RogueKiller V12.9.1.0 [Jan 2 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : greg [Administrator]
Started from : C:\Users\Greg_2\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/02/2017 23:29:17 (Duration : 08:13:53)

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] spoolsv.exe(1472) -- C:\Windows\System32\spoolsv.exe[7] -> Found

¤¤¤ Registry : 8 ¤¤¤
[VT.Unknown] HKEY_USERS\S-1-5-21-3511603995-3759102385-647382594-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | Report : \AdwCleaner\AdwCleaner[C0].txt [-] -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-3511603995-3759102385-647382594-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-3511603995-3759102385-647382594-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{D52F811E-11B0-41D3-95C9-129B336F46DE}C:\program files\orbitdownloader\orbitnet.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files\orbitdownloader\orbitnet.exe|Name=P2P service of Orbit Downloader|Desc=P2P service of Orbit Downloader|Defer=User| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9F68E998-6417-40C1-B408-9FDF051D3F15}C:\program files\orbitdownloader\orbitnet.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files\orbitdownloader\orbitnet.exe|Name=P2P service of Orbit Downloader|Desc=P2P service of Orbit Downloader|Defer=User| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{D52F811E-11B0-41D3-95C9-129B336F46DE}C:\program files\orbitdownloader\orbitnet.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files\orbitdownloader\orbitnet.exe|Name=P2P service of Orbit Downloader|Desc=P2P service of Orbit Downloader|Defer=User| [x] -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9F68E998-6417-40C1-B408-9FDF051D3F15}C:\program files\orbitdownloader\orbitnet.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files\orbitdownloader\orbitnet.exe|Name=P2P service of Orbit Downloader|Desc=P2P service of Orbit Downloader|Defer=User| [x] -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3511603995-3759102385-647382594-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 21 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwCreateSection[84] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec75874
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwCreateThread[87] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec759fa
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwCreateThreadEx[88] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec75a88
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwMakeTemporaryObject[164] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec757ea
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwQueueApcThread[269] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec75b1a
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwQueueApcThreadEx[270] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec75baa
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwSetContextThread[316] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec75c3a
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwSetSystemInformation[350] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec71af4
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwSetSystemTime[352] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec71caa
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwTerminateProcess[370] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec71d38
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwUnmapViewOfSection[385] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec7575c
[SSDT:Addr(Suspicious.Path|Hook.SSDT)] ZwWriteVirtualMemory[399] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec738f6
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserCallTwoParam[335] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec7470a
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserMessageCall[490] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec7149e
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserPostMessage[508] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec71368
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserPostThreadMessage[509] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec70aa4
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserQueryWindow[515] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec708a4
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserSendInput[536] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec746b4
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserSetParent[560] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec71440
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserSetWindowLong[578] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec713cc
[ShwSSDT:Addr(Suspicious.Path|Hook.Shadow)] NtUserSwitchDesktop[594] : C:\Users\greg\AppData\Local\Temp\36B259FD-E6FB684E-5A84F91F-91DDE21E\166332144.sys @ 0xffffffffaec70572

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545025B9A300 +++++
--- User ---
[MBR] f256aa256c1dca350f5d0cde6b1352ce
[BSP] 0fccb63e033589657bff94dacfa2ed28 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 102400 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 209717248 | Size: 125816 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] FAT32 (0x1b) [HIDDEN!] Offset (sectors): 467388416 | Size: 10240 MB
3 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 488359936 | Size: 15 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Single Flash Reader USB Device +++++
Error reading User MBR! ([15] Le périphérique n'est pas prêt. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Cette demande n'est pas prise en charge. )