Multiple Virus

Re: Multiple Virus2nd September 2009, 1:27 am

K it saved it on desktop! first scan that didn't quit! Smile...

. here is the log in sections cause I don't know how much can fit per post.

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" ["TOSHIBA"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" ["Advanced Micro Devices, Inc."]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TPwrMain" = "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
"HSON" = "C:\Program Files\TOSHIBA\TBS\HSON.exe"
"SmoothView" = "C:\Program Files\Toshiba\SmoothView\SmoothView.exe"
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"(Default)" = "(empty string)" [file not found]
"GrpConv" = "grpconv -o" [MS]
"Malwarebytes' Anti-Malware" = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]
"Cleanup" = "C:\cleanup.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6145\SiteAdv.dll" ["McAfee, Inc."]
{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}\(Default) = "McAntiPhishingBHO"
-> {HKLM...CLSID} = "McAfee Phishing Filter"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\msk\mcapbho.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live ID Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [null data]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\Windows\System32\ieframe.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{28803F59-3A75-4058-995F-4EE5503B023C}" = "Wireless Devices"
-> {HKLM...CLSID} = "Bluetooth Devices"
\InProcServer32\(Default) = "C:\Windows\system32\FunctionDiscoveryFolder.dll" [MS]
"{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}" = "Enhanced Storage Data Source"
-> {HKLM...CLSID} = "Enhanced Storage Data Source"
\InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Re: Multiple Virus2nd September 2009, 1:28 am

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"BindDirectlyToPropertySetStorage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\Pictures\planets\star feild.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Justyn\Pictures\planets\star feild.jpg"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Ribbons.scr" [MS]

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

DMFMADFolder\
"Provider" = "Ulead DVD MovieFactory 5"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\DVD MovieFactory for TOSHIBA\Ulead DVD MovieFactory 5\MovieHunter.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

ImgBurnBluRayBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnBluRayBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnPlayBluRayOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayBluRayOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayCDAudioOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayDVDMovieOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayHDDVDOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

MSEnhancedStorageHandler\
"Provider" = "@C:\Windows\system32\EhStorShell.dll,-108"
"ProgID" = "EhStorShell.AutoplayHandler"
"InitCmdLine" = "Authorize"
HKLM\SOFTWARE\Classes\EhStorShell.AutoplayHandler\CLSID\(Default) = "{36F54939-CD3B-4C73-92D5-F9A389ED631C}"
-> {HKLM...CLSID} = "Enhanced Storage Autoplay Handler Class"
\InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

Re: Multiple Virus2nd September 2009, 1:29 am

TosDVDPlayHandler\
"Provider" = "TOSHIBA DVD PLAYER"
"InvokeProgID" = "TosDvdPlayer"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\TosDvdPlayer\shell\play\command\(Default) = ""C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TosHDDVD.exe"" ["TOSHIBA Corporation"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"{16BB71AF-1698-41B6-95C2-D63E8817E881}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}\setup.exe" -c -runfromtemp -l0x0409" [MS]
"{7B02EF0B-A410-4938-8480-9BA26420A627}" -> (HIDDEN!) launches: "C:\Windows\TEMP\b.exe" [file not found]
"{BB65B0FB-5712-401b-B616-E69AC55E2757}" -> (HIDDEN!) launches: "C:\Windows\TEMP\a.exe" [file not found]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ManualDefrag" -> launches: "%windir%\system32\defrag.exe \\?\Volume{7d5bf50a-49af-11de-a2d4-001e33b8ad14}\" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
"WSHReset" -> (HIDDEN!) launches: "%systemroot%\system32\netsh.exe interface tcp set heuristic wsh=default" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

Re: Multiple Virus2nd September 2009, 1:30 am

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6145\SiteAdv.dll" ["McAfee, Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
<> C:\WINDOWS\INF\IERESET.INF was not found!

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]

