Use Vipre tried malware bytes still getting redirect virus

[zipzilch]

I seem to have a bad redirect virus. I also have seen security system 2012 in my programs. I ran malwarebytes and it got rid of a few malicous sites, but keeps coming up with blocks for outgoing programs. I have not seen the redirect since I ran it but just got done recently. I have also tried Norton Power Eraser, but it found nothing. Should I contact vipre to see what they have or is there an easier way to get rid of it. Tech support takes quite a while it seems. the threats it found are malware.trace, PUPbitminer, Trojan.agent, Trojan.Fakealer.CL.Gen. I am so tired of being redirected to yellowpages.com it is annoying. The malwarebytes is blocking something about 3 times a minute. Any help would be appreciated.

Zipzilch

[zipzilch]

Here are the dds file and the attach from running the dds tool

DDS.txt

Attach.txt

[zipzilch]

Here are the dds file and the attach from running the dds tool

Thinking about the sticky I do run world of warcraft which I believe uses peer to peer for file upgrades. I have never had problems with this before and Blizzard is very thorough controlling these. I hope this is not a problem. Also my computer is a laptop and I have kids that use it. Mostly I use it for college though. Let me know if I need to disable anything or get rid of anything on it please.

Thanks for the anticipated help!

[zipzilch]

Still nothing it seems to be getting worse, now it opens two windows to my home page when I click on some things. Any help would be appreciated!

[Maniac]

Hello zipzilch! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/paste in your next reply.
  

Please do not attach your log files, because that makes our work much more slowly and difficult.

I would like to take an overview of the status of your system, so please:

1. Please run a free online scan with the ESET Online Scanner
   Note: You will need to use Internet Explorer for this scan
   
2. Tick the box next to YES, I accept the Terms of Use
   
3. Click Start
   
4. When asked, allow the ActiveX control to install
   
5. Click Start
   
6. Make sure that the option Remove found threats is not check, but the option Scan unwanted applications is check.
   
7. Click Scan (This scan can take several hours, so please be patient)
   
8. Once the scan is completed, you may close the window
   
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
10. Copy and paste that log as a reply to this topic
    

[zipzilch]

i had remove threats checked for about half of the scan. I turned it off and started over. This is what I ended up with.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

esets_scanner_update returned -1 esets_gle=53251

[Maniac]

Is this only? Any idea what was found and how much?

[zipzilch]

it originally had found 8 but took care of them before I noticed the fix box checked. Should I run it again and see what it does?

[Maniac]

It is not a bad idea. Plese re-run it and let me know.

[zipzilch]

I am running this now but desktop.ini came up as a trojan along with a message from vipre saying that I need to reboot for the virus scanner to work correctly. I tries this once and it tries to delete a file (unsuccessfully) then starts back up and the same warnings come up again about the trojan and rebooting.

[Maniac]

I doubt, I think this is a false positive. I suggest you to temporarily uninstall it.

[zipzilch]

log.txt

I am running this now but desktop.ini came up as a trojan along with a message from vipre saying that I need to reboot for the virus scanner to work correctly. I tries this once and it tries to delete a file (unsuccessfully) then starts back up and the same warnings come up again about the trojan and rebooting.

[zipzilch]

sorry forgot not to attach a file, here it is:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner64.ocx - registred OK

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=c80d0fcf4622c34a8e635e13a5827b5a

# end=stopped

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-16 01:19:00

# local_time=2011-11-15 08:19:00 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=256 16777215 100 0 36959658 36959658 0 0

# compatibility_mode=5893 16776574 100 94 7308227 72947760 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=113960

# found=9

# cleaned=9

# scan_time=2031

C:\Program Files (x86)\RIFT Game\rift-live.exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files (x86)\RIFT Game\riftpatchlive.exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Mark\Desktop\0.0918812403092909.exe a variant of Win32/Kryptik.VAL trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Mark\Desktop\0.500775735811844.exe a variant of Win32/Kryptik.VJH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Mark\Desktop\shortcuts\Wow (2).exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Mark\Desktop\shortcuts\Wow.exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.2.0-enUS-patch.exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Users\Public\Documents\Blizzard Entertainment\World of Warcraft Installer\Installer.exe a variant of Win32/Kryptik.UUO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M\stream[1].htm HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

# version=7

# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=c80d0fcf4622c34a8e635e13a5827b5a

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-16 02:16:21

# local_time=2011-11-15 09:16:21 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=256 16777215 100 0 36961774 36961774 0 0

# compatibility_mode=5893 16776574 100 94 7310343 72949876 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=206009

# found=1

# cleaned=0

# scan_time=3355

C:\Windows\system64\consrv.dll Win64/Sirefef.E trojan (unable to clean) 00000000000000000000000000000000 I

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=c80d0fcf4622c34a8e635e13a5827b5a

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-11-19 03:03:31

# local_time=2011-11-19 10:03:31 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=256 16777215 100 0 37267645 37267645 0 0

# compatibility_mode=5893 16776574 100 94 7616214 73255747 0 0

# compatibility_mode=8192 67108863 100 0 225317 225317 0 0

# scanned=99292

# found=8

# cleaned=0

# scan_time=2714

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\cueqbohndngzc7.jar-764c558a-14ed10b1.zip a variant of Java/TrojanDownloader.OpenStream.NCM trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-27ada74c-7f2d577e.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-2d844abd-6f56ff45.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-2dbd98cb-56257443.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-6e18e403-3c2a9c13.zip multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-6fc64319-46f2a5ca.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-7b0f2009-6755ad08.zip multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\worms.jar-23f7c449-514281d3.zip Java/Agent.DJ trojan (unable to clean) 00000000000000000000000000000000 I

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=c80d0fcf4622c34a8e635e13a5827b5a

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-11-19 04:21:28

# local_time=2011-11-19 11:21:28 (-0500, Eastern Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7600 NT

# compatibility_mode=256 16777215 100 0 37270427 37270427 0 0

# compatibility_mode=5893 16776574 100 94 7618996 73258529 0 0

# compatibility_mode=8192 67108863 100 0 228099 228099 0 0

# scanned=207080

# found=10

# cleaned=0

# scan_time=4609

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\cueqbohndngzc7.jar-764c558a-14ed10b1.zip a variant of Java/TrojanDownloader.OpenStream.NCM trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-27ada74c-7f2d577e.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-2d844abd-6f56ff45.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-2dbd98cb-56257443.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-6e18e403-3c2a9c13.zip multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-6fc64319-46f2a5ca.zip Java/Agent.DW trojan (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\field.jar-7b0f2009-6755ad08.zip multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Users\Mark\AppData\Roaming\Sun\Java\Deployment\cache\javapi\v1.0\jar\worms.jar-23f7c449-514281d3.zip Java/Agent.DJ trojan (unable to clean) 00000000000000000000000000000000 I

C:\Windows\system64\consrv.dll Win64/Sirefef.E trojan (unable to clean) 00000000000000000000000000000000 I

${Memory} a variant of Win32/Sirefef.DN trojan 00000000000000000000000000000000 I

[Maniac]

Please follow the instructions here to download and run ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix#use

Post the log file.

[zipzilch]

ComboFix 11-11-19.04 - Mark 11/19/2011 12:51:27.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4095.2454 [GMT -5:00]

Running from: c:\users\Mark\Desktop\ComboFix.exe

AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}

FW: Sunbelt VIPRE *Disabled* {86665057-352D-7810-313F-4F92DEFBC8FA}

SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\programdata\FullRemove.exe

c:\users\Mark\AppData\Local\dfl20z32.dll

c:\windows\system32\consrv.dll

c:\windows\System64

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_COMSysApp

.

.

((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))

.

.

2011-11-19 17:56 . 2011-11-19 17:56 -------- d-----w- c:\users\Lori\AppData\Local\temp

2011-11-19 17:56 . 2011-11-19 17:56 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-19 17:56 . 2011-11-19 17:56 -------- d-----w- c:\users\Guest\AppData\Local\temp

2011-11-16 00:43 . 2011-11-16 00:43 -------- d-----w- c:\program files (x86)\ESET

2011-11-14 17:34 . 2011-11-14 17:34 -------- d-----w- c:\users\Mark\AppData\Roaming\Malwarebytes

2011-11-14 17:34 . 2011-11-14 17:34 -------- d-----w- c:\programdata\Malwarebytes

