Resolved Windows encountered critical problems


Vilfocry

Like the other's case

When I turn on my computer this message always disturbs me, but when I try to log in in Safe Mode, it's totally safe.
I have tried to use "System Restore" 3 times, and it just makes my computer work better gradually.

What should I do then? I use this computer for business and I'm nothing without it.
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-10-2012
Ran by SYSTEM at 16-10-2012 15:56:18
Running from I:\
Windows 7 Professional (X86) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [AdVantage Setup] D:\Program Files\DAEMON Tools\AdVantageSetup.exe [x]
HKU\Alfi\...\Run: [syhim] I:\Users\Alfi\syhim.exe [225792 2010-09-22] ()
HKU\Alfi\...\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 [171464 2007-08-29] (DT Soft Ltd.)
HKU\Alfi\...\Run: [DAEMON Tools Lite] "J:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun [x]

==================== Services (Whitelisted) ===================

2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [75064 2011-01-23] ()

==================== Drivers (Whitelisted) ====================

3 Atc002; C:\Windows\System32\DRIVERS\l260x86.sys [29184 2009-07-13] (Atheros Communications, Inc.)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [691696 2010-11-27] (Duplex Secure Ltd.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========



==================== 3 Months Modified Files ==================


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 20%
Total physical RAM: 1911.12 MB
Available physical RAM: 1524.83 MB
Total Pagefile: 1911.12 MB
Available Pagefile: 1525.16 MB
Total Virtual: 2047.88 MB
Available Virtual: 1970.3 MB

==================== Partitions =============================

1 Drive c: (System) (Fixed) (Total:73.24 GB) (Free:26.7 GB) NTFS
2 Drive e: (Data) (Fixed) (Total:75.8 GB) (Free:44.41 GB) NTFS
3 Drive f: () (Fixed) (Total:97.56 GB) (Free:28.55 GB) NTFS
4 Drive g: (New Volume) (Fixed) (Total:368.1 GB) (Free:282.58 GB) NTFS
6 Drive I: () (Removable) (Total:14.91 GB) (Free:0.79 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 1024 KB
Disk 1 Online 149 GB 8 MB
Disk 2 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 97 GB 101 MB
Partition 3 Primary 368 GB 97 GB

=========================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F NTFS Partition 97 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G New Volume NTFS Partition 368 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 73 GB 31 KB
Partition 0 Extended 75 GB 73 GB
Partition 2 Logical 75 GB 73 GB

=========================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 C System NTFS Partition 73 GB Healthy

=========================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 E Data NTFS Partition 75 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 16 KB

=========================================================

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I NTFS Removable 14 GB Healthy

=========================================================

Last Boot: 2011-05-30 00:21

==================== End Of Log ============================
 
Farbar Recovery Scan Tool (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-16 16:07:24
Running from I:\

================== Search: "services.exe" ===================

C:\Windows.old\Windows\system32\services.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\Windows.old\Windows\system32\dllcache\services.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 0108032 ___AC (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
 
Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.


Go back to FRST main screen, type explorer.exe in the search box, and press the search button. I'll need the log from the search, please. :)
 
So the content of the Search.txt will be replaced by the new search...
This is the result:


Farbar Recovery Scan Tool (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-17 21:07:00
Running from I:\

================== Search: "explorer.exe" ===================

C:\Windows.old\Windows\explorer.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 1050112 ____A (Microsoft Corporation) 9AA83544DF07DCD8848F766F35D0FF68

C:\Windows.old\Windows\system32\dllcache\explorer.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 1032192 ___AC (Microsoft Corporation) A0732187050030AE399B241436565E64

C:\Windows\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

=== End Of Search ===
 
FRST Fixlist

Please download attached fixlist.txt below, and save it to your flash drive in the same location as FRST.exe. Make sure it maintains the same name, otherwise the fix will fail.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.
 

Attachments

  • fixlist.txt (160 bytes)
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-18 06:32:44 Run:1
Running from I:\

==============================================

C:\Windows\explorer.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe copied successfully to C:\Windows\explorer.exe

==== End of Fixlog ====
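The search logs and fixlog above show the hash-based check behind this thread: FRST lists every copy of a system binary with its MD5, and the fix replaced C:\Windows\explorer.exe with the copy kept in WinSxS. As an added example (not FRST's own code or anything the helper posted), the script below parses that Search.txt format and flags any live copy whose MD5 matches none of its WinSxS copies; it embeds the thread's explorer.exe search plus a constructed services.exe entry carrying an all-zero placeholder hash so the mismatch case is exercised.

```python
"""Compare live system binaries against their WinSxS copies using FRST
'Search:' output.

Added example for this thread, not FRST's own code or anything posted by the
helper. It assumes the two-line entry format visible in the logs above:

    <path>
    [created] - [modified] - <size> <attrs> (<company>) <MD5>
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One search-result detail line; the line before it is the file path.
ENTRY_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Sample input: the explorer.exe search from the thread, plus a CONSTRUCTED
# services.exe pair whose live copy carries a placeholder all-zero MD5 so the
# mismatch path is exercised. The WinSxS services.exe hash is the one the
# thread's own services.exe search reported.
SAMPLE = r"""
Farbar Recovery Scan Tool (x86) Version: 15-10-2012
Ran by SYSTEM at 2012-10-17 21:07:00
Running from I:\

================== Search: "explorer.exe" ===================

C:\Windows.old\Windows\explorer.exe
[2004-08-03 14:56] - [2004-08-03 14:56] - 1050112 ____A (Microsoft Corporation) 9AA83544DF07DCD8848F766F35D0FF68

C:\Windows\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2009-07-13 15:41] - [2009-07-13 17:14] - 2631168 ____A (Microsoft Corporation) 6FBE6F58A87283BE082A21ABC7C4F0B1

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 00000000000000000000000000000000

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

=== End Of Search ===
"""


def parse_search(text):
    """Return one dict per (path, details) pair found in FRST search output."""
    lines = text.splitlines()
    entries = []
    for i in range(1, len(lines)):
        m = ENTRY_RE.match(lines[i])
        if m:
            entries.append({"path": lines[i - 1].strip(), **m.groupdict()})
    return entries


def location(path):
    """Classify a copy: 'live' (in use), 'winsxs' (component store) or 'old'."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    if "windows.old" in parts:
        return "old"          # leftover from a previous install, not a reference
    if "winsxs" in parts:
        return "winsxs"
    return "live"


def check_against_component_store(text):
    """Map each live copy's path to 'ok', 'mismatch' or 'no-reference'.

    Several WinSxS copies of one binary can exist after updates, so a live
    hash that matches any of them counts as 'ok'.
    """
    by_name = defaultdict(list)
    for e in parse_search(text):
        by_name[PureWindowsPath(e["path"]).name.lower()].append(e)
    result = {}
    for copies in by_name.values():
        reference = {c["md5"].upper() for c in copies
                     if location(c["path"]) == "winsxs"}
        for c in copies:
            if location(c["path"]) != "live":
                continue
            if not reference:
                result[c["path"]] = "no-reference"
            elif c["md5"].upper() in reference:
                result[c["path"]] = "ok"
            else:
                result[c["path"]] = "mismatch"
    return result


if __name__ == "__main__":
    for path, status in check_against_component_store(SAMPLE).items():
        print(f"{status:13} {path}")
```

A "mismatch" only says the live file differs from every component-store copy; it is the cue to inspect the file and, as the fixlist did here, restore from WinSxS.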
 
Sorry, I have just read that part.

Tonight my lil brother used it and there was still the "critical problem reboot message", and then several hours later I turned it on and it worked better, but I'm still not sure everything has been solved.

This morning I tried to turn it on again and there was a "Critical problem reboot message". I restarted it 3 times and then the message did not come again (but I can't connect to the internet, although it shows as connected in the taskbar). Oh, when I was restarting the computer for the second time there was a message like this:

C:\windows\system32\ac82.exe
The NTVDM CPU has encountered an illegal instruction
Cs:05rd IP:0208 OP:63 61 22 20 73 Choose 'close' to terminate the application

I don't know what exactly happened. Does this message have a bond with my "Critical problem reboot message"?
What should I do then, Mr. DragonMaster Jay?
 
Let's try next steps, please...

ComboFix scan

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again, renaming
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
I have downloaded it and it can't be opened. I've tried to burn ComboFix.exe to a CD-RW, but the result is the same as when I open it from my removable disk. Sorry, I uploaded a picture, because I don't know what I should do with this problem.
cofix.jpg

It appears when I run ComboFix; after a while this message popped out.

How do I solve this, Master Jay?
 
Oh, that's not good there...

RogueKiller Scan

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
RGKRScan.png


  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
RGKRDelete.png


  • The report has been created on the desktop.
  • Next click on the ShortcutsFix

    RGKRShortcutsFix.png
  • The report has been created on the desktop.
Please post:

All RKreport.txt text files located on your desktop.
 
RogueKiller V8.1.1 [10/01/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: https://www.techspot.com/downloads/5562-roguekiller.html
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Win7 [Admin rights]
Mode : Scan -- Date : 10/21/2012 07:08:10

¤¤¤ Bad processes : 32 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 151 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> FOUND
[RUN][HJNAME] HKCU\[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> FOUND
[RUN][HJNAME] HKCU\[...]\Run : svchosta (C:\Windows\svchost.exe) -> FOUND
[RUN][HJNAME] HKCU\[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : hotnomjyzoby (C:\ProgramData\hotnomjyzoby.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : beanifkeafal (C:\ProgramData\beanifkeafal.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : pibmyrpimqaq (C:\ProgramData\pibmyrpimqaq.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : qykopigturuq (C:\ProgramData\qykopigturuq.exe) -> FOUND
[RUN][HJNAME] HKLM\[...]\Run : Windows Media Center (C:\Windows\smss.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : xadweffumdeq (C:\ProgramData\xadweffumdeq.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : hwpfvisxt (C:\Users\Win7\nprtjb.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : conx (C:\Windows\System32\config\systemprofile\AppData\Roaming\wb2ek.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : jafatgortycx (C:\ProgramData\jafatgortycx.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : koxyfyvobnog (C:\ProgramData\koxyfyvobnog.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : vyfalperyfir (C:\ProgramData\vyfalperyfir.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : daxixreameam (C:\ProgramData\daxixreameam.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : qyftegoblari (C:\ProgramData\qyftegoblari.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : senamakaqjus (C:\ProgramData\senamakaqjus.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> FOUND
[RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> FOUND
[RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : svchosta (C:\Windows\svchost.exe) -> FOUND
[RUN][HJNAME] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> FOUND
[RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\\Run : 3289 (C:\PROGRA~2\LOCALS~1\Temp\msjkourh.scr) -> FOUND
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> FOUND
[SHELL][SUSP PATH] HKUS\S-1-5-21-1376724605-2322160143-2511619695-1000[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> FOUND
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> FOUND
[STARTUP][SUSP PATH] 0llfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llfv9q.exe -> FOUND
[STARTUP][SUSP PATH] 0qql1fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qql1fa.exe -> FOUND
[STARTUP][SUSP PATH] 0vq0k0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vq0k0k.exe -> FOUND
[STARTUP][SUSP PATH] 1aqql1f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqql1f.exe -> FOUND
[STARTUP][SUSP PATH] 1fv9qql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fv9qql.exe -> FOUND
[STARTUP][SUSP PATH] 1gaaaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1gaaaav.exe -> FOUND
[STARTUP][SUSP PATH] 1qkkfv9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qkkfv9.exe -> FOUND
[STARTUP][SUSP PATH] 1qqlaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qqlaav.exe -> FOUND
[STARTUP][SUSP PATH] 21aavvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21aavvq.exe -> FOUND
[STARTUP][SUSP PATH] 21lgwwq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21lgwwq.exe -> FOUND
[STARTUP][SUSP PATH] 2kkfvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2kkfvvq.exe -> FOUND
[STARTUP][SUSP PATH] 31faqq1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31faqq1.exe -> FOUND
[STARTUP][SUSP PATH] 31pkaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31pkaa1.exe -> FOUND
[STARTUP][SUSP PATH] 3kkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3kkfv98.exe -> FOUND
[STARTUP][SUSP PATH] 4fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fvvqff.exe -> FOUND
[STARTUP][SUSP PATH] 4v2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v2qlaa.exe -> FOUND
[STARTUP][SUSP PATH] 5faavqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5faavqq.exe -> FOUND
[STARTUP][SUSP PATH] 5kkfv9f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5kkfv9f.exe -> FOUND
[STARTUP][SUSP PATH] 5lvvqg0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lvvqg0.exe -> FOUND
[STARTUP][SUSP PATH] 6g6avqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6g6avqq.exe -> FOUND
[STARTUP][SUSP PATH] 7vqllf5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7vqllf5.exe -> FOUND
[STARTUP][SUSP PATH] 9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9a0vq0k.exe -> FOUND
[STARTUP][SUSP PATH] 9q7lflq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9q7lflq.exe -> FOUND
[STARTUP][SUSP PATH] a1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1vqggaav.exe -> FOUND
[STARTUP][SUSP PATH] a2qlaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2qlaa1llg.exe -> FOUND
[STARTUP][SUSP PATH] a8ql1faavla.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ql1faavla.exe -> FOUND
[STARTUP][SUSP PATH] aa1llggbqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1llggbqql.exe -> FOUND
[STARTUP][SUSP PATH] aa1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1vqggaav.exe -> FOUND
[STARTUP][SUSP PATH] aavk4fvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavk4fvvq.exe -> FOUND
[STARTUP][SUSP PATH] aavllfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9q.exe -> FOUND
[STARTUP][SUSP PATH] aavllfv9qqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9qqq.exe -> FOUND
[STARTUP][SUSP PATH] akaqffaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akaqffaav.exe -> FOUND
[STARTUP][SUSP PATH] aqffaavllf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqffaavllf.exe -> FOUND
[STARTUP][SUSP PATH] av5q2ga2427.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av5q2ga2427.exe -> FOUND
[STARTUP][SUSP PATH] av9q0lg0a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av9q0lg0a.exe -> FOUND
[STARTUP][SUSP PATH] avkkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avkkfv98.exe -> FOUND
[STARTUP][SUSP PATH] avqq7lgaavv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avqq7lgaavv.exe -> FOUND
[STARTUP][SUSP PATH] fa2qlaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa2qlaa1.exe -> FOUND
[STARTUP][SUSP PATH] faa7vqll.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faa7vqll.exe -> FOUND
[STARTUP][SUSP PATH] faavqq6kf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faavqq6kf.exe -> FOUND
[STARTUP][SUSP PATH] fappkkfvvp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fappkkfvvp.exe -> FOUND
[STARTUP][SUSP PATH] faqqkkfkvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faqqkkfkvq.exe -> FOUND
[STARTUP][SUSP PATH] fav9faav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fav9faav.exe -> FOUND
[STARTUP][SUSP PATH] ffvvqf9a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffvvqf9a0.exe -> FOUND
[STARTUP][SUSP PATH] fv9qqlf9a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fv9qqlf9a.exe -> FOUND
[STARTUP][SUSP PATH] fvvqf9a0vq0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vq0.exe -> FOUND
[STARTUP][SUSP PATH] fvvqf9a0vqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vqq.exe -> FOUND
[STARTUP][SUSP PATH] g6avqq7lg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6avqq7lg.exe -> FOUND
[STARTUP][SUSP PATH] gbqqlb98wq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbqqlb98wq.exe -> FOUND
[STARTUP][SUSP PATH] gvvqg0a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvvqg0a0.exe -> FOUND
[STARTUP][SUSP PATH] kf5a2qkaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf5a2qkaa.exe -> FOUND
[STARTUP][SUSP PATH] kf9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf9a0vq0k.exe -> FOUND
[STARTUP][SUSP PATH] kff6ppk2.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kff6ppk2.exe -> FOUND
[STARTUP][SUSP PATH] kffaq0k0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kffaq0k0.exe -> FOUND
[STARTUP][SUSP PATH] l5fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l5fvvqff.exe -> FOUND
[STARTUP][SUSP PATH] l98gav9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l98gav9q.exe -> FOUND
[STARTUP][SUSP PATH] laa1llffa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\laa1llffa.exe -> FOUND
[STARTUP][SUSP PATH] lg1gaavl98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lg1gaavl98.exe -> FOUND
[STARTUP][SUSP PATH] lglg16v5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lglg16v5.exe -> FOUND
[STARTUP][SUSP PATH] llgaavvq7.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llgaavvq7.exe -> FOUND
[STARTUP][SUSP PATH] llggbqqlb9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llggbqqlb9.exe -> FOUND
[STARTUP][SUSP PATH] lvvlaaf7vl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvvlaaf7vl.exe -> FOUND
[STARTUP][SUSP PATH] pffap9k0ppp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffap9k0ppp.exe -> FOUND
[STARTUP][SUSP PATH] pkaa1kkffaq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkaa1kkffaq.exe -> FOUND
[STARTUP][SUSP PATH] q6kfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6kfaa7vq.exe -> FOUND
[STARTUP][SUSP PATH] q7lfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q7lfaa7vq.exe -> FOUND
[STARTUP][SUSP PATH] q80a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q80a0vqql1g.exe -> FOUND
[STARTUP][SUSP PATH] qf0a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qf0a0vqql1g.exe -> FOUND
[STARTUP][SUSP PATH] qffaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qffaqql1.exe -> FOUND
[STARTUP][SUSP PATH] qk4fvvqf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qk4fvvqf.exe -> FOUND
[STARTUP][SUSP PATH] ql1gaavl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ql1gaavl.exe -> FOUND
[STARTUP][SUSP PATH] qlaaaav9vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaaaav9vv.exe -> FOUND
[STARTUP][SUSP PATH] qlaqlvq4vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqlvq4vv.exe -> FOUND
[STARTUP][SUSP PATH] qlaqv2ql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2ql.exe -> FOUND
[STARTUP][SUSP PATH] qlaqv2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2qlaa.exe -> FOUND
[STARTUP][SUSP PATH] qq1a0vvqf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq1a0vvqf9.exe -> FOUND
[STARTUP][SUSP PATH] qq7lflqav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq7lflqav.exe -> FOUND
[STARTUP][SUSP PATH] qqfv5a3laql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqfv5a3laql.exe -> FOUND
[STARTUP][SUSP PATH] v2qkaa1k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v2qkaa1k.exe -> FOUND
[STARTUP][SUSP PATH] v8qkf9a0vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v8qkf9a0vq.exe -> FOUND
[STARTUP][SUSP PATH] vaaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaaa1llg.exe -> FOUND
[STARTUP][SUSP PATH] vkk1vvqqk.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vkk1vvqqk.exe -> FOUND
[STARTUP][SUSP PATH] vlgqvgqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlgqvgqql.exe -> FOUND
[STARTUP][SUSP PATH] vllfv9qqlf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllfv9qqlf9.exe -> FOUND
[STARTUP][SUSP PATH] vllggaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllggaqql1.exe -> FOUND
[STARTUP][SUSP PATH] vppvvp5fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vppvvp5fa.exe -> FOUND
[STARTUP][SUSP PATH] vqgvqgq2gl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqgvqgq2gl.exe -> FOUND
[STARTUP][SUSP PATH] vqqlgg6av.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqqlgg6av.exe -> FOUND
[STARTUP][SUSP PATH] vvqllggq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqllggq.exe -> FOUND
[STARTUP][SUSP PATH] vvqq6aavk4.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqq6aavk4.exe -> FOUND
[STARTUP][SUSP PATH] wq0lggb1wqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wq0lggb1wqq.exe -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\Users\Alfi\NTUSER.DAT
-> E:\Users\Default\NTUSER.DAT
-> G:\windows\system32\config\SOFTWARE
-> G:\Users\Default\NTUSER.DAT
-> G:\Users\Default User\NTUSER.DAT
-> G:\Users\WIN7\NTUSER.DAT
-> G:\Documents and Settings\Default\NTUSER.DAT
-> G:\Documents and Settings\Default User\NTUSER.DAT
-> G:\Documents and Settings\WIN7\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 jL.chura.pl


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500413AS ATA Device +++++
--- User ---
[MBR] ec9ed4657f9d0f42d4c335f0205aac08
[BSP] 1756590a13b3bb1a236217cdb4feec0c : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376938 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160212AS ATA Device +++++
--- User ---
[MBR] f6d7a2fa25a9b6433786e133ae7d5b75
[BSP] 8b1a12dec96d8a7657aeb604cfdbf253 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74998 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 153597465 | Size: 77618 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: SanDisk Cruzer Slice USB Device +++++
--- User ---
[MBR] 570422272ced4fad5f334efc4b25fae9
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
 
RogueKiller V8.1.1 [10/01/2012] by Tigzy

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Win7 [Admin rights]
Mode : Remove -- Date : 10/21/2012 07:10:02

¤¤¤ Bad processes : 32 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 132 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Fpwiwn (C:\Windows\system32\config\systemprofile\AppData\Roaming\Fpwiwn.scr) -> DELETED
[RUN][HJNAME] HKCU\[...]\Run : Windows Media Center (C:\Users\Win7\AppData\Roaming\smss.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : hotnomjyzoby (C:\Users\Win7\hotnomjyzoby.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : beanifkeafal (C:\Users\Win7\beanifkeafal.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : rrvrue (C:\Users\Win7\ehtpnd.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : pibmyrpimqaq (C:\Users\Win7\pibmyrpimqaq.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Microsoft Antivirus Scanner (rundll32.exe C:\Users\Win7\au48qsnx.dll,Init) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : qykopigturuq (C:\Users\Win7\qykopigturuq.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : Clients (C:\Users\Win7\AppData\Roaming\Clients.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : xadweffumdeq (C:\Users\Win7\xadweffumdeq.exe) -> DELETED
[RUN][HJNAME] HKCU\[...]\Run : svchosta (C:\Windows\svchost.exe) -> DELETED
[RUN][HJNAME] HKCU\[...]\Run : svchost.exe (C:\Windows\svchost.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : jafatgortycx (C:\Users\Win7\jafatgortycx.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : koxyfyvobnog (C:\Users\Win7\koxyfyvobnog.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : vyfalperyfir (C:\Users\Win7\vyfalperyfir.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : daxixreameam (C:\Users\Win7\daxixreameam.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : qyftegoblari (C:\Users\Win7\qyftegoblari.exe) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : senamakaqjus (C:\Users\Win7\senamakaqjus.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : hotnomjyzoby (C:\ProgramData\hotnomjyzoby.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : beanifkeafal (C:\ProgramData\beanifkeafal.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : pibmyrpimqaq (C:\ProgramData\pibmyrpimqaq.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : qykopigturuq (C:\ProgramData\qykopigturuq.exe) -> DELETED
[RUN][HJNAME] HKLM\[...]\Run : Windows Media Center (C:\Windows\smss.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : xadweffumdeq (C:\ProgramData\xadweffumdeq.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : hwpfvisxt (C:\Users\Win7\nprtjb.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : conx (C:\Windows\System32\config\systemprofile\AppData\Roaming\wb2ek.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : jafatgortycx (C:\ProgramData\jafatgortycx.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : koxyfyvobnog (C:\ProgramData\koxyfyvobnog.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : vyfalperyfir (C:\ProgramData\vyfalperyfir.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : daxixreameam (C:\ProgramData\daxixreameam.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : qyftegoblari (C:\ProgramData\qyftegoblari.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : senamakaqjus (C:\ProgramData\senamakaqjus.exe) -> DELETED
[RUN][ROGUE ST] HKLM\[...]\Policies\Explorer\\Run : 3289 (C:\PROGRA~2\LOCALS~1\Temp\msjkourh.scr) -> DELETED
[SHELL][SUSP PATH] HKCU\[...]\Windows : Load (C:\Users\Win7\LOCALS~1\Temp\msavfk.exe) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B} (\??\C:\Program Files\CyberLink\PowerDVD\000.fcl) -> DELETED
[STARTUP][SUSP PATH] 0llfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0llfv9q.exe ->
[STARTUP][SUSP PATH] 0qql1fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0qql1fa.exe ->
[STARTUP][SUSP PATH] 0vq0k0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vq0k0k.exe ->
[STARTUP][SUSP PATH] 1aqql1f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1aqql1f.exe ->
[STARTUP][SUSP PATH] 1fv9qql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1fv9qql.exe ->
[STARTUP][SUSP PATH] 1gaaaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1gaaaav.exe ->
[STARTUP][SUSP PATH] 1qkkfv9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qkkfv9.exe ->
[STARTUP][SUSP PATH] 1qqlaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1qqlaav.exe ->
[STARTUP][SUSP PATH] 21aavvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21aavvq.exe ->
[STARTUP][SUSP PATH] 21lgwwq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21lgwwq.exe ->
[STARTUP][SUSP PATH] 2kkfvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2kkfvvq.exe ->
[STARTUP][SUSP PATH] 31faqq1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31faqq1.exe ->
[STARTUP][SUSP PATH] 31pkaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31pkaa1.exe ->
[STARTUP][SUSP PATH] 3kkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3kkfv98.exe ->
[STARTUP][SUSP PATH] 4fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4fvvqff.exe ->
[STARTUP][SUSP PATH] 4v2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v2qlaa.exe ->
[STARTUP][SUSP PATH] 5faavqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5faavqq.exe ->
[STARTUP][SUSP PATH] 5kkfv9f.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5kkfv9f.exe ->
[STARTUP][SUSP PATH] 5lvvqg0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lvvqg0.exe ->
[STARTUP][SUSP PATH] 6g6avqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6g6avqq.exe ->
[STARTUP][SUSP PATH] 7vqllf5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7vqllf5.exe ->
[STARTUP][SUSP PATH] 9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9a0vq0k.exe ->
[STARTUP][SUSP PATH] 9q7lflq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9q7lflq.exe ->
[STARTUP][SUSP PATH] a1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1vqggaav.exe ->
[STARTUP][SUSP PATH] a2qlaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a2qlaa1llg.exe ->
[STARTUP][SUSP PATH] a8ql1faavla.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8ql1faavla.exe ->
[STARTUP][SUSP PATH] aa1llggbqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1llggbqql.exe ->
[STARTUP][SUSP PATH] aa1vqggaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa1vqggaav.exe ->
[STARTUP][SUSP PATH] aavk4fvvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavk4fvvq.exe ->
[STARTUP][SUSP PATH] aavllfv9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9q.exe ->
[STARTUP][SUSP PATH] aavllfv9qqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aavllfv9qqq.exe ->
[STARTUP][SUSP PATH] akaqffaav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\akaqffaav.exe ->
[STARTUP][SUSP PATH] aqffaavllf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aqffaavllf.exe ->
[STARTUP][SUSP PATH] av5q2ga2427.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av5q2ga2427.exe ->
[STARTUP][SUSP PATH] av9q0lg0a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\av9q0lg0a.exe ->
[STARTUP][SUSP PATH] avkkfv98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avkkfv98.exe ->
[STARTUP][SUSP PATH] avqq7lgaavv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\avqq7lgaavv.exe ->
[STARTUP][SUSP PATH] fa2qlaa1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fa2qlaa1.exe ->
[STARTUP][SUSP PATH] faa7vqll.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faa7vqll.exe ->
[STARTUP][SUSP PATH] faavqq6kf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faavqq6kf.exe ->
[STARTUP][SUSP PATH] fappkkfvvp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fappkkfvvp.exe ->
[STARTUP][SUSP PATH] faqqkkfkvq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\faqqkkfkvq.exe ->
[STARTUP][SUSP PATH] fav9faav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fav9faav.exe ->
[STARTUP][SUSP PATH] ffvvqf9a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ffvvqf9a0.exe ->
[STARTUP][SUSP PATH] fv9qqlf9a.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fv9qqlf9a.exe ->
[STARTUP][SUSP PATH] fvvqf9a0vq0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vq0.exe ->
[STARTUP][SUSP PATH] fvvqf9a0vqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fvvqf9a0vqq.exe ->
[STARTUP][SUSP PATH] g6avqq7lg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6avqq7lg.exe ->
[STARTUP][SUSP PATH] gbqqlb98wq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbqqlb98wq.exe ->
[STARTUP][SUSP PATH] gvvqg0a0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvvqg0a0.exe ->
[STARTUP][SUSP PATH] kf5a2qkaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf5a2qkaa.exe ->
[STARTUP][SUSP PATH] kf9a0vq0k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kf9a0vq0k.exe ->
[STARTUP][SUSP PATH] kff6ppk2.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kff6ppk2.exe ->
[STARTUP][SUSP PATH] kffaq0k0.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kffaq0k0.exe ->
[STARTUP][SUSP PATH] l5fvvqff.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l5fvvqff.exe ->
[STARTUP][SUSP PATH] l98gav9q.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l98gav9q.exe ->
[STARTUP][SUSP PATH] laa1llffa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\laa1llffa.exe ->
[STARTUP][SUSP PATH] lg1gaavl98.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lg1gaavl98.exe ->
[STARTUP][SUSP PATH] lglg16v5.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lglg16v5.exe ->
[STARTUP][SUSP PATH] llgaavvq7.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llgaavvq7.exe ->
[STARTUP][SUSP PATH] llggbqqlb9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llggbqqlb9.exe ->
[STARTUP][SUSP PATH] lvvlaaf7vl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvvlaaf7vl.exe ->
[STARTUP][SUSP PATH] pffap9k0ppp.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffap9k0ppp.exe ->
[STARTUP][SUSP PATH] pkaa1kkffaq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pkaa1kkffaq.exe ->
[STARTUP][SUSP PATH] q6kfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q6kfaa7vq.exe ->
[STARTUP][SUSP PATH] q7lfaa7vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q7lfaa7vq.exe ->
[STARTUP][SUSP PATH] q80a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q80a0vqql1g.exe ->
[STARTUP][SUSP PATH] qf0a0vqql1g.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qf0a0vqql1g.exe ->
[STARTUP][SUSP PATH] qffaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qffaqql1.exe ->
[STARTUP][SUSP PATH] qk4fvvqf.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qk4fvvqf.exe ->
[STARTUP][SUSP PATH] ql1gaavl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ql1gaavl.exe ->
[STARTUP][SUSP PATH] qlaaaav9vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaaaav9vv.exe ->
[STARTUP][SUSP PATH] qlaqlvq4vv.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqlvq4vv.exe ->
[STARTUP][SUSP PATH] qlaqv2ql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2ql.exe ->
[STARTUP][SUSP PATH] qlaqv2qlaa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qlaqv2qlaa.exe ->
[STARTUP][SUSP PATH] qq1a0vvqf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq1a0vvqf9.exe ->
[STARTUP][SUSP PATH] qq7lflqav.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qq7lflqav.exe ->
[STARTUP][SUSP PATH] qqfv5a3laql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqfv5a3laql.exe ->
[STARTUP][SUSP PATH] v2qkaa1k.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v2qkaa1k.exe ->
[STARTUP][SUSP PATH] v8qkf9a0vq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v8qkf9a0vq.exe ->
[STARTUP][SUSP PATH] vaaa1llg.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vaaa1llg.exe ->
[STARTUP][SUSP PATH] vkk1vvqqk.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vkk1vvqqk.exe ->
[STARTUP][SUSP PATH] vlgqvgqql.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vlgqvgqql.exe ->
[STARTUP][SUSP PATH] vllfv9qqlf9.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllfv9qqlf9.exe ->
[STARTUP][SUSP PATH] vllggaqql1.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vllggaqql1.exe ->
[STARTUP][SUSP PATH] vppvvp5fa.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vppvvp5fa.exe ->
[STARTUP][SUSP PATH] vqgvqgq2gl.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqgvqgq2gl.exe ->
[STARTUP][SUSP PATH] vqqlgg6av.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vqqlgg6av.exe ->
[STARTUP][SUSP PATH] vvqllggq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqllggq.exe ->
[STARTUP][SUSP PATH] vvqq6aavk4.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vvqq6aavk4.exe ->
[STARTUP][SUSP PATH] wq0lggb1wqq.exe @Win7 : C:\Users\Win7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wq0lggb1wqq.exe ->
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\DRIVERS\atapi.sys -> HOOKED ([MAJOR] Unknown @ 0x84FCB1F8)

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\Users\Alfi\NTUSER.DAT
-> E:\Users\Default\NTUSER.DAT
-> G:\windows\system32\config\SOFTWARE
-> G:\Users\Default\NTUSER.DAT
-> G:\Users\Default User\NTUSER.DAT
-> G:\Users\WIN7\NTUSER.DAT
-> G:\Documents and Settings\Default\NTUSER.DAT
-> G:\Documents and Settings\Default User\NTUSER.DAT
-> G:\Documents and Settings\WIN7\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 jL.chura.pl


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500413AS ATA Device +++++
--- User ---
[MBR] ec9ed4657f9d0f42d4c335f0205aac08
[BSP] 1756590a13b3bb1a236217cdb4feec0c : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 99899 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376938 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3160212AS ATA Device +++++
--- User ---
[MBR] f6d7a2fa25a9b6433786e133ae7d5b75
[BSP] 8b1a12dec96d8a7657aeb604cfdbf253 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 74998 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 153597465 | Size: 77618 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive2: SanDisk Cruzer Slice USB Device +++++
--- User ---
[MBR] 570422272ced4fad5f334efc4b25fae9
[BSP] df4f83c1f72e36823a12b0dfc7617313 : MBR Code unknown
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 32 | Size: 15266 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
 
RogueKiller V8.1.1 [10/01/2012] by Tigzy

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Win7 [Admin rights]
Mode : Shortcuts HJfix -- Date : 10/21/2012 07:12:26

¤¤¤ Bad processes : 32 ¤¤¤
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SUSP PATH] doa2k8s.exe -- C:\Windows\System32\config\systemprofile\AppData\Roaming\doa2k8s.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\ProgramData\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\ProgramData\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\ProgramData\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\ProgramData\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\ProgramData\xadweffumdeq.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\ProgramData\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\ProgramData\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\ProgramData\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\ProgramData\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\ProgramData\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\ProgramData\senamakaqjus.exe -> KILLED [TermProc]
[SUSP PATH] hotnomjyzoby.exe -- C:\Users\Win7\hotnomjyzoby.exe -> KILLED [TermProc]
[SUSP PATH] beanifkeafal.exe -- C:\Users\Win7\beanifkeafal.exe -> KILLED [TermProc]
[SUSP PATH] pibmyrpimqaq.exe -- C:\Users\Win7\pibmyrpimqaq.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\Windows\System32\rundll32.exe : C:\Users\Win7\au48qsnx.dll -> KILLED [TermProc]
[SUSP PATH] qykopigturuq.exe -- C:\Users\Win7\qykopigturuq.exe -> KILLED [TermProc]
[SUSP PATH] Clients.exe -- C:\Users\Win7\AppData\Roaming\Clients.exe -> KILLED [TermProc]
[SUSP PATH] xadweffumdeq.exe -- C:\Users\Win7\xadweffumdeq.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\svchost.exe -> KILLED [TermProc]
[SUSP PATH] jafatgortycx.exe -- C:\Users\Win7\jafatgortycx.exe -> KILLED [TermProc]
[SUSP PATH] koxyfyvobnog.exe -- C:\Users\Win7\koxyfyvobnog.exe -> KILLED [TermProc]
[SUSP PATH] vyfalperyfir.exe -- C:\Users\Win7\vyfalperyfir.exe -> KILLED [TermProc]
[SUSP PATH] daxixreameam.exe -- C:\Users\Win7\daxixreameam.exe -> KILLED [TermProc]
[SUSP PATH] qyftegoblari.exe -- C:\Users\Win7\qyftegoblari.exe -> KILLED [TermProc]
[SUSP PATH] senamakaqjus.exe -- C:\Users\Win7\senamakaqjus.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\Windows\System32\svchost.exe -> KILLED [TermProc]

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> E:\windows\system32\config\SOFTWARE
-> E:\Users\Alfi\NTUSER.DAT
-> E:\Users\Default\NTUSER.DAT
-> G:\windows\system32\config\SOFTWARE
-> G:\Users\Default\NTUSER.DAT
-> G:\Users\Default User\NTUSER.DAT
-> G:\Users\WIN7\NTUSER.DAT
-> G:\Documents and Settings\Default\NTUSER.DAT
-> G:\Documents and Settings\Default User\NTUSER.DAT
-> G:\Documents and Settings\WIN7\NTUSER.DAT

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 97 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 5 / Fail 0
Start menu: Success 91 / Fail 0
User folder: Success 107 / Fail 0
My documents: Success 8 / Fail 8
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 385 / Fail 1
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume4 -- 0x3 --> Restored
[F:] \Device\HarddiskVolume5 -- 0x3 --> Restored
[G:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[H:] \Device\CdRom1 -- 0x5 --> Skipped
[I:] \Device\CdRom2 -- 0x5 --> Skipped
[J:] \Device\CdRom3 -- 0x5 --> Skipped
[K:] \Device\HarddiskVolume6 -- 0x2 --> Restored

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
 
Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.
Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed further to do so.

Now this again, please....
ComboFix scan

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
All of them posted a log for me, but ComboFix still can't run and the message that blocked me from opening ComboFix still appears.

I've tried to use Rkill several times; I had 9/6/5/4/3 processes terminated. When I tried to run 2 Rkills at once, the second Rkill posted a lower number of processes terminated (I once got 1) than the first one. I came to the conclusion that the bad program respawns faster than I thought.
Then I tried to open it in Safe Mode, but it couldn't, because shortly before I arrived at the desktop a message telling me explorer.exe is missing appeared and I couldn't access anything; it was just an all-dark desktop, and I had no choice except to turn off my PC from the power button.

I will post the logs (first 3 logs) below this message.
 
Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/22/2012 06:31:11 AM in x86 mode.
Windows Version: Windows 7 Home Basic

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\system32\AUDIODG.EXE (PID: 1184) [WD-HEUR]
* C:\Windows\system32\config\systemprofile\AppData\Roaming\doa2k8s.exe (PID: 268) [WD-HEUR]
* C:\Windows\System32\Drivers\WTSRV.EXE (PID: 556) [WD-HEUR]
* C:\Windows\system32\WUDFHost.exe (PID: 2612) [WD-HEUR]
* C:\Windows\System32\WTClient.exe (PID: 3240) [WD-HEUR]
* C:\Windows\System32\acledit.exe (PID: 2104) [WD-HEUR]
* C:\Windows\system32\SearchProtocolHost.exe (PID: 3924) [WD-HEUR]
* C:\Windows\system32\SearchFilterHost.exe (PID: 1484) [WD-HEUR]
* C:\Windows\system32\sppsvc.exe (PID: 3172) [WD-HEUR]

9 proccesses terminated!

Possibly Patched Files.

* C:\Windows\System32\spoolsv.exe
* C:\Windows\system32\wbem\wmiprvse.exe
* C:\Windows\system32\wuauclt.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\conhost.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Security Center (wscsvc) is not Running.
Startup Type set to: Disabled

Searching for Missing Digital Signatures:

* C:\Windows\System32\conhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 271.360 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

* C:\Windows\System32\ctfmon.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 8.704 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

* C:\Windows\System32\dllhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 7.168 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

* C:\Windows\System32\spoolsv.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 316.416 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

* C:\Windows\System32\taskeng.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 190.464 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

* C:\Windows\System32\userinit.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 26.112 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

* C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 254.976 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

* C:\Windows\System32\wuauclt.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 47.104 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

* C:\Windows\explorer.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.613.248 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 jL.chura.pl

Program finished at: 10/22/2012 06:31:43 AM
Execution time: 0 hours(s), 0 minute(s), and 32 seconds(s)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------


Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/22/2012 06:33:54 AM in x86 mode.
Windows Version: Windows 7 Home Basic

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\system32\WUDFHost.exe (PID: 3544) [WD-HEUR]
* C:\Windows\system32\AUDIODG.EXE (PID: 2648) [WD-HEUR]
* C:\Windows\system32\SearchProtocolHost.exe (PID: 4080) [WD-HEUR]
* C:\Windows\system32\SearchFilterHost.exe (PID: 1332) [WD-HEUR]
* C:\Windows\system32\sppsvc.exe (PID: 4012) [WD-HEUR]

5 proccesses terminated!

Possibly Patched Files.

* C:\Windows\System32\spoolsv.exe
* C:\Windows\system32\wuauclt.exe
* C:\Windows\system32\wbem\wmiprvse.exe
* C:\Windows\system32\wbem\wmiprvse.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\conhost.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

Searching for Missing Digital Signatures:

* C:\Windows\System32\conhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 289.280 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

* C:\Windows\System32\ctfmon.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 26.624 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

* C:\Windows\System32\dllhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 25.088 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

* C:\Windows\System32\spoolsv.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 334.336 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

* C:\Windows\System32\taskeng.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 208.384 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

* C:\Windows\System32\userinit.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 44.032 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

* C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 272.896 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

* C:\Windows\System32\wuauclt.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 65.024 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

* C:\Windows\explorer.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.631.168 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 jL.chura.pl

Program finished at: 10/22/2012 06:34:10 AM
Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)


---------------------------------------------------------------------------------------------------------------------------------------------------------------------


Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/22/2012 06:35:12 AM in x86 mode.
Windows Version: Windows 7 Home Basic

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Windows\system32\WUDFHost.exe (PID: 2668) [WD-HEUR]
* C:\Windows\system32\SearchProtocolHost.exe (PID: 2272) [WD-HEUR]
* C:\Windows\system32\SearchFilterHost.exe (PID: 4036) [WD-HEUR]
* C:\Windows\system32\AUDIODG.EXE (PID: 612) [WD-HEUR]

4 proccesses terminated!

Possibly Patched Files.

* C:\Windows\System32\spoolsv.exe
* C:\Windows\system32\wuauclt.exe
* C:\Windows\system32\wbem\wmiprvse.exe
* C:\Windows\system32\wbem\wmiprvse.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\DllHost.exe
* C:\Windows\system32\conhost.exe

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Security Center (wscsvc) is not Running.
Startup Type set to: Automatic

Searching for Missing Digital Signatures:

* C:\Windows\System32\conhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7600.16385_none_74321d74636d5b24\conhost.exe : 289.280 : 07/14/2009 00:14 AM : c2ea276f53dbc64503dd0587f9a220d0 [Pos Repl]

* C:\Windows\System32\ctfmon.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_9d06e2f6f1e51f98\ctfmon.exe : 26.624 : 07/14/2009 00:14 AM : 87124361a334273522b08e8ec00fcdd4 [Pos Repl]

* C:\Windows\System32\dllhost.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe : 25.088 : 07/14/2009 00:14 AM : 8b4ce34805fe85dc5fdb5f34e895b6de [Pos Repl]

* C:\Windows\System32\spoolsv.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7600.16385_none_d621f94522dc5a87\spoolsv.exe : 334.336 : 07/14/2009 00:14 AM : 4ed1ba075935ffe7e7725bf83d37dd3c [Pos Repl]

* C:\Windows\System32\taskeng.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7600.16385_none_e582a352202e02c8\taskeng.exe : 208.384 : 07/14/2009 00:14 AM : 2d8fda62ef7a7fb71bb9541995e3bdd6 [Pos Repl]

* C:\Windows\System32\userinit.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe : 44.032 : 07/14/2009 00:14 AM : 95e8e98a6079b31d90e070e52e972b43 [Pos Repl]

* C:\Windows\System32\wbem\wmiprvse.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7600.16385_none_103914aeecb89f38\WmiPrvSE.exe : 272.896 : 07/14/2009 00:14 AM : 21345efdc91c5d4dcaa4c11785a1aabf [Pos Repl]

* C:\Windows\System32\wuauclt.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_7.3.7600.16385_none_3086c9dad36a69b3\wuauclt.exe : 65.024 : 07/14/2009 00:14 AM : 02e092dce23ca26577b24e60137748e6 [Pos Repl]

* C:\Windows\explorer.exe [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe : 2.631.168 : 07/14/2009 00:14 AM : 0200ffe1ec529ce86bae1972a74afa86 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 jL.chura.pl

Program finished at: 10/22/2012 06:35:28 AM
Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)
 
You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files (.exe, .scr, .rar, .zip, .htm, .html).
Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
  • Backup all your documents and important items only.
  • DO NOT back up any executable files (.exe, .scr, .html or .htm)
  • Do not back up compressed (zip/cab/rar) files that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
 
If I wait until my PC can't be operated anymore and then reinstall my Windows, will the other problem occur or not?

I'm still looking for the software and drivers.
 
Is it alright if I save several .exe files to another drive?
I'm afraid they can still infect if I put my important files back on my PC.
 
They can still infect anything. As of right now, almost any file on your system is compromised (infected), so it's best that the system is wiped clean with nothing saved.

You can try to save files, BUT they will be either infected and/or damaged, and running them is going to be very risky.

This is very much related to the following:
http://www.helpmyos.com/malware-threat-removal-f6/virut-information-t879.htm

I am sorry for the bad news. I do not understand why these mean people make such harsh viruses, and I wish there was a way to clean your system without everything being damaged. But the problem is that when cleaning the system, most files will be damaged. It is like trying to clean up a city that just had a tornado or hurricane run through it. It takes rebuilding, and time to set back up.
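One way to apply the backup rules from the helper's diagnosis post and the .exe question above (documents only; no executables or HTML; no archives that may hold executables), as an added example that is not part of the thread or of any tool it mentions. The file tree it builds is a constructed sample, and the choice to skip .rar/.cab outright, since the standard library cannot open them, is this script's own:

```python
import os
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {".exe", ".scr", ".htm", ".html"}  # thread's "do not back up" list
ARCHIVES = {".zip", ".rar", ".cab"}            # thread's "may contain .exe" list


def zip_is_safe(path):
    """True only if the zip opens cleanly and no member has an infectable suffix."""
    try:
        with zipfile.ZipFile(path) as zf:
            return not any(Path(n).suffix.lower() in INFECTABLE for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # a damaged archive is what the thread warns about: skip it


def classify(path):
    """Return 'copy', 'skip-infectable', 'skip-archive' or 'skip-zip-with-exe'."""
    ext = Path(path).suffix.lower()
    if ext in INFECTABLE:
        return "skip-infectable"
    if ext == ".zip":
        return "copy" if zip_is_safe(path) else "skip-zip-with-exe"
    if ext in ARCHIVES:
        return "skip-archive"  # .rar/.cab: not inspectable offline, so excluded
    return "copy"


def select_backup_files(root):
    """Walk root and bucket every file (path relative to root) by verdict."""
    buckets = {"copy": [], "skip-infectable": [], "skip-archive": [], "skip-zip-with-exe": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            buckets[classify(p)].append(p.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in buckets.items()}


def build_sample_tree(root):
    """Write a constructed sample user profile (not real data) under root."""
    root = Path(root)
    (root / "Documents").mkdir()
    (root / "Documents" / "invoice.docx").write_bytes(b"constructed docx bytes")
    (root / "Documents" / "notes.txt").write_text("quarterly figures")
    (root / "setup.exe").write_bytes(b"MZ constructed")
    (root / "readme.html").write_text("<html></html>")
    (root / "old.rar").write_bytes(b"Rar! constructed")
    with zipfile.ZipFile(root / "photos.zip", "w") as zf:
        zf.writestr("trip/beach.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("bin/run.exe", b"MZ constructed")
        zf.writestr("bin/readme.txt", "usage")


def demo():
    """Build the sample tree in a temp dir and return the verdict buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return select_backup_files(tmp)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(f"{verdict:18} {paths}")
```

Point `select_backup_files` at a user profile to get the list of files worth copying; everything in the skip buckets stays on the machine to be wiped.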
 