Re: Multiple Virus2nd September 2009, 1:30 am

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Agere Modem Call Progress Audio, AgereModemAudio, "C:\Windows\system32\agrsmsvc.exe" ["Agere Systems"]
AMD External Events Utility, AMD External Events Utility, "C:\Windows\system32\atiesrxx.exe" ["AMD"]
Application Layer Gateway Service, ALG, "C:\Windows\System32\alg.exe" [MS]
Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Certificate Propagation, CertPropSvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]}
CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
COM+ System Application, COMSysApp, "C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}" [MS]
Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
ConfigFree Service, ConfigFree Service, ""C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe"" ["TOSHIBA CORPORATION"]
DFS Replication, DFSR, "C:\Windows\system32\DFSR.exe" [MS]
Diagnostic Service Host, WdiServiceHost, "C:\Windows\System32\svchost.exe -k wdisvc" {"C:\Windows\system32\wdi.dll" [MS]}
Distributed Transaction Coordinator, MSDTC, "C:\Windows\System32\msdtc.exe" [MS]
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Health Key and Certificate Management, hkmsvc, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\kmsvc.dll" [MS]}
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Interactive Services Detection, UI0Detect, "C:\Windows\system32\UI0Detect.exe" [MS]
Internet Connection Sharing (ICS), SharedAccess, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\ipnathlp.dll" [MS]}
Jumpstart Wifi Protected Setup, jswpsapi, "C:\Program Files\Jumpstart\jswpsapi.exe" [file not found]
Link-Layer Topology Discovery Mapper, lltdsvc, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\lltdsvc.dll" [MS]}
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\Program Files\McAfee\VirusScan\McShield.exe" ["McAfee, Inc."]
McAfee Scanner, McODS, "C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe" [null data]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SpamKiller Service, MSK80Service, ""C:\Program Files\McAfee\MSK\MskSrver.exe"" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Microsoft .NET Framework NGEN v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Microsoft iSCSI Initiator Service, MSiSCSI, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\system32\iscsiexe.dll" [MS]}
Microsoft Office Diagnostics Service, odserv, ""C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
Net.Tcp Port Sharing Service, NetTcpPortSharing, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]
Netlogon, Netlogon, "C:\Windows\system32\lsass.exe" [MS]
Network Access Protection Agent, napagent, "C:\Windows\System32\svchost.exe -k NetworkService" {"C:\Windows\system32\qagentRT.dll" [MS]}
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Parental Controls, WPCSvc, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\System32\wpcsvc.dll" [MS]}
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]
Peer Name Resolution Protocol, PNRPsvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Peer Networking Grouping, p2psvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Peer Networking Identity Manager, p2pimsvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Performance Logs & Alerts, pla, "C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork" {"C:\Windows\system32\pla.dll" [MS]}
pinger, pinger, "C:\TOSHIBA\IVP\ISM\pinger.exe" [null data]
PnP-X IP Bus Enumerator, IPBusEnum, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\ipbusenum.dll" [MS]}
PNRP Machine Name Publication Service, PNRPAutoReg, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Problem Reports and Solutions Control Panel Support, wercplsupport, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\wercplsupport.dll" [MS]}
Quality Windows Audio Video Experience, QWAVE, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\qwave.dll" [MS]}
Remote Access Auto Connection Manager, RasAuto, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\rasauto.dll" [MS]}
Remote Procedure Call (RPC) Locator, RpcLocator, "C:\Windows\system32\locator.exe" [MS]
Remote Registry, RemoteRegistry, "C:\Windows\system32\svchost.exe -k regsvc" {"C:\Windows\system32\regsvc.dll" [MS]}
Routing and Remote Access, RemoteAccess, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\mprdim.dll" [MS]}
SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."]
Secure Socket Tunneling Protocol Service, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6145\SAService.exe" ["McAfee, Inc."]
SL UI Notification Service, SLUINotify, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\SLUINotify.dll" [MS]}
Smart Card, SCardSvr, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\System32\SCardSvr.dll" [MS]}
Smart Card Removal Policy, SCPolicySvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]}
SmartFaceVWatchSrv, SmartFaceVWatchSrv, ""C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe"" ["Toshiba"]
SNMP Trap, SNMPTRAP, "C:\Windows\System32\snmptrap.exe" [MS]
Swupdtmr, Swupdtmr, "c:\TOSHIBA\IVP\swupdate\swupdtmr.exe" [null data]
Terminal Services Configuration, SessionEnv, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\sessenv.dll" [MS]}
TOSHIBA Navi Support Service, TNaviSrv, "C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe" ["TOSHIBA Corporation"]
TOSHIBA Optical Disc Drive Service, TODDSrv, "C:\Windows\system32\TODDSrv.exe" ["TOSHIBA Corporation"]
TOSHIBA Power Saver, TosCoSrv, ""C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe"" ["TOSHIBA Corporation"]
TOSHIBA SMART Log Service, TOSHIBA SMART Log Service, ""C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe"" ["TOSHIBA Corporation"]
TPM Base Services, TBS, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\tbssvc.dll" [MS]}
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Virtual Disk, vds, "C:\Windows\System32\vds.exe" [MS]
Windows Backup, SDRSVC, "C:\Windows\system32\svchost.exe -k SDRSVC" {"C:\Windows\System32\SDRSVC.dll" [MS]}
Windows CardSpace, idsvc, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Color System, WcsPlugInService, "C:\Windows\system32\svchost.exe -k wcssvc" {"C:\Windows\System32\WcsPlugInService.dll" [MS]}
Windows Connect Now - Config Registrar, wcncsvc, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\wcncsvc.dll" [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Event Collector, Wecsvc, "C:\Windows\system32\svchost.exe -k NetworkService" {"C:\Windows\system32\wecsvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Installer, msiserver, "C:\Windows\system32\msiexec /V" [MS]
Windows Live ID Sign-in Assistant, wlidsvc, ""C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"" [MS]
Windows Media Center Extender Service, Mcx2Svc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\Mcx2Svc.dll" [MS]}
Windows Media Center Receiver Service, ehRecvr, "C:\Windows\ehome\ehRecvr.exe" [MS]
Windows Media Center Scheduler Service, ehSched, "C:\Windows\ehome\ehsched.exe" [MS]
Windows Media Center Service Launcher, ehstart, "C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork" {"C:\Windows\ehome\ehstart.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows Remote Management (WS-Management), WinRM, "C:\Windows\System32\svchost.exe -k NetworkService" {"C:\Windows\system32\WsmSvc.dll" [MS]}
Wired AutoConfig, dot3svc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\dot3svc.dll" [MS]}
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
WMI Performance Adapter, wmiApSrv, "C:\Windows\system32\wbem\WmiApSrv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PCL hpz3l054\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]

---------- (launch time: 2009-09-01 18:10:19)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 100 seconds, including 9 seconds for message boxes)

//sorry for all the posts, it was long.

GEYEKR2nd September 2009, 1:34 am

A quick add that PCtools found (its trial so it won't let me delete them).
It wasnt in scan mode either it just popped up that it found them. and I can't find them in the specified folder to delete manually.

(HIGH) Backdoor.Tidserv (2 infections)

...file:

c:\windows\system32\geyekrhpptxniw.dat
c:\windows\system32\geyekrnjsqrbbm.dat

Last edited by justyn on 2nd September 2009, 7:27 am; edited 1 time in total

Re: Multiple Virus2nd September 2009, 1:39 am

Download combofix from here
Link 1
Link 2

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

Multiple Virus - Page 1 CF_download_FF

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

See HERE for how to disable your AV.
Double click on svchost.exe.
Follow the prompts. NOTE:
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouse click combofix's window whilst it's running. That may cause it to stall.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus2nd September 2009, 1:49 am

well it opens loads the blue bar and nothing happens after it closes. There is a new process in Task manager named sed.cfxxe, which I assume is combofix. It remains at 60 K memory and will not produce a log, I did not click or move mouse anywhere while it ran.

Re: Multiple Virus2nd September 2009, 3:40 am

I ran GMER and here are the result, before the malware clsoed it 10 minutes in! >.<:

GMER 1.0.15.15077 [gzwoy4u6.exe] - http://www.gmer.net
Rootkit scan 2009-09-01 20:26:39
Windows 6.0.6002 Service Pack 2

---- System - GMER 1.0.15 ----

Code 85FCF6C8 ZwEnumerateKey
Code 85FD4EB8 ZwFlushInstructionCache
Code 85FD15DE ZwSaveKey
Code 85FCF6FE ZwSaveKeyEx
Code 85FD1615 IofCallDriver
Code 85FD4DB6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 81E7D912 5 Bytes JMP 85FD161A
.text ntkrnlpa.exe!IofCompleteRequest 81E7D97F 5 Bytes JMP 85FD4DBB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FE8EF5 5 Bytes JMP 85FD4EBC
PAGE ntkrnlpa.exe!ZwEnumerateKey 820360BA 5 Bytes JMP 85FCF6CC
PAGE ntkrnlpa.exe!ZwSaveKey 8208B969 5 Bytes JMP 85FD15E2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8208BB07 5 Bytes JMP 85FCF702
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\java.exe[404] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Java\jre6\bin\java.exe[404] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Java\jre6\bin\java.exe[404] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\winlogon.exe[484] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 001B000A
.text C:\Windows\system32\services.exe[532] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\services.exe[532] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\services.exe[532] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\lsm.exe[552] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 0036000A
.text C:\Windows\system32\svchost.exe[708] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[708] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[708] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1132] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 000C000A
.text C:\Users\Justyn\AppData\Local\Temp\jkos-Justyn\binaries\ScanningProcess.exe[1248] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003D000A
.text C:\Windows\system32\Taskmgr.exe[1260] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[1284] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1284] GDI32.dll!GetObjectA + C5

Re: Multiple Virus2nd September 2009, 3:41 am

.text C:\Windows\system32\svchost.exe[1284] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!SetWindowsHookExW 770287AD 5 Bytes JMP 73329521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!CallNextHookEx 77028E3B 5 Bytes JMP 7331CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!UnhookWindowsHookEx 770298DB 5 Bytes JMP 732943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] ole32.dll!OleLoadFromStream 76B01E12 5 Bytes JMP 73423F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] ole32.dll!CoCreateInstance 76B39EA6 5 Bytes JMP 7332D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2856] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003C000A
.text C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe[2916] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 002A000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2956] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003E000A
.text C:\Users\Justyn\AppData\Local\Temp\jkos-Justyn\binaries\ScanningProcess.exe[3700] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003D000A
.text C:\Users\Justyn\Desktop\gzwoy4u6.exe[3824] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!SetWindowsHookExW 770287AD 5 Bytes JMP 73329521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!CallNextHookEx 77028E3B 5 Bytes JMP 7331CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!UnhookWindowsHookEx 770298DB 5 Bytes JMP 732943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] ole32.dll!OleLoadFromStream 76B01E12 5 Bytes JMP 73423F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] ole32.dll!CoCreateInstance 76B39EA6 5 Bytes JMP 7332D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

