
Rogue antivirus removed, followed with Google redirect, rootkit?


9 replies to this topic

#1 nomorevirus12

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 11 December 2011 - 10:15 PM

Hello, we appear to have a virus rootkit. We have Webroot Secure Anywhere antivirus, and it seems to pick up a rootkit located at C:\Windows\system32\DRIVERS\i8042prt.sys

When clicking remove and rebooting, it appears the corrupted file reinstalls itself.

The main problem we are having now is search engine redirects. Also, Windows Firewall won't turn on, and we get an odd popup every once in a while from the system tray that says something like "some Windows startup programs were blocked". If I try to open this to show which programs are blocked, an error box pops up with "Windows Defender: Application Failed to Initialize: 0x80070006 The handle is invalid."

Also, when trying to turn on the Windows Firewall, an error pops up with "The security service can't be started." And Windows Security Center is not working.

I initially had a virus I believe called Windows Security 2012, which was a rogue anti-virus, where I followed the steps located at http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012. This appears to be completely removed, but I have now noticed the redirects. Oh, for some reason the Google redirects are only happening in Firefox and Chrome. I did perform a Windows update and install IE9 after removing the rogue anti-virus.

We are running Vista 32-bit. Any assistance would be greatly appreciated.
Thanks!!


#2 boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:28 AM

Posted 11 December 2011 - 10:35 PM

Hello and welcome. Let's run these and review the logs.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

<<<<<
Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click Start scan.
  • When it is finished, the utility outputs a list of detected objects with descriptions.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue.
  • Let it reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.


<<<<

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal/regular mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
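As an added illustration of what a helper looks for in the two logs requested above, here is a small Python triage script. It is example code written for this page, not part of MiniToolBox, TDSSKiller or this thread, and the sample inputs embedded in it are constructed from the line formats those two tools print (Firefox `network.proxy.*` prefs, `CatalogN` Winsock entries, and TDSSKiller's `Suspicious file (Forged)` / `- infected` lines); the file-reading in `__main__` assumes the logs are readable as text.

```python
"""Triage helper for MiniToolBox's Result.txt and TDSSKiller's log file.

Added example; not code from MiniToolBox, TDSSKiller or this thread. The
sample inputs below are constructed from the line formats those tools print.
"""
import re
import sys

# Constructed sample in MiniToolBox's Result.txt format, cut down to the
# sections that matter for a browser-redirect investigation.
SAMPLE_RESULT = '''\
========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 58121
"network.proxy.type", 0

Hosts file not detected in the default directory
========================= IP Configuration: ================================

Catalog5 06 C:\\Windows\\System32\\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\\Program Files\\Common Files\\PC Tools\\Lsp\\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
'''

# Constructed sample in TDSSKiller's log format.
SAMPLE_TDSS = '''\
07:01:27.0464 1912 i8042prt (5ee7f06bae08d17cbf030d831a80a296) C:\\Windows\\system32\\DRIVERS\\i8042prt.sys
07:01:27.0464 1912 Suspicious file (Forged): C:\\Windows\\system32\\DRIVERS\\i8042prt.sys. Real md5: 5ee7f06bae08d17cbf030d831a80a296, Fake md5: 22d56c8184586b7a1f6fa60be5f5a2bd
07:01:27.0464 1912 i8042prt ( Rootkit.Win32.ZAccess.aml ) - infected
07:01:27.0526 1912 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\\Windows\\system32\\drivers\\iastorv.sys
07:01:27.0526 1912 iaStorV - ok
'''

FF_PREF = re.compile(r'^"(network\.proxy\.[a-z_]+)",\s*"?([^"\n]*?)"?\s*$', re.M)
WINSOCK = re.compile(r'^(Catalog\d+)\s+(\d+)\s+(.+?)\s+\[([^\]]*)\]\s+\((.*)\)\s*$', re.M)
FORGED = re.compile(r'Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})')
INFECTED = re.compile(r'^\S+\s+\d+\s+(\S+) \( (\S+) \) - infected$', re.M)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_ff_proxy(text):
    """network.proxy.* prefs MiniToolBox dumped, as {pref: value} (values kept as strings)."""
    return dict(FF_PREF.findall(text))


def parse_winsock(text):
    """Winsock catalog entries as (catalog, index, module, size_or_status, vendor) tuples."""
    return WINSOCK.findall(text)


def triage_minitoolbox(text):
    """Findings worth reporting from a Result.txt in a redirect / rogue-AV case."""
    findings = []
    prefs = parse_ff_proxy(text)
    host = prefs.get("network.proxy.http")
    if host in LOOPBACK:
        # network.proxy.type 1 is Firefox's "manual proxy"; any other value leaves
        # the host/port prefs in place but unused.
        state = "active" if prefs.get("network.proxy.type") == "1" else "configured but inactive"
        findings.append(
            f"Firefox HTTP proxy set to {host}:{prefs.get('network.proxy.http_port')} ({state}): "
            "browser traffic was pointed at a process on this machine"
        )
    dangling = [f"{cat} {idx} {mod}" for cat, idx, mod, size, _ in parse_winsock(text)
                if size == "File Not found"]
    if dangling:
        findings.append(
            f"{len(dangling)} Winsock catalog entries ({', '.join(dangling)}) reference a "
            "missing module; the catalog needs repair (netsh winsock reset) once cleanup is done"
        )
    if "Hosts file not detected" in text:
        findings.append("hosts file missing from its default location; confirm it was not moved or replaced")
    return findings


def triage_tdsskiller(text):
    """Forged-file and infected-object lines from a TDSSKiller log."""
    forged = [{"path": p, "real_md5": r, "fake_md5": f} for p, r, f in FORGED.findall(text)]
    infected = dict(INFECTED.findall(text))
    return {"forged": forged, "infected": infected}


if __name__ == "__main__":
    # Usage: python triage.py [Result.txt] [TDSSKiller_log.txt]; with no arguments the samples are used.
    result_txt = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_RESULT
    tdss_txt = open(sys.argv[2], encoding="utf-8", errors="replace").read() if len(sys.argv) > 2 else SAMPLE_TDSS
    for line in triage_minitoolbox(result_txt):
        print("MiniToolBox:", line)
    report = triage_tdsskiller(tdss_txt)
    for name, verdict in report["infected"].items():
        print(f"TDSSKiller: {name} flagged as {verdict}")
    for entry in report["forged"]:
        print(f"TDSSKiller: {entry['path']} was read with two different hashes "
              f"(real {entry['real_md5']}, fake {entry['fake_md5']}); a driver whose on-disk hash "
              "differs from what the system reports is what a file-hiding rootkit looks like")
```

The script keeps the raw indicators (proxy host and port, the exact catalog entries, both hashes) in its output rather than just a verdict, so that a helper reading a posted log can confirm each finding against the original lines.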

#3 nomorevirus12
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 12 December 2011 - 07:53 AM

Thank you for the reply. I had turned off the wireless on the laptop overnight. This morning I turned it on to read the post and then after opening Chrome it appears I now have Security Sphere 2012 version 2.30.

My Webroot Antivirus has notified me of a file trying to modify the hosts file (I think this has been blocked), and also a file trying to modify boot registry files.

Nevertheless, I followed the instructions:
MiniToolBox log:

MiniToolBox by Farbar
Ran by Janelle (administrator) on 12-12-2011 at 06:46:07
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

***************************************************************************

========================= Flush DNS: ===================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"network.proxy.http", "127.0.0.1"
"network.proxy.http_port", 58121
"network.proxy.type", 0

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

Hosts file not detected in the default directory
========================= IP Configuration: ================================

NVIDIA nForce Networking Controller = Local Area Connection (Media disconnected)
Atheros AR5007 802.11b/g WiFi Adapter = Wireless Network Connection (Media disconnected)
The following helper DLL cannot be loaded: WSHELPER.DLL.
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.
Catalog5 06 C:\Windows\System32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog5 08 C:\Windows\system32\wshbth.dll [34304] (Microsoft Corporation)
Catalog9 01 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 02 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 03 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 04 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 05 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 06 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()
Catalog9 22 mswsock.dll [File Not found] ()
Catalog9 23 mswsock.dll [File Not found] ()
Catalog9 24 mswsock.dll [File Not found] ()
Catalog9 25 mswsock.dll [File Not found] ()
Catalog9 26 mswsock.dll [File Not found] ()
Catalog9 27 mswsock.dll [File Not found] ()
Catalog9 28 mswsock.dll [File Not found] ()
Catalog9 29 mswsock.dll [File Not found] ()
Catalog9 30 mswsock.dll [File Not found] ()
Catalog9 31 mswsock.dll [File Not found] ()
Catalog9 32 mswsock.dll [File Not found] ()
Catalog9 33 mswsock.dll [File Not found] ()
Catalog9 34 mswsock.dll [File Not found] ()
Catalog9 35 mswsock.dll [File Not found] ()
Catalog9 36 mswsock.dll [File Not found] ()
Catalog9 37 mswsock.dll [File Not found] ()
Catalog9 38 C:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll [329656] (PC Tools Research Pty Ltd.)

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/12/2011 06:40:27 AM) (Source: Application Error) (User: )
Description: Faulting application wermgr.exe, version 6.0.6001.18000, time stamp 0x47918ca1, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x00000001,
process id 0x1074, application start time 0xwermgr.exe0.

Error: (12/12/2011 06:39:19 AM) (Source: Application Error) (User: )
Description: Faulting application _ex-68.exe, version 0.208.46335.12059, time stamp 0x4ee5ccf2, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967, exception code 0xe06d7363, fault offset 0x0003fc56,
process id 0xec8, application start time 0x_ex-68.exe0.

Error: (12/11/2011 05:23:30 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {536b188e-8204-42f9-9e44-a3467ee4b961}

Error: (12/11/2011 05:20:26 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/11/2011 02:59:04 PM) (Source: Application Error) (User: )
Description: Faulting application REANIM~1.EXE, version 6.9.7.95, time stamp 0x00000000, faulting module kernel32.dll, version 6.0.6002.18449, time stamp 0x4da47967, exception code 0xc0000005, fault offset 0x00046fff,
process id 0xcb8, application start time 0xREANIM~1.EXE0.

Error: (12/11/2011 02:58:43 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/11/2011 02:57:57 PM) (Source: Application Error) (User: )
Description: Faulting application mDNSResponder.exe, version 2.0.4.0, time stamp 0x4cae1be1, faulting module mDNSResponder.exe, version 2.0.4.0, time stamp 0x4cae1be1, exception code 0xc0000005, fault offset 0x0000110a,
process id 0x224, application start time 0xmDNSResponder.exe0.

Error: (12/11/2011 02:00:34 PM) (Source: Application Error) (User: )
Description: Faulting application ping.exe, version 6.0.6001.18000, time stamp 0x47919130, faulting module SHLWAPI.dll, version 6.0.6002.18393, time stamp 0x4d39b5cc, exception code 0xc0000005, fault offset 0x0001e7bf,
process id 0x17c8, application start time 0xping.exe0.

Error: (12/11/2011 01:34:09 PM) (Source: Application Error) (User: )
Description: Faulting application ping.exe, version 6.0.6001.18000, time stamp 0x47919130, faulting module SHLWAPI.dll, version 6.0.6002.18393, time stamp 0x4d39b5cc, exception code 0xc0000005, fault offset 0x0001e7bf,
process id 0x1558, application start time 0xping.exe0.

Error: (12/11/2011 01:10:27 PM) (Source: Application Error) (User: )
Description: Faulting application ping.exe, version 6.0.6001.18000, time stamp 0x47919130, faulting module SHLWAPI.dll, version 6.0.6002.18393, time stamp 0x4d39b5cc, exception code 0xc0000005, fault offset 0x0001e7bf,
process id 0x1214, application start time 0xping.exe0.


System errors:
=============
Error: (12/12/2011 06:40:07 AM) (Source: Service Control Manager) (User: )
Description: 5689%%2

Error: (12/11/2011 06:06:22 PM) (Source: PCTCore) (User: )
Description: The item store is corrupted: @5512.

Error: (12/11/2011 05:33:38 PM) (Source: DCOM) (User: )
Description: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}

Error: (12/11/2011 05:33:12 PM) (Source: Service Control Manager) (User: )
Description: iPod Service%%2147549465

Error: (12/11/2011 05:20:27 PM) (Source: Service Control Manager) (User: )
Description: Internet Connection Sharing (ICS)BFE

Error: (12/11/2011 05:20:27 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy AgentBFE

Error: (12/11/2011 05:20:27 PM) (Source: Service Control Manager) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (12/11/2011 05:20:27 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (12/11/2011 05:20:27 PM) (Source: Service Control Manager) (User: )
Description: Computer Browser%%1060

Error: (12/11/2011 02:58:44 PM) (Source: Service Control Manager) (User: )
Description: Bonjour Service1


Microsoft Office Sessions:
=========================
Error: (12/18/2008 03:05:58 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 21629 seconds with 240 seconds of active time. This session ended with a crash.

Error: (12/07/2008 10:48:42 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5681 seconds with 3600 seconds of active time. This session ended with a crash.

Error: (10/14/2008 09:40:41 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6308.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 97785 seconds with 3960 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================


========================= Memory info: ===================================

Percentage of memory in use: 54%
Total physical RAM: 3006.18 MB
Available physical RAM: 1378.72 MB
Total Pagefile: 6226.82 MB
Available Pagefile: 4659.13 MB
Total Virtual: 2047.88 MB
Available Virtual: 1938.65 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:174.47 GB) (Free:98.44 GB) NTFS
2 Drive d: (HP_RECOVERY) (Fixed) (Total:11.84 GB) (Free:1.98 GB) NTFS

========================= Users: ========================================
========================= Minidump Files ==================================

No minidump file found

**** End of log ****

I then ran TDSSKiller. When trying to run this, the computer froze and made a buzzing noise, so I held down the power button to turn off the computer (hard reset). Windows gave me the option to boot in Safe Mode, so I chose Safe Mode with Networking and was able to run TDSSKiller:
(It did require a reboot.)


07:01:17.0854 1540 TDSS rootkit removing tool 2.6.22.0 Dec 7 2011 13:21:06
07:01:17.0885 1540 ============================================================
07:01:17.0885 1540 Current date / time: 2011/12/12 07:01:17.0885
07:01:17.0885 1540 SystemInfo:
07:01:17.0885 1540
07:01:17.0885 1540 OS Version: 6.0.6002 ServicePack: 2.0
07:01:17.0885 1540 Product type: Workstation
07:01:17.0885 1540 ComputerName: JANELLE-PC
07:01:17.0885 1540 UserName: Janelle
07:01:17.0885 1540 Windows directory: C:\Windows
07:01:17.0885 1540 System windows directory: C:\Windows
07:01:17.0885 1540 Processor architecture: Intel x86
07:01:17.0885 1540 Number of processors: 2
07:01:17.0885 1540 Page size: 0x1000
07:01:17.0885 1540 Boot type: Safe boot with network
07:01:17.0885 1540 ============================================================
07:01:19.0461 1540 Initialize success
07:01:21.0115 1912 ============================================================
07:01:21.0115 1912 Scan started
07:01:21.0115 1912 Mode: Manual;
07:01:21.0115 1912 ============================================================
07:01:22.0222 1912 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
07:01:22.0222 1912 ACPI - ok
07:01:22.0316 1912 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
07:01:22.0331 1912 adp94xx - ok
07:01:22.0394 1912 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
07:01:22.0394 1912 adpahci - ok
07:01:22.0441 1912 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
07:01:22.0441 1912 adpu160m - ok
07:01:22.0487 1912 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
07:01:22.0487 1912 adpu320 - ok
07:01:22.0659 1912 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
07:01:22.0675 1912 AFD - ok
07:01:22.0721 1912 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
07:01:22.0721 1912 agp440 - ok
07:01:22.0768 1912 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
07:01:22.0768 1912 aic78xx - ok
07:01:22.0799 1912 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
07:01:22.0799 1912 aliide - ok
07:01:22.0831 1912 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
07:01:22.0831 1912 amdagp - ok
07:01:22.0862 1912 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
07:01:22.0862 1912 amdide - ok
07:01:22.0877 1912 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
07:01:22.0877 1912 AmdK7 - ok
07:01:22.0909 1912 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
07:01:22.0909 1912 AmdK8 - ok
07:01:22.0971 1912 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
07:01:22.0971 1912 arc - ok
07:01:23.0002 1912 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
07:01:23.0002 1912 arcsas - ok
07:01:23.0049 1912 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
07:01:23.0049 1912 AsyncMac - ok
07:01:23.0096 1912 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
07:01:23.0096 1912 atapi - ok
07:01:23.0158 1912 athr (fa4e39b289d3a9606f03c90a933b2b1f) C:\Windows\system32\DRIVERS\athr.sys
07:01:23.0252 1912 athr - ok
07:01:23.0392 1912 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
07:01:23.0423 1912 BCM43XV - ok
07:01:23.0486 1912 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
07:01:23.0486 1912 Beep - ok
07:01:23.0533 1912 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
07:01:23.0533 1912 blbdrive - ok
07:01:23.0657 1912 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
07:01:23.0657 1912 bowser - ok
07:01:23.0720 1912 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
07:01:23.0720 1912 BrFiltLo - ok
07:01:23.0751 1912 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
07:01:23.0751 1912 BrFiltUp - ok
07:01:23.0923 1912 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
07:01:23.0923 1912 Brserid - ok
07:01:23.0954 1912 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
07:01:23.0954 1912 BrSerWdm - ok
07:01:23.0969 1912 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
07:01:23.0985 1912 BrUsbMdm - ok
07:01:24.0016 1912 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
07:01:24.0016 1912 BrUsbSer - ok
07:01:24.0079 1912 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
07:01:24.0079 1912 BthEnum - ok
07:01:24.0125 1912 BTHMODEM (5ffa6988ff9597986ff2ada736cc90c0) C:\Windows\system32\DRIVERS\bthmodem.sys
07:01:24.0125 1912 BTHMODEM - ok
07:01:24.0172 1912 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
07:01:24.0172 1912 BthPan - ok
07:01:24.0219 1912 BTHPORT (611ff3f2f095c8d4a6d4cfd9dcc09793) C:\Windows\system32\Drivers\BTHport.sys
07:01:24.0235 1912 BTHPORT - ok
07:01:24.0281 1912 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
07:01:24.0281 1912 BTHUSB - ok
07:01:24.0328 1912 btwaudio (99aeea7cefdfc6e4151a8f620d682088) C:\Windows\system32\drivers\btwaudio.sys
07:01:24.0359 1912 btwaudio - ok
07:01:24.0453 1912 btwavdt (195872e48a7fb01f8bc9b800f70f4054) C:\Windows\system32\drivers\btwavdt.sys
07:01:24.0453 1912 btwavdt - ok
07:01:24.0500 1912 btwrchid (0724e7d6c9b6a289eddda33fa8176e80) C:\Windows\system32\DRIVERS\btwrchid.sys
07:01:24.0500 1912 btwrchid - ok
07:01:24.0547 1912 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
07:01:24.0547 1912 cdfs - ok
07:01:24.0593 1912 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
07:01:24.0593 1912 cdrom - ok
07:01:24.0609 1912 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
07:01:24.0609 1912 circlass - ok
07:01:24.0656 1912 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
07:01:24.0656 1912 CLFS - ok
07:01:24.0734 1912 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
07:01:24.0734 1912 CmBatt - ok
07:01:24.0749 1912 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
07:01:24.0765 1912 cmdide - ok
07:01:24.0796 1912 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
07:01:24.0796 1912 Compbatt - ok
07:01:24.0843 1912 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
07:01:24.0859 1912 crcdisk - ok
07:01:24.0937 1912 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
07:01:24.0937 1912 Crusoe - ok
07:01:25.0046 1912 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
07:01:25.0046 1912 DfsC - ok
07:01:25.0124 1912 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
07:01:25.0124 1912 disk - ok
07:01:25.0186 1912 dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
07:01:25.0186 1912 dot4 - ok
07:01:25.0264 1912 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
07:01:25.0264 1912 Dot4Print - ok
07:01:25.0295 1912 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
07:01:25.0295 1912 dot4usb - ok
07:01:25.0373 1912 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
07:01:25.0373 1912 drmkaud - ok
07:01:25.0436 1912 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
07:01:25.0451 1912 DXGKrnl - ok
07:01:25.0467 1912 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
07:01:25.0498 1912 E1G60 - ok
07:01:25.0607 1912 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
07:01:25.0607 1912 Ecache - ok
07:01:25.0670 1912 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
07:01:25.0685 1912 elxstor - ok
07:01:25.0732 1912 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
07:01:25.0732 1912 ErrDev - ok
07:01:25.0810 1912 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
07:01:25.0826 1912 exfat - ok
07:01:25.0873 1912 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
07:01:25.0873 1912 fastfat - ok
07:01:25.0935 1912 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
07:01:25.0935 1912 fdc - ok
07:01:25.0982 1912 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
07:01:25.0997 1912 FileInfo - ok
07:01:26.0044 1912 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
07:01:26.0044 1912 Filetrace - ok
07:01:26.0075 1912 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
07:01:26.0075 1912 flpydisk - ok
07:01:26.0138 1912 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
07:01:26.0153 1912 FltMgr - ok
07:01:26.0200 1912 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
07:01:26.0200 1912 Fs_Rec - ok
07:01:26.0231 1912 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
07:01:26.0231 1912 gagp30kx - ok
07:01:26.0294 1912 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
07:01:26.0294 1912 GEARAspiWDM - ok
07:01:26.0341 1912 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\Windows\system32\drivers\grmnusb.sys
07:01:26.0341 1912 grmnusb - ok
07:01:26.0387 1912 HdAudAddService (7be40bb4cd16d8760e18ea981ff452ec) C:\Windows\system32\drivers\CHDART.sys
07:01:26.0403 1912 HdAudAddService - ok
07:01:26.0450 1912 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
07:01:26.0497 1912 HDAudBus - ok
07:01:26.0590 1912 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
07:01:26.0590 1912 HidBth - ok
07:01:26.0637 1912 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
07:01:26.0637 1912 HidIr - ok
07:01:26.0668 1912 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
07:01:26.0668 1912 HidUsb - ok
07:01:26.0777 1912 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
07:01:26.0777 1912 HpCISSs - ok
07:01:26.0824 1912 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
07:01:26.0824 1912 HpqKbFiltr - ok
07:01:26.0840 1912 HpqRemHid (115c0933b3ed51dfbec4449348c8065b) C:\Windows\system32\DRIVERS\HpqRemHid.sys
07:01:26.0840 1912 HpqRemHid - ok
07:01:26.0918 1912 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
07:01:26.0918 1912 HSFHWAZL - ok
07:01:26.0980 1912 HSF_DPV (1882827f41dee51c70e24c567c35bfb5) C:\Windows\system32\DRIVERS\HSX_DPV.sys
07:01:27.0011 1912 HSF_DPV - ok
07:01:27.0121 1912 HSXHWAZL (a44ddf3ba83e4664bf4de9220097578c) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
07:01:27.0121 1912 HSXHWAZL - ok
07:01:27.0214 1912 HTCAND32 (cbd09ed9cf6822177ee85aea4d8816a2) C:\Windows\system32\Drivers\ANDROIDUSB.sys
07:01:27.0214 1912 HTCAND32 - ok
07:01:27.0277 1912 htcnprot (52395a94c127c0266d1c0f3cce8a4345) C:\Windows\system32\DRIVERS\htcnprot.sys
07:01:27.0277 1912 htcnprot - ok
07:01:27.0339 1912 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
07:01:27.0339 1912 HTTP - ok
07:01:27.0401 1912 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
07:01:27.0401 1912 i2omp - ok
07:01:27.0464 1912 i8042prt (5ee7f06bae08d17cbf030d831a80a296) C:\Windows\system32\DRIVERS\i8042prt.sys
07:01:27.0464 1912 Suspicious file (Forged): C:\Windows\system32\DRIVERS\i8042prt.sys. Real md5: 5ee7f06bae08d17cbf030d831a80a296, Fake md5: 22d56c8184586b7a1f6fa60be5f5a2bd
07:01:27.0464 1912 i8042prt ( Rootkit.Win32.ZAccess.aml ) - infected
07:01:27.0464 1912 i8042prt - detected Rootkit.Win32.ZAccess.aml (0)
07:01:27.0526 1912 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
07:01:27.0526 1912 iaStorV - ok
07:01:27.0573 1912 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
07:01:27.0573 1912 iirsp - ok
07:01:27.0682 1912 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
07:01:27.0682 1912 intelide - ok
07:01:27.0713 1912 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
07:01:27.0713 1912 intelppm - ok
07:01:27.0823 1912 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
07:01:27.0823 1912 IpFilterDriver - ok
07:01:27.0838 1912 IpInIp - ok
07:01:27.0885 1912 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
07:01:27.0885 1912 IPMIDRV - ok
07:01:27.0916 1912 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
07:01:27.0916 1912 IPNAT - ok
07:01:27.0979 1912 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
07:01:27.0979 1912 IRENUM - ok
07:01:28.0010 1912 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
07:01:28.0025 1912 isapnp - ok
07:01:28.0135 1912 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
07:01:28.0135 1912 iScsiPrt - ok
07:01:28.0181 1912 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
07:01:28.0181 1912 iteatapi - ok
07:01:28.0228 1912 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
07:01:28.0228 1912 iteraid - ok
07:01:28.0259 1912 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
07:01:28.0259 1912 kbdclass - ok
07:01:28.0306 1912 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
07:01:28.0306 1912 kbdhid - ok
07:01:28.0353 1912 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
07:01:28.0369 1912 KSecDD - ok
07:01:28.0462 1912 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
07:01:28.0462 1912 lltdio - ok
07:01:28.0509 1912 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
07:01:28.0509 1912 LSI_FC - ok
07:01:28.0571 1912 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
07:01:28.0571 1912 LSI_SAS - ok
07:01:28.0603 1912 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
07:01:28.0603 1912 LSI_SCSI - ok
07:01:28.0634 1912 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
07:01:28.0634 1912 luafv - ok
07:01:28.0681 1912 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
07:01:28.0696 1912 mdmxsdk - ok
07:01:28.0743 1912 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
07:01:28.0743 1912 megasas - ok
07:01:28.0805 1912 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
07:01:28.0821 1912 MegaSR - ok
07:01:28.0868 1912 MEMSWEEP2 - ok
07:01:28.0883 1912 mferkdk - ok
07:01:28.0946 1912 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
07:01:28.0946 1912 Modem - ok
07:01:28.0993 1912 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
07:01:28.0993 1912 monitor - ok
07:01:29.0024 1912 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
07:01:29.0024 1912 mouclass - ok
07:01:29.0071 1912 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
07:01:29.0071 1912 mouhid - ok
07:01:29.0102 1912 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
07:01:29.0117 1912 MountMgr - ok
07:01:29.0164 1912 mozyFilter (7f4e5e7bbae245616c28a53b94dd7ddb) C:\Windows\system32\DRIVERS\mozy.sys
07:01:29.0164 1912 mozyFilter - ok
07:01:29.0227 1912 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
07:01:29.0258 1912 mpio - ok
07:01:29.0273 1912 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
07:01:29.0289 1912 mpsdrv - ok
07:01:29.0305 1912 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
07:01:29.0305 1912 Mraid35x - ok
07:01:29.0351 1912 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
07:01:29.0367 1912 MRxDAV - ok
07:01:29.0398 1912 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
07:01:29.0398 1912 mrxsmb - ok
07:01:29.0461 1912 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
07:01:29.0476 1912 mrxsmb10 - ok
07:01:29.0492 1912 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
07:01:29.0492 1912 mrxsmb20 - ok
07:01:29.0539 1912 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
07:01:29.0554 1912 msahci - ok
07:01:29.0585 1912 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
07:01:29.0585 1912 msdsm - ok
07:01:29.0632 1912 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
07:01:29.0632 1912 Msfs - ok
07:01:29.0663 1912 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
07:01:29.0679 1912 msisadrv - ok
07:01:29.0757 1912 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
07:01:29.0757 1912 MSKSSRV - ok
07:01:29.0819 1912 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
07:01:29.0819 1912 MSPCLOCK - ok
07:01:29.0851 1912 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
07:01:29.0851 1912 MSPQM - ok
07:01:29.0897 1912 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
07:01:29.0913 1912 MsRPC - ok
07:01:29.0944 1912 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
07:01:29.0944 1912 mssmbios - ok
07:01:29.0975 1912 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
07:01:29.0975 1912 MSTEE - ok
07:01:30.0007 1912 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
07:01:30.0007 1912 Mup - ok
07:01:30.0100 1912 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
07:01:30.0100 1912 NativeWifiP - ok
07:01:30.0163 1912 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
07:01:30.0194 1912 NDIS - ok
07:01:30.0241 1912 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
07:01:30.0241 1912 NdisTapi - ok
07:01:30.0256 1912 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
07:01:30.0256 1912 Ndisuio - ok
07:01:30.0303 1912 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
07:01:30.0303 1912 NdisWan - ok
07:01:30.0334 1912 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
07:01:30.0350 1912 NDProxy - ok
07:01:30.0412 1912 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
07:01:30.0412 1912 NetBIOS - ok
07:01:30.0459 1912 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
07:01:30.0459 1912 netbt - ok
07:01:30.0537 1912 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
07:01:30.0537 1912 nfrd960 - ok
07:01:30.0584 1912 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
07:01:30.0584 1912 Npfs - ok
07:01:30.0646 1912 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
07:01:30.0646 1912 nsiproxy - ok
07:01:30.0724 1912 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
07:01:30.0755 1912 Ntfs - ok
07:01:30.0802 1912 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
07:01:30.0802 1912 ntrigdigi - ok
07:01:30.0818 1912 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
07:01:30.0818 1912 Null - ok
07:01:30.0989 1912 NVENETFD (a1108084b0d2fc43dcc401735770e2a3) C:\Windows\system32\DRIVERS\nvmfdx32.sys
07:01:31.0005 1912 NVENETFD - ok
07:01:31.0286 1912 nvlddmkm (d65bc32c1795191b7f2b028351ab4fe2) C:\Windows\system32\DRIVERS\nvlddmkm.sys
07:01:31.0520 1912 nvlddmkm - ok
07:01:31.0629 1912 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
07:01:31.0629 1912 nvraid - ok
07:01:31.0676 1912 nvsmu (9aebc32f9d6e02ebee0369ab296fe7c8) C:\Windows\system32\DRIVERS\nvsmu.sys
07:01:31.0676 1912 nvsmu - ok
07:01:31.0723 1912 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
07:01:31.0723 1912 nvstor - ok
07:01:31.0769 1912 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
07:01:31.0769 1912 nv_agp - ok
07:01:31.0801 1912 NwlnkFlt - ok
07:01:31.0816 1912 NwlnkFwd - ok
07:01:31.0879 1912 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
07:01:31.0879 1912 ohci1394 - ok
07:01:31.0957 1912 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
07:01:31.0957 1912 Parport - ok
07:01:31.0988 1912 Partizan - ok
07:01:32.0081 1912 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
07:01:32.0081 1912 partmgr - ok
07:01:32.0113 1912 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
07:01:32.0128 1912 Parvdm - ok
07:01:32.0191 1912 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
07:01:32.0191 1912 pci - ok
07:01:32.0222 1912 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
07:01:32.0222 1912 pciide - ok
07:01:32.0269 1912 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
07:01:32.0269 1912 pcmcia - ok
07:01:32.0347 1912 PCTBD (3a0262b85b5bb4d4cfc096ea00ed610b) C:\Windows\system32\Drivers\PCTBD.sys
07:01:32.0347 1912 PCTBD - ok
07:01:32.0471 1912 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\Windows\system32\drivers\PCTCore.sys
07:01:32.0471 1912 PCTCore - ok
07:01:32.0596 1912 pctDS (af08ec0f2093867ab955e24121ee7002) C:\Windows\system32\drivers\pctDS.sys
07:01:32.0596 1912 pctDS - ok
07:01:32.0659 1912 pctEFA (4b1b0cd45a047c0941f6b6151f6fb3c1) C:\Windows\system32\drivers\pctEFA.sys
07:01:32.0674 1912 pctEFA - ok
07:01:32.0752 1912 pctgntdi (44fd6a1042c766df69bc6ba55780019d) C:\Windows\System32\drivers\pctgntdi.sys
07:01:32.0752 1912 pctgntdi - ok
07:01:32.0799 1912 pctplsg (b5d22f79943e156bf8fabf1e4888820c) C:\Windows\System32\drivers\pctplsg.sys
07:01:32.0815 1912 pctplsg - ok
07:01:32.0939 1912 PCTSD (86b9af53e46d0618d230608aed82622f) C:\Windows\system32\Drivers\PCTSD.sys
07:01:32.0939 1912 PCTSD - ok
07:01:33.0002 1912 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
07:01:33.0017 1912 PEAUTH - ok
07:01:33.0095 1912 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
07:01:33.0095 1912 PptpMiniport - ok
07:01:33.0127 1912 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
07:01:33.0127 1912 Processor - ok
07:01:33.0205 1912 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
07:01:33.0220 1912 PSched - ok
07:01:33.0439 1912 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
07:01:33.0485 1912 ql2300 - ok
07:01:33.0548 1912 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
07:01:33.0548 1912 ql40xx - ok
07:01:33.0595 1912 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
07:01:33.0610 1912 QWAVEdrv - ok
07:01:33.0688 1912 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
07:01:33.0688 1912 RasAcd - ok
07:01:33.0735 1912 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
07:01:33.0735 1912 Rasl2tp - ok
07:01:33.0813 1912 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
07:01:33.0813 1912 RasPppoe - ok
07:01:33.0860 1912 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
07:01:33.0860 1912 RasSstp - ok
07:01:33.0922 1912 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
07:01:33.0922 1912 rdbss - ok
07:01:33.0985 1912 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
07:01:33.0985 1912 RDPCDD - ok
07:01:34.0094 1912 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
07:01:34.0094 1912 rdpdr - ok
07:01:34.0141 1912 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
07:01:34.0141 1912 RDPENCDD - ok
07:01:34.0203 1912 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
07:01:34.0203 1912 RDPWD - ok
07:01:34.0281 1912 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
07:01:34.0281 1912 RFCOMM - ok
07:01:34.0359 1912 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\Windows\system32\DRIVERS\rimmptsk.sys
07:01:34.0359 1912 rimmptsk - ok
07:01:34.0453 1912 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
07:01:34.0453 1912 rimsptsk - ok
07:01:34.0484 1912 rismxdp (d231b577024aa324af13a42f3a807d10) C:\Windows\system32\DRIVERS\rixdptsk.sys
07:01:34.0484 1912 rismxdp - ok
07:01:34.0546 1912 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
07:01:34.0546 1912 rspndr - ok
07:01:34.0593 1912 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
07:01:34.0609 1912 sbp2port - ok
07:01:34.0702 1912 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
07:01:34.0702 1912 sdbus - ok
07:01:34.0780 1912 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
07:01:34.0780 1912 secdrv - ok
07:01:34.0889 1912 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
07:01:34.0889 1912 Serenum - ok
07:01:34.0936 1912 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
07:01:34.0936 1912 Serial - ok
07:01:34.0983 1912 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
07:01:34.0983 1912 sermouse - ok
07:01:35.0108 1912 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
07:01:35.0108 1912 sffdisk - ok
07:01:35.0139 1912 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
07:01:35.0139 1912 sffp_mmc - ok
07:01:35.0217 1912 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
07:01:35.0233 1912 sffp_sd - ok
07:01:35.0295 1912 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
07:01:35.0311 1912 sfloppy - ok
07:01:35.0373 1912 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
07:01:35.0389 1912 sisagp - ok
07:01:35.0451 1912 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
07:01:35.0451 1912 SiSRaid2 - ok
07:01:35.0513 1912 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
07:01:35.0513 1912 SiSRaid4 - ok
07:01:35.0607 1912 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
07:01:35.0607 1912 Smb - ok
07:01:35.0685 1912 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
07:01:35.0685 1912 spldr - ok
07:01:35.0763 1912 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
07:01:35.0763 1912 srv - ok
07:01:35.0872 1912 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
07:01:35.0872 1912 srv2 - ok
07:01:35.0935 1912 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
07:01:35.0950 1912 srvnet - ok
07:01:36.0013 1912 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
07:01:36.0013 1912 swenum - ok
07:01:36.0044 1912 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
07:01:36.0059 1912 Symc8xx - ok
07:01:36.0075 1912 SymIM - ok
07:01:36.0106 1912 SymIMMP - ok
07:01:36.0200 1912 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
07:01:36.0200 1912 Sym_hi - ok
07:01:36.0262 1912 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
07:01:36.0262 1912 Sym_u3 - ok
07:01:36.0325 1912 SynTP (bf7aa84d5af0faa0978c840e63b17dbf) C:\Windows\system32\DRIVERS\SynTP.sys
07:01:36.0325 1912 SynTP - ok
07:01:36.0465 1912 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
07:01:36.0512 1912 Tcpip - ok
07:01:36.0574 1912 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
07:01:36.0574 1912 Tcpip6 - ok
07:01:36.0637 1912 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
07:01:36.0637 1912 tcpipreg - ok
07:01:36.0699 1912 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
07:01:36.0699 1912 TDPIPE - ok
07:01:36.0715 1912 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
07:01:36.0715 1912 TDTCP - ok
07:01:36.0761 1912 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
07:01:36.0761 1912 tdx - ok
07:01:36.0808 1912 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
07:01:36.0808 1912 TermDD - ok
07:01:36.0917 1912 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
07:01:36.0917 1912 tssecsrv - ok
07:01:36.0980 1912 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
07:01:36.0980 1912 tunmp - ok
07:01:37.0042 1912 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
07:01:37.0042 1912 tunnel - ok
07:01:37.0089 1912 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
07:01:37.0089 1912 uagp35 - ok
07:01:37.0136 1912 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
07:01:37.0136 1912 udfs - ok
07:01:37.0183 1912 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
07:01:37.0183 1912 uliagpkx - ok
07:01:37.0214 1912 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
07:01:37.0229 1912 uliahci - ok
07:01:37.0245 1912 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
07:01:37.0245 1912 UlSata - ok
07:01:37.0307 1912 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
07:01:37.0323 1912 ulsata2 - ok
07:01:37.0339 1912 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
07:01:37.0339 1912 umbus - ok
07:01:37.0370 1912 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
07:01:37.0385 1912 UMPass - ok
07:01:37.0510 1912 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
07:01:37.0510 1912 USBAAPL - ok
07:01:37.0573 1912 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
07:01:37.0573 1912 usbaudio - ok
07:01:37.0619 1912 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
07:01:37.0619 1912 usbccgp - ok
07:01:37.0666 1912 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
07:01:37.0666 1912 usbcir - ok
07:01:37.0697 1912 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
07:01:37.0697 1912 usbehci - ok
07:01:37.0729 1912 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
07:01:37.0729 1912 usbhub - ok
07:01:37.0760 1912 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
07:01:37.0760 1912 usbohci - ok
07:01:37.0791 1912 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
07:01:37.0791 1912 usbprint - ok
07:01:37.0822 1912 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
07:01:37.0822 1912 usbscan - ok
07:01:37.0885 1912 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
07:01:37.0885 1912 USBSTOR - ok
07:01:37.0931 1912 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
07:01:37.0931 1912 usbuhci - ok
07:01:37.0978 1912 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
07:01:37.0978 1912 usbvideo - ok
07:01:38.0025 1912 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
07:01:38.0025 1912 vga - ok
07:01:38.0056 1912 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
07:01:38.0056 1912 VgaSave - ok
07:01:38.0103 1912 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
07:01:38.0103 1912 viaagp - ok
07:01:38.0134 1912 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
07:01:38.0134 1912 ViaC7 - ok
07:01:38.0181 1912 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
07:01:38.0181 1912 viaide - ok
07:01:38.0212 1912 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
07:01:38.0212 1912 volmgr - ok
07:01:38.0275 1912 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
07:01:38.0290 1912 volmgrx - ok
07:01:38.0384 1912 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
07:01:38.0384 1912 volsnap - ok
07:01:38.0446 1912 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
07:01:38.0446 1912 vsmraid - ok
07:01:38.0540 1912 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
07:01:38.0555 1912 WacomPen - ok
07:01:38.0618 1912 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
07:01:38.0633 1912 Wanarp - ok
07:01:38.0633 1912 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
07:01:38.0633 1912 Wanarpv6 - ok
07:01:38.0680 1912 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
07:01:38.0696 1912 Wd - ok
07:01:38.0789 1912 Wdf01000 (73c5809c82828e34232f9811cb51490e) C:\Windows\system32\drivers\Wdf01000.sys
07:01:38.0805 1912 Suspicious file (Forged): C:\Windows\system32\drivers\Wdf01000.sys. Real md5: 73c5809c82828e34232f9811cb51490e, Fake md5: 9950e3d0f08141c7e89e64456ae7dc73
07:01:38.0805 1912 Wdf01000 ( Virus.Win32.Rloader.a ) - infected
07:01:38.0805 1912 Wdf01000 - detected Virus.Win32.Rloader.a (0)
07:01:38.0961 1912 winachsf (e096ffb754f1e45ae1bddac1275ae2c5) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
07:01:39.0008 1912 winachsf - ok
07:01:39.0164 1912 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
07:01:39.0179 1912 WmiAcpi - ok
07:01:39.0304 1912 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
07:01:39.0304 1912 WpdUsb - ok
07:01:39.0367 1912 WRkrn (0c676ece3e219383191edbd9ff757bbe) C:\Windows\system32\drivers\WRkrn.sys
07:01:39.0367 1912 WRkrn - ok
07:01:39.0413 1912 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
07:01:39.0413 1912 ws2ifsl - ok
07:01:39.0476 1912 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
07:01:39.0507 1912 WUDFRd - ok
07:01:39.0601 1912 XAudio (19e7c173b6242ad7521e537ae54768bf) C:\Windows\system32\DRIVERS\xaudio.sys
07:01:39.0601 1912 XAudio - ok
07:01:39.0647 1912 MBR (0x1B8) (1a1a06f62e891045814007163c1c76c3) \Device\Harddisk0\DR0
07:01:39.0694 1912 \Device\Harddisk0\DR0 - ok
07:01:39.0694 1912 Boot (0x1200) (e861d021ca27d3a95109a8f6175045c9) \Device\Harddisk0\DR0\Partition0
07:01:39.0694 1912 \Device\Harddisk0\DR0\Partition0 - ok
07:01:39.0725 1912 Boot (0x1200) (4cacfec3b5b78628bd1c331bc8da1b5a) \Device\Harddisk0\DR0\Partition1
07:01:39.0725 1912 \Device\Harddisk0\DR0\Partition1 - ok
07:01:39.0725 1912 ============================================================
07:01:39.0725 1912 Scan finished
07:01:39.0741 1912 ============================================================
07:01:39.0757 1568 Detected object count: 2
07:01:39.0757 1568 Actual detected object count: 2
07:02:39.0692 1568 Backup copy found, using it..
07:02:39.0707 1568 C:\Windows\system32\DRIVERS\i8042prt.sys - will be cured on reboot
07:02:42.0297 1568 i8042prt ( Rootkit.Win32.ZAccess.aml ) - User select action: Cure
07:02:42.0453 1568 Backup copy found, using it..
07:02:42.0484 1568 C:\Windows\system32\drivers\Wdf01000.sys - will be cured on reboot
07:02:42.0484 1568 Wdf01000 ( Virus.Win32.Rloader.a ) - User select action: Cure
07:02:54.0933 0252 Deinitialize success

After this reset, Windows started in normal mode. Still have Security Sphere 2012 flashing notifications and popups, but updated and ran MBAM quick scan. At the end of clicking remove selected, an error box came up saying some items could not be removed.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8356

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

12/12/2011 7:21:52 AM
mbam-log-2011-12-12 (07-21-52).txt

Scan type: Quick scan
Objects scanned: 189148
Time elapsed: 10 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\programdata\on28300lppaa28300\on28300lppaa28300.exe (Trojan.FakeAlert) -> 2672 -> Failed to unload process.

Memory Modules Infected:
c:\Windows\System32\helpvaws.dll (Trojan.Banker) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oN28300LpPaA28300 (Trojan.FakeAlert) -> Value: oN28300LpPaA28300 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.FakeAlert) -> Bad: (C:\ProgramData\oN28300LpPaA28300\oN28300LpPaA28300.exe) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad: (explorer.exe, C:\ProgramData\oN28300LpPaA28300\oN28300LpPaA28300.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\helpvaws.dll (Trojan.Banker) -> Delete on reboot.
c:\programdata\on28300lppaa28300\on28300lppaa28300.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\Windows\Temp\5689.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
c:\Windows\Temp\_ex-68.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Computer rebooted better. I also just remembered that I sometimes get random errors that Windows encountered an error and had to shut down "x" program, and is searching for a solution. I usually click cancel.

I decided to run MBAM one more time, as from reading through the site I have heard that sometimes you need to run it more than once... log file after second run:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8356

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

12/12/2011 7:36:53 AM
mbam-log-2011-12-12 (07-36-53).txt

Scan type: Quick scan
Objects scanned: 188832
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


After this, I ran my Webroot antivirus, and it came back with 0 infections!! Wow! Keeping my fingers crossed that it is gone, but anxiously awaiting a response to the log files. I tried searching on google, and it appears there are no more redirects! Thank you so much!

I am still having trouble clicking the popup notification that says "some startup programs were blocked", and am still getting the error "Windows Defender: Application Failed to Initialize: 0x80070006. The handle is invalid." Additionally, when trying to turn on Security Center I get the following error "The Security Center service can't be started." And when trying to turn on Windows Firewall I get the following: "Due to an unidentified problem windows cannot display Windows Firewall settings."

I had a rogue-antivirus prior to the one I got yesterday that may have caused some damage to security center and the firewall (so these incidents may not be related to what happened yesterday).... thanks!

Edited by nomorevirus12, 12 December 2011 - 08:00 AM.


#4 boopme

  • Global Moderator
  • Location:NJ USA

Posted 14 December 2011 - 02:16 PM

Hello, we still may have a different rootkit on here. The S Sphere infection infects the Hosts file also.

Reboot into Safe Mode with Networking
How to enter Safe Mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Your HOSTS file is infected.
Reset the HOSTS file
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system.
Some types of malware will alter the HOSTS file as part of its infection. Please follow the instructions provided in How do I reset the hosts file back to the default?

To reset the hosts file automatically, go HERE and click the Fix it button. Then just follow the prompts in the Fix it wizard.


OR
Click Run in the File Download dialog box or save MicrosoftFixit50267.msi to your Desktop and double-click on it to run. Then just follow the prompts in the Fix it wizard.


Rerun TDSSKiller .....

Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.
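To see whether the HOSTS file has actually been altered before (and after) resetting it as described above, here is an added Python example; it is not part of the original post or of any tool named in it. It parses a hosts file and flags every non-default mapping, separating names pinned to loopback (sites made unreachable) from names sent to some other address (redirects); the sample hosts content and the 203.0.113.10 address are constructed for illustration.

```python
"""Audit a Windows HOSTS file for the kind of entries a hosts-hijacking
infection adds. Added example for this thread, not code from the original
post; SAMPLE_HOSTS below is constructed, not taken from the infected machine.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# The only mappings a default Windows hosts file contains (active or
# commented out, depending on the Windows version); anything else is added.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}

# Constructed sample: a default file followed by lines of the kind a hosts
# hijack adds (security vendors black-holed, search engines redirected).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- constructed examples of suspicious additions ---
127.0.0.1       www.malwarebytes.org
127.0.0.1       superantispyware.com
203.0.113.10    www.google.com
203.0.113.10    www.bing.com
"""

# address, one or more hostnames, optional trailing comment
LINE_RE = re.compile(r"^\s*(?P<addr>[0-9a-fA-F:.]+)\s+(?P<names>[^#]+?)\s*(#.*)?$")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) for every active mapping."""
    mappings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment line
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line, not a mapping
        for name in m.group("names").split():
            mappings.append((m.group("addr"), name.lower(), no))
    return mappings


def classify(addr: str, name: str) -> str:
    """'default', 'blackhole' (pinned to loopback/unspecified) or 'redirect'."""
    if (addr, name) in DEFAULT_ENTRIES:
        return "default"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redirect"  # unparsable address: treat as suspicious
    if ip.is_loopback or ip.is_unspecified:
        return "blackhole"  # site silently made unreachable
    return "redirect"  # site sent to a host chosen by whoever edited the file


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str, int]]]:
    """Group every non-default mapping by class for reporting."""
    report: Dict[str, List[Tuple[str, str, int]]] = {"blackhole": [], "redirect": []}
    for addr, name, no in parse_hosts(text):
        kind = classify(addr, name)
        if kind != "default":
            report[kind].append((addr, name, no))
    return report


if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Default Windows location; pass another path to audit a copied file.
    src = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\Windows\System32\drivers\etc\hosts")
    content = src.read_text(encoding="utf-8", errors="replace") if src.exists() else SAMPLE_HOSTS
    result = audit_hosts(content)
    for kind, rows in result.items():
        for addr, name, no in rows:
            print(f"line {no}: {kind:9s} {name} -> {addr}")
    if not any(result.values()):
        print("no non-default entries found")
```

Run it against the hosts file before and after the Fix it reset: a clean file reports no non-default entries, and any entry that comes back after a reboot points at something still active on the machine.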

#5 nomorevirus12

  • Topic Starter
  • Members

Posted 15 December 2011 - 10:29 PM

Thanks! SUPERAntiSpyware log below:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2011 at 10:01 PM

Application Version : 5.0.1142

Core Rules Database Version : 8059
Trace Rules Database Version: 5871

Scan type : Quick Scan
Total Scan Time : 00:11:40

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC Off - Administrator

Memory items scanned : 358
Memory threats detected : 0
Registry items scanned : 30388
Registry threats detected : 1
File items scanned : 8906
File threats detected : 138

Malware.Trace
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
.accounts.google.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
.accounts.google.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
.accounts.google.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
accounts.google.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\98HZSRHJ.DEFAULT\COOKIES.SQLITE ]
.2o7.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.trafficmp.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.trafficmp.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.trafficmp.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.imrworldwide.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.avgtechnologies.112.2o7.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.collective-media.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.collective-media.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.collective-media.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ads.bridgetrack.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ads.bridgetrack.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.realmedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.realmedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.realmedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.www.burstnet.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.clickfuse.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.traveladvertising.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.traveladvertising.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media2.legacy.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.questionmarket.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.questionmarket.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.amazon-adsystem.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.a1.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.apmebf.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.apmebf.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.fastclick.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.akamai.interclickproxy.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.pro-market.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adtech.de [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.premiumtv.122.2o7.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.pro-market.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adbrite.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ru4.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.specificclick.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.insightexpressai.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.insightexpressai.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
statse.webtrendslive.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ox-d.coedmediagroup.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adbrite.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.casalemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.yieldmanager.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.coedmediagroup.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ox-d.coedmediagroup.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ox-d.coedmediagroup.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ox-d.coedmediagroup.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.mm.chitika.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.lfstmedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adserver.adtechus.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.zedo.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad.yieldmanager.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
accounts.google.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.invitemedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.112.2o7.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adxpose.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ads.saymedia.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adserver.adtechus.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.kontera.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.serving-sys.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
track.prd1.netshelter.net [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.ads.pointroll.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.tribalfusion.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.statcounter.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.media6degrees.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adfarm1.adition.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.legolas-media.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.legolas-media.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adfarm1.adition.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
ad2.adfarm1.adition.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.adfarm1.adition.com [ C:\USERS\JANELLE\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

Trojan.Agent/Gen-Falpdb
C:\WINDOWS\SYSTEM32\DRIVERS\PJLCFWHD.SYS
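
The two non-cookie detections in the log above, the Winlogon\Shell value and the randomly named driver PJLCFWHD.SYS, are the ones worth re-checking by hand once the scanners report clean. The PowerShell below is an added example for this thread, not output or code from SUPERAntiSpyware or from either poster: it compares the Winlogon Shell and Userinit values with their stock Vista defaults and lists every kernel-driver service whose file is missing from a normal directory listing or carries no vendor name in its version information. The default strings, the ImagePath spellings handled and the "no vendor name" triage rule are assumptions, marked as such in the comments.

```powershell
# Added example (not from the thread). Re-checks the two non-cookie detections
# in the SUPERAntiSpyware log: the Winlogon\Shell persistence value and a
# randomly named kernel driver. Run from an elevated PowerShell 2.0+ prompt.

# 1. Winlogon: Shell and Userinit are the values malware edits to run at logon.
#    The expected strings are the stock Vista defaults (assumption for this example).
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is part of the default
}
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($valueName in $expected.Keys) {
    $actual = [string]$wl.$valueName
    if ($actual -eq $expected[$valueName]) {
        Write-Output ("Winlogon\{0} OK: {1}" -f $valueName, $actual)
    } else {
        Write-Warning ("Winlogon\{0} is '{1}', expected '{2}'" -f $valueName, $actual, $expected[$valueName])
    }
}

# 2. Kernel drivers: every driver service under CurrentControlSet\Services, with
#    its on-disk file resolved. ImagePath comes in several spellings, and a
#    driver service with no ImagePath is loaded from system32\drivers\<name>.sys.
function Resolve-ImagePath([string]$imagePath, [string]$serviceName) {
    if (-not $imagePath) { return Join-Path $env:SystemRoot "system32\drivers\$serviceName.sys" }
    $p = [Environment]::ExpandEnvironmentVariables($imagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...   -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$drivers = @()
foreach ($svcKey in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $cfg = Get-ItemProperty -Path $svcKey.PSPath -ErrorAction SilentlyContinue
    if (-not $cfg) { continue }
    if ($cfg.Type -ne 1 -and $cfg.Type -ne 2) { continue }   # 1 = kernel driver, 2 = file system driver
    $path = Resolve-ImagePath $cfg.ImagePath $svcKey.PSChildName
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $company = $null; $modified = $null
    if ($file) { $company = $file.VersionInfo.CompanyName; $modified = $file.LastWriteTime }
    $drivers += New-Object PSObject -Property @{
        Service  = $svcKey.PSChildName
        Start    = $cfg.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Path     = $path
        Exists   = [bool]$file
        Company  = $company
        Modified = $modified
    }
}

# Triage rule (assumption): inbox drivers carry 'Microsoft Corporation' in their
# version info, and a registered driver whose file is absent from a directory
# listing is either stale or being hidden by a rootkit. Newest changes first.
$drivers |
    Where-Object { -not $_.Exists -or -not $_.Company } |
    Sort-Object Modified -Descending |
    Format-Table Service, Start, Exists, Modified, Company, Path -AutoSize
```

A driver that a rootkit hides from directory listings appears here with Exists set to False while its service key is still present; a rootkit that also hooks registry enumeration can hide the key, which is why the scans in this thread are run with anti-stealth options rather than relying on a listing like this one. The list is a starting point for a person to read, not a verdict.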

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:28 AM

Posted 15 December 2011 - 10:35 PM

Good, how is it running after this... One more scan to see if anything was missed.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 nomorevirus12

nomorevirus12
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 16 December 2011 - 04:59 PM

ESET Log:


C:\Users\Janelle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\12a49b83-50d724fb multiple threats deleted - quarantined
C:\Users\Janelle\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\42\38deab6a-2d53ebdf a variant of Java/Exploit.CVE-2011-3544.C trojan deleted - quarantined
C:\Windows\$NtUninstallKB62280$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0R4AQXZI\stream[1].htm HTML/Iframe.B.Gen virus deleted - quarantined
C:\Windows\$NtUninstallKB62280$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0R4AQXZI\stream[2].htm HTML/Iframe.B.Gen virus deleted - quarantined

Thank you again!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:28 AM

Posted 16 December 2011 - 08:12 PM

Looks good any issues left?

#9 nomorevirus12

nomorevirus12
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 19 December 2011 - 08:55 PM

Everything seems OK. Still having trouble getting windows firewall going, and can't start security center. Is there a way to re-install this? Or a recommended alternative?

thank you for all your help!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:28 AM

Posted 19 December 2011 - 11:52 PM

You're welcome. There may be some corrupt file.
Please run SFC (System File Checker)
Please run System File Checker sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/Win 7 users: The command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.


You will need your operating system CD handy.

Open Windows Task Manager....by pressing CTRL+SHIFT+ESC

Then click File.. then New Task(Run)

In the box that opens type sfc /scannow ......There is a space between c and /

Click OK
Let it run and insert the CD when asked.
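
The two things still broken at this point, Windows Firewall and Security Center, are ordinary services, so before or after running sfc /scannow it helps to see exactly why each one refuses to start. The PowerShell below is an added example for this thread, not code from either poster or from Microsoft's tooling: it reads each service's start type, ServiceDll and dependencies from the Services key, checks service and dependency state through WMI, and, when $Repair is set, resets the start type to Automatic and attempts a start so that the Service Control Manager's own error text can be read. The service names (BFE, MpsSvc, wscsvc, WinDefend) are the stock Vista names; treating Automatic as the expected start type for all four is an assumption.

```powershell
# Added example (not from the thread). Windows Firewall, Security Center and
# Windows Defender are ordinary services on Vista, so "won't turn on" usually
# comes down to a Start value set to Disabled, a ServiceDll that is missing or
# replaced, or a dependency that is itself stopped. This reports those facts for
# each service and, with $Repair = $true, resets the start type to Automatic and
# tries to start it, printing the error text if it still fails. Run from an
# elevated PowerShell 2.0+ prompt. The service names are the stock Vista names.

$Repair     = $false
$services   = 'BFE', 'MpsSvc', 'wscsvc', 'WinDefend'   # order matters: BFE must run before MpsSvc
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Win32_BaseService covers both services and drivers, so dependencies such as
# the firewall's mpsdrv driver can be looked up the same way as a service.
function Get-ServiceState([string]$name) {
    $obj = Get-WmiObject -Class Win32_BaseService -Filter "Name='$name'"
    if ($obj) { return [string]$obj.State } else { return 'not installed' }
}

function Get-ServiceReport([string]$name) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $start = 'key missing'; $dll = $null; $dllExists = $false; $deps = @()
    if ($cfg) {
        $start = $startNames[[int]$cfg.Start]
        $deps  = @($cfg.DependOnService)                  # REG_MULTI_SZ, may be absent
        $param = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($param -and $param.ServiceDll) {
            $dll = [Environment]::ExpandEnvironmentVariables($param.ServiceDll)
            $dllExists = Test-Path -LiteralPath $dll
        }
    }
    # A stopped dependency is enough on its own to make the service fail to start.
    $stoppedDeps = @()
    foreach ($d in $deps) {
        if ($d -and (Get-ServiceState $d) -ne 'Running') { $stoppedDeps += $d }
    }
    New-Object PSObject -Property @{
        Service     = $name
        Status      = Get-ServiceState $name
        Start       = $start
        ServiceDll  = $dll
        DllExists   = $dllExists
        StoppedDeps = ($stoppedDeps -join ', ')
    }
}

$report = @()
foreach ($s in $services) { $report += Get-ServiceReport $s }
$report | Format-Table Service, Status, Start, DllExists, StoppedDeps, ServiceDll -AutoSize

if ($Repair) {
    foreach ($r in $report) {
        if ($r.Status -eq 'Running') { continue }
        if ($r.Status -eq 'not installed') {
            Write-Warning "$($r.Service): service registration is missing; this is not a start-type problem"
            continue
        }
        try {
            Set-Service -Name $r.Service -StartupType Automatic -ErrorAction Stop
            Start-Service -Name $r.Service -ErrorAction Stop
            Write-Output "$($r.Service): started"
        } catch {
            Write-Warning "$($r.Service): $($_.Exception.Message)"
        }
    }
}
```

Read the report before flipping $Repair: a Status of "not installed" means the service key itself is gone and toggling start types will not help, while DllExists set to False points at a damaged Windows component file, which is the case sfc /scannow from an elevated prompt is meant to handle. A StoppedDeps entry names the dependency to fix first, for example BFE before the firewall itself.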



