaaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1gaaaav.exe ->
    [STARTUP][SUSP PATH] 1qkkfv9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qkkfv9.exe ->
    [STARTUP][SUSP PATH] 1qqlaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qqlaav.exe ->
    [STARTUP][SUSP PATH] 21aavvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21aavvq.exe ->
    [STARTUP][SUSP PATH] 21lgwwq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21lgwwq.exe ->
    [STARTUP][SUSP PATH] 2kkfvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2kkfvvq.exe ->
    [STARTUP][SUSP PATH] 31faqq1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31faqq1.exe ->
    [STARTUP][SUSP PATH] 31pkaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31pkaa1.exe ->
    [STARTUP][SUSP PATH] 3kkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3kkfv98.exe ->
    [STARTUP][SUSP PATH] 4fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fvvqff.exe ->
    [STARTUP][SUSP PATH] 4v2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v2qlaa.exe ->
    [STARTUP][SUSP PATH] 5faavqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5faavqq.exe ->
    [STARTUP][SUSP PATH] 5kkfv9f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5kkfv9f.exe ->
    [STARTUP][SUSP PATH] 5lvvqg0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lvvqg0.exe ->
    [STARTUP][SUSP PATH] 6g6avqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6g6avqq.exe ->
    [STARTUP][SUSP PATH] 7vqllf5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7vqllf5.exe ->
    [STARTUP][SUSP PATH] 9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9a0vq0k.exe ->
    [STARTUP][SUSP PATH] 9q7lflq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9q7lflq.exe ->
    [STARTUP][SUSP PATH] a1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1vqggaav.exe ->
    [STARTUP][SUSP PATH] a2qlaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2qlaa1llg.exe ->
    [STARTUP][SUSP PATH] a8ql1faavla.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ql1faavla.exe ->
    [STARTUP][SUSP PATH] aa1llggbqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1llggbqql.exe ->
    [STARTUP][SUSP PATH] aa1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1vqggaav.exe ->
    [STARTUP][SUSP PATH] aavk4fvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavk4fvvq.exe ->
    [STARTUP][SUSP PATH] aavllfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9q.exe ->
    [STARTUP][SUSP PATH] aavllfv9qqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9qqq.exe ->
    [STARTUP][SUSP PATH] akaqffaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akaqffaav.exe ->
    [STARTUP][SUSP PATH] aqffaavllf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqffaavllf.exe ->
    [STARTUP][SUSP PATH] av5q2ga2427.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av5q2ga2427.exe ->
    [STARTUP][SUSP PATH] av9q0lg0a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av9q0lg0a.exe ->
    [STARTUP][SUSP PATH] avkkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avkkfv98.exe ->
    [STARTUP][SUSP PATH] avqq7lgaavv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avqq7lgaavv.exe ->
    [STARTUP][SUSP PATH] fa2qlaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa2qlaa1.exe ->
    [STARTUP][SUSP PATH] faa7vqll.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faa7vqll.exe ->
    [STARTUP][SUSP PATH] faavqq6kf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faavqq6kf.exe ->
    [STARTUP][SUSP PATH] fappkkfvvp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fappkkfvvp.exe ->
    [STARTUP][SUSP PATH] faqqkkfkvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faqqkkfkvq.exe ->
    [STARTUP][SUSP PATH] fav9faav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fav9faav.exe ->
    [STARTUP][SUSP PATH] ffvvqf9a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffvvqf9a0.exe ->
    [STARTUP][SUSP PATH] fv9qqlf9a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fv9qqlf9a.exe ->
    [STARTUP][SUSP PATH] fvvqf9a0vq0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vq0.exe ->
    [STARTUP][SUSP PATH] fvvqf9a0vqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vqq.exe ->
    [STARTUP][SUSP PATH] g6avqq7lg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6avqq7lg.exe ->
    [STARTUP][SUSP PATH] gbqqlb98wq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbqqlb98wq.exe ->
    [STARTUP][SUSP PATH] gvvqg0a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvvqg0a0.exe ->
    [STARTUP][SUSP PATH] kf5a2qkaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf5a2qkaa.exe ->
    [STARTUP][SUSP PATH] kf9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf9a0vq0k.exe ->
    [STARTUP][SUSP PATH] kff6ppk2.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kff6ppk2.exe ->
    [STARTUP][SUSP PATH] kffaq0k0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kffaq0k0.exe ->
    [STARTUP][SUSP PATH] l5fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l5fvvqff.exe ->
    [STARTUP][SUSP PATH] l98gav9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l98gav9q.exe ->
    [STARTUP][SUSP PATH] laa1llffa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\laa1llffa.exe ->
    [STARTUP][SUSP PATH] lg1gaavl98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lg1gaavl98.exe ->
    [STARTUP][SUSP PATH] lglg16v5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lglg16v5.exe ->
    [STARTUP][SUSP PATH] llgaavvq7.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llgaavvq7.exe ->
    [STARTUP][SUSP PATH] llggbqqlb9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llggbqqlb9.exe ->
    [STARTUP][SUSP PATH] lvvlaaf7vl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvvlaaf7vl.exe ->
    [STARTUP][SUSP PATH] pffap9k0ppp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffap9k0ppp.exe ->
    [STARTUP][SUSP PATH] pkaa1kkffaq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkaa1kkffaq.exe ->
    [STARTUP][SUSP PATH] q6kfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6kfaa7vq.exe ->
    [STARTUP][SUSP PATH] q7lfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q7lfaa7vq.exe ->
    [STARTUP][SUSP PATH] q80a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q80a0vqql1g.exe ->
    [STARTUP][SUSP PATH] qf0a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qf0a0vqql1g.exe ->
    [STARTUP][SUSP PATH] qffaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qffaqql1.exe ->
    [STARTUP][SUSP PATH] qk4fvvqf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qk4fvvqf.exe ->
    [STARTUP][SUSP PATH] ql1gaavl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ql1gaavl.exe ->
    [STARTUP][SUSP PATH] qlaaaav9vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaaaav9vv.exe ->
    [STARTUP][SUSP PATH] qlaqlvq4vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqlvq4vv.exe ->
    [STARTUP][SUSP PATH] qlaqv2ql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2ql.exe ->
    [STARTUP][SUSP PATH] qlaqv2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2qlaa.exe ->
    [STARTUP][SUSP PATH] qq1a0vvqf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq1a0vvqf9.exe ->
    [STARTUP][SUSP PATH] qq7lflqav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq7lflqav.exe ->
    [STARTUP][SUSP PATH] qqfv5a3laql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqfv5a3laql.exe ->
    [STARTUP][SUSP PATH] v2qkaa1k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v2qkaa1k.exe ->
    [STARTUP][SUSP PATH] v8qkf9a0vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v8qkf9a0vq.exe ->
    [STARTUP][SUSP PATH] vaaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaaa1llg.exe ->
    [STARTUP][SUSP PATH] vkk1vvqqk.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vkk1vvqqk.exe ->
    [STARTUP][SUSP PATH] vlgqvgqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlgqvgqql.exe ->
    [STARTUP][SUSP PATH] vllfv9qqlf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllfv9qqlf9.exe ->
    [STARTUP][SUSP PATH] vllggaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllggaqql1.exe ->
    [STARTUP][SUSP PATH] vppvvp5fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vppvvp5fa.exe ->
    [STARTUP][SUSP PATH] vqgvqgq2gl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqgvqgq2gl.exe ->
    [STARTUP][SUSP PATH] vqqlgg6av.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqqlgg6av.exe ->
    [STARTUP][SUSP PATH] vvqllggq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqllggq.exe ->
    [STARTUP][SUSP PATH] vvqq6aavk4.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqq6aavk4.exe ->
    [STARTUP][SUSP PATH] wq0lggb1wqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wq0lggb1wqq.exe ->
    [HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
    [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
    [HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤
    IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
    IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)

    ¤¤¤ Extern Hives: ¤¤¤
    -> E:\windows\system32\config\SOFTWARE
    -> E:\Users\Alfi\NTUSER.DAT
    -> E:\Users\Default\NTUSER.DAT
    -> G:\windows\system32\config\SOFTWARE
    -> G:\Users\Default\NTUSER.DAT
    -> G:\Users\Default User\NTUSER.DAT
    -> G:\Users\WIN7\NTUSER.DAT
    -> G:\Documents and Settings\Default\NTUSER.DAT
    -> G:\Documents and Settings\Default User\NTUSER.DAT
    -> G:\Documents and Settings\WIN7\NTUSER.DAT

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\Windows\system32\drivers\etc\hosts

    127.0.0.1 jL.chura.pl


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3500413AS ATA Device +++++
    --- User ---
    [MBR] ec9ed4657f9d0f42d4c335f0205aac08
    [BSP] 1756590a13b3bb1a236217cdb4feec0c : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376938 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: ST3160212AS ATA Device +++++
    --- User ---
    [MBR] f6d7a2fa25a9b6433786e133ae7d5b75
    [BSP] 8b1a12dec96d8a7657aeb604cfdbf253 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74998 Mo
    1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 153597465 | Size: 77618 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: SanDisk Cruzer Slice USB Device +++++
    --- User ---
    [MBR] 570422272ced4fad5f334efc4b25fae9
    [BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
    Partition table:
    0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt
  15. Vilfocry

    Vilfocry TS Rookie Topic Starter

    RogueKiller V8.1.1 [10/01/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : Win7 [Admin rights]
    Mode : Shortcuts HJfix -- Date : 10/21/2012 07:12:26

    ¤¤¤ Bad processes : 32 ¤¤¤
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
    [SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
    [SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
    [SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
    [SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
    [SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
    [SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
    [SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
    [SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
    [SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
    [SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
    [SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
    [SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
    [SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
    [SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ Extern Hives: ¤¤¤
    -> E:\windows\system32\config\SOFTWARE
    -> E:\Users\Alfi\NTUSER.DAT
    -> E:\Users\Default\NTUSER.DAT
    -> G:\windows\system32\config\SOFTWARE
    -> G:\Users\Default\NTUSER.DAT
    -> G:\Users\Default User\NTUSER.DAT
    -> G:\Users\WIN7\NTUSER.DAT
    -> G:\Documents and Settings\Default\NTUSER.DAT
    -> G:\Documents and Settings\Default User\NTUSER.DAT
    -> G:\Documents and Settings\WIN7\NTUSER.DAT

    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 97 / Fail 0
    Quick launch: Success 1 / Fail 0
    Programs: Success 5 / Fail 0
    Start menu: Success 91 / Fail 0
    User folder: Success 107 / Fail 0
    My documents: Success 8 / Fail 8
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 385 / Fail 1
    Backup: [NOT FOUND]

    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\CdRom0 -- 0x5 --> Skipped
    [E:] \Device\HarddiskVolume4 -- 0x3 --> Restored
    [F:] \Device\HarddiskVolume5 -- 0x3 --> Restored
    [G:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [H:] \Device\CdRom1 -- 0x5 --> Skipped
    [I:] \Device\CdRom2 -- 0x5 --> Skipped
    [J:] \Device\CdRom3 -- 0x5 --> Skipped
    [K:] \Device\HarddiskVolume6 -- 0x2 --> Restored

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download and run RKill.

    Download mirror 1 - Download mirror 2 - Download mirror 3

    • Save it to your Desktop.
    • Double click the RKill desktop icon.
    • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
    • Please post its log in your next reply.
    • After it has run successfully, delete RKill.
    Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

    Now this again, please....
    ComboFix scan

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  17. Vilfocry

    Vilfocry TS Rookie Topic Starter

    All of them posted a log for me, but ComboFix still can't run and the message that blocked me from opening ComboFix still appears.

    I've tried to use Rkill several times; I had 9/6/5/4/3 processes terminated. When I tried to run 2 Rkills at once, the second Rkill reported a lower number of processes terminated (I once got 1) than the first one. I came to the conclusion that the bad program respawns faster than I thought.
    Then I tried to open it in Safe Mode, but it couldn't, because a while before I arrived at the desktop the message telling me explorer.exe is missing appeared and I couldn't access anything; it was just an all-dark desktop, and I had no choice except to turn off my PC from the power button.

    I will post the logs (the first 3 logs) below this message.
  18. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 10/22/2012 06:31:11 AM in x86 mode.
    Windows Version: Windows 7 Home Basic

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * C:\Windows\system32\AUDIODG.EXE (PID: 1184) [WD-HEUR]
    * C:\Windows\system32\config\systemprofile\AppData\Roaming\doa2k8s.exe (PID: 268) [WD-HEUR]
    * C:\Windows\System32\Drivers\WTSRV.EXE (PID: 556) [WD-HEUR]
    * C:\Windows\system32\WUDFHost.exe (PID: 2612) [WD-HEUR]
    * C:\Windows\System32\WTClient.exe (PID: 3240) [WD-HEUR]
    * C:\Windows\System32\acledit.exe (PID: 2104) [WD-HEUR]
    * C:\Windows\system32\SearchProtocolHost.exe (PID: 3924) [WD-HEUR]
    * C:\Windows\system32\SearchFilterHost.exe (PID: 1484) [WD-HEUR]
    * C:\Windows\system32\sppsvc.exe (PID: 3172) [WD-HEUR]

    9 proccesses terminated!

    Possibly Patched Files.

    * C:\Windows\System32\spoolsv.exe
    * C:\Windows\system32\wbem\wmiprvse.exe
    * C:\Windows\system32\wuauclt.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\conhost.exe

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Disabled

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\conhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 271.360 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

    * C:\Windows\System32\ctfmon.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 8.704 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

    * C:\Windows\System32\dllhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 7.168 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

    * C:\Windows\System32\spoolsv.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 316.416 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

    * C:\Windows\System32\taskeng.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 190.464 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

    * C:\Windows\System32\userinit.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 26.112 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

    * C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 254.976 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

    * C:\Windows\System32\wuauclt.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 47.104 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.613.248 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 jL.chura.pl

    Program finished at: 10/22/2012 06:31:43 AM
    Execution time: 0 hours(s), 0 minute(s), and 32 seconds(s)

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------


    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 10/22/2012 06:33:54 AM in x86 mode.
    Windows Version: Windows 7 Home Basic

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * C:\Windows\system32\WUDFHost.exe (PID: 3544) [WD-HEUR]
    * C:\Windows\system32\AUDIODG.EXE (PID: 2648) [WD-HEUR]
    * C:\Windows\system32\SearchProtocolHost.exe (PID: 4080) [WD-HEUR]
    * C:\Windows\system32\SearchFilterHost.exe (PID: 1332) [WD-HEUR]
    * C:\Windows\system32\sppsvc.exe (PID: 4012) [WD-HEUR]

    5 proccesses terminated!

    Possibly Patched Files.

    * C:\Windows\System32\spoolsv.exe
    * C:\Windows\system32\wuauclt.exe
    * C:\Windows\system32\wbem\wmiprvse.exe
    * C:\Windows\system32\wbem\wmiprvse.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\conhost.exe

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\conhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 289.280 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

    * C:\Windows\System32\ctfmon.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 26.624 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

    * C:\Windows\System32\dllhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 25.088 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

    * C:\Windows\System32\spoolsv.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 334.336 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

    * C:\Windows\System32\taskeng.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 208.384 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

    * C:\Windows\System32\userinit.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 44.032 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

    * C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 272.896 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

    * C:\Windows\System32\wuauclt.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 65.024 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.631.168 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 jL.chura.pl

    Program finished at: 10/22/2012 06:34:10 AM
    Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)


    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------


    Rkill 2.4.3 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html

    Program started at: 10/22/2012 06:35:12 AM in x86 mode.
    Windows Version: Windows 7 Home Basic

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * C:\Windows\system32\WUDFHost.exe (PID: 2668) [WD-HEUR]
    * C:\Windows\system32\SearchProtocolHost.exe (PID: 2272) [WD-HEUR]
    * C:\Windows\system32\SearchFilterHost.exe (PID: 4036) [WD-HEUR]
    * C:\Windows\system32\AUDIODG.EXE (PID: 612) [WD-HEUR]

    4 proccesses terminated!

    Possibly Patched Files.

    * C:\Windows\System32\spoolsv.exe
    * C:\Windows\system32\wuauclt.exe
    * C:\Windows\system32\wbem\wmiprvse.exe
    * C:\Windows\system32\wbem\wmiprvse.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\DllHost.exe
    * C:\Windows\system32\conhost.exe

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Firewall Disabled

    [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

    Checking Windows Service Integrity:

    * Security Center (wscsvc) is not Running.
    Startup Type set to: Automatic

    Searching for Missing Digital Signatures:

    * C:\Windows\System32\conhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 289.280 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

    * C:\Windows\System32\ctfmon.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 26.624 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

    * C:\Windows\System32\dllhost.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 25.088 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

    * C:\Windows\System32\spoolsv.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 334.336 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

    * C:\Windows\System32\taskeng.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 208.384 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

    * C:\Windows\System32\userinit.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 44.032 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

    * C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 272.896 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

    * C:\Windows\System32\wuauclt.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 65.024 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

    * C:\Windows\explorer.exe [NoSig]
    +-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.631.168 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

    Checking HOSTS File:

    * HOSTS file entries found:

    127.0.0.1 jL.chura.pl

    Program finished at: 10/22/2012 06:35:28 AM
    Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html.
    Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
    • Backup all your documents and important items only.
    • DO NOT backup any executable files (.exe .scr .html or .htm)
    • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
    • Reformat and Reinstall as outlined HERE

    I suggest you do the following immediately:
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
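    The backup rules in the post above (documents only; no .exe/.scr/.htm/.html, and no .zip/.cab/.rar that may carry executables) as an added triage script; this is not code from the thread or from any tool mentioned in it. The sample tree, its file names, and the extra check for files that start with the MZ header regardless of extension are my own assumptions.

```python
"""Backup triage after a file-infector compromise (added example, not from the thread).

Walks a directory tree and sorts files into three buckets following the advice
above: keep documents, skip executables (.exe .scr .htm .html), and skip archives
(.zip .cab .rar) that contain executables. Extension matching alone is not
enough for a file infector, so anything whose content begins with the 'MZ'
DOS/PE header is also treated as executable (an assumption added here).
"""
import os
import tempfile
import zipfile
from pathlib import Path

EXECUTABLE_EXT = {".exe", ".scr", ".htm", ".html"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}


def looks_like_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' header that every PE file carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def archive_has_executable(path: Path) -> bool:
    """Inspect a .zip listing for executable members.

    .cab and .rar cannot be opened with the standard library, so they are
    treated as unsafe rather than guessed at.
    """
    if path.suffix.lower() != ".zip" or not zipfile.is_zipfile(path):
        return True
    with zipfile.ZipFile(path) as zf:
        return any(Path(n).suffix.lower() in EXECUTABLE_EXT for n in zf.namelist())


def classify(path: Path) -> str:
    """Return 'keep', 'skip-executable', or 'skip-archive' for one file."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXT or looks_like_pe(path):
        return "skip-executable"
    if ext in ARCHIVE_EXT:
        return "skip-archive" if archive_has_executable(path) else "keep"
    return "keep"


def triage(root: Path) -> dict:
    """Walk root and group every file (path relative to root) by classification."""
    result = {"keep": [], "skip-executable": [], "skip-archive": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            result[classify(p)].append(p.relative_to(root).as_posix())
    return result


def build_demo_tree(root: Path) -> None:
    """Constructed sample files so the script runs offline."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "invoice.txt").write_text("constructed invoice text")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "photo.jpg").write_bytes(b"MZ\x90\x00")  # PE hiding behind .jpg
    (root / "notes.html").write_text("<html></html>")
    with zipfile.ZipFile(root / "clean.zip", "w") as zf:
        zf.writestr("report.pdf", "constructed")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("tool.exe", "MZ")
    (root / "old.rar").write_bytes(b"Rar!\x1a\x07\x00")


def demo_triage() -> dict:
    """Build the constructed tree in a temp dir, triage it, return sorted buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return {k: sorted(v) for k, v in triage(root).items()}


if __name__ == "__main__":
    for bucket, items in demo_triage().items():
        print(bucket, items)
```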
  20. Vilfocry

    Vilfocry TS Rookie Topic Starter

    If I wait until my PC can't be operated anymore and then reinstall my Windows, will the other problem occur or not?

    I'm still looking for the software and drivers.
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It infected a ton of your files. Waiting won't cut it. :(
  22. Vilfocry

    Vilfocry TS Rookie Topic Starter

    Is it alright if I save several .exe files to another drive?
    I'm afraid they can still infect if I put my important files back on my PC.
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    They can still infect anything. As of right now, almost any file on your system is compromised (infected), so it's best that the system is wiped clean with nothing saved.

    You can try to save files, BUT they will be either infected and/or damaged, and running them is going to be very risky.

    This is very much related to the following:
    http://www.helpmyos.com/malware-threat-removal-f6/virut-information-t879.htm

    I am sorry for the bad news. I do not understand why these mean people make such harsh viruses, and I wish there was a way to clean your system without everything being damaged. But, the problem is, cleaning the system, most files will be damaged. It is like trying to clean up a city that just had a tornado or hurricane run through it. Takes rebuilding, and time to set back up.
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Topic marked resolved and closed.