2011-11-14 17:34 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-14 17:34 . 2011-11-14 17:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-11-10 13:12 . 2011-11-17 02:12 -------- d-----w- c:\users\Mark\AppData\Local\CrashDumps

2011-11-09 18:37 . 2011-11-09 20:48 -------- d-----w- C:\VIPRERESCUE

2011-11-09 15:43 . 2011-11-09 15:43 -------- d-----w- c:\users\Mark\AppData\Roaming\deIBrzPNx

2011-11-09 15:43 . 2011-11-09 15:43 -------- d-----w- c:\users\Mark\AppData\Roaming\dN1uuD22F4pm5Qd

2011-11-09 15:40 . 2011-11-14 17:14 -------- d-----w- c:\users\Mark\AppData\Local\NPE

2011-11-09 15:40 . 2011-11-09 15:41 -------- d-----w- c:\programdata\Norton

2011-11-09 15:26 . 2011-11-09 15:26 -------- d-----w- c:\users\Mark\AppData\Roaming\qUCelIBrzNx1v2b

2011-11-09 15:26 . 2011-11-09 15:26 -------- d-----w- c:\users\Mark\AppData\Roaming\cJ6dEK8fR9Tw

2011-11-09 15:26 . 2011-11-09 15:26 -------- d-----w- c:\users\Mark\AppData\Roaming\H7fEL9gTZjC

2011-11-08 18:51 . 2011-10-01 05:28 886784 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-08 18:51 . 2011-10-01 04:43 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-08 18:51 . 2011-09-29 16:24 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-08 18:51 . 2011-09-29 04:09 3141120 ----a-w- c:\windows\system32\win32k.sys

2011-11-04 20:51 . 2011-11-04 20:51 -------- d-----w- c:\windows\Sun

2011-11-04 20:17 . 2011-11-04 20:17 -------- d-----w- c:\users\Mark\AppData\Roaming\RjjYCekIVzONx0

2011-11-04 20:17 . 2011-11-04 20:17 -------- d-----w- c:\users\Mark\AppData\Roaming\DnG55aQHdWKfR9T

2011-11-04 20:17 . 2011-11-04 20:17 -------- d-----w- c:\users\Mark\AppData\Roaming\bG5sQJ6dE8R9TwU

2011-11-04 20:17 . 2011-11-06 11:39 -------- d-----w- c:\users\Mark\AppData\Roaming\jnG4aQH6s7LTqkV

2011-11-04 20:17 . 2011-11-04 20:17 -------- d-----w- c:\users\Mark\AppData\Roaming\zfRL9XqUCkBzNx0

2011-11-04 20:17 . 2011-11-04 20:17 -------- d-----w- c:\users\Mark\AppData\Roaming\oEK8gRZ9hXjVlB

2011-10-26 00:20 . 2011-08-15 05:08 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2011-10-26 00:20 . 2011-08-15 04:25 6144 ----a-w- c:\program files (x86)\Internet Explorer\iecompat.dll

2011-10-21 19:50 . 2011-10-21 19:50 -------- d-----w- c:\program files (x86)\Apple Software Update

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-19 14:26 . 2011-04-25 13:48 159080 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10138.bin

2011-11-15 13:49 . 2011-07-13 22:46 45056 ----a-w- c:\windows\system32\acovcnt.exe

2011-10-13 21:11 . 2011-07-13 20:27 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-01 03:21 . 2011-10-12 19:21 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-01 02:59 . 2011-10-12 19:21 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-09-06 16:30 . 2011-09-06 16:30 45904 ----a-w- c:\windows\SysWow64\sbbd.exe

2011-08-29 21:36 . 2011-08-29 21:36 71256 ----a-w- c:\windows\system32\drivers\sbapifs.sys

2011-08-29 21:36 . 2011-08-29 21:36 101720 ----a-w- c:\windows\SysWow64\drivers\SBREDrv.sys

2011-08-27 05:40 . 2011-10-12 19:12 331776 ----a-w- c:\windows\system32\oleacc.dll

2011-08-27 05:40 . 2011-10-12 19:12 861184 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-27 04:43 . 2011-10-12 19:12 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-27 04:43 . 2011-10-12 19:12 233472 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-08-23 21:06 . 2011-08-23 21:07 49262 ----a-w- c:\windows\SysWow64\jpicpl32.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]

@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"

[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]

2007-06-02 01:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Pinyin IME Migration"="c:\progra~2\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-04 33128]

"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]

"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2009-06-19 105016]

"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-08-17 6859392]

"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-08-20 170624]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-06-07 421160]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]

"SBAMTray"="c:\program files (x86)\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-09-06 1357136]

"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2010-7-2 447952]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

FancyStart daemon.lnk - c:\windows\Installer\{F0DF4513-3C4C-4EB8-8012-2C5F70AF3988}\_A1DDD39913A1970387B7B3.exe [2009-11-3 12862]

SRS Premium Sound.lnk - c:\windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe [2009-11-3 156880]

tmchlang.lnk - c:\program files\Trend Micro\Internet Security\TmChLang.exe [N/A]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]

IME File REG_SZ IMSC12.IME

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Service;c:\windows\system32\DRIVERS\sbfwim.sys [x]

R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [x]

R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]

S1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [x]

S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-11-09 49752]

S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]

S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]

S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]

S2 OberonGameConsoleService;Oberon Media Game Console service;c:\program files (x86)\Asus\Game Park\GameConsole\OberonGameConsoleService.exe [2009-09-15 44312]

S2 SBAMSvc;VIPRE Antivirus Premium;c:\program files (x86)\Sunbelt Software\VIPRE\SBAMSvc.exe [2011-09-06 2804280]

S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]

S2 SBPIMSvc;SB Recovery Service;c:\program files (x86)\Sunbelt Software\VIPRE\SBPIMSvc.exe [2011-09-06 181584]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [x]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]

S3 SBFWIMCLMP;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\DRIVERS\SBFWIM.sys [x]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]

@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"

[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]

2007-06-02 00:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]

@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"

[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]

2009-11-25 16:47 444752 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]

@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"

[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]

2009-11-25 16:47 444752 ----a-w- c:\windows\System32\mscoree.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-10-25 60264]

"EeeStorageBackup"="c:\program files (x86)\ASUS\Asus WebStorage\BackupService.exe" [2009-08-25 947472]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-15 16336416]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2009-09-30 621440]

"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2009-08-12 323072]

"SBRegRebootCleaner"="c:\program files (x86)\Sunbelt Software\VIPRE\SBRC.exe" [2011-09-06 197968]

"combofix"="c:\combofix\CF29353.3XE" [2009-07-14 344576]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKLM-Run-Setwallpaper - c:\programdata\SetWallpaper.cmd

Toolbar-Locked - (no file)

AddRemove-ASUS_Screensaver - c:\windows\system32\ASUS_Screensaver.scr

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe

c:\program files\ATKGFNEX\GFNEXSrv.exe

c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe

c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe

c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe

c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe

c:\program files (x86)\ASUS\ATK Hotkey\KBFiltr.exe

c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe

c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe

c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe

c:\windows\AsScrPro.exe

c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe

.

**************************************************************************

.

Completion time: 2011-11-19 13:27:04 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-19 18:27

.

Pre-Run: 11,399,753,728 bytes free

Post-Run: 10,538,659,840 bytes free

.

- - End Of File - - E765EC1668939C1067F36E109BBCC4E7

[Maniac]

Open Notepad and copy and paste the text in the code box below into it:

Folder::
c:\users\Mark\AppData\Roaming\deIBrzPNx
c:\users\Mark\AppData\Roaming\dN1uuD22F4pm5Qd
c:\users\Mark\AppData\Roaming\qUCelIBrzNx1v2b
c:\users\Mark\AppData\Roaming\cJ6dEK8fR9Tw
c:\users\Mark\AppData\Roaming\H7fEL9gTZjC
c:\users\Mark\AppData\Roaming\RjjYCekIVzONx0
c:\users\Mark\AppData\Roaming\DnG55aQHdWKfR9T
c:\users\Mark\AppData\Roaming\bG5sQJ6dE8R9TwU
c:\users\Mark\AppData\Roaming\jnG4aQH6s7LTqkV
c:\users\Mark\AppData\Roaming\zfRL9XqUCkBzNx0
c:\users\Mark\AppData\Roaming\oEK8gRZ9hXjVlB

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next post here, please include ComboFix.txt and let me know how are things there.

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!