Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/04/2017 10:32:46 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\IFTA\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe (PID: 1932) [UP-HEUR]
 * C:\Users\IFTA\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe (PID: 3108) [UP-HEUR]
 * C:\Users\IFTA\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe (PID: 6064) [UP-HEUR]
 * C:\Users\IFTA\AppData\Roaming\Microsoft\SoundMixer\SoundMixer.exe (PID: 4904) [UP-HEUR]

4 proccesses terminated!

Possibly Patched Files.

 * C:\Windows\system32\winlogon.exe

Checking Registry for malware related settings:

 * Advanced Explorer Setting Removed: HideIcons [HKCU]

Backup Registry file created at:
 C:\Users\IFTA\Desktop\rkill\rkill-11-04-2017-10-34-11.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Modified HKCU\...\Winlogon: [Shell] => %comspec%
 * No issues found.

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1 008 640 : 01/16/2011 01:01 AM : 0b864e15a0badff0e7bb8b59009fddcf [NoSig]
   +-> C:\Windows\KJ\Pirate\P\SysWOW64P\user32.dll : 833 024 : 11/19/2010 09:08 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
   +-> C:\Windows\KJ\Pirate\P\x64P\user32.dll : 1 008 128 : 11/19/2010 10:27 PM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
   +-> C:\Windows\KJ\Pirate\P\x86P\user32.dll : 811 520 : 11/19/2010 09:21 PM : f1dd3acaee5e6b4bbc69bc6df75cef66 [Pos Repl]
   +-> C:\Windows\KJ\Pirate\T\SysWOW64T\user32.dll : 833 024 : 11/19/2010 09:08 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
   +-> C:\Windows\KJ\Pirate\T\x64T\user32.dll : 1 008 640 : 01/16/2011 01:01 AM : 0b864e15a0badff0e7bb8b59009fddcf [Pos Repl]
   +-> C:\Windows\KJ\Pirate\T\x86T\user32.dll : 812 032 : 11/19/2010 09:21 PM : cf97d64d7ec169c53c93b0a192218b29 [Pos Repl]
   +-> C:\Windows\SysWOW64\user32.dll : 833 024 : 11/19/2010 09:08 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll : 1 008 640 : 07/14/2009 02:41 AM : 72d7b3ea16946e8f0cf7458150031cc6 [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1 008 128 : 11/20/2010 02:27 PM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
   +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll : 833 024 : 07/14/2009 02:11 AM : e8b0ffc209e504cb7e79fc24e6c085f0 [Pos Repl]
   +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833 024 : 11/20/2010 01:08 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]
 * C:\Windows\System32\winlogon.exe : 389 632 : 01/16/2011 01:01 AM : 81257415084b84f3c0d95c381a8d4c8f [NoSig]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_cbb7f2bdeea2829c\winlogon.exe : 389 120 : 07/14/2009 02:39 AM : 132328df455b0028f13bf0abee51a63a [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe : 390 656 : 11/20/2010 02:25 PM : 1151b1baa6f350b1db6598e0fea7c457 [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.18409_none_cdf8bf35eb848572\winlogon.exe : 455 168 : 03/04/2014 10:43 AM : 88ab9b72b4bf3963a0de0820b4b0b06c [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.18540_none_cdc47ed1ebad0e4e\winlogon.exe : 455 168 : 07/17/2014 03:07 AM : 8cebd9d0a0a879cde9f36f4383b7caea [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.22616_none_ce748d1d04acf24f\winlogon.exe : 455 680 : 03/04/2014 12:08 AM : 6ce2ae073bd21c542fc2c707cae944cc [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.22750_none_ce434d9704d2c730\winlogon.exe : 455 680 : 07/16/2014 04:23 AM : 98aa0bfee089c7e5dadb94190d93456c [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found: 

  127.0.0.1 209.34.83.73:443
  127.0.0.1 209.34.83.73:43
  127.0.0.1 209.34.83.73
  127.0.0.1 209.34.83.67:443
  127.0.0.1 209.34.83.67:43
  127.0.0.1 209.34.83.67
  127.0.0.1 ood.opsource.net
  127.0.0.1 199.7.52.190:80
  127.0.0.1 199.7.52.190
  127.0.0.1 OCSP.SPO1.VERISIGN.COM
  127.0.0.1 199.7.54.72:80
  127.0.0.1 199.7.54.72
  127.0.0.1 192.150.14.69
  127.0.0.1 192.150.18.101
  127.0.0.1 192.150.18.108
  127.0.0.1 192.150.22.40
  127.0.0.1 192.150.8.100
  127.0.0.1 192.150.8.118
  127.0.0.1 209-34-83-73.ood.opsource.net
  127.0.0.1 3dns-1.adobe.com

20 out of 191 HOSTS entries shown.
Please review HOSTS file for further entries.

Program finished at: 11/04/2017 10:36:42 PM
Execution time: 0 hours(s), 3 minute(s), and 56 seconds(s)
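The two sections of this log that carry the most signal are the "[NoSig]" files with their "[Pos Repl]" candidates and the HOSTS entries. Below is an added example, written for this page and not part of Rkill or of the log above, that parses both. For each unsigned file it reports whether an MD5-identical copy exists in the WinSxS component store (the location Windows servicing keeps known-good copies) or only somewhere else; for HOSTS it separates names that are genuinely sinkholed to loopback from lines that can never take effect, because HOSTS maps hostnames only and does not consult IP literals or ":port" suffixes. The embedded SAMPLE_LOG is a constructed subset of the entries above (the "localhost" line and the "5 out of 5" footer are added for the example); run on the full log the verdicts are the same: the unsigned System32\user32.dll hashes identically only to C:\Windows\KJ\Pirate\T\x64T\user32.dll, a path outside the component store, and the unsigned winlogon.exe matches none of its six WinSxS copies.

```python
"""Parse two sections of an Rkill log: unsigned system files with their
'[Pos Repl]' candidates, and the HOSTS entries Rkill lists."""
import re
from dataclasses import dataclass, field

# Constructed subset of the Rkill log above; 'localhost' and the footer are added.
SAMPLE_LOG = r"""Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1 008 640 : 01/16/2011 01:01 AM : 0b864e15a0badff0e7bb8b59009fddcf [NoSig]
   +-> C:\Windows\KJ\Pirate\T\x64T\user32.dll : 1 008 640 : 01/16/2011 01:01 AM : 0b864e15a0badff0e7bb8b59009fddcf [Pos Repl]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1 008 128 : 11/20/2010 02:27 PM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 * C:\Windows\System32\winlogon.exe : 389 632 : 01/16/2011 01:01 AM : 81257415084b84f3c0d95c381a8d4c8f [NoSig]
   +-> C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636\winlogon.exe : 390 656 : 11/20/2010 02:25 PM : 1151b1baa6f350b1db6598e0fea7c457 [Pos Repl]

Checking HOSTS File:

 * HOSTS file entries found: 

  127.0.0.1 209.34.83.73:443
  127.0.0.1 ood.opsource.net
  127.0.0.1 OCSP.SPO1.VERISIGN.COM
  127.0.0.1 3dns-1.adobe.com
  127.0.0.1 localhost

5 out of 5 HOSTS entries shown.
"""

# " * <path> : <size> : <timestamp> : <md5> [NoSig]" or "   +-> ... [Pos Repl]"
ENTRY_RE = re.compile(
    r"^\s*(?:\*|\+->)\s+(?P<path>.+?) : (?P<size>[\d ]+) : (?P<stamp>.+?) : "
    r"(?P<md5>[0-9a-fA-F]{32}) \[(?P<tag>NoSig|Pos Repl)\]\s*$"
)
HOSTS_RE = re.compile(r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$")
IP_LITERAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
LOCAL_ALIASES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class FileRecord:
    path: str
    size: int
    md5: str


@dataclass
class UnsignedFile:
    record: FileRecord
    candidates: list = field(default_factory=list)  # the '+->' lines that follow


def parse_signature_section(text):
    """Return one UnsignedFile per [NoSig] line, each with its [Pos Repl] candidates."""
    results = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        rec = FileRecord(m["path"], int(m["size"].replace(" ", "")), m["md5"].lower())
        if m["tag"] == "NoSig":
            results.append(UnsignedFile(rec))
        elif results:  # a candidate belongs to the most recent unsigned file
            results[-1].candidates.append(rec)
    return results


def in_component_store(path):
    """True for files under the WinSxS servicing store."""
    return "\\winsxs\\" in path.lower()


def assess(unsigned):
    """Map each unsigned path to a verdict based on where an MD5-identical copy lives."""
    verdicts = {}
    for uf in unsigned:
        same = [c for c in uf.candidates if c.md5 == uf.record.md5]
        if any(in_component_store(c.path) for c in same):
            verdicts[uf.record.path] = "identical copy in component store"
        elif same:
            verdicts[uf.record.path] = ("identical copy only outside component store: "
                                        + ", ".join(c.path for c in same))
        else:
            verdicts[uf.record.path] = "no identical copy among candidates"
    return verdicts


def parse_hosts_section(text):
    """Return (ip, name) pairs listed after 'Checking HOSTS File:'."""
    entries, in_hosts = [], False
    for line in text.splitlines():
        if line.startswith("Checking HOSTS File:"):
            in_hosts = True
        elif in_hosts and (m := HOSTS_RE.match(line)):
            entries.append((m["ip"], m["host"]))
    return entries


def sinkholed(entries):
    """Loopback-mapped names that are not normal local aliases, each with a note."""
    findings = []
    for ip, host in entries:
        if not ip.startswith("127.") or host.lower() in LOCAL_ALIASES:
            continue
        if IP_LITERAL_RE.match(host) or ":" in host:
            note = "ineffective: HOSTS maps names only; IP literals and :port suffixes are never looked up"
        elif "ocsp" in host.lower():
            note = "blocks certificate revocation (OCSP) lookups for that responder"
        else:
            note = "name sinkholed to loopback"
        findings.append((host, note))
    return findings


if __name__ == "__main__":
    for path, verdict in assess(parse_signature_section(SAMPLE_LOG)).items():
        print(f"{path}: {verdict}")
    for host, note in sinkholed(parse_hosts_section(SAMPLE_LOG)):
        print(f"{host}: {note}")
```

Two caveats when reading the verdicts. A missing signature in Rkill's check is not by itself proof of tampering, and an MD5 match only says two files have the same bytes; the Windows-native check for a replaced system file is sfc /scannow, which compares against the component store directly. The "ineffective" HOSTS lines still matter as an indicator: someone or something wrote them, even though entries such as "127.0.0.1 209.34.83.73:443" never block anything.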