Windows Defender nowhere to be found and will not start


  1. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #21

    RogueKiller for 32bit or RogueKiller for 64bit

    Click on one of the links above that goes with your Windows 7 bit versions

    Save to the Desktop.

    Close all windows and browsers

    Right click on and choose Run as Administrator

    Press: SCAN

    Provide the RKreport.txt (Mode: Scan) in your reply.


  2. Posts : 21
    Windows 7 Home Premium
    Thread Starter
       #22

    Rogue Killer report


    RogueKiller V8.6.1 _x64_ [Jun 29 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : hxxp://www.adlice.com/forum/
    Website : hxxp://www.adlice.com/softwares/roguekiller/
    Blog : tigzy-RK

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : alireep [Admin rights]
    Mode : Scan -- Date : 07/01/2013 19:22:35
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 10 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : AmazonMP3DownloaderHelper (C:\Users\alireep\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [7]) -> FOUND
    [RUN][SUSP PATH] HKUS\S-1-5-21-4217943154-2574403412-3452344980-1001\[...]\Run : AmazonMP3DownloaderHelper (C:\Users\alireep\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [7]) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [SHELLSPWN] HKCU\[...]\command : ("C:\Users\alireep\AppData\Local\qwl.exe" -a "%1" %*) -> FOUND
    [SHELLSPWN] HKCR\[...]\command : ("C:\Users\alireep\AppData\Local\qwl.exe" -a "%1" %*) -> FOUND
    [SHELLSPWN] HKUS\S-1-5-21-4217943154-2574403412-3452344980-1001\[...]\command : ("C:\Users\alireep\AppData\Local\qwl.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\[...]\.exe : (sC) -> FOUND
    [FILEASSO] HKCU\[...]\.exe : (sC) -> FOUND
    [FILEASSO] HKUS\S-1-5-21-4217943154-2574403412-3452344980-1001\[...]\.exe : (sC) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: WDC WD3200BEVT-22ZCT0 +++++
    --- User ---
    [MBR] 8d15ff1cb0cee65668c16e6bdc48690c
    [BSP] 7cffa2bbebcd5bf713a9ff9b748eb9d5 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 12000 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 24578048 | Size: 100 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 24782848 | Size: 293143 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_07012013_192235.txt >>


  3. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #23

    Run RogueKiller again and click on Delete


  4. Posts : 21
    Windows 7 Home Premium
    Thread Starter
       #24

    VistaKing said:
    Run RogueKiller again and click on Delete
    Ran and then hit delete. Now what?


  5. Posts : 21
    Windows 7 Home Premium
    Thread Starter
       #25

    I also ran Kaspersky TDSSKiller no threats found.


  6. Posts : 21
    Windows 7 Home Premium
    Thread Starter
       #26

    Ran Malwarebytes and deleted all threats. 34 found; here is the log:
    Malwarebytes Anti-Malware (Trial) 1.75.0.1300
    Malwarebytes : Free anti-malware download

    Database version: v2013.07.01.08

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    alireep :: ALIREEP-PC [administrator]

    Protection: Enabled

    7/1/2013 7:57:17 PM
    mbam-log-2013-07-01 (19-57-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 217810
    Time elapsed: 10 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 3
    HKCR\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ArcadeWeb (Adware.ArcadeWeb) -> Quarantined and deleted successfully.

    Registry Values Detected: 1
    HKCR\ah|Content Type (Rogue.MultipleAV) -> Data: application/x-msdownload -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 18
    C:\Program Files (x86)\RelevantKnowledge (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\defaults (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\defaults\preferences (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\locale (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\addon-kit (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\addon-kit\data (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\addon-kit\lib (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\api-utils (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\api-utils\data (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\api-utils\lib (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\api-utils\lib\content (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\dpjs (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\dpjs\data (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\dpjs\data\.idea (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\dpjs\data\.idea\scopes (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\dpjs\lib (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.

    Files Detected: 12
    C:\Program Files (x86)\RelevantKnowledge\install.rdf (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\nscf.dat (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\rlcm.txt (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\rloci.bin (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\shfscp.dat (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\harness-options.json (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\install.rdf (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\locales.json (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\locale\en-GB.json (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\locale\eo.json (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\locale\fr-FR.json (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\RelevantKnowledge\firefox\resources\api-utils\data\test-trusted-document.html (PUP.Spyware.MarketScore) -> Quarantined and deleted successfully.

    (end)


  7. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #27

    Rerun FSS.exe again; delete the old FSS.txt file first.


  8. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #28

    If I may. Malwarebytes Anti Malware was run in post #2. I don't understand how it just found all these infections in post #26.
    Where did all these things come from between post #2 and post #26?

    From post #2

    Also install and run Malwarebytes Antimalware.

    http://www.malwarebytes.org/


  9. Posts : 2,470
    Windows 7 Home Premium
       #29

    dexterrules4,

    Let's see if we can find out what is going on with Windows Defender...

    Please download SystemLook for 64-bit system: http://jpshortstuff.247Fixes.com/SystemLook_x64.exe
    Save the file to the Desktop

    • Double-click SystemLook.exe to run it.
    • Copy the content inside the following code box into the open field:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /s
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\WinDefend /s
    • Click the Look button to start the scan.
    • When finished, a Notepad window opens with the results of the scan.
      Please post the SystemLook.txt in your reply.
    Thanks!


  10. Posts : 21
    Windows 7 Home Premium
    Thread Starter
       #30

    Farbar Service Scanner Version: 27-06-2013
    Ran by alireep (administrator) on 01-07-2013 at 21:57:50
    Running from "C:\Users\alireep\Downloads"
    Microsoft Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo.com returned error: Yahoo.com is offline


    Windows Firewall:
    =============
    MpsSvc Service is not running. Checking service configuration:
    The start type of MpsSvc service is OK.
    The ImagePath of MpsSvc service is OK.
    The ServiceDll of MpsSvc service is OK.

    bfe Service is not running. Checking service configuration:
    The start type of bfe service is OK.
    The ImagePath of bfe service is OK.
    The ServiceDll of bfe service is OK.


    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    Checking Start type: ATTENTION!=====> Unable to retrieve start type of WinDefend. The value does not exist.
    Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of WinDefend. The value does not exist.
    Unable to retrieve ServiceDll of WinDefend. The value does not exist.


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\ipnathlp.dll => MD5 is legit
    C:\Windows\System32\iphlpsvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****
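
The Farbar Service Scanner log in post #30 separates services that are only stopped (MpsSvc, bfe) from one whose registry values are missing (WinDefend), while the file check shows MpSvc.dll itself passed. As an added example that is not part of the original thread, this Python code triages a log in that format; the function names and verdict labels are assumptions made here, and the sample lines are excerpted from the log above.

```python
import re

# Lines in Farbar Service Scanner format, excerpted from the log in post #30.
SAMPLE_LOG = r"""
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of WinDefend. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of WinDefend. The value does not exist.
Unable to retrieve ServiceDll of WinDefend. The value does not exist.
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\w+) Service is not running\.")
VALUE_OK = re.compile(r"^The (start type|ImagePath|ServiceDll) of (\w+) service is OK\.")
VALUE_MISSING = re.compile(r"Unable to retrieve (start type|ImagePath|ServiceDll) of (\w+)\.")
FILE_LEGIT = re.compile(r"^(.+) => MD5 is legit$")

def triage(log_text):
    """Group FSS findings per service and collect files whose hash check passed."""
    services, legit_files = {}, []
    def entry(name):
        return services.setdefault(name, {"running": True, "ok": [], "missing": []})
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := NOT_RUNNING.match(line):
            entry(m.group(1))["running"] = False
        elif m := VALUE_OK.match(line):
            entry(m.group(2))["ok"].append(m.group(1))
        elif m := VALUE_MISSING.search(line):
            entry(m.group(2))["missing"].append(m.group(1))
        elif m := FILE_LEGIT.match(line):
            legit_files.append(m.group(1))
    return services, legit_files

def verdict(svc):
    """Separate a stopped service from one whose registry configuration is gone."""
    if svc["missing"]:
        return "config-missing"
    return "running" if svc["running"] else "stopped-config-intact"

if __name__ == "__main__":
    for name, svc in triage(SAMPLE_LOG)[0].items():
        print(name, "->", verdict(svc), svc["missing"])
```

A `config-missing` verdict next to a hash-verified service DLL points at the service's registry key rather than its binary, which is what the SystemLook query in post #29 inspects.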


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd