WiredWX Christian Hobby Weather Tools

Multiple Virus

Re: Multiple Virus
Found a post that looks very similar to my problem! And you were the mod for him (http://www.geekpolice.net/virus-spyware-malware-removal-f11/win32-cryptor-t12275-30.htm).

I was going to create my own script for the files on my computer, but I will wait for a professional to help me.

EDIT:

I made my own script based on your advice to another (DON'T WORRY! I WON'T EXECUTE IT UNTIL I GET A PROFESSIONAL'S OPINION)!

Here's what I would have done:

Code:

Drivers to disable:
geyekrntqvoxie

Drivers to delete:
geyekrntqvoxie

Files to delete:
c:\windows\system32\geyekrhpptxniw.dat
c:\windows\system32\geyekrnjsqrbbm.dat
c:\windows\system32\geyekrvibpvqwk.dll
c:\windows\system32\geyekrpjyjtred.dll
c:\Windows\system32\drivers\geyekrbndqupbe.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie
HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie
HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie

But I can wait a little longer, PLEASE. I thank you so much if you can help me.

Re: Multiple Virus
Doctor inferno, can you help me?

Re: Multiple Virus
Sophos detected this in addition:

C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\System32\drivers\geyekrbndqupbe.sys
C:\Windows\System32\geyekredqbkoxn.dll
C:\Windows\System32\geyekrvceiditw.dat
C:\Windows\System32\geyekrlnrrrxnp.dll
C:\Windows\System32\cngaudit.dll
C:\Windows\System32\geyekrhpptxniw.dat
C:\Windows\System32\geyekrpjyjtred.dll
C:\Windows\System32\geyekrvibpvqwk.dll
C:\Windows\System32\geyekrnjsqrbbm.dat



And somehow it disabled my genuine Windows serial. I am afraid to type it in the box in case it steals it.


P.S.: 3 AM here now and I have been refreshing the page for 8 hours, I think, lol... Guess it's time to shut down my computer and give tomorrow one last shot before I reformat. Hope you respond soon.

Re: Multiple Virus
Another test. Just trying to run them all so you can see everything at once and help more easily.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 03:32:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"
"cmddelay"=dword:00003840

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector]
"*"="geyekrwsp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekrvibpvqwk.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrnjsqrbbm.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrpjyjtred.dll"
"geyekr.dat"="\systemroot\system32\geyekrhpptxniw.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekredqbkoxn.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrvceiditw.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrlnrrrxnp.dll"
"geyekr.dat"="\systemroot\system32\geyekrduijfiqy.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekredqbkoxn.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrvceiditw.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrlnrrrxnp.dll"
"geyekr.dat"="\systemroot\system32\geyekrduijfiqy.dat"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"IconServiceLib"="IconCodecService.dll"
"DdeSendTimeout"=dword:00000000
"DesktopHeapLogging"=dword:00000001
"GDIProcessHandleQuota"=dword:00002710
"ShutdownWarningDialogTimeout"=dword:ffffffff
"USERPostMessageLimit"=dword:00002710
"USERProcessHandleQuota"=dword:00002710
@="mnmsrvc"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"TransmissionRetryTimeout"="90"
"USERNestedWindowLimit"=dword:00000032

scanning hidden files ...


// This is where the program shuts down.

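The catchme dump above is what the hand-written removal plan earlier in the thread was built from, and putting the two side by side shows the gap: the modules table under CurrentControlSet points at different file names than the one under ControlSet001, so a plan written from a single control set misses files (the extra .dll/.dat names Sophos later reported are exactly the CurrentControlSet ones). The script below is an added example written for this page; it is not code from the thread, from catchme or from any other tool mentioned here. It parses a catchme-style "hidden services & system hive" dump (sample trimmed from the lines posted above), collects the service name, driver image, module files and registry keys from every control set, and resolves the injector alias through the module table. It assumes SystemRoot is C:\Windows; the output layout is mine.

```python
import re

# Assumption: SystemRoot is the default Vista location. catchme prints kernel-style
# \systemroot paths, which is what this prefix replaces.
SYSTEMROOT = r"C:\Windows"

# Constructed sample, trimmed from the catchme dump posted in this thread. The two
# control sets map the same module aliases to different on-disk files.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector]
"*"="geyekrwsp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekrvibpvqwk.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrnjsqrbbm.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrpjyjtred.dll"
"geyekr.dat"="\systemroot\system32\geyekrhpptxniw.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie]
"start"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekredqbkoxn.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrvceiditw.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrlnrrrxnp.dll"
"geyekr.dat"="\systemroot\system32\geyekrduijfiqy.dat"
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\\]]+)(?:\\(?P<sub>[^\]]*))?\]$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<raw>.*)$')


def normalize(path):
    r"""Expand \systemroot and lowercase so the same file is counted once."""
    if path.lower().startswith(r"\systemroot"):
        path = SYSTEMROOT + path[len(r"\systemroot"):]
    return path.lower()


def clean_value(raw):
    """Strip catchme's str(2): wrapper (REG_EXPAND_SZ) and surrounding quotes."""
    if raw.startswith("str("):
        raw = raw.split(":", 1)[1]
    return raw.strip('"')


def parse_dump(text):
    """Map (control set, service) -> image path, module alias table, injector aliases."""
    services, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            if not m:                       # some other hive key: stop attributing values
                current = None
                continue
            entry = services.setdefault((m["cs"], m["svc"]),
                                        {"imagepath": None, "modules": {}, "injector": []})
            current = (entry, (m["sub"] or "").lower())
            continue
        v = VALUE_RE.match(line)
        if not line or current is None or not v:
            continue
        entry, sub = current
        name, val = v["name"].lower(), clean_value(v["raw"])
        if sub == "" and name == "imagepath":
            entry["imagepath"] = normalize(val)
        elif sub == "modules":              # alias -> real on-disk file
            entry["modules"][name] = normalize(val)
        elif sub == r"main\injector":       # alias of the DLL injected into processes
            entry["injector"].append(val.lower())
    return services


def removal_plan(services):
    """Flatten every control set into the lists a removal script needs."""
    files, injected = set(), set()
    for entry in services.values():
        if entry["imagepath"]:
            files.add(entry["imagepath"])
        files.update(entry["modules"].values())
        # Resolve the injector alias through the same control set's module table.
        injected.update(entry["modules"][a] for a in entry["injector"] if a in entry["modules"])
    return {
        "services": sorted({svc for _, svc in services}),
        # CurrentControlSet is a link to one ControlSetNNN, so a key may be listed twice.
        "keys": sorted(f"HKLM\\SYSTEM\\{cs}\\Services\\{svc}" for cs, svc in services),
        "files": sorted(files),
        "injected": sorted(injected),
    }


if __name__ == "__main__":
    plan = removal_plan(parse_dump(SAMPLE_DUMP))
    for title, items in (("Drivers to disable and delete:", plan["services"]),
                         ("Files to delete:", plan["files"]),
                         ("Registry keys to delete:", plan["keys"])):
        print(title, *items, sep="\n")
        print()
```

Run it on the full dump rather than the trimmed sample and compare the file list with what the scanners reported; anything in the modules tables that no scanner listed is a candidate the scanners missed, and any key that appears only under one ControlSetNNN is one that survives a boot into that configuration.
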
Re: Multiple Virus
Can you check the size of this file: cngaudit.dll

It will be located in

C:\Windows\System32\cngaudit.dll

Re: Multiple Virus
Hello.
Where did you get catchme? If you have a full ComboFix log, can you post it, please?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Multiple Virus
11.5 KB

Re: Multiple Virus
I don't remember where I got it; I was searching for anti-rootkit programs to scan with, to see which ones worked. ComboFix closes down immediately after attempting to scan. Anything posted is logs I found, as far as they could get before being shut down.

Re: Multiple Virus
Was really hoping to have a suggestion when I woke up. Wish you were on longer.

Re: Multiple Virus
Can you post a new GMER log? I want to check something.

Re: Multiple Virus
Found hidden malicious services, which I disabled in the registry. Restarted the computer and it allowed me to run ComboFix! It restarted, and now I am in Safe Mode running a quick MBAM scan. I will post the Malwarebytes log if you want as soon as it is done.

Was planning on booting in normal mode to do a full scan afterwards too, and run all scans for fresh logs.

Re: Multiple Virus
First quick scan of Malwarebytes in Safe Mode:

Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 6.0.6002 Service Pack 2 (Safe Mode)

9/2/2009 3:12:37 PM
mbam-log-2009-09-02 (15-12-24).txt

Scan type: Quick Scan
Objects scanned: 91445
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Justyn\Desktop\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\Users\Justyn\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.


// Those were renamed by ComboFix, so I chose ignore.

Re: Multiple Virus
Here is the first ComboFix scan log (forgot to post earlier):

ComboFix 09-08-31.03 - Justyn 09/02/2009 14:41.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2573 [GMT -7:00]
Running from: c:\users\Justyn\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\WMEncoder.msi
c:\windows\system32\w32apiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geyekrntqvoxie
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_geyekrntqvoxie


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 10:51 . 2009-09-02 10:51 -------- d-----w- c:\program files\trend micro
2009-09-02 09:29 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-09-02 08:50 . 2009-09-02 08:50 -------- d-----w- c:\program files\Sophos
2009-09-02 02:58 . 2009-09-02 02:58 -------- d-----w- C:\iDEFENSE
2009-09-02 02:54 . 2009-09-02 10:25 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 05:02 . 2009-09-02 04:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-01 04:42 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 04:42 . 2009-09-02 09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 04:42 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 04:39 . 2009-09-01 04:39 -------- d-----w- C:\_OTM
2009-09-01 00:17 . 2009-09-01 00:17 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-09-01 00:06 . 2009-09-01 00:07 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-01 00:06 . 2009-09-01 00:06 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2009-08-31 23:51 . 2009-08-31 23:52 117760 ----a-w- c:\users\Justyn\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 23:50 . 2009-08-31 23:50 -------- d-----w- c:\users\Justyn\AppData\Roaming\SUPERAntiSpyware.com
2009-08-31 23:13 . 2009-08-31 23:13 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-31 22:15 . 2009-08-31 22:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-08-31 22:10 . 2009-08-31 22:10 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2009-08-31 21:08 . 2009-08-31 21:08 -------- d-----w- c:\users\Justyn\AppData\Roaming\Malwarebytes
2009-08-31 21:08 . 2009-08-31 21:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-30 10:00 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-20 02:14 . 2009-08-20 02:14 -------- d-----w- c:\users\Justyn\AppData\Local\TechSmith
2009-08-20 01:24 . 2009-08-20 01:24 -------- d-----w- c:\windows\system32\QuickTime
2009-08-20 01:23 . 2009-08-20 01:23 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-08-20 01:23 . 2009-08-20 01:23 -------- d-----w- c:\program files\TechSmith
2009-08-20 01:02 . 2005-06-15 10:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-13 22:56 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 22:56 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 22:56 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 22:56 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 22:56 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-13 22:56 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 22:56 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 22:56 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-11 18:51 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-11 18:51 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-11 18:51 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-11 18:51 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-11 18:51 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-11 18:51 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-11 18:51 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-11 18:51 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-06 05:32 . 2009-08-06 05:32 -------- d-----w- c:\program files\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 20:54 . 2009-09-02 20:54 5018 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-09-02 02:33 . 2009-05-26 09:01 1356 ----a-w- c:\users\Justyn\AppData\Local\d3d9caps.dat
2009-09-01 02:24 . 2009-09-01 02:24 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-01 00:45 . 2009-06-12 07:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-01 00:17 . 2009-05-27 15:35 112408 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-31 22:51 . 2009-05-26 10:17 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-21 06:41 . 2009-07-09 21:25 -------- d-----w- c:\program files\PopCap Games
2009-08-18 06:45 . 2009-05-26 10:15 -------- d-----w- c:\program files\AllToAVI
2009-08-13 23:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 10:09 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-12 10:02 . 2009-04-18 01:15 -------- d-----w- c:\programdata\Microsoft Help
2009-07-21 21:52 . 2009-07-28 19:54 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-14 21:50 . 2009-05-26 12:58 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-12 01:59 . 2009-07-12 01:59 -------- d-----w- c:\program files\AC3Filter
2009-07-09 21:25 . 2009-07-09 21:25 -------- d-----w- c:\programdata\PopCap Games
2009-06-23 16:40 . 2009-05-26 00:12 112408 ----a-w- c:\users\Justyn\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-22 10:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-15 14:53 . 2009-07-14 22:34 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 22:34 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 22:34 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 22:34 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 22:34 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-26 00:11 . 2009-05-26 00:11 13 --sh--r- c:\windows\System32\drivers\fbd.sys
.

Re: Multiple Virus
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):80,f9,84,c9,23,f3,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1807422815-738861055-1700803671-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1807422815-738861055-1700803671-500]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{711C5B84-0C3E-416A-89B9-1350A4ED4FEC}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{25905A1D-1F5E-47B2-B09C-EEF478C4E851}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{96860A96-0D2A-41A4-B0E1-34BCAF32B006}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EA08C4D4-2078-4D85-B6DD-B699421FA7F7}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{4FEA6F7A-EEE3-4BC0-9AE8-0A2869114AD2}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{897D469D-2E34-4EDD-AB76-86BDB48292BF}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{76A7691E-FD0E-43E8-AE65-D77446D438F2}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D30B2C49-5B28-4541-BF67-194BA9EA2DB0}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{E19DFC26-5237-4A4E-934F-F5D6B8B417E4}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [4/17/2009 6:55 PM 20384]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\System32\SAVRKBootTasks.sys [9/2/2009 2:29 AM 18816]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [5/15/2009 8:23 PM 176128]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [4/17/2008 12:19 AM 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [12/3/2007 5:03 PM 126976]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [5/5/2008 11:06 AM 7168]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 6:35 PM 73728]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe --> c:\program files\Jumpstart\jswpsapi.exe [?]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [5/16/2008 10:59 AM 9216]
S4 VMLIV;VMLIV;c:\users\JUSTYN\AppData\Local\Temp\VMLIV.exe --> c:\users\JUSTYN\AppData\Local\Temp\VMLIV.exe [?]
S4 ZQTY;ZQTY;c:\users\JUSTYN\AppData\Local\Temp\ZQTY.exe --> c:\users\JUSTYN\AppData\Local\Temp\ZQTY.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: Download Video - http://www.viloader.net/addon.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: netzero.com
Trusted Zone: netzero.net
TCP: {CA815AB6-B3EE-45F6-BB70-FF51C8C23AF7} = 68.87.69.146,68.87.85.98
FF - ProfilePath - c:\users\Justyn\AppData\Roaming\Mozilla\Firefox\Profiles\d9533ooq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 14:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D74B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\atieclxx.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\agrsmsvc.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-02 14:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 21:55

Pre-Run: 157,075,496,960 bytes free
Post-Run: 156,926,767,104 bytes free

266 --- E O F --- 2009-08-30 10:01

Re: Multiple Virus
HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:57 PM, on 9/2/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: *.netzero.com
O15 - Trusted Zone: *.netzero.net
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA815AB6-B3EE-45F6-BB70-FF51C8C23AF7}: NameServer = 68.87.69.146,68.87.85.98
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5542 bytes

Re: Multiple Virus
My Windows sticker activation key won't work! It's in limited accessibility mode. Grrr!

Re: Multiple Virus
This is what it says:

The product key you have entered does not appear to be a valid Windows Vista product key.

100% sure it is; I have the receipt and the sticker on the bottom of the laptop and everything!

This malware messed up my system.

Last edited by justyn on 3rd September 2009, 12:02 am; edited 1 time in total

Re: Multiple Virus
Hello.
There isn't much we can do about activation; you'll need to ring Microsoft and explain your situation.

You aren't running antivirus software.

Please install Avira antivirus, otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Re: Multiple Virus
OK, thanks. Did you notice anything to delete from HijackThis?

I will download that free antivirus you listed.

Re: Multiple Virus
Hello.
The HijackThis scan looks good; nothing that alerts me from here.

Re: Multiple Virus
You usually say to run combofix /u after using it.

Re: Multiple Virus
Oh shoot. Took a deeper look; it goes farther. I deleted some more geyekrXXXXX keys and found VMLIV and ZQTY services. Here is a partial log of a part of GMER.

GMER 1.0.15.15077 [gzwoy4u6.exe] - http://www.gmer.net
Rootkit scan 2009-09-02 20:46:29
Windows 6.0.6002 Service Pack 2


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Type 272
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Start 4
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ImagePath C:\Users\JUSTYN\AppData\Local\Temp\VMLIV.exe
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@DisplayName VMLIV
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ObjectName LocalSystem

---- EOF - GMER 1.0.15 ----

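The GMER "Reg ...@Value data" lines above are easy to read for one service and tedious for a whole hive. The script below is an added example written for this page, not code from the thread or from GMER: it groups those lines per (control set, service) and flags entries whose ImagePath sits under a user's Temp directory, then reports the corroborating fields the excerpt shows (Type 272 = 0x110, own process plus SERVICE_INTERACTIVE_PROCESS; ObjectName LocalSystem; Start 4, which is the disabled start type that ComboFix listed as "S4 VMLIV" earlier). The benign ExampleSvc entry in the sample and the temp-directory heuristic are my constructions, not anything GMER reported.

```python
import re
from collections import defaultdict

# Constructed sample: the VMLIV lines from the GMER excerpt posted above, plus a
# made-up benign service (ExampleSvc, not from the thread) for contrast.
SAMPLE_GMER = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Type 272
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Start 4
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ImagePath C:\Users\JUSTYN\AppData\Local\Temp\VMLIV.exe
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@DisplayName VMLIV
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet004\Services\ExampleSvc@Type 16
Reg HKLM\SYSTEM\ControlSet004\Services\ExampleSvc@Start 2
Reg HKLM\SYSTEM\ControlSet004\Services\ExampleSvc@ImagePath C:\Program Files\Example\ExampleSvc.exe
Reg HKLM\SYSTEM\ControlSet004\Services\ExampleSvc@ObjectName LocalSystem

---- EOF - GMER 1.0.15 ----
"""

REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<svc>[^\\@]+)@(?P<name>\w+)\s*(?P<val>.*)$",
    re.I)

SERVICE_INTERACTIVE_PROCESS = 0x100   # Type bit; 272 == 0x110 == own process | interactive
START_DISABLED = 4
# Heuristic (mine, not GMER's): a service binary has no business in a temp directory.
TEMP_DIRS = (r"\appdata\local\temp", r"\windows\temp")


def parse_gmer_services(text):
    """Group GMER 'Reg <key>@<Value> <data>' lines by (control set, service name)."""
    services = defaultdict(dict)
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            services[(m["cs"], m["svc"])][m["name"].lower()] = m["val"].strip()
    return dict(services)


def assess(entry):
    """Return why a service entry looks suspicious; an empty list means nothing stood out."""
    reasons = []
    image = entry.get("imagepath", "").lower()
    if any(d in image for d in TEMP_DIRS):
        reasons.append("ImagePath is under a temp directory")
    try:
        svc_type = int(entry.get("type", "0"))
    except ValueError:
        svc_type = 0
    # The remaining fields only corroborate; on their own they are common for legitimate services.
    if reasons and svc_type & SERVICE_INTERACTIVE_PROCESS:
        reasons.append("Type has SERVICE_INTERACTIVE_PROCESS set")
    if reasons and entry.get("objectname", "").lower() == "localsystem":
        reasons.append("runs as LocalSystem")
    if reasons and entry.get("start") == str(START_DISABLED):
        reasons.append("Start=4: disabled, but the key and the binary still need removing")
    return reasons


def find_suspicious(services):
    """(control set, service, reasons) for every entry that trips the heuristic."""
    flagged = []
    for (cs, svc), entry in services.items():
        reasons = assess(entry)
        if reasons:
            flagged.append((cs, svc, reasons))
    return flagged


if __name__ == "__main__":
    for cs, svc, reasons in find_suspicious(parse_gmer_services(SAMPLE_GMER)):
        print(f"{cs}\\{svc}: " + "; ".join(reasons))
```

Feed it the whole GMER registry section rather than the excerpt: a service that is present under ControlSet004 but absent from the ControlSet the machine actually boots from (HKLM\SYSTEM\Select) is one reason a scan in normal mode can look clean while the entry is still there.
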
Re: Multiple Virus
You know, I am so infested with viruses I am gonna just reformat... but I wanna use my computer... and this infection is the worst in the history of malware.

Re: Multiple Virus
So did you format, or still need help?

Re: Multiple Virus
Alright, I formatted since they said some of my Windows files may be corrupted. Thanks for all the help though, I learned a lot. Computer runs good as new lol... because it is new again.

Anyway, I got a 60-day trial of Norton 360 again when I reformatted/installed. Is that a good antivirus? I don't want any malware to get by.

I wish everyone luck who gets the same problem.

Re: Multiple Virus
I recommend using Avira Free; it's way better than Norton:

http://free-av.com

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate
