rootkits found rogue killer, report posted

[Kevin Hill]

RogueKiller V11.0.10.0 (x64) [Feb 1 2016] (Free) by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/software/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version

Started in : Normal mode

User : kjh71 [Administrator]

Started from : C:\Users\kjh71\Downloads\RogueKillerX64.exe

Mode : Scan -- Date : 01/18/2017 22:43:32

¤¤¤ Processes : 1 ¤¤¤

[PUP|VT.Adware.PremierOpinion] pmservice.exe(6420) -- C:\Program Files (x86)\PremierOpinion\pmservice.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 2 ¤¤¤

[PUP|VT.Adware.PremierOpinion] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PremierOpinion (C:\Program Files (x86)\PremierOpinion\pmservice.exe /service) -> Found

[PUP|VT.Adware.PremierOpinion] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PremierOpinion (C:\Program Files (x86)\PremierOpinion\pmservice.exe /service) -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤

[PUP][Folder] C:\ProgramData\{AFF99647-6D64-46F2-934A-F12F468037F6} -> Found

[PUP][Folder] C:\Program Files (x86)\PremierOpinion -> Found

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 88 (Driver: Loaded) ¤¤¤

[iAT:Addr(Hook.IEAT)] (explorer.exe @ StartIsBack64.dll) kernel32!Sleep : Unknown @ 0x4216bb0

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7f8fa56002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ msctf.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7f8fa56002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ msctf.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7f8fa56002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ msctf.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7f8fa56002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ msctf.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7f8fa56002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ msctf.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7f8fcb1002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7f8fa56006c

[iAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7f8fc85002c

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: TOSHIBA DT01ACA1 SCSI Disk Device +++++

--- User ---

[MBR] 13b4414b5744289ebfd7703bbd14aa8f

[bSP] 00630af4f5e57acac24c510e2e96afaf : Empty|VT.Unknown MBR Code

Partition table:

0 - [sYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB

1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB

2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB

3 - Basic data partition | Offset (sectors): 3096576 | Size: 940331 MB

4 - [sYSTEM][MAN-MOUNT] | Offset (sectors): 1928894464 | Size: 451 MB

5 - [sYSTEM] Basic data partition | Offset (sectors): 1929818112 | Size: 11380 MB

User = LL1 ... OK

Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++

Error reading User MBR! ([15] The device is not ready. )

Error reading LL1 MBR! NOT VALID!

Error reading LL2 MBR! ([32] The request is not supported. )

[Juliet]

You have PremierOpinion in your add/remove programs list?

If found uninstall it.

 

~~

 

Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
• Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

   

[Kevin Hill]

how do u run as admin, it isnt showing up on downloads

[Juliet]

Have you tried to right click, does it say it there?

 

If it doesn't appear, please run the tool anyway.

[Kevin Hill]

man i can barely move my mouse, get back to me asap

[Kevin Hill]

access denied

 

pen a command prompt run as administrator

if ur usb disk is e:
Then type attrib -a -s -h -r e:\ \* /d /s

[Juliet]

Can you open task manager, look to see what it using the highest amount of CPU?

Is it something you can end task on?

 

Can you boot into safe with networking?

[Kevin Hill]

task manager doesnt open right away

[Kevin Hill]

how do u boot into safe mode and what do u want me to do next

[Juliet]

not sure which operating system you have so let's see if this will work

 

Hold down the power button and count to 5 (slowly)

 

Let it sit a minute then reboot.

it's going to open up different options on how to restart your computer.

Chose safe mode with networking. then do this

 

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 6 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

• rkill.exe
• rkill.com
• rkill.scr
• rkill.pif
• WiNlOgOn.exe
• uSeRiNiT.exe

~~~

 

Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
• Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

   

~~~

 

After this and you have saved these logs I need to see on desktopor somewhere you know you can get to afterwards

See what happens if you try to now boot back into normal mode.