Re: Multiple Virus2nd September 2009, 3:42 am

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Java\jre6\bin\java.exe[404] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Java\jre6\bin\java.exe[404] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\wininit.exe[456] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\wininit.exe[456] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\services.exe[532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\services.exe[532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[780] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[780] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[1008] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[1008] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1284] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1284] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1444] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1444] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7413A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74118395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [740EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7416CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7410C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2300] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2300] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2652] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2652] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4012] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4012] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Re: Multiple Virus2nd September 2009, 3:42 am

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\java.exe [404] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [456] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [532] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [708] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [780] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [968] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1008] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1112] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1380] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1444] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1944] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2152] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2300] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2652] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [4012] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrbndqupbe.sys (*** hidden *** ) [SYSTEM] geyekrntqvoxie <-- ROOTKIT !!!

Re: Multiple Virus2nd September 2009, 3:42 am

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat

Re: Multiple Virus2nd September 2009, 3:43 am

That was as far as the log got until it autoclosed Sad tearing

I ran each checkbox of GMER 1 by 1 and found out it scans all without closing except for files. Once it searches for files it autocloses and sets ownership to everyone as denied access. Which I take back by making my user the owner of the file but it does it again if i scan files.

Re: Multiple Virus2nd September 2009, 4:53 am

Disabled the Geyekrntqvoxie service in GMER, did not delete yet, Now in Normal mode but scanners still get shut down. Really want help on getting rid of this ASAP.

tried gmer again but the services reenable themselves automatically..
this is so annoying i was soo close to reformatting but I will wait 1 more hour or so if I can, I really need to access some things but will not type passwords til I am 100% safe... And unlesss I can fully scan without the malware closing the app I will not feel safe.

I know I am infected still cause we have not accomplished anything, but I posted the logs I could get.

Re: Multiple Virus2nd September 2009, 5:49 am

found a post that looks very similar to my problem!!! And you were the mod for him (http://www.geekpolice.net/virus-spyware-malware-removal-f11/win32-cryptor-t12275-30.htm)

I was gonna create my own script for the files on my computer, but will wait for professional to help me.

EDIT:

I made my own script based on your advice to another (DON'T WORRY! I WON'T EXECUTE IT UNTIL I GET A PROFESSIONAL'S OPINION)!

heres what I would have done:

Code:


Drivers to disable:
geyekrntqvoxie

Drivers to delete:
geyekrntqvoxie

Files to delete:
c:\windows\system32\geyekrhpptxniw.dat
c:\windows\system32\geyekrnjsqrbbm.dat
c:\windows\system32\geyekrvibpvqwk.dll
c:\windows\system32\geyekrpjyjtred.dll
c:\Windows\system32\drivers\geyekrbndqupbe.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie
HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie
HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie

But I can wait a little longer, PLEASE. I thank you so much if you can help me.

Re: Multiple Virus2nd September 2009, 8:03 am

Doctor inferno, can you help me?

Re: Multiple Virus2nd September 2009, 9:52 am

Sophar detected this in addition:

C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\System32\drivers\geyekrbndqupbe.sys
C:\Windows\System32\geyekredqbkoxn.dll
C:\Windows\System32\geyekrvceiditw.dat
C:\Windows\System32\geyekrlnrrrxnp.dll
C:\Windows\System32\cngaudit.dll
C:\Windows\System32\geyekrhpptxniw.dat
C:\Windows\System32\geyekrpjyjtred.dll
C:\Windows\System32\geyekrvibpvqwk.dll
C:\Windows\System32\geyekrnjsqrbbm.dat

And somehow it disabled my genuine windows serial, I am afraid to type it in the box in case it steals it.

P.S: 3AM Here now and I have been refreshing page for 8 hours i think lol... Guess it's time to shut down my computer and give tomorrow 1 last shot before I reformat. Hope you respond soon Sad tearing

Re: Multiple Virus2nd September 2009, 10:41 am

Another test, Just trying to run all so you can see all at once and help easier.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 03:32:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"
"cmddelay"=dword:00003840

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector]
"*"="geyekrwsp.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekrvibpvqwk.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrnjsqrbbm.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrpjyjtred.dll"
"geyekr.dat"="\systemroot\system32\geyekrhpptxniw.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekredqbkoxn.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrvceiditw.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrlnrrrxnp.dll"
"geyekr.dat"="\systemroot\system32\geyekrduijfiqy.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\geyekrbndqupbe.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main]
"aid"="10200"
"sid"="3"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules]
"geyekrrk.sys"="\systemroot\system32\drivers\geyekrbndqupbe.sys"
"geyekrcmd.dll"="\systemroot\system32\geyekredqbkoxn.dll"
"geyekrlog.dat"="\systemroot\system32\geyekrvceiditw.dat"
"geyekrwsp.dll"="\systemroot\system32\geyekrlnrrrxnp.dll"
"geyekr.dat"="\systemroot\system32\geyekrduijfiqy.dat"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001
"IconServiceLib"="IconCodecService.dll"
"DdeSendTimeout"=dword:00000000
"DesktopHeapLogging"=dword:00000001
"GDIProcessHandleQuota"=dword:00002710
"ShutdownWarningDialogTimeout"=dword:ffffffff
"USERPostMessageLimit"=dword:00002710
"USERProcessHandleQuota"=dword:00002710
@="mnmsrvc"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
"TransmissionRetryTimeout"="90"
"USERNestedWindowLimit"=dword:00000032

scanning hidden files ...

//This is where the program shuts down.

Re: Multiple Virus2nd September 2009, 12:39 pm

Can you check the size of this file - cngaudit.dll

it will be located in

C:\Windows\System32\cngaudit.dll

Re: Multiple Virus2nd September 2009, 1:35 pm

Hello.
Where did you get catchme? if you have a full Combofix log, can you post it please?

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus2nd September 2009, 8:53 pm

11.5 KB

Re: Multiple Virus2nd September 2009, 9:05 pm

don't remember where I got it, was searching for anti rootkit programs to scan to see which ones worked. Combofix closes down immediately after attempting to scan. Anything posted is logs i found as far as they could get before being shut down.

Re: Multiple Virus2nd September 2009, 9:31 pm

Was really hoping to have a suggestion when I woke up Sad tearing

. Wish you were on longer.

Re: Multiple Virus2nd September 2009, 10:06 pm

Can you post a new GMER log? I want to check something.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus2nd September 2009, 10:10 pm

found hidden malicious services in which I disabled in registry. Restarted computer and it allowed me to run combo-fix! It restarted, and now am in safe mode running a quick MBAM scan. I will post the Malware Byetes log if you want as soon as it is done.

Was planning on booting in normal mode to do full scan afterwards too and run all scans for fresh logs.

Re: Multiple Virus2nd September 2009, 10:32 pm

First quickscan of Malware Bytes in safe mode:

Malwarebytes' Anti-Malware 1.40
Database version: 2732
Windows 6.0.6002 Service Pack 2 (Safe Mode)

9/2/2009 3:12:37 PM
mbam-log-2009-09-02 (15-12-24).txt

Scan type: Quick Scan
Objects scanned: 91445
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Justyn\Desktop\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
C:\Users\Justyn\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

//those were combofix renamed, so I chose ignore.

Re: Multiple Virus2nd September 2009, 10:55 pm

Here was the first scan of Combo-fix log: (forgot to post earlier)

ComboFix 09-08-31.03 - Justyn 09/02/2009 14:41.1.2 - NTFSx86
Microsoft

Windows Vista

Home Premium 6.0.6002.2.1252.1.1033.18.3581.2573 [GMT -7:00]
Running from: c:\users\Justyn\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\WMEncoder.msi
c:\windows\system32\w32apiw.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_geyekrntqvoxie
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_geyekrntqvoxie

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 10:51 . 2009-09-02 10:51 -------- d-----w- c:\program files\trend micro
2009-09-02 09:29 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2009-09-02 08:50 . 2009-09-02 08:50 -------- d-----w- c:\program files\Sophos
2009-09-02 02:58 . 2009-09-02 02:58 -------- d-----w- C:\iDEFENSE
2009-09-02 02:54 . 2009-09-02 10:25 153104 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-01 05:02 . 2009-09-02 04:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-01 04:42 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-01 04:42 . 2009-09-02 09:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-01 04:42 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 04:39 . 2009-09-01 04:39 -------- d-----w- C:\_OTM
2009-09-01 00:17 . 2009-09-01 00:17 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-09-01 00:06 . 2009-09-01 00:07 117760 ----a-w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-01 00:06 . 2009-09-01 00:06 -------- d-----w- c:\users\Administrator\AppData\Roaming\SUPERAntiSpyware.com
2009-08-31 23:51 . 2009-08-31 23:52 117760 ----a-w- c:\users\Justyn\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-31 23:50 . 2009-08-31 23:50 -------- d-----w- c:\users\Justyn\AppData\Roaming\SUPERAntiSpyware.com
2009-08-31 23:13 . 2009-08-31 23:13 0 ----a-w- c:\windows\ativpsrm.bin
2009-08-31 22:15 . 2009-08-31 22:15 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2009-08-31 22:10 . 2009-08-31 22:10 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2009-08-31 21:08 . 2009-08-31 21:08 -------- d-----w- c:\users\Justyn\AppData\Roaming\Malwarebytes
2009-08-31 21:08 . 2009-08-31 21:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-30 10:00 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-20 02:14 . 2009-08-20 02:14 -------- d-----w- c:\users\Justyn\AppData\Local\TechSmith
2009-08-20 01:24 . 2009-08-20 01:24 -------- d-----w- c:\windows\system32\QuickTime
2009-08-20 01:23 . 2009-08-20 01:23 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-08-20 01:23 . 2009-08-20 01:23 -------- d-----w- c:\program files\TechSmith
2009-08-20 01:02 . 2005-06-15 10:00 102400 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-13 22:56 . 2009-06-15 14:54 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-13 22:56 . 2009-06-15 14:53 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-13 22:56 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-13 22:56 . 2009-06-15 23:15 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-13 22:56 . 2009-06-15 14:53 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-13 22:56 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-13 22:56 . 2009-06-15 14:52 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-13 22:56 . 2009-06-15 12:48 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-11 18:51 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-11 18:51 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-11 18:51 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-11 18:51 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-11 18:51 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-11 18:51 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-11 18:51 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-11 18:51 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-06 05:32 . 2009-08-06 05:32 -------- d-----w- c:\program files\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 20:54 . 2009-09-02 20:54 5018 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-09-02 02:33 . 2009-05-26 09:01 1356 ----a-w- c:\users\Justyn\AppData\Local\d3d9caps.dat
2009-09-01 02:24 . 2009-09-01 02:24 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-01 00:45 . 2009-06-12 07:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-01 00:17 . 2009-05-27 15:35 112408 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-31 22:51 . 2009-05-26 10:17 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-21 06:41 . 2009-07-09 21:25 -------- d-----w- c:\program files\PopCap Games
2009-08-18 06:45 . 2009-05-26 10:15 -------- d-----w- c:\program files\AllToAVI
2009-08-13 23:22 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 10:09 . 2009-05-26 04:22 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-12 10:02 . 2009-04-18 01:15 -------- d-----w- c:\programdata\Microsoft Help
2009-07-21 21:52 . 2009-07-28 19:54 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:54 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:54 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-14 21:50 . 2009-05-26 12:58 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-12 01:59 . 2009-07-12 01:59 -------- d-----w- c:\program files\AC3Filter
2009-07-09 21:25 . 2009-07-09 21:25 -------- d-----w- c:\programdata\PopCap Games
2009-06-23 16:40 . 2009-05-26 00:12 112408 ----a-w- c:\users\Justyn\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-22 10:16 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-15 14:53 . 2009-07-14 22:34 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 22:34 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 22:34 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 22:34 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 22:34 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-26 00:11 . 2009-05-26 00:11 13 --sh--r- c:\windows\System32\drivers\fbd.sys
.

Re: Multiple Virus2nd September 2009, 10:55 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-30 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):80,f9,84,c9,23,f3,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1807422815-738861055-1700803671-1000]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1807422815-738861055-1700803671-500]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{711C5B84-0C3E-416A-89B9-1350A4ED4FEC}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{25905A1D-1F5E-47B2-B09C-EEF478C4E851}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{96860A96-0D2A-41A4-B0E1-34BCAF32B006}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{EA08C4D4-2078-4D85-B6DD-B699421FA7F7}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{4FEA6F7A-EEE3-4BC0-9AE8-0A2869114AD2}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{897D469D-2E34-4EDD-AB76-86BDB48292BF}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{76A7691E-FD0E-43E8-AE65-D77446D438F2}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D30B2C49-5B28-4541-BF67-194BA9EA2DB0}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{E19DFC26-5237-4A4E-934F-F5D6B8B417E4}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [4/17/2009 6:55 PM 20384]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\System32\SAVRKBootTasks.sys [9/2/2009 2:29 AM 18816]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\System32\atiesrxx.exe [5/15/2009 8:23 PM 176128]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [4/17/2008 12:19 AM 40960]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [12/3/2007 5:03 PM 126976]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [3/30/2009 4:28 PM 1533808]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [5/5/2008 11:06 AM 7168]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [4/24/2008 6:35 PM 73728]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe --> c:\program files\Jumpstart\jswpsapi.exe [?]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [5/16/2008 10:59 AM 9216]
S4 VMLIV;VMLIV;c:\users\JUSTYN\AppData\Local\Temp\VMLIV.exe --> c:\users\JUSTYN\AppData\Local\Temp\VMLIV.exe [?]
S4 ZQTY;ZQTY;c:\users\JUSTYN\AppData\Local\Temp\ZQTY.exe --> c:\users\JUSTYN\AppData\Local\Temp\ZQTY.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: Display All Images with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/228"
IE: Display Image with Full Quality - "c:\program files\NetZero\qsacc\appres.dll/227"
IE: Download Video - http://www.viloader.net/addon.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: netzero.com
Trusted Zone: netzero.net
TCP: {CA815AB6-B3EE-45F6-BB70-FF51C8C23AF7} = 68.87.69.146,68.87.85.98
FF - ProfilePath - c:\users\Justyn\AppData\Roaming\Mozilla\Firefox\Profiles\d9533ooq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 14:51
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\D74B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\atieclxx.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\wlanext.exe
c:\windows\System32\agrsmsvc.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-02 14:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 21:55

Pre-Run: 157,075,496,960 bytes free
Post-Run: 156,926,767,104 bytes free

266 --- E O F --- 2009-08-30 10:01

Re: Multiple Virus2nd September 2009, 11:16 pm

Hijackthis log?:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:57 PM, on 9/2/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - Trusted Zone: *.netzero.com
O15 - Trusted Zone: *.netzero.net
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA815AB6-B3EE-45F6-BB70-FF51C8C23AF7}: NameServer = 68.87.69.146,68.87.85.98
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files\Jumpstart\jswpsapi.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: SmartFaceVWatchSrv - Toshiba - C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 5542 bytes

Re: Multiple Virus2nd September 2009, 11:36 pm

MY windows sticker Activation key won't work! it's on limited accessiblilty mode. grrr!

Re: Multiple Virus3rd September 2009, 12:01 am

This is what it says:

the product key you have entered does not appear to be a valid windows vista product key.

100% sure it is I have the reciept and sticker on bottom of laptop and everything!

This malware messed up my system.

Last edited by justyn on 3rd September 2009, 12:02 am; edited 1 time in total

Re: Multiple Virus3rd September 2009, 12:01 am

Hello.
There isn't much we can do about activiation, you'll need to ring Microsoft and explain your situation.

You aren't running Anti Virus Software

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus3rd September 2009, 12:03 am

ok Thanks, did you notice anything to delete from hijackthis?

I will download that free antivirus you listed.

Re: Multiple Virus3rd September 2009, 12:04 am

Hello.
The Hijack This scan looks good, nothing that alerts me from here.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus3rd September 2009, 12:28 am

you usually say run combofix /u after using it.

Re: Multiple Virus3rd September 2009, 3:47 am

Oh shoot, Took a deeper look it goes farther. I deleted some more geyekrXXXXX keys and found VMLIV and ZQTY services. here is partial log of a part of gmer.

GMER 1.0.15.15077 [gzwoy4u6.exe] - http://www.gmer.net
Rootkit scan 2009-09-02 20:46:29
Windows 6.0.6002 Service Pack 2

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Type 272
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@Start 4
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ImagePath C:\Users\JUSTYN\AppData\Local\Temp\VMLIV.exe
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@DisplayName VMLIV
Reg HKLM\SYSTEM\ControlSet004\Services\VMLIV@ObjectName LocalSystem

---- EOF - GMER 1.0.15 ----

Re: Multiple Virus3rd September 2009, 3:55 am

You know I am so infested with virus I am gonna just reformat... but i wanna use my computer... and this infection is the worst in history of malware.

Re: Multiple Virus3rd September 2009, 2:45 pm

So did you format, or still need help?

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
Multiple Virus - Page 1 DXwU4

Re: Multiple Virus3rd September 2009, 11:13 pm

Alright I formatted since they said some of my windows files may be corrupted. Thanks for all the help though, I learned a lot. Computer runs good as new lol... cause it is new again.

Anyways i got 60 - day trail of norton 360 again when I reformatted/installed. Is that a good antivirus? I don't want any malware to get by.

I wish everyone luck who gets the same problem.

Re: Multiple Virus4th September 2009, 1:28 am

I recommend using Avira free, its way better then Norton:

http://free-av.com

............................................................................................
While my help is always free, please consider donating to keep this site alive: Donate

Multiple Virus

descriptionRe: Multiple Virus2nd September 2009, 1:27 am

descriptionRe: Multiple Virus2nd September 2009, 1:28 am

descriptionRe: Multiple Virus2nd September 2009, 1:29 am

descriptionRe: Multiple Virus2nd September 2009, 1:30 am

descriptionRe: Multiple Virus2nd September 2009, 1:30 am

descriptionGEYEKR2nd September 2009, 1:34 am

descriptionRe: Multiple Virus2nd September 2009, 1:39 am

descriptionRe: Multiple Virus2nd September 2009, 1:49 am

descriptionRe: Multiple Virus2nd September 2009, 3:40 am

descriptionRe: Multiple Virus2nd September 2009, 3:41 am

descriptionRe: Multiple Virus2nd September 2009, 3:42 am

descriptionRe: Multiple Virus2nd September 2009, 3:42 am

descriptionRe: Multiple Virus2nd September 2009, 3:42 am

descriptionRe: Multiple Virus2nd September 2009, 3:43 am

descriptionRe: Multiple Virus2nd September 2009, 4:53 am

descriptionRe: Multiple Virus2nd September 2009, 5:49 am

descriptionRe: Multiple Virus2nd September 2009, 8:03 am

descriptionRe: Multiple Virus2nd September 2009, 9:52 am

descriptionRe: Multiple Virus2nd September 2009, 10:41 am

descriptionRe: Multiple Virus2nd September 2009, 12:39 pm

descriptionRe: Multiple Virus2nd September 2009, 1:35 pm

descriptionRe: Multiple Virus2nd September 2009, 8:53 pm

descriptionRe: Multiple Virus2nd September 2009, 9:05 pm

descriptionRe: Multiple Virus2nd September 2009, 9:31 pm

descriptionRe: Multiple Virus2nd September 2009, 10:06 pm

descriptionRe: Multiple Virus2nd September 2009, 10:10 pm

descriptionRe: Multiple Virus2nd September 2009, 10:32 pm

descriptionRe: Multiple Virus2nd September 2009, 10:55 pm

descriptionRe: Multiple Virus2nd September 2009, 10:55 pm

descriptionRe: Multiple Virus2nd September 2009, 11:16 pm

descriptionRe: Multiple Virus2nd September 2009, 11:36 pm

descriptionRe: Multiple Virus3rd September 2009, 12:01 am

descriptionRe: Multiple Virus3rd September 2009, 12:01 am

descriptionRe: Multiple Virus3rd September 2009, 12:03 am

descriptionRe: Multiple Virus3rd September 2009, 12:04 am

descriptionRe: Multiple Virus3rd September 2009, 12:28 am

descriptionRe: Multiple Virus3rd September 2009, 3:47 am

descriptionRe: Multiple Virus3rd September 2009, 3:55 am

descriptionRe: Multiple Virus3rd September 2009, 2:45 pm

descriptionRe: Multiple Virus3rd September 2009, 11:13 pm

descriptionRe: Multiple Virus4th September 2009, 1:28 am

descriptionRe: Multiple Virus

Re: Multiple Virus2nd September 2009, 1:27 am

Re: Multiple Virus2nd September 2009, 1:28 am

Re: Multiple Virus2nd September 2009, 1:29 am

Re: Multiple Virus2nd September 2009, 1:30 am

Re: Multiple Virus2nd September 2009, 1:30 am

GEYEKR2nd September 2009, 1:34 am

Re: Multiple Virus2nd September 2009, 1:39 am

Re: Multiple Virus2nd September 2009, 1:49 am

Re: Multiple Virus2nd September 2009, 3:40 am

Re: Multiple Virus2nd September 2009, 3:41 am

Re: Multiple Virus2nd September 2009, 3:42 am

Re: Multiple Virus2nd September 2009, 3:42 am

Re: Multiple Virus2nd September 2009, 3:42 am

Re: Multiple Virus2nd September 2009, 3:43 am

Re: Multiple Virus2nd September 2009, 4:53 am

Re: Multiple Virus2nd September 2009, 5:49 am

Re: Multiple Virus2nd September 2009, 8:03 am

Re: Multiple Virus2nd September 2009, 9:52 am

Re: Multiple Virus2nd September 2009, 10:41 am

Re: Multiple Virus2nd September 2009, 12:39 pm

Re: Multiple Virus2nd September 2009, 1:35 pm

Re: Multiple Virus2nd September 2009, 8:53 pm

Re: Multiple Virus2nd September 2009, 9:05 pm

Re: Multiple Virus2nd September 2009, 9:31 pm

Re: Multiple Virus2nd September 2009, 10:06 pm

Re: Multiple Virus2nd September 2009, 10:10 pm

Re: Multiple Virus2nd September 2009, 10:32 pm

Re: Multiple Virus2nd September 2009, 10:55 pm

Re: Multiple Virus2nd September 2009, 10:55 pm

Re: Multiple Virus2nd September 2009, 11:16 pm

Re: Multiple Virus2nd September 2009, 11:36 pm

Re: Multiple Virus3rd September 2009, 12:01 am

Re: Multiple Virus3rd September 2009, 12:01 am

Re: Multiple Virus3rd September 2009, 12:03 am

Re: Multiple Virus3rd September 2009, 12:04 am

Re: Multiple Virus3rd September 2009, 12:28 am

Re: Multiple Virus3rd September 2009, 3:47 am

Re: Multiple Virus3rd September 2009, 3:55 am

Re: Multiple Virus3rd September 2009, 2:45 pm

Re: Multiple Virus3rd September 2009, 11:13 pm

Re: Multiple Virus4th September 2009, 1:28 am

Re: Multiple